Part 1 of this series explained what quantum computers actually are. Not just faster versions of regular computers, but a fundamentally different kind of machine that exploits the strange rules of physics that only apply at the scale of atoms and particles.
But knowing how a quantum computer works doesn’t tell you how a bad actor could use one to steal bitcoins. That requires understanding what is actually under attack, how Bitcoin’s security is built, and exactly where the weakness lies.
This piece starts with how Bitcoin ownership is secured and ends at the nine-minute window for breaking it that Google’s recent quantum computing paper identified.
The one-way map
Bitcoin uses a system called elliptic curve cryptography to prove who owns what. Each wallet has two keys. A private key is a secret 256-bit number (written out in binary it is about as long as this sentence). A public key is derived from the private key by performing a mathematical operation on a specific curve called “secp256k1”.
Think of it as a one-way map. Start at a known location on the curve that everyone agrees on, called generator point G (as shown in the chart below). Take a private number of steps in a pattern defined by the mathematics of the curve. The number of steps is your private key. Where you end on the curve is your public key (point K on the graph). Anyone can verify that you ended up at that specific location. No one can calculate how many steps you took to get there.
Technically, this is written as K = k × G, where k is your private key and K is your public key. “Multiplication” here is not ordinary multiplication but a geometric operation in which a point is repeatedly added to itself along the curve. The result lands at a seemingly random point, one that only your specific number k would produce.
The crucial property is that going forward is easy and going back is, for classical computers, effectively impossible. If you know k and G, calculating K takes milliseconds. If you know K and G and want to calculate k, you are solving what mathematicians call the elliptic curve discrete logarithm problem.
It is estimated that the best-known classical algorithms for a 256-bit curve would take longer than the age of the universe.
This one-way trapdoor is the entire security model. Your private key proves that you own your coins. It is safe to share your public key because no classical computer can reverse the calculation. When you send bitcoins, your wallet uses the private key to create a digital signature, a mathematical proof that you know the secret number without revealing it.
Shor’s algorithm opens the door in both directions
In 1994, a mathematician named Peter Shor discovered a quantum algorithm that breaks the trapdoor.
Shor’s algorithm efficiently solves the discrete logarithm problem. The same mathematics that would take a classical computer longer than the universe has existed, Shor’s algorithm handles in what mathematicians call polynomial time, meaning that the difficulty grows slowly as the numbers get larger rather than explosively.
The intuition for how it works goes back to the three quantum properties in Part 1 of this series.
The algorithm needs to find the private key k, given the public key K and the generator point G. It converts this into the problem of finding the period of a function: a function that takes a number as input and returns a point on the elliptic curve.
As you feed it sequential numbers, 1, 2, 3, 4, the outputs eventually repeat in a loop. The length of that cycle is called the period, and once you know how often the function repeats, the mathematics of the discrete logarithm problem unravels in one step. The private key falls out almost immediately.
Finding the period of a function is exactly what quantum computers are built to do. The algorithm places its input register in a superposition (the quantum state in which, as Part 1 described, a particle exists in multiple locations simultaneously), representing all possible inputs at once, and applies the function to all of them in a single step.
It then applies a quantum operation called a Fourier transform, which causes the incorrect answers to cancel out while the correct answers reinforce each other.
When you measure the result, the period appears. From the period, ordinary mathematics recovers k: your private key, and therefore your coins.
The attack uses all three quantum tricks from the first piece. Superposition evaluates the function on every possible input at once. Entanglement links the input and output so that the results stay correlated. Interference filters out the noise until only the answer remains.
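The two ideas above, the easy forward map K = k × G and the period-finding reduction that Shor’s algorithm exploits, can be made concrete in a few dozen lines. The following is an added example written for this article, not code from the article or from Google’s paper. It implements curve arithmetic over a prime field, derives a public key on the real secp256k1 parameters (which are public constants), and then runs the period-finding reduction on a constructed 19-point toy curve (y² = x³ + 2x + 2 over F₁₇, generator (5, 1)) where an exhaustive classical search can stand in for the quantum Fourier transform. One generalisation beyond the text: Shor’s elliptic-curve routine actually uses a function of two inputs, f(a, b) = a·G + b·K, whose period vector (k, −1) encodes the private key; the article’s single-input description is a simplification of that. The names `Curve`, `period_lattice` and `recover_toy_key` are this example’s own.

```python
# Added example (not code from the article): the one-way map K = k*G on
# secp256k1, and the period-finding reduction that Shor's algorithm exploits,
# demonstrated classically on a 19-point toy curve.  Pure Python 3.8+.
from dataclasses import dataclass
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity O


@dataclass(frozen=True)
class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over F_p, generator G of prime order n."""
    p: int
    a: int
    b: int
    G: Tuple[int, int]
    n: int

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x * x * x + self.a * x + self.b)) % self.p == 0

    def add(self, P: Point, Q: Point) -> Point:
        """Chord-and-tangent point addition: one 'step' along the curve."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                       # P + (-P) = O
        if P == Q:
            s = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p) % self.p
        else:
            s = (y2 - y1) * pow(x2 - x1, -1, self.p) % self.p
        x3 = (s * s - x1 - x2) % self.p
        y3 = (s * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """k*P by double-and-add: O(log k) steps, the easy forward direction."""
        R, A = None, P
        while k > 0:
            if k & 1:
                R = self.add(R, A)
            A = self.add(A, A)
            k >>= 1
        return R


# Bitcoin's curve.  These are the published secp256k1 constants, not secrets.
SECP256K1 = Curve(
    p=2**256 - 2**32 - 977,
    a=0,
    b=7,
    G=(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8),
    n=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141,
)


def derive_pubkey(k: int) -> Point:
    """K = k*G on secp256k1: milliseconds forward, infeasible backward for classical machines."""
    return SECP256K1.mul(k, SECP256K1.G)


# Toy curve constructed for illustration: y^2 = x^3 + 2x + 2 over F_17,
# G = (5, 1) has prime order 19, so the whole group can be searched by hand.
TOY = Curve(p=17, a=2, b=2, G=(5, 1), n=19)


def period_lattice(curve: Curve, K: Point) -> List[Tuple[int, int]]:
    """Shor's reduction: f(a, b) = a*G + b*K.  Since K = k*G, f(a, b) = O exactly when
    a + b*k = 0 (mod n), so f repeats along the vector (k, -1): f(a + k, b - 1) == f(a, b).
    Shor's algorithm finds that period with a quantum Fourier transform; here an exhaustive
    search over all n^2 inputs stands in for it, which is only feasible because n = 19."""
    return sorted(
        (a, b)
        for a in range(curve.n)
        for b in range(curve.n)
        if curve.add(curve.mul(a, curve.G), curve.mul(b, K)) is None
    )


def key_from_period(curve: Curve, a: int, b: int) -> int:
    """The 'ordinary mathematics' step: one period vector (a, b) with b != 0 gives
    a*G + b*K = O  =>  K = (-a * b^-1) * G  =>  k = -a / b (mod n)."""
    return (-a) * pow(b, -1, curve.n) % curve.n


def recover_toy_key(k: int) -> int:
    """End to end on the toy curve: publish K = k*G, find the period, read off k."""
    K = TOY.mul(k, TOY.G)
    a, b = next(v for v in period_lattice(TOY, K) if v[1] != 0)
    return key_from_period(TOY, a, b)


if __name__ == "__main__":
    print("secp256k1 public key for k=2:", derive_pubkey(2))
    print("toy curve: k=7 recovered from its public key as", recover_toy_key(7))
```

The secp256k1 half runs in milliseconds even for a full 256-bit k, which is the "forward is easy" claim. The toy half does 19² function evaluations to find the period; on the real curve that search would be about 2²⁵⁶ evaluations, and replacing it with a polynomial-time quantum Fourier transform is exactly Shor’s contribution.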
Why bitcoin still works today
Shor’s algorithm has been known for more than 30 years. The reason bitcoin still exists is that running it requires a quantum computer with a large enough number of stable qubits to maintain coherence throughout the calculation.
Building that machine has been out of reach, but the question has always been how big “big enough” is.
Previous estimates put the requirement at millions of physical qubits. Google’s paper, published in early April by its Quantum AI division with contributions from Ethereum Foundation researcher Justin Drake and Stanford cryptographer Dan Boneh, reduced that number to fewer than 500,000, a reduction of about 20 times from previous estimates.
The team designed two quantum circuits that implement Shor’s algorithm against the bitcoin-specific elliptic curve. One uses approximately 1,200 logical qubits and 90 million Toffoli gates; the other uses approximately 1,450 logical qubits and 70 million Toffoli gates.
A Toffoli gate is a gate that acts on three qubits: two control qubits decide whether the state of a third, target qubit is flipped. Think of it as three light switches (the qubits) and a special light bulb (the target) that only changes state when two specific switches are on at the same time.
Because qubits constantly lose their quantum state, as explained in Part 1, hundreds of redundant physical qubits checking each other’s work are needed to maintain a single reliable logical qubit. Most of a quantum computer exists only to detect the machine’s own errors before they ruin the calculation. The roughly 400-to-1 ratio of physical to logical qubits reflects how much of the machine exists as self-care infrastructure.
The nine-minute window
The Google paper didn’t just reduce the number of qubits. It also introduced a practical attack scenario that changes how you should think about the threat.
The parts of Shor’s algorithm that depend solely on the fixed parameters of the elliptic curve, which are publicly known and identical for every bitcoin wallet, can be precomputed. The quantum computer sits in a ready state, already halfway through the calculation, waiting.
The moment a target public key appears, whether transmitted in a transaction to the network mempool or already exposed on the blockchain from a previous transaction, the machine only needs to finish the second half.
Google estimates that this second half takes about nine minutes.
The average Bitcoin block confirmation time is 10 minutes. That means that if a user transmits a transaction and their public key is visible in the mempool, a quantum attacker has approximately nine minutes to obtain a private key and send a competing transaction that redirects the funds.
The math gives the attacker about a 41% chance of finishing before the original transaction is confirmed.
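The “about 41%” figure is not explained in the article, but it falls out of the standard model of Bitcoin block arrivals as a Poisson process with a 10-minute mean: the wait for the next block is then exponentially distributed, and the attacker wins the race whenever that wait exceeds the nine-minute attack time, with probability exp(−9/10) ≈ 0.41. The following added example (not from the article or from Google’s paper) computes that probability under the stated model, cross-checks it with a Monte Carlo simulation, and answers the defender’s inverse question of how slow the attack would have to be for the race to become negligible. The model choice and the function names are this example’s assumptions.

```python
# Added example (not from the article): where the "about 41%" figure comes from.
# Assumed model: block arrivals form a Poisson process with a 10-minute mean, so
# the time until the next block is exponential and memoryless.  The article
# states the 41% figure without spelling out its model.
import math
import random

MEAN_BLOCK_MINUTES = 10.0


def attack_success_probability(attack_minutes: float,
                               mean_block_minutes: float = MEAN_BLOCK_MINUTES) -> float:
    """P(no block confirms the victim's transaction before the attacker finishes).
    For exponential inter-block times this is exp(-t / mean).  Memorylessness means
    it does not matter how far into the current block interval the transaction was
    broadcast: the attacker's odds are the same at every moment."""
    return math.exp(-attack_minutes / mean_block_minutes)


def simulate(attack_minutes: float, trials: int = 200_000, seed: int = 1) -> float:
    """Monte Carlo cross-check: draw the time to the next block for each race and
    count the races the attacker wins (block arrives after the attack completes)."""
    rng = random.Random(seed)
    wins = sum(rng.expovariate(1.0 / MEAN_BLOCK_MINUTES) > attack_minutes
               for _ in range(trials))
    return wins / trials


def window_for_target(max_success: float,
                      mean_block_minutes: float = MEAN_BLOCK_MINUTES) -> float:
    """Defender's inverse question: how many minutes must the key-recovery step take
    before the mempool race succeeds with probability at most max_success?
    Solving exp(-t / mean) = p gives t = -mean * ln(p)."""
    return -mean_block_minutes * math.log(max_success)


if __name__ == "__main__":
    for t in (9, 20, 60):
        print(f"attack time {t:>3} min: success probability {attack_success_probability(t):.1%}")
    print(f"simulated, 9 min: {simulate(9):.1%}")
    print("attack minutes needed for <1% success:", round(window_for_target(0.01), 1))
```

Two things the numbers show that the prose does not: the 41% does not depend on luck about *when* in the block interval the transaction was broadcast, only on the ratio of attack time to mean block time; and shrinking the attacker’s odds to under 1% would require the key-recovery step to take about 46 minutes rather than nine. The “resting” attack on already-exposed public keys, discussed next, is not a race at all, so no such probability applies to it.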
That’s the mempool attack. It’s alarming but it requires a quantum computer that doesn’t exist yet.
The biggest concern, however, is the 6.9 million bitcoins (about a third of the total supply) that are held in wallets where the public key has already been permanently exposed on the blockchain. Those coins are vulnerable to a “resting” attack that does not require a race against time. The attacker can take as long as necessary.
A quantum computer running Shor’s algorithm can turn a bitcoin public key into the private key that controls the coins. For coins held in Taproot outputs (a Bitcoin privacy upgrade that went live in November 2021), the public key is already visible on the blockchain. For coins at older address types, the public key stays hidden until you spend, at which point the attacker has approximately nine minutes to catch up with you.
What this means in practice, which 6.9 million bitcoins are already exposed, what Taproot changed, and how quickly hardware is closing the gap, is the subject of the next and final article in this series.