April 18, 2026 ChainGPT

Google Paper: Quantum Computers Could Steal Bitcoin in 9 Minutes — Millions of BTC at Risk

Headline: How a quantum computer could steal your bitcoin in nine minutes — and why some coins are already at risk

Quantum computers aren’t just faster PCs — they work on completely different physics. Part 1 of this series explained the basics. Here, we take that foundation and show exactly what a quantum attacker would be targeting in Bitcoin, how Shor’s algorithm does it, and why a recent Google paper condensed the danger into a practical nine‑minute window.

What Bitcoin’s keys actually are

- Bitcoin ownership rests on elliptic curve cryptography (the secp256k1 curve). Each wallet has:
  - a 256‑bit private key k (a secret number)
  - a public key K derived from k by a one‑way operation on the curve.
- Mathematically: K = k × G, where G is the agreed starting point (the generator). Scalar “multiplication” on the curve means repeatedly adding a point to itself. Going forward (k → K) is easy; reversing K → k is the elliptic curve discrete logarithm problem, which classical computers can’t solve in any practical time frame.

Why Shor’s algorithm breaks that one‑way trapdoor

- In 1994 Peter Shor discovered a quantum algorithm that solves discrete logarithms efficiently. Problems that would take classical machines longer than the age of the universe can be solved in polynomial time by a quantum computer with Shor’s method.
- Intuition: Shor turns the problem into finding the period of a function. Quantum computers use:
  - superposition to evaluate many inputs at once,
  - entanglement to keep inputs and outputs correlated,
  - and interference (via the quantum Fourier transform) to cancel wrong answers and reinforce the right period.
- Once the period is measured, the private key k can be recovered with ordinary math. In short: Shor extracts your secret from your public key.

Why this hasn’t happened — yet

- Shor’s algorithm has existed for 30+ years, but running it requires a very large, low‑error quantum computer. Qubits decohere; to get stable “logical” qubits you need many physical qubits for error correction. Prior estimates put the physical‑qubit requirement in the millions.

What Google’s new paper changed

- A recent Google Quantum AI paper (with contributions from Justin Drake and Dan Boneh) dramatically reduced those resource estimates. Instead of millions, they estimate fewer than 500,000 physical qubits — roughly a 20× reduction from prior figures.
- They designed two concrete quantum circuits for attacking secp256k1:
  - one needs ~1,200 logical qubits and ~90 million Toffoli gates,
  - the other ~1,450 logical qubits and ~70 million Toffoli gates.
- A Toffoli gate is a three‑qubit gate — think of it like a lightbulb that turns on only if two specific switches are both flipped. These are expensive operations in quantum circuits.
- Because of error correction, Google’s analysis implies about a 400:1 ratio of physical to logical qubits: most of a future quantum computer will be devoted to keeping itself honest.

The practical attack scenario: precompute, then wait

- The paper introduced a practical optimization: precompute everything that depends only on the curve’s fixed parameters (which are public and identical across all wallets). The quantum machine can be pre‑primed and sitting “halfway” through the computation, ready to finish quickly when a target public key appears.
- When a public key shows up (in the mempool or already on the blockchain), the attacker only needs to run the second half of the algorithm. Google estimates that finishing the job takes about nine minutes.

The two attack modes and what they mean

1. Mempool (race) attack:
   - Bitcoin’s average block time is ~10 minutes. If you broadcast a transaction that reveals your public key in the mempool, a quantum attacker has about nine minutes to derive your private key and publish a competing transaction that steals the funds.
   - Google’s math gives the attacker roughly a 41% chance of finishing before the original transaction is confirmed. This is alarming but requires the large quantum machine described above.
2. At‑rest (batch) attack:
   - Far more concerning: about 6.9 million BTC (roughly one‑third of supply) are already sitting in wallets whose public keys are permanently exposed on‑chain. These funds can be attacked “at rest” — no race, no mempool timing, the attacker can take as long as needed to recover the private key.
   - Since Taproot (activated November 2021) exposes public keys on chain when used, a substantial fraction of coins moved under Taproot are already vulnerable. For older address types, the public key becomes exposed once you spend from them — at that moment you get a limited (~9‑minute) window before an attacker could potentially catch up.

Bottom line

- Shor’s algorithm threatens the core one‑way math that protects bitcoin private keys. Google’s paper shows the attack needs far fewer resources than previously thought and, crucially, that precomputation makes a rapid (≈9 minute) finish plausible once a public key appears.
- We do not yet have quantum machines of this scale in the real world, but the resource gap has been narrowed significantly. The biggest immediate risk is coins with public keys already revealed on chain.

What’s next

- Part 3 will map which specific coins are exposed, detail how Taproot changed the exposure profile, and review how quickly quantum hardware is closing the remaining gap. Stay tuned — the clock on this threat is counting down.
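One model that reproduces the roughly 41% figure in the mempool race, as an added example that is not from the article or the paper. It assumes block intervals are exponentially distributed with the page's 10-minute mean and that the victim's transaction confirms in the next block; the paper's own model is not shown on the page.

```python
import math
import random

MEAN_BLOCK_MIN = 10.0  # from the page: average block time ~10 minutes

def race_success_probability(attack_min, mean_block_min=MEAN_BLOCK_MIN):
    """Chance that no block arrives before the key is recovered.

    Assumption of this example: exponential block intervals, and the
    victim's transaction is confirmed by the very next block.
    """
    return math.exp(-attack_min / mean_block_min)

def simulate_race(attack_min, trials=100_000, seed=2026):
    """Monte Carlo cross-check: draw the wait for the next block each trial."""
    rng = random.Random(seed)
    wins = sum(rng.expovariate(1.0 / MEAN_BLOCK_MIN) > attack_min
               for _ in range(trials))
    return wins / trials

def attack_time_for(probability, mean_block_min=MEAN_BLOCK_MIN):
    """Attack duration in minutes at which the success chance equals `probability`."""
    return -mean_block_min * math.log(probability)

if __name__ == "__main__":
    # How the race odds move with the time needed to finish the computation.
    for minutes in (1, 5, 9, 20, 60):
        print(f"{minutes:>3} min -> {race_success_probability(minutes):.1%}")
```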
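For the at-rest case, an added example (not from the article) that sorts output scripts by whether the public key is already visible on chain or only revealed when spent. It uses the standard Bitcoin output script templates; the sample scripts and the `spent_before` flag (address reuse) are constructed for this illustration.

```python
# Added illustration: audit output scripts (scriptPubKey hex) for key exposure.
TEMPLATES = [
    # (name, total length, prefix, suffix, public key visible in the output?)
    ("p2pk",   35, b"\x21",         b"\xac",     True),   # compressed key
    ("p2pk",   67, b"\x41",         b"\xac",     True),   # uncompressed key
    ("p2pkh",  25, b"\x76\xa9\x14", b"\x88\xac", False),  # hash of the key
    ("p2sh",   23, b"\xa9\x14",     b"\x87",     False),  # hash of a script
    ("p2wpkh", 22, b"\x00\x14",     b"",         False),
    ("p2wsh",  34, b"\x00\x20",     b"",         False),
    ("p2tr",   34, b"\x51\x20",     b"",         True),   # Taproot output key
]

def classify(script_hex):
    """Return (script type, key_visible) or ("unknown", None)."""
    s = bytes.fromhex(script_hex)
    for name, length, prefix, suffix, visible in TEMPLATES:
        if len(s) == length and s.startswith(prefix) and s.endswith(suffix):
            return name, visible
    return "unknown", None

def exposure(script_hex, spent_before=False):
    """'at-rest': key already public; 'on-spend': revealed only when spent."""
    name, visible = classify(script_hex)
    if visible is None:
        return name, "unknown"
    # A hashed output whose script was spent from earlier has shown its key.
    return name, "at-rest" if (visible or spent_before) else "on-spend"

# Constructed sample outputs: (scriptPubKey hex, same script spent from before?)
SAMPLE_UTXOS = [
    ("21" + "02" + "aa" * 32 + "ac", False),   # early pay-to-pubkey
    ("76a914" + "11" * 20 + "88ac", False),    # fresh P2PKH
    ("76a914" + "22" * 20 + "88ac", True),     # reused P2PKH address
    ("0014" + "33" * 20, False),               # fresh P2WPKH
    ("5120" + "44" * 32, False),               # Taproot
]

def audit(utxos=SAMPLE_UTXOS):
    return [exposure(script, reused) for script, reused in utxos]
```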