A recent paper from Google's Quantum AI division, with contributions from an Ethereum Foundation researcher and a Stanford cryptographer, has detailed a potential quantum computing attack that could steal Bitcoin in approximately nine minutes. The research significantly reduces the estimated number of qubits required to break Bitcoin's elliptic curve cryptography from millions to under 500,000, a roughly 20-fold improvement from prior estimates.
The core of the vulnerability lies in Bitcoin's use of elliptic curve cryptography (secp256k1). This system uses a private key to generate a public key in a one-way mathematical operation. For classical computers, reversing this process to derive the private key from the public key is considered computationally infeasible, estimated to take longer than the age of the universe. However, Peter Shor's quantum algorithm can solve this discrete logarithm problem efficiently.
Google's team designed quantum circuits that implement Shor's algorithm specifically for Bitcoin's curve. They estimate the attack would require about 1,200-1,450 logical qubits and tens of millions of quantum gates. Crucially, the paper outlines a practical attack scenario: an attacker could precompute parts of the algorithm. Then, the moment a target's public key appears (for example, when a transaction is broadcast to the mempool), the quantum computer would need only about nine minutes to complete the calculation and derive the private key.
This creates a race condition against Bitcoin's average 10-minute block time, giving an attacker a roughly 41% chance of stealing funds before the victim's transaction confirms. An even greater concern is the estimated 6.9 million Bitcoin (about one-third of the total supply) held in wallets where the public key is already permanently exposed on the blockchain. These funds are vulnerable to an "at-rest" attack with no time constraint once a sufficiently powerful quantum computer exists.
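The two numbers in the paragraph above can be checked and made concrete with a short script. This is an added example, not code from the paper or from the article: it assumes the standard model of block arrival as a Poisson process with a 10-minute mean interval (so the 9-minute window gives exp(-0.9), about 41%), and it classifies constructed scriptPubKey templates by when their public key becomes visible on-chain. It goes slightly beyond the text by also treating Taproot outputs (whose 32-byte output key is itself a public key) and reused pay-to-pubkey-hash addresses (whose key was revealed by an earlier spend) as exposed at rest; the sample scripts and the set of already-revealed key hashes are constructed for this example.

```python
"""Added example: block-race probability and at-rest public-key exposure
classification for Bitcoin outputs. Sample data is constructed."""
import math
from dataclasses import dataclass


def race_win_probability(attack_minutes: float, mean_block_minutes: float = 10.0) -> float:
    """Probability that the attacker finishes before the next block is found.

    Block arrivals are modelled as a Poisson process (assumption), so the
    inter-block time is exponential and P(no block in t) = exp(-t / mean).
    """
    if attack_minutes < 0 or mean_block_minutes <= 0:
        raise ValueError("attack time must be >= 0 and mean block time > 0")
    return math.exp(-attack_minutes / mean_block_minutes)


# Bitcoin script opcodes used by the templates below
OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC)


@dataclass(frozen=True)
class Exposure:
    kind: str              # output template name
    exposed_at_rest: bool  # True if a quantum attacker needs no spend to see the key
    reason: str


def classify_output(script: bytes, revealed_key_hashes: frozenset = frozenset()) -> Exposure:
    """Classify a scriptPubKey by when its public key is visible on-chain.

    revealed_key_hashes holds 20-byte HASH160 values whose public key already
    appeared in an earlier spend (address reuse). Deriving HASH160 from a key is
    omitted here; the set is supplied as a constructed input.
    """
    n = len(script)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG ; the key sits in the output itself
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG:
        return Exposure("P2PK", True, "public key is in the output script")
    # P2TR: OP_1 <32-byte x-only key> ; the tweaked output key is a public key
    if n == 34 and script[0] == OP_1 and script[1] == 0x20:
        return Exposure("P2TR", True, "x-only output key is a public key")
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        if script[3:23] in revealed_key_hashes:
            return Exposure("P2PKH", True, "key revealed by an earlier spend (address reuse)")
        return Exposure("P2PKH", False, "only HASH160 on-chain until spent")
    # P2WPKH: OP_0 <20>
    if n == 22 and script[0] == OP_0 and script[1] == 0x14:
        if script[2:22] in revealed_key_hashes:
            return Exposure("P2WPKH", True, "key revealed by an earlier spend (address reuse)")
        return Exposure("P2WPKH", False, "only HASH160 on-chain until spent")
    # P2SH: OP_HASH160 <20> OP_EQUAL ; P2WSH: OP_0 <32> ; only a script hash is visible
    if n == 23 and script[0] == OP_HASH160 and script[1] == 0x14 and script[22] == OP_EQUAL:
        return Exposure("P2SH", False, "script hash only; depends on the redeem script")
    if n == 34 and script[0] == OP_0 and script[1] == 0x20:
        return Exposure("P2WSH", False, "script hash only; depends on the witness script")
    return Exposure("unknown", False, "unrecognised script template")


def summarise(utxos, revealed_key_hashes: frozenset = frozenset()):
    """Return (exposed_at_rest, not_yet_exposed) counts over a UTXO list."""
    exposed = sum(1 for s in utxos if classify_output(s, revealed_key_hashes).exposed_at_rest)
    return exposed, len(utxos) - exposed


# Constructed sample outputs (not real chain data); byte patterns are placeholders
REUSED_HASH = b"\x33" * 20
SAMPLE_P2PK = bytes([0x21, 0x02]) + b"\x11" * 32 + bytes([OP_CHECKSIG])
SAMPLE_P2TR = bytes([OP_1, 0x20]) + b"\x22" * 32
SAMPLE_P2PKH_REUSED = bytes([OP_DUP, OP_HASH160, 0x14]) + REUSED_HASH + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SAMPLE_P2PKH_FRESH = bytes([OP_DUP, OP_HASH160, 0x14]) + b"\x44" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SAMPLE_P2WPKH = bytes([OP_0, 0x14]) + b"\x55" * 20
SAMPLE_P2WSH = bytes([OP_0, 0x20]) + b"\x66" * 32
SAMPLE_UTXOS = [SAMPLE_P2PK, SAMPLE_P2TR, SAMPLE_P2PKH_REUSED,
                SAMPLE_P2PKH_FRESH, SAMPLE_P2WPKH, SAMPLE_P2WSH]
REVEALED = frozenset({REUSED_HASH})

if __name__ == "__main__":
    print(f"P(attack finishes before next block) = {race_win_probability(9):.3f}")
    for s in SAMPLE_UTXOS:
        e = classify_output(s, REVEALED)
        print(f"{e.kind:7s} exposed_at_rest={e.exposed_at_rest!s:5s} {e.reason}")
    print("exposed / not yet exposed:", summarise(SAMPLE_UTXOS, REVEALED))
```

The race figure falls out directly: with exponential inter-block times the attacker's nine minutes beat the next block with probability exp(-0.9), about 0.41, which is the 41% quoted above. The classifier is the defender's side of the "at-rest" question: outputs whose key is already visible (P2PK, Taproot, and hash-based outputs whose key was revealed by an earlier spend) cannot be protected by avoiding future spends, whereas fresh hash-based outputs expose their key only in the transaction that spends them, which is the mempool race case.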
Separately, a claim that the Lightning Network is "helplessly broken" in a post-quantum world has sparked debate. Bitcoin developer Udi Wertheimer highlighted that force-closing a Lightning channel exposes public keys on-chain, creating a time-locked window (often 24 hours) during which a quantum attacker could theoretically derive the private key and steal the output. While this is a specific vulnerability, it is conditional on the existence of cryptographically relevant quantum computers (CRQCs), which do not yet exist.
The Bitcoin development community is actively researching post-quantum solutions. Since December, multiple proposals have emerged, including SHRINCS, SHRIMPS, BIP-360, and various hash-based and STARK-based signature schemes for Tapscript. The consensus among experts is that the quantum threat, while a serious long-term challenge, is not an immediate risk, with realistic timelines for capable hardware ranging from the late 2020s to the 2030s or beyond.