Google's Quantum AI team said earlier this week that a future quantum computer could derive a bitcoin private key from a public key in roughly nine minutes. The number ricocheted across social media and spooked markets.
But, what does it actually mean in practice?
Let's start with how bitcoin transactions work. When you send bitcoin, your wallet signs the transaction with a private key, a secret number that proves you own the coins.
That signature also reveals your public key, a shareable address, which gets broadcast to the network and sits in a waiting area called the mempool until a miner includes it in a block. On average, that confirmation takes about 10 minutes.
Your private key and public key are linked by a math problem called the elliptic curve discrete logarithm problem. Classical computers can't reverse that math in any useful timeframe, while a sufficiently powerful future quantum computer running an algorithm called Shor's could.
Here's where the nine minutes part comes in. Google's paper found that a quantum computer could be "primed" in advance by pre-computing the parts of the attack that don't depend on any specific public key.
Once your public key appears in the mempool, the machine only needs about nine minutes to finish the job and derive your private key. Bitcoin's average confirmation time is 10 minutes. That gives the attacker a roughly 41% chance of deriving your key and redirecting your funds before the original transaction confirms.
Think of it like a thief spending hours building a universal safe-cracking machine (pre-computation). The machine works for any safe, but each time a new safe appears, it only needs a few final adjustments — and that last step is what takes about nine minutes.
That's the mempool attack. It's alarming but requires a quantum computer that doesn't exist yet. Google's paper estimates such a machine would need fewer than 500,000 physical qubits. Today's largest quantum processors have around 1,000.
The bigger and more immediate concern is the 6.9 million bitcoin, roughly one-third of total supply, that already sit in wallets where the public key has been permanently exposed.
This includes early bitcoin addresses from the network's first years that used a format called pay-to-public-key, where the public key is visible on the blockchain by default. It also includes any wallet that has reused an address, since spending from an address reveals the public key for all remaining funds.
These coins don't need the nine-minute race. An attacker with a sufficiently powerful quantum computer could crack them at leisure, working through exposed keys one by one without any time pressure.
Bitcoin's 2021 Taproot upgrade made this worse, as CoinDesk reported earlier Tuesday. Taproot changed how addresses work so that public keys are visible on-chain by default, inadvertently expanding the pool of wallets that would be vulnerable to a future quantum attack.
The bitcoin network itself would keep running. Mining uses a different algorithm called SHA-256 that quantum computers can't meaningfully speed up with current approaches. Blocks would still be produced.
The ledger would still exist. But if private keys can be derived from public keys, the ownership guarantees that make bitcoin valuable break down. Anyone with exposed keys is at risk of theft, and institutional trust in the network's security model collapses.
The fix is post-quantum cryptography, which replaces the vulnerable math with algorithms that quantum computers can't crack. Ethereum has spent eight years building toward that migration. Bitcoin hasn't even started.