Google’s paper found that a quantum computer could derive a Bitcoin private key from a public key in roughly nine minutes. That nine-minute window compares with Bitcoin’s average confirmation time of about 10 minutes, and the attack targets transactions while the public key is exposed in the mempool. Google estimates such a machine would require fewer than 500,000 physical qubits, compared with roughly 1,000 qubits in current processors.
Bitcoin transactions use a private key to sign a transaction, and that signature reveals the corresponding public key when the transaction is broadcast to the mempool. While the transaction awaits confirmation, the public key is exposed in the mempool. That exposure creates an opportunity for an adversary to attempt to derive the private key before the transaction confirms. Bitcoin’s average confirmation time is about 10 minutes, which defines the window for such a race.
Google’s paper found that a quantum computer could derive a private key from a public key in roughly nine minutes, targeting that mempool window. The attack relies on the elliptic curve discrete logarithm problem, which a sufficiently powerful quantum computer could solve using Shor’s algorithm. The nine-minute figure refers to the time the machine would need after the public key enters the mempool to derive the private key. This description focuses on the computation performed while the public key is exposed.
The proposed attack separates computation into parts that can be pre-computed independently of any specific public key, and a short final phase that depends on the revealed key. Pre-computing reduces the time needed after a public key appears, limiting the live computation to a final set of adjustments. That final step is what takes roughly nine minutes in the paper’s estimate. Google estimates a machine built to perform this attack would require fewer than 500,000 physical qubits. That qubit count is far larger than the roughly 1,000 qubits in today’s processors.
The explanation above outlines the mempool attack, the role of pre-computation, and the specific computational requirement described in the paper. The attack’s practical effect depends on a machine that can perform the described computations within the mempool window.
About 6.9 million bitcoin sit in wallets where the public key has been permanently exposed, representing roughly one-third of the total supply. The public-key exposure in those wallets is permanent under current address conditions. Those exposed funds differ from addresses that keep the public key hidden until a new transaction is signed.
Exposed wallets include early addresses using the pay-to-public-key format and wallets that have reused an address, because spending from an address reveals the public key for remaining funds. Google’s paper identifies these categories of exposure. Because the public key is already revealed, these exposed coins do not require the nine-minute mempool race associated with freshly broadcast transactions. Instead, they could be targeted and cracked over time, one by one.
This summary quantifies the scale and causes of permanent public-key exposure in Bitcoin wallets. The data highlights a material subset of bitcoin that the paper identifies as vulnerable without a time-sensitive mempool window.
Google’s paper estimates a quantum machine built to perform this attack would require fewer than 500,000 physical qubits. Source
That estimate is far larger than the roughly 1,000 qubits available in today’s processors. Source
The proposed machine is described as generic in its ability to work for any public key after pre-computed work, requiring only a short set of final, key-dependent adjustments. Source
Those final adjustments are estimated to take about nine minutes after a public key appears in the mempool. Source
Google’s paper found that a quantum computer could derive a Bitcoin private key from a public key in roughly nine minutes.
About 6.9 million bitcoin — roughly one-third of the total supply — sit in wallets where the public key has been permanently exposed.
Google estimates a machine that could perform this attack would require fewer than 500,000 physical qubits.
