How a quantum computer can be used to actually steal your bitcoin in ‘9 minutes’

Part 1 of this series explained what quantum computers actually are. Not just faster versions of regular computers, but a fundamentally different machine that exploits the strange laws of physics that only apply on the scale of atoms and particles.

But knowing how a quantum computer works doesn’t tell you how it can be used to steal bitcoin by a bad actor. It requires understanding what it actually attacks, how bitcoin’s security is built, and exactly where the weakness is.

This piece starts with bitcoin’s encryption and works up to the nine-minute window it takes to break it, as identified by Google’s recent quantum computing paper.

The one-way card

Bitcoin uses a system called elliptic curve cryptography to prove who owns what. Each wallet has two keys. The private key is a secret number, 256 digits long in binary, about as long as this sentence. The public key is derived from the private key by performing a mathematical operation on a specific curve called “secp256k1.”

Think of it as a one-way map. Start at a known location on the curve that everyone agrees on, called the generator point G (as shown in the chart below). Take a secret number of steps in a pattern defined by the mathematics of the curve. The number of steps is your private key. Where you end up on the curve is your public key (point K in the diagram). Anyone can verify that you ended up at that specific location. No one can find out how many steps you took to get there.

Technically, this is written as K = k × G, where k is your private key and K is your public key. The “multiplication” is not regular multiplication, but a geometric operation where you repeatedly add a point to itself along the curve. The result lands in a seemingly random place that only your specific number k would produce.

The defining feature is that going forward is easy, and going back is, for classical computers, effectively impossible. If you know k and G, it takes milliseconds to calculate K. If you know K and G and want to find k, you are solving what mathematicians call the elliptic curve discrete logarithm problem.

It is estimated that the best known classical algorithms for a 256-bit curve would take longer than the age of the universe.

This one-way trapdoor is the complete safety model. Your private key proves that you own your coins. Your public key is safe to share because no classical computer can reverse the math. When you send bitcoin, your wallet uses the private key to create a digital signature, a mathematical proof that you know the secret number without revealing it.

Shor’s algorithm opens the door both ways

In 1994, a mathematician named Peter Shor discovered a quantum algorithm that breaks the trapdoor.

Shor’s algorithm solves the discrete logarithm problem efficiently. The same mathematics that would take a classical computer longer than the universe has existed is handled by Shor’s algorithm in what mathematicians call polynomial time, meaning the difficulty grows slowly as the numbers get bigger rather than explosively.

The intuition for how this works comes back to the three quantum properties from Part 1 of this series.

The algorithm needs to find your private key k, given your public key K and the generator point G. It converts this into a problem of finding the period of a function. Think of a function that takes a number as input and returns a point on the elliptic curve.

When you feed in the sequential numbers 1, 2, 3, 4 and so on, the outputs eventually repeat in a cycle. The length of that cycle is called the period, and once you know how often the function repeats, the math for the discrete logarithm problem unravels in a single step. The private key drops out almost immediately.

Finding the period of a function is exactly what quantum computers are built for. The algorithm puts its input register into a superposition (the quantum state in which, as Part 1 described, a particle exists in several places simultaneously) that represents all possible input values at once. It applies the function to all of them in one go.

It then applies a quantum operation called the Fourier transform, which causes the incorrect answers to cancel out while the correct answers are amplified.

When you measure the result, the period is revealed. From this period, ordinary math recovers k: your private key, and therefore your coins.

[Diagram (CoinDesk)]

The attack uses all three quantum tricks from the first piece. Superposition evaluates the function on all possible inputs at once. Entanglement connects inputs and outputs so that the results remain correlated. Interference filters out the noise until only the answer remains.
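The two ideas above, the one-way map K = k × G and the reduction of the private key to a period-finding problem, can both be seen in working code. The following is an added example, not code from the article or from Google’s paper. It implements generic elliptic-curve arithmetic over a prime field, runs it on the real, public secp256k1 parameters to show how cheap the forward direction is, and then uses a toy 19-point textbook curve (y² = x³ + 2x + 2 mod 17, generator (5, 1)) to show how knowing the period of the two-variable function f(a, b) = a·G + b·K hands over k. The period search is a classical brute force standing in for the quantum step, and it only works because the toy curve is tiny; on secp256k1 the same search is the “longer than the age of the universe” problem.

```python
# Added example, not from the CoinDesk article or Google's paper. Generic
# elliptic-curve arithmetic over a prime field, applied to the real secp256k1
# parameters (forward direction K = k*G) and to a toy 19-point curve
# (y^2 = x^3 + 2x + 2 mod 17) to show how the period of f(a, b) = a*G + b*K
# exposes k. The brute-force period search stands in for the quantum step.
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity


@dataclass(frozen=True)
class Curve:
    p: int              # field prime
    a: int              # y^2 = x^3 + a*x + b  (mod p)
    b: int
    g: Tuple[int, int]  # agreed generator point G

    def add(self, P: Point, Q: Point) -> Point:
        """Chord-and-tangent point addition in affine coordinates."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                  # P + (-P) = infinity
        if P == Q:                       # tangent slope when doubling
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:                            # chord slope for distinct points
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        return (x3, (lam * (x1 - x3) - y1) % self.p)

    def mul(self, k: int, P: Point) -> Point:
        """k*P by double-and-add: taking k 'steps' is the cheap direction."""
        R: Point = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def order_of(self, P: Point) -> int:
        """Smallest n with n*P = infinity, found by walking (toy curves only)."""
        n, R = 1, P
        while R is not None:
            R = self.add(R, P)
            n += 1
        return n


# Real secp256k1 parameters: public and identical for every bitcoin wallet.
SECP256K1 = Curve(
    p=0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F,
    a=0, b=7,
    g=(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8),
)
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G


def public_key(k: int) -> Point:
    """Forward direction on the real curve: K = k*G, milliseconds of work."""
    return SECP256K1.mul(k, SECP256K1.g)


def compressed(K: Tuple[int, int]) -> bytes:
    """33-byte SEC encoding (0x02/0x03 by y parity, then x): the form of the
    public key that a spend from a legacy address reveals on the chain."""
    x, y = K
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


# Toy curve with a prime number of points (19): small enough to brute force.
TOY = Curve(p=17, a=2, b=2, g=(5, 1))


def recover_key_from_period(curve: Curve, K: Point) -> int:
    """Shor's reduction of the discrete log to period finding, brute-forced.

    f(a, b) = a*G + b*K is unchanged when (a, b) shifts by (k, -1), since
    (a + k)*G + (b - 1)*K = a*G + b*K. Any (r1, r2) with r2 != 0 and
    f(r1, r2) = f(0, 0) = infinity gives r1*G = -r2*k*G, so
    k = -r1 / r2 (mod n). A quantum computer extracts such a period vector
    with the Fourier transform; here exhaustive search stands in for it.
    """
    n = curve.order_of(curve.g)
    for r2 in range(1, n):
        for r1 in range(n):
            if curve.add(curve.mul(r1, curve.g), curve.mul(r2, K)) is None:
                return (-r1 * pow(r2, -1, n)) % n
    raise ValueError("K is not a multiple of G")
```

Calling `public_key(k)` with any 256-bit number returns the matching point on the real curve almost instantly, and `compressed(...)` gives the 33-byte form that ends up on the blockchain once a legacy address is spent from. Calling `recover_key_from_period(TOY, TOY.mul(7, TOY.g))` returns 7, with the quantum period-finding step replaced by a loop over the 19 points; the final line of the search, `(-r1 / r2) mod n`, is the “ordinary math” the article says recovers k once the period is known.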

Why bitcoin still works today

Shor’s algorithm has been known for more than 30 years. The reason bitcoin still exists is that running it requires a quantum computer with a sufficiently large number of stable qubits to maintain coherence throughout the computation.

Building that machine has been out of reach, but the question has always been how big is “big enough.”

Previous estimates said millions of physical qubits. Google’s paper, published in early April by its Quantum AI division with contributions from Ethereum Foundation researcher Justin Drake and Stanford cryptographer Dan Boneh, whittled that down to fewer than 500,000.

That is a reduction of about 20 times compared to previous estimates.

The team designed two quantum circuits that implement Shor’s algorithm against bitcoin’s specific elliptic curve. The first uses approximately 1,200 logical qubits and 90 million Toffoli gates. The second uses approximately 1,450 logical qubits and 70 million Toffoli gates.

A Toffoli gate is a type of gate that operates on three qubits: two control qubits, which affect the state of a third target qubit. Think of this as three light switches (qubits) and a special light bulb (the target) that only turns on if two specific switches are turned on at the same time.

Because qubits are constantly losing their quantum state, as Part 1 explained, you need hundreds of redundant physical qubits checking each other’s work to maintain a single reliable logical qubit. Most of a quantum computer exists just to catch the machine’s own errors before they destroy the computation. The roughly 400-to-1 ratio of physical to logical qubits reflects how much of the machine exists as self-babysitting infrastructure.

The nine-minute window

Google’s paper didn’t just reduce the number of qubits. It introduced a practical attack scenario that changes how you think about the threat.

The parts of Shor’s algorithm that only depend on the elliptic curve’s fixed parameters, which are publicly known and identical for every bitcoin wallet, can be precomputed. The quantum computer is sitting in a primed state, already halfway through the calculation and waiting.

The moment a target public key appears, whether broadcast in a transaction to the network’s mempool or already exposed on the blockchain from a previous transaction, the machine only needs to complete the second half.

Google estimates that the second half takes about nine minutes.

Bitcoin’s average block time is 10 minutes. This means that if a user issues a transaction and their public key is visible in the mempool, a quantum attacker has approximately nine minutes to derive a private key and submit a competing transaction that diverts funds.

The math gives the attacker about a 41% chance of finishing before your original transaction is confirmed.
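Where that 41% comes from, as an added derivation that is not part of the article: it assumes, as is standard in bitcoin modelling, that blocks arrive as a Poisson process with a 10-minute mean, so the wait for the next block is exponentially distributed. The attacker wins the race only if no block arrives during the nine minutes of computation:

$$P(\text{no block in } t \text{ minutes}) = e^{-t/10}, \qquad P(\text{no block in } 9) = e^{-0.9} \approx 0.41.$$

Each extra minute the computation takes multiplies the attacker’s odds by $e^{-0.1} \approx 0.9$, so a slower machine loses the race far more often, while a faster one closes in on a sure thing.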

This is the mempool attack. That’s alarming, but it requires a quantum computer that doesn’t exist yet.

The biggest concern, however, is the 6.9 million bitcoins (roughly a third of the total supply) sitting in wallets where the public key has already been permanently exposed on the blockchain. These coins are vulnerable to an “at rest” attack that does not require a race against the clock. The attacker can take as long as necessary.

[Chart (CoinDesk)]

A quantum computer running Shor’s algorithm can transform a bitcoin public key into the private key that controls the coins. For coins traded since Taproot (a Bitcoin privacy upgrade that went live in November 2021), the public key is already visible. For coins at older addresses, the public key is hidden until you spend, at which point you have about nine minutes before the attacker catches up.

What this means in practice, which 6.9 million bitcoins have already been exposed, what Taproot changed, and how quickly the hardware closes the gap is the subject of the next and final piece in this series.
