Future quantum computers could derive Bitcoin private keys from public keys in approximately nine minutes, giving attackers a window to hijack transactions before they confirm on the blockchain, according to research published by Google’s Quantum AI team.
The findings, detailed in a whitepaper released in March 2026, indicate that breaking Bitcoin’s elliptic curve cryptography may require far fewer computational resources than previously estimated. Google researchers found that a quantum computer with fewer than 500,000 physical qubits could crack the encryption protecting Bitcoin wallets, representing a 20-fold reduction from earlier projections.
Bitcoin‘s security relies on elliptic curve cryptography, a one-way mathematical function making it effectively impossible for traditional computers to derive a private key from a public key. However, a quantum algorithm called Shor’s algorithm can reverse this process, turning public keys into private keys and enabling theft.
The nine-minute attack window works because quantum computers can precompute parts of the calculation that depend only on Bitcoin’s fixed parameters, which are identical for every wallet. Once a target public key appears when a transaction is broadcast to the network’s mempool, the machine only needs to finish the second half of the calculation.
Because Bitcoin’s average block confirmation time is 10 minutes, an attacker has roughly nine minutes to derive a private key and submit a competing transaction redirecting funds. Google estimates this gives attackers approximately a 41% chance of completing the theft before the original transaction confirms.
The research reveals that approximately 6.9 million bitcoin, representing roughly one-third of total supply, already sit in wallets where public keys have been permanently exposed. This includes around 1.7 million bitcoin from the network’s early years using the pay-to-public-key format, where public keys are visible by default on the blockchain.
Bitcoin’s 2021 Taproot upgrade inadvertently expanded the pool of vulnerable wallets by making public keys visible on-chain by default. While Taproot improved transaction efficiency and privacy in other ways, it created additional exposure to potential quantum attacks.
The whitepaper distinguishes between two types of quantum threats. Real-time attacks would target transactions in the mempool during the brief window when public keys are exposed, requiring the nine-minute race against confirmation time. Static attacks would target the 6.9 million bitcoin already sitting in exposed wallets, allowing attackers with sufficiently powerful quantum computers to crack them without time pressure.
John Martinis, a 2025 Nobel Prize-winning physicist who helped build Google’s quantum computers, endorsed the research and warned that Bitcoin could be among the earliest real-world targets of quantum attacks.
“It turns out that breaking cryptography is one of the easier applications for quantum computing, because it’s very numeric,” Martinis stated. “These are the smaller, easier algorithms.”
However, both Martinis and Google researchers emphasized that such powerful quantum computers do not yet exist. Current quantum processors have around 1,000 qubits, far below the estimated 500,000 physical qubits needed for the attack. Martinis suggested building machines of this scale may take five to 10 years and remains a major engineering challenge.
Google designed the research using zero-knowledge proof methods to validate resource estimates without revealing actual quantum circuits that could be used for attacks, preventing immediate misuse while allowing the community to verify the findings.
Unlike Ethereum, which confirms transactions faster and leaves less time for quantum attacks, Bitcoin has not yet begun migrating to post-quantum cryptography. Google has previously pointed to 2029 as a potential milestone for useful quantum systems and urged the cryptocurrency community to begin migration efforts before that deadline.
Bitcoin mining would continue functioning even if private key derivation becomes possible, because mining uses SHA-256, a different algorithm that quantum computers cannot meaningfully accelerate with current approaches.
On the other hand, some researchers also want to develop what is being described as the world’s first open-source quantum-resistant chip, designed to protect digital systems from future threats posed by quantum computing. However, the ability to derive private keys from public keys would undermine the network’s ownership guarantees.
