Quantum computer researchers: Bitcoin encryption breakable in a few years
Google Quantum AI: Quantum computer could break Bitcoin cryptography with under 500,000 qubits in nine minutes. This will likely only be possible in the 2030s.
A superconducting quantum computer with 1,200 error-corrected qubits – in real hardware, this corresponds to fewer than 500,000 physical qubits – and 90 million computational steps could calculate a Bitcoin user's private key – thus breaking the cryptographic foundation of Bitcoin security. Bitcoin's average "block time", the interval between two permanently stored transaction bundles, is ten minutes.
According to the whitepaper by Google Quantum AI, however, the encryption could be circumvented in just nine minutes in the best-case scenario. The researchers also provide the associated zero-knowledge proof and source code.
How the attack works
Bitcoin's security relies on a mathematical promise: each user has two associated keys – a public one, which anyone can see, and a private one, which only the owner knows. Anyone who wants to spend coins must prove with a digital signature that they know the private key. Calculating the private key back from the public one is considered practically impossible for classical computers.
Quantum computers break this one-way street with the so-called Shor's algorithm – developed in 1994 by mathematician Peter Shor. It can directly recognize and exploit certain mathematical structures that underlie classical cryptography. What is a seemingly infinite search task for normal computers becomes a solvable computational problem for a sufficiently large quantum computer.
When a Bitcoin user sends a transaction, it first lands in the so-called mempool – a publicly viewable waiting area for all unconfirmed transactions. The sender's public key is visible to everyone there. Only after an average of ten minutes is the transaction permanently stored in a block by a miner – a computer participating in the network. This is precisely the window in which the described attack operates: a quantum computer reads the public key, calculates the private key from it, and sends a fake transaction with a higher fee – miners will prefer it, and the original transaction will be displaced.
The effective attack duration can be halved to about nine minutes because part of the calculation can be done in advance – the quantum computer then waits, prepared, for the victim's public key.
Not all quantum computers would be equally dangerous. While Google continues to rely on superconducting systems, alternative architectures are now also becoming relevant for attacks. Photonic quantum computers and silicon-based architectures would have the necessary speed for real-time attacks on ongoing transactions. Slower systems like ion trap quantum computers, which use individual atoms as qubits, could, on the other hand, only attack addresses whose public key is already permanently visible on the blockchain. Examples are old, never-moved wallets, where the attacker has days or weeks.
An order of magnitude more efficient than formerly known
The crucial advance of the paper lies not in the algorithm itself but in its efficiency. Previous estimates assumed around 200 million computational steps and nine million physical qubits. Google arrives at 70 million computational steps and fewer than 500,000 qubits. The total product of required computational steps and qubits – the so-called spacetime volume, which determines the actual hardware effort – is thus improved by about an order of magnitude.
This is achieved through two central levers that work together.
The first is Windowed Arithmetic. The core of the attack is the repeated addition of points on an elliptic curve – the special geometric structure on which Bitcoin's cryptography is based. Naively executed, this requires 512 individual controlled operations. The researchers group 16 steps each into a "window" and pre-calculate the possible results classically. This reduces the number of necessary quantum operations to 28 – about one-eighteenth.
The second lever concerns error correction. Qubits are prone to errors; a single logical qubit that functions reliably requires many physical qubits for backup. How many depends heavily on the error correction arrangement. Google uses so-called Yoked Surface Codes here – a particularly dense packing of the correction circuits – which reduces the need for physical qubits from nine million to under 500,000. The 1,200 logical qubits of the algorithm are error-corrected, reliable computing units. In real hardware, each of them requires about 400 error-prone physical qubits for backup, resulting in the total requirement of under 500,000 physical qubits.
In addition, there are smaller but effective optimizations. A technique called Measurement-Based Uncomputation replaces complex backward calculation steps with targeted measurements, thereby halving some computational steps. And by cleverly recycling a single small quantum register – instead of two large registers, as Shor's algorithm would naively require – the qubit requirement can be further reduced.
These tricks are not new; some have already been described in previous work. What's new about the paper is their consistent combination in a common circuit architecture. According to Google, the result is a quantum circuit that is more compact, faster, and requires less hardware than anything published so far.
How far along are today's quantum computers?
No existing quantum computer can perform the described attack today. IBM's current Nighthawk processor works with 120 physical qubits, and the Finnish company IQM has announced a 150-qubit chip with its Halocene system. Google's Willow processor operates in similar orders of magnitude. For a Bitcoin attack, 500,000 physical qubits would be needed – about three to four thousand times the most powerful systems available today. A detailed overview of the current status of various architectures can be found in the background article "How far along is quantum hardware in 2026".
Some manufacturers are already aiming for systems with two million physical qubits by 2030. If these plans are even approximately met, the threshold required for a Bitcoin attack could theoretically be reached in the second half of the 2030s – provided that error correction keeps pace with qubit growth, which is by no means guaranteed. However, the Google researchers explicitly warn against drawing a conclusion of safety from the current lag: algorithm improvements like those described in the paper have continuously lowered the requirements in recent years. At the same time, it cannot be ruled out that crucial breakthroughs may not become publicly known first.
Millions of Bitcoins as a permanent attack target
Regardless of the transaction speed issue, there is a second, structural threat that does not require real-time capability: addresses whose public key is already permanently visible. According to the paper, around 6.9 million Bitcoins are currently at risk due to exposed public keys – including around 1.7 million BTC in so-called P2PK addresses. This is an outdated address format from the early days of Bitcoin, where the public key is stored directly on the blockchain. Among these are coins attributed to Satoshi Nakamoto, the anonymous Bitcoin creator.
Around 2.3 million of these at-risk BTC have not been moved for at least five years. These "sleeping" coins cannot be migrated to secure addresses – their owners are unreachable, or the private keys are lost. They thus remain a permanent attack target with a value in the three-digit billions.
Ethereum: Structurally broader risk
While Bitcoin is primarily at risk from exposed keys, Ethereum has a structurally broader attack profile. Like Bitcoin, Ethereum uses digital signatures based on the Elliptic Curve Digital Signature Algorithm (ECDSA) and is therefore fundamentally vulnerable to quantum attacks; however, the broader attack surface results from the system architecture. The platform not only performs transactions but also complex programs – so-called smart contracts – that manage assets and enforce rules without the need for an intermediary.
Ethereum accounts permanently reveal their public key after the first transaction – around 20.5 million ETH in the thousand most valuable accounts are therefore at risk. The situation is particularly precarious with smart contracts, which are often managed by a few privileged accounts: anyone who knows their private key controls the entire contract – and thus, according to the paper, around 200 billion US dollars in stablecoins and tokenized real assets such as bonds or real estate funds. In addition, around 37 million ETH are in so-called staking – coins that users deposit as collateral to participate in the network's validation process – which are at risk due to attackable signatures. Particularly critical: with Ethereum's data availability mechanism, a single quantum attack would be sufficient to create a permanently usable backdoor that would then function without a quantum computer.
Disclosure without an attack blueprint
The researchers are deliberately not publishing the concrete quantum circuits to avoid providing potential attackers with a blueprint. Instead, they use a so-called zero-knowledge proof – a mathematical method that can prove that one knows something without revealing the knowledge itself. Independent auditors can thus verify that the described circuits exist and meet the claimed resources – without obtaining the security-critical details.
Migration to quantum security – but how?
The researchers recommend an immediate migration to so-called post-quantum cryptography – encryption methods that also withstand quantum computers – for which Google is already setting a significantly tighter schedule than government agencies. The US standardization institute NIST has already adopted initial standards for this, including the lattice-based signature scheme Dilithium and the hash-based SPHINCS+. Both use mathematical problems for which no efficient quantum algorithm is known. The German Federal Office for Information Security also recommends using classical asymmetric encryption methods only in combination with post-quantum cryptography from 2032 onwards.
For cryptocurrencies, this is easier said than done. The migration requires protocol changes that need broad consensus in decentralized networks – a lengthy process. On the Bitcoin blockchain alone, transferring all coins to new, quantum-secure addresses would take several months at the current transaction throughput. As short-term protective measures, the authors also recommend not reusing public keys and using private mempools where transactions are not publicly visible.
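As an added example (not from the article or the Google paper) of the defender-side check behind the last sentence and the P2PK discussion above, the following Python audit walks a constructed ledger of Bitcoin-style transactions and flags unspent outputs whose public key is already on chain, either because the output uses the P2PK format or because its address hash was spent from earlier, which reveals the key. Transaction ids, keys and hashes are constructed placeholders, and script validity is not checked.

```python
OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC

def classify(script_hex):
    """Return (script_type, key_or_hash) for the common Bitcoin output script forms."""
    s = bytes.fromhex(script_hex)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG -- the public key itself is on chain
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == OP_CHECKSIG:
        return "p2pk", s[1:-1].hex()
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG -- only a hash is on chain
    if len(s) == 25 and s[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) and s[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh", s[3:23].hex()
    # P2WPKH: OP_0 <20-byte hash> -- likewise only a hash
    if len(s) == 22 and s[0] == 0x00 and s[1] == 0x14:
        return "p2wpkh", s[2:].hex()
    return "other", None

def audit(txs):
    """Walk txs in order; return {(txid, vout): reason} for unspent outputs whose key is visible."""
    unspent = {}      # (txid, vout) -> (script_type, key_or_hash)
    revealed = set()  # hashes whose public key was shown by spending a P2PKH/P2WPKH output
    for tx in txs:
        for inp in tx["inputs"]:
            prev = unspent.pop((inp["txid"], inp["vout"]), None)
            # Spending a hash-based output necessarily reveals its public key (scriptSig/witness)
            if prev and prev[0] in ("p2pkh", "p2wpkh"):
                revealed.add(prev[1])
        for vout, spk in enumerate(tx["outputs"]):
            unspent[(tx["txid"], vout)] = classify(spk)
    exposed = {}
    for outpoint, (kind, payload) in unspent.items():
        if kind == "p2pk":
            exposed[outpoint] = "P2PK: public key stored directly in the output"
        elif kind in ("p2pkh", "p2wpkh") and payload in revealed:
            exposed[outpoint] = "key reuse: public key revealed by an earlier spend from this hash"
    return exposed

# Constructed mini ledger with placeholder txids, keys and hashes (not real chain data).
PUBKEY = "04" + "11" * 64                     # 65-byte uncompressed key, placeholder
SAMPLE_TXS = [
    {"txid": "tx_a", "inputs": [], "outputs": [
        "41" + PUBKEY + "ac",                 # P2PK: key exposed from the start
        "76a914" + "aa" * 20 + "88ac",        # P2PKH to hash aa..
        "0014" + "bb" * 20,                   # P2WPKH to hash bb.., never spent
    ]},
    {"txid": "tx_b", "inputs": [{"txid": "tx_a", "vout": 1}], "outputs": [
        "76a914" + "aa" * 20 + "88ac",        # change sent back to hash aa.. -> reuse
        "76a914" + "cc" * 20 + "88ac",        # fresh hash cc.., not exposed
    ]},
]
```

Running `audit(SAMPLE_TXS)` flags the P2PK output of tx_a and the reused-hash output of tx_b, while the never-spent P2WPKH output and the fresh P2PKH output stay unflagged.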
(vza)