Google flags 6.9M Bitcoin at higher risk from quantum attacks

A Google whitepaper warns that fewer than 500,000 physical qubits could let a quantum computer derive Bitcoin private keys from exposed public keys before a transaction confirms.

Google’s Quantum AI team reported in a new whitepaper that fewer than 500,000 physical qubits may be enough for a quantum computer to compute Bitcoin private keys from exposed public keys before a transaction is confirmed. The finding lowers prior resource estimates for a practical attack.

The paper describes a real-time attack in which an adversary monitors the network, captures a public key when a transaction is broadcast, and computes the corresponding private key quickly enough to redirect funds. With Bitcoin blocks arriving about every 10 minutes, the model estimates a 41% success rate within nine minutes for a sufficiently fast machine.

Two attack paths are outlined, each requiring roughly 1,200 to 1,450 logical qubits. Earlier projections often assumed millions of physical qubits would be necessary.

The authors estimate that about 6.9 million bitcoin currently sit in addresses where public keys have already appeared on-chain, including early holdings and reused addresses. Those coins would be more exposed if capable quantum hardware becomes available because no new transaction is needed to reveal a key.

The analysis flags aspects of Bitcoin’s 2021 Taproot upgrade. While Taproot was designed to simplify and aggregate signatures, it can make certain spending conditions more visible on-chain, which could expand the set of wallets identifiable to a quantum-capable adversary.
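The exposure classes discussed above (early pay-to-public-key outputs, reused addresses, and Taproot outputs, whose output script contains a 32-byte public key) can be checked for a wallet's own unspent outputs. The following is an added Python example, not code from the whitepaper or from GNcrypto; the function names are hypothetical and the sample scripts and amounts are constructed.

```python
KEY_IN_OUTPUT = {"p2pk", "p2tr"}  # the output script itself carries a public key

def classify(script_hex: str) -> str:
    """Return the standard type of a scriptPubKey given as hex."""
    try:
        s = bytes.fromhex(script_hex)
    except ValueError:
        return "other"
    n = len(s)
    # <33- or 65-byte pubkey push> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk"
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh"
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh"
    if n == 34 and s[:2] == b"\x51\x20":  # OP_1 <32-byte output key>
        return "p2tr"
    return "other"

def exposure(script_hex: str, spent_before: set) -> str:
    """Say why the key behind an unspent output is public, if it is."""
    kind = classify(script_hex)
    if kind in KEY_IN_OUTPUT:
        return "key-in-output"
    if kind == "other":
        return "unknown"  # non-standard script: needs manual review
    if script_hex.lower() in spent_before:
        return "revealed-by-reuse"  # an earlier spend published the key
    return "hashed"  # key stays hidden until this output is spent

def summarize(utxos, spent_before):
    """Total satoshis per exposure class for (script_hex, value) pairs."""
    totals = {}
    for script_hex, sats in utxos:
        label = exposure(script_hex, spent_before)
        totals[label] = totals.get(label, 0) + sats
    return totals

# Constructed sample scripts and amounts, not real outputs.
P2PK = "2102" + "11" * 32 + "ac"
P2TR = "5120" + "22" * 32
P2PKH = "76a914" + "33" * 20 + "88ac"
P2WPKH = "0014" + "44" * 20
UTXOS = [(P2PK, 5_000_000_000), (P2TR, 150_000), (P2PKH, 70_000), (P2WPKH, 20_000)]
```

`spent_before` is the set of lowercase output scripts the wallet has already spent from at least once, taken from its own transaction history.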

Similar conclusions are drawn for Ethereum, whose cryptography would also require fewer qubits to compromise than previously assumed. Ethereum co-founder Vitalik Buterin has urged work on quantum resistance and described EIP-8141 as a proposal that “makes privacy protocols much more first-class.”

Google is advancing its own defenses. Company plans call for migrating systems to quantum-resistant cryptography by 2029, with Android 17 already using quantum-resistant signatures and Chrome supporting post-quantum key exchange. The research builds on Google’s 105-qubit Willow chip, used to test improved error correction and scaling techniques.

Any protocol changes intended to harden Bitcoin against quantum attacks would need broad agreement among network participants. Major changes to widely used cryptographic standards require coordinated implementation across wallets, exchanges and miners.
