How a quantum computer can be used to actually steal your bitcoin in '9 minutes'

coindesk.com 3 h

Part 1 of this series explained what quantum computers actually are. Not just faster versions of regular computers, but a fundamentally different kind of machine that exploits the weird rules of physics that only apply at the scale of atoms and particles.

But knowing how a quantum computer works does not tell you how a bad actor could use it to steal bitcoin. That requires understanding what it is actually attacking, how bitcoin's security is built, and exactly where the weakness sits.

This piece starts with bitcoin's encryption and works through to the nine-minute window it takes to break it, as identified by Google's recent quantum computing paper.

The one-way map

Bitcoin uses a system called elliptic curve cryptography to prove who owns what. Every wallet has two keys. The private key is a secret number, 256 binary digits long, roughly as long as this sentence. The public key is derived from the private key by performing a mathematical operation on a specific curve called "secp256k1."

Think of it as a one-way map. Start at a known location on the curve that everyone agrees on, called the generator point G (as shown in the chart below). Take a private number of steps in a pattern defined by the curve's math. The number of steps is your private key. Where you end up on the curve is your public key (point K in the chart). Anyone can verify that you ended up at that specific location. Nobody can figure out how many steps you took to get there.

Technically, this is written as K = k × G, where k is your private key and K is your public key. The "multiplication" is not regular multiplication but a geometric operation where you repeatedly add a point to itself along the curve. The result lands on a seemingly random spot that only your specific number k would produce.

The crucial property is that going forward is easy and going backward is, for classical computers, effectively impossible. If you know k and G, calculating K takes milliseconds. If you know K and G and want to figure out k, you are solving what mathematicians call the elliptic curve discrete logarithm problem.

It is estimated that the best-known classical algorithms for a 256-bit curve would take longer than the age of the universe.

This one-way trapdoor is the entire security model. Your private key proves you own your coins. Your public key is safe to share because no classical computer can reverse the math. When you send bitcoin, your wallet uses the private key to create a digital signature, a mathematical proof that you know the secret number without revealing it.

Shor's algorithm opens the door both ways

In 1994, a mathematician named Peter Shor discovered a quantum algorithm that breaks the trapdoor.

Shor's algorithm solves the discrete logarithm problem efficiently. The same math that would take a classical computer longer than the universe has existed is handled by Shor's algorithm in what mathematicians call polynomial time, meaning the difficulty grows slowly as the numbers get bigger rather than explosively.

The intuition for how it works comes back to the three quantum properties from Part 1 of this series.

The algorithm needs to find your private key k, given your public key K and the generator point G. It converts this into a problem of finding the period of a function. Think of a function that takes a number as input and returns a point on the elliptic curve.

As you feed it sequential numbers, 1, 2, 3, 4, the outputs eventually repeat in a cycle. The length of that cycle is called the period, and once you know how often the function repeats, the math of the discrete logarithm problem unravels in a single step. The private key falls out almost immediately.

Finding the period of a function is exactly what quantum computers are built for. The algorithm puts its input register into a superposition (the quantum state, described in Part 1, in which a particle exists in multiple locations simultaneously), so that the register represents all possible values at once. It then applies the function to all of them at once.

Then it applies a quantum operation called the Fourier transform, which causes the wrong answers to cancel out while the correct answers are reinforced.

When you measure the result, the period appears. From this period, ordinary math recovers k. That is your private key, and therefore your coins.

The attack uses all three quantum tricks from the first piece. Superposition evaluates the function on every possible input at once. Entanglement links the input and output so the results stay correlated. Interference filters the noise until only the answer remains.
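The one-way map K = k × G from the previous section and the "ordinary math" that turns a period into k, written out in Python as an added example (this is not the article's code or Google's circuit). The curve constants are secp256k1's published parameters; the brute-force search shows why reversing the map only works for tiny keys, and `key_from_period` performs the classical last step of Shor's algorithm once a period of f(a, b) = a·G + b·K is known, which is the part the quantum computer supplies.

```python
# Added example, not the article's own code: secp256k1 arithmetic in plain Python.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity, the group identity

def point_add(a, b):
    """One 'step' on the curve: the geometric addition the article describes."""
    if a is INF or b is INF:
        return b if a is INF else a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return INF  # b is the negation of a
    if a == b:  # doubling uses the tangent slope (secp256k1 has a = 0)
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:       # distinct points use the chord slope
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x3 = (lam * lam - a[0] - b[0]) % P
    return (x3, (lam * (a[0] - x3) - a[1]) % P)

def scalar_mul(k, pt):
    """k*pt by double-and-add: ~256 doublings, so the forward map is cheap."""
    result = INF
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result

def public_key(k):
    """Public key K = k*G from a private key k in [1, N-1]."""
    return scalar_mul(k % N, G)

def recover_small_key(K, limit):
    """Brute-force discrete log: walk G, 2G, 3G, ... Feasible only for tiny k."""
    pt = G
    for k in range(1, limit + 1):
        if pt == K:
            return k
        pt = point_add(pt, G)
    return None

def key_from_period(u, v, K):
    """Classical finish of Shor's algorithm: f(a, b) = a*G + b*K repeats under a
    shift (u, v) with u*G + v*K = INF, i.e. u + v*k = 0 mod N, so k = -u/v mod N."""
    if point_add(scalar_mul(u, G), scalar_mul(v, K)) is not INF:
        raise ValueError("(u, v) is not a period of f")
    return (-u * pow(v, -1, N)) % N
```

Deriving a public key takes a few hundred point operations regardless of key size, while `recover_small_key` scales with the key itself, which is the asymmetry the discrete logarithm problem rests on.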

Why bitcoin still works today

Shor's algorithm has been known for more than 30 years. The reason bitcoin still exists is that running it requires a quantum computer with a large enough number of stable qubits to maintain coherence through the entire calculation.

Building that machine has been beyond reach, but the question has always been how large is "large enough."

Previous estimates said millions of physical qubits. Google's paper, published in early April by its Quantum AI division with contributions from Ethereum Foundation researcher Justin Drake and Stanford cryptographer Dan Boneh, reduced that to fewer than 500,000, a roughly 20-fold reduction from prior estimates.

The team designed two quantum circuits that implement Shor's algorithm against bitcoin's specific elliptic curve. One uses approximately 1,200 logical qubits and 90 million Toffoli gates. The other uses approximately 1,450 logical qubits and 70 million Toffoli gates.

A Toffoli gate is a type of gate that acts on three qubits: two control qubits, which affect the state of a third, target qubit. Imagine this as three light switches (qubits) and a special lightbulb (the target) that only turns on if two specific switches are flipped on at the same time.

Because qubits lose their quantum state constantly, as Part 1 explained, you need hundreds of redundant qubits checking each other's work to maintain a single reliable logical qubit. Most of a quantum computer exists just to catch the machine's own mistakes before they ruin the calculation. The roughly 400-to-1 ratio between physical and logical qubits reflects how much of the machine exists as self-babysitting infrastructure.

The nine-minute window

Google's paper did not just reduce qubit counts. It introduced a practical attack scenario that changes how to think about the threat.

The parts of Shor's algorithm that depend only on the elliptic curve's fixed parameters, which are publicly known and identical for every bitcoin wallet, can be precomputed. The quantum computer sits in a primed state, already halfway through the calculation, waiting.

The moment a target public key appears, whether broadcast in a transaction to the network's mempool or already exposed on the blockchain from a previous transaction, the machine only needs to finish the second half.

Google estimates that the second half takes about nine minutes.

Bitcoin's average block confirmation time is 10 minutes. That means if a user broadcasts a transaction and their public key is visible in the mempool, a quantum attacker has roughly nine minutes to derive a private key and submit a competing transaction that redirects funds.

The math gives the attacker a roughly 41% chance of finishing before your original transaction confirms.

That is the mempool attack. It is alarming but it requires a quantum computer that does not exist yet.

The bigger concern, however, is the 6.9 million bitcoin (roughly one-third of total supply) sitting in wallets where the public key has already been permanently exposed on the blockchain. Those coins are vulnerable to an "at-rest" attack that requires no race against the clock. The attacker can take as long as needed.

A quantum computer running Shor's algorithm can turn a bitcoin public key into the private key that controls the coins. For coins transacted since Taproot (a privacy upgrade on Bitcoin that went live in November 2021), the public key is already visible. For coins in older addresses, the public key is hidden until you spend, at which point you have roughly nine minutes before the attacker catches up.

What this means in practice, which 6.9 million bitcoin are already exposed, what Taproot changed, and how fast the hardware is closing the gap, is the subject of the next and final piece in this series.
