Written by: Changan, Biteye content team
TL;DR: The latest paper from Google's Quantum AI team shows that a fault-tolerant quantum computer with 500,000 qubits could in theory recover Bitcoin private keys in 9 minutes, posing a threat to about 6.9 million Bitcoin whose public keys are exposed. Current hardware is still a factor of 446 short of this goal, and the capability is expected around 2029, so this is no longer distant science fiction. The Bitcoin community is advancing quantum-resistant upgrades such as BIP-360 and SPHINCS+. Ordinary users do not need to panic, but they should check their address formats (avoid keeping funds long-term in Taproot addresses starting with bc1p), get into the habit of "one address, one transaction," and watch for updates from their wallet providers.
On March 31, 2026, an ordinary Monday, the crypto world suddenly exploded.
The Google quantum AI team published a paper stating that quantum computers could crack Bitcoin private keys in just 9 minutes, while the average confirmation time for a Bitcoin block is 10 minutes.
Some said this was alarmist, while others claimed it was a long way from reality, but the warning came from Google.
Can quantum computers really crack Bitcoin? Is the threat real or exaggerated? What should ordinary people do? This article attempts to clarify this issue.
1. What exactly does Google's paper say?
The previous consensus in the industry was that cracking Bitcoin's encryption algorithm would require millions of qubits. This number seemed absurdly high, leading everyone to believe that this was at least decades away. However, Google's paper has reduced this number to less than 500,000, shrinking it by a factor of 20.
The paper outlines a specific attack scenario: when you initiate a Bitcoin transaction, your public key is briefly exposed on the network, waiting to be packaged into a block. This window lasts approximately 10 minutes. According to Google's estimates, a powerful enough quantum computer could derive the private key from your public key in about 9 minutes and forge a transaction with a higher miner fee to siphon off the funds before your original transaction is included on the blockchain, with a success rate of about 41%.
Of course, the paper describes a fully fault-tolerant quantum computer. Google's own Willow processor has only 105 physical qubits, while the paper requires 500,000. There is a difference of 446 times, so a quantum computer capable of cracking BTC does not yet exist.
Google's own target is to complete the transition to quantum-resistant cryptography by 2029, which indicates their estimate of when the threat might become real.
But if such a machine is built one day, cracking Bitcoin would cost much less than you might think.
2. What’s the difference between quantum computers and ordinary computers?
Before discussing what this implies, we first need to clarify one question: what exactly is a quantum computer?
Ordinary computers process information using bits, with each bit having only two states: 0 or 1.
Any computation involves manipulating these 0s and 1s. A 256-bit private key means there are 2^256 possible combinations: cracking it using a classical computer would take longer than the age of the universe, which is why Bitcoin has remained secure for the past 15 years.
Quantum computers use quantum bits (qubits), and the remarkable aspect of qubits is superposition: they can be both 0 and 1 simultaneously. 8 qubits do not only represent 1 state but can represent 256 states at once. The more qubits there are, the exponentially greater the capacity for parallel processing.
However, parallelism alone is not enough to threaten BTC; what truly makes quantum computers a threat to cryptography is Shor's algorithm, invented by MIT mathematician Peter Shor in 1994. This algorithm is specifically designed to factor large integers and to solve the elliptic curve discrete logarithm problem, and the hardness of these two problems is what the security of Bitcoin and Ethereum private keys rests on.
For example: a traditional computer trying to find an exit in a maze can only try one path at a time; with Shor's algorithm, a quantum computer is like having an overhead view of the maze, instantly revealing the exit's location.
Bitcoin uses a signature algorithm called ECDSA (Elliptic Curve Digital Signature Algorithm), operating on the secp256k1 curve. This system is solid against classical computers, but Shor's algorithm can specifically break the mathematical structure of elliptic curves.

3. How can a quantum computer steal your Bitcoin?
Now that we understand the principles of quantum computers, let’s examine how they specifically threaten Bitcoin.
When creating a wallet, the system generates a private key, a random string of 256 bits. The public key is derived from the private key, and the wallet address is derived from the public key. This chain can only move forward; knowing the private key allows you to calculate the public key, but not vice versa.
When you send Bitcoin, the private key is used only to create a digital signature, which is broadcast with the transaction to prove to the network that you are the owner of the funds. The network validates the signature, the transaction is confirmed, and the transfer is complete.
Shor's algorithm can in theory break elliptic curve cryptography, which is the foundation of Bitcoin private key security. For a long time, however, this was not treated as an urgent issue, because the hardware needed to run the algorithm at that scale simply did not exist.
The problem is that quantum computers have been progressing in recent years. Once they become sufficiently powerful, a quantum computer could derive your private key from your public key and forge your signature to transfer the funds.

This raises a critical question: has your public key been exposed?
There are two scenarios for public key exposure.
The first is long-term exposure, where the public key is permanently written on the blockchain and can be read by a quantum machine at any time. There are two types of addresses that fall into this category:
The original address format used by Satoshi Nakamoto and early miners, where the public key was stored in plaintext;
Addresses starting with bc1p, where the intent of Taproot was to improve privacy and efficiency, but by design embedded the public key within the address itself, ultimately backfiring in the face of quantum threats.
The second is short-term exposure, occurring at the moment you initiate a transaction. In the traditional address format, the public key is hidden behind a hash value in an unspent state and is not visible to outsiders. However, every time you send a transaction, the public key enters the memory pool along with the transaction, becoming visible to the entire network before being packaged into a block, and this window averages 10 minutes.
In other words, no matter how cautious you are with your operations, as long as you have sent a transaction, there is always a possibility of being attacked.
Currently, approximately 6.9 million Bitcoin public keys have been permanently exposed on the blockchain. Whether these coins are in personal wallets or the hot wallets of exchanges, as long as the address belongs to the aforementioned high-risk types or has ever sent a transaction, the public key has been leaked.
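The two exposure scenarios above (and the address-format checks in section 5) can be turned into a simple classifier. The following is an added example, not code from the article or from any Bitcoin project: it matches a scriptPubKey against the standard output templates, combines that with whether the key has already signed a spend, and totals the value whose public key is readable on-chain. The exposure labels, the `has_spent_before` flag and the sample outputs (built from SHA-256 digests of labels, so they are not real keys) are all constructed for the example; it ignores finer points such as Taproot script-path spends.

```python
import hashlib

# Exposure classes used by this example (constructed labels, not Bitcoin Core terms).
PERMANENT = "public key permanently on-chain"
UNTIL_SPENT = "hash-protected until first spend"
EXPOSED_BY_SPEND = "public key revealed by an earlier spend"


def classify_script(spk: bytes) -> tuple:
    """Return (script_type, exposure_if_never_spent) for a scriptPubKey,
    matched against the standard Bitcoin output templates."""
    n = len(spk)
    # P2PK (Satoshi-era): <push 33/65-byte key> OP_CHECKSIG; the key itself is the output.
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC and spk[1] in (2, 3, 4):
        return "P2PK", PERMANENT
    # P2TR (bc1p...): OP_1 <push 32-byte x-only key>; the (tweaked) key is the output.
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR", PERMANENT
    # P2PKH (1...): OP_DUP OP_HASH160 <push 20-byte hash160(pubkey)> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH", UNTIL_SPENT
    # P2WPKH (bc1q...): OP_0 <push 20-byte hash160(pubkey)>
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH", UNTIL_SPENT
    # P2SH (3...) and P2WSH: only a script hash is visible until a spend reveals the script.
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH", UNTIL_SPENT
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH", UNTIL_SPENT
    return "unknown", "unknown"


def exposure(spk: bytes, has_spent_before: bool) -> str:
    """Combine the script template with spend history: a hash-protected
    output whose key has already appeared in a signature is exposed too."""
    _, base = classify_script(spk)
    if base == UNTIL_SPENT and has_spent_before:
        return EXPOSED_BY_SPEND
    return base


def summarize(utxos) -> dict:
    """utxos: iterable of (scriptPubKey bytes, value in satoshi, has_spent_before).
    Returns total satoshi per exposure class."""
    totals = {}
    for spk, sats, spent in utxos:
        cls = exposure(spk, spent)
        totals[cls] = totals.get(cls, 0) + sats
    return totals


def at_risk_satoshi(utxos) -> int:
    """Value whose public key a future quantum attacker could already read."""
    t = summarize(utxos)
    return t.get(PERMANENT, 0) + t.get(EXPOSED_BY_SPEND, 0)


# Constructed sample outputs: key/hash bytes are SHA-256 digests of labels,
# so the scripts are syntactically valid but belong to nobody.
def _fake(label: str, n: int) -> bytes:
    return hashlib.sha256(label.encode()).digest()[:n]


SAMPLE_UTXOS = [
    (b"\x21\x02" + _fake("early-miner-key", 32) + b"\xac", 50_0000_0000, False),       # P2PK, 50 BTC
    (b"\x51\x20" + _fake("taproot-key", 32), 1_5000_0000, False),                      # P2TR, 1.5 BTC
    (b"\x76\xa9\x14" + _fake("reused-legacy", 20) + b"\x88\xac", 2_0000_0000, True),  # P2PKH, spent before
    (b"\x00\x14" + _fake("fresh-segwit", 20), 7500_0000, False),                       # P2WPKH, never spent
]

if __name__ == "__main__":
    for cls, sats in summarize(SAMPLE_UTXOS).items():
        print(f"{cls:42s} {sats / 1e8:10.4f} BTC")
    print("at risk:", at_risk_satoshi(SAMPLE_UTXOS) / 1e8, "BTC")
```

Run against a real wallet's outputs, the same logic gives the practical answer section 5 asks for: anything in the P2PK or P2TR classes, plus any hash-protected output whose key has already signed, is what a quantum attacker could work on today.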

4. What is the Bitcoin community doing?
On the day the Google paper was released, CZ @cz_binance responded on Twitter: no need to panic; upgrading cryptocurrencies to quantum-resistant algorithms can solve the problem. The threat is real, but the industry has the capability to respond.
Vitalik Buterin (@VitalikButerin) took a much more cautious stance, having warned about this issue for some time and estimating about a 20% probability that a truly capable quantum computer will appear before 2030.
Both of them believe the threat is real, but their assessments of urgency differ. The Bitcoin developer community had already been taking this issue seriously before the paper, and is currently discussing four main directions.

BIP-360, also known as Pay-to-Merkle-Root. Current Bitcoin addresses permanently write the public key on the blockchain; the idea of BIP-360 is to remove the public key from the transaction structure entirely and replace it with a Merkle root. With no public key to read, a quantum machine has nothing to run Shor's algorithm against, and the attack cannot proceed.
This solution is already operational on the testnet of BTQ Technologies, with over 50 miners participating and more than 200,000 blocks processed. However, it should be clarified that BIP-360 only protects newly generated coins, and the 1.7 million old addresses with exposed public keys remain an issue.
SPHINCS+, standardized under the name SLH-DSA, is a hash-based post-quantum signature scheme. Its logic is straightforward: since Shor's algorithm specifically targets elliptic curves, we can replace the elliptic curves with hash functions for signatures.
This solution was standardized by NIST in August 2024. The challenge lies in the signature size: current Bitcoin ECDSA signatures are only 64 bytes, while SPHINCS+ signatures exceed 8KB, a 100-fold increase, greatly raising transaction fees and block space requirements.
For this reason, developers have proposed optimization schemes like SHRIMPS and SHRINCS aimed at compressing signature size without sacrificing security.
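To make the trade-off concrete, here is an added example (not code from the article, from SPHINCS+ or from any of the optimization schemes named above) of the simplest hash-based signature, a Lamport one-time signature: the key is 256 pairs of random secrets, the public key is their hashes, and signing reveals one secret per digest bit. No elliptic curve is involved, so Shor's algorithm has nothing to attack, but the signature is 256 x 32 = 8192 bytes, in the same size range the article gives for SPHINCS+. The `ECDSA_SIG_BYTES` constant and the sample transaction string are assumptions of the example.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


N_BITS = 256  # we sign the 256-bit SHA-256 digest of the message


def keygen():
    """Private key: 256 pairs of random 32-byte secrets.
    Public key: the hash of each secret. No elliptic curve anywhere."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def sign(sk, msg: bytes):
    """For each digest bit, reveal the secret that corresponds to its value."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed secret and compare it with the published half."""
    if len(sig) != N_BITS:
        return False
    return all(H(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _digest_bits(msg))))


def signature_bytes(sig) -> int:
    return sum(len(s) for s in sig)


ECDSA_SIG_BYTES = 64  # compact secp256k1 signature size quoted in the article (assumed here)


def size_ratio(sig) -> float:
    """How many times larger the hash-based signature is than a 64-byte ECDSA one."""
    return signature_bytes(sig) / ECDSA_SIG_BYTES


if __name__ == "__main__":
    sk, pk = keygen()
    tx = b"constructed tx: pay 0.1 BTC to output #1"  # stands in for a serialized transaction
    sig = sign(sk, tx)
    print("valid signature:", verify(pk, tx, sig))
    print("tampered message:", verify(pk, tx + b"!", sig))
    print("signature bytes:", signature_bytes(sig), "ratio vs ECDSA:", size_ratio(sig))
```

The "one-time" caveat matters: signing two different messages with the same Lamport key reveals secrets for both bit values at every position where the digests differ, which is enough to forge signatures. SPHINCS+ gets around this by building a many-time scheme out of hash-based one-time and few-time signatures arranged in a tree, which is also where much of its size comes from.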
Commit/reveal scheme: proposed by Lightning Network co-founder Tadge Dryja, this scheme addresses the short-term exposure risks in the memory pool. It splits a transaction into two phases:
In the first phase, a hash fingerprint is submitted that contains no transaction information, only leaving a timestamp on the blockchain.
In the second phase, the actual transaction is broadcasted, and the public key is exposed then. Even if a quantum attacker intercepts the public key and derives the private key during the second phase, their forged transaction would be rejected by the network due to the absence of a corresponding first-phase pre-submission record. The trade-off is that each transaction takes an extra step, slightly increasing costs.
This is seen by the community as a transitional solution to use until a more complete quantum-resistant system is established.
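The two-phase flow described above, as an added example that is not part of the article and not the proposal's own code: a toy ledger records salted commitments by block height, accepts a reveal only if an older commitment for exactly that transaction exists, and refuses to spend a UTXO twice. The transaction format (`utxo=...;to=...;pubkey=...`), the one-block minimum age, the fixed salt and the placeholder public key are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field


def commitment(tx: bytes, salt: bytes) -> bytes:
    """Phase 1 artifact: a salted hash that reveals nothing about tx,
    in particular not the public key inside it."""
    return hashlib.sha256(b"commit|" + salt + b"|" + tx).digest()


def spends(tx: bytes) -> str:
    """Constructed transaction format: 'utxo=<id>;to=<addr>;pubkey=<hex>'."""
    return dict(kv.split("=", 1) for kv in tx.decode().split(";"))["utxo"]


@dataclass
class Chain:
    """Toy ledger: commitments are recorded with the block height at which
    they were seen; a reveal is valid only if its commitment is older."""
    height: int = 0
    commits: dict = field(default_factory=dict)
    spent: set = field(default_factory=set)
    accepted: list = field(default_factory=list)
    min_age: int = 1  # blocks a commitment must age before its reveal (assumed)

    def mine_block(self):
        self.height += 1

    def phase1_commit(self, c: bytes):
        self.commits.setdefault(c, self.height)  # first sighting wins

    def phase2_reveal(self, tx: bytes, salt: bytes) -> bool:
        c = commitment(tx, salt)
        seen = self.commits.get(c)
        if seen is None or self.height - seen < self.min_age:
            return False  # no old-enough commitment for exactly this tx
        if spends(tx) in self.spent:
            return False  # UTXO already consumed
        self.spent.add(spends(tx))
        self.accepted.append(tx)
        return True


def scenario():
    """Returns (forged_first_accepted, honest_accepted, forged_later_accepted)."""
    chain = Chain()
    salt = b"constructed-salt"  # would be random per transaction in practice
    honest = b"utxo=1;to=owner-new-address;pubkey=deadbeef"  # placeholder key
    chain.phase1_commit(commitment(honest, salt))
    chain.mine_block()  # commitment is now one block old
    # The honest reveal enters the mempool and exposes the public key.
    # Suppose an attacker derives the private key from it and submits a
    # competing spend with a higher fee that a miner looks at first:
    # there is no matching commitment, so it is rejected.
    forged = b"utxo=1;to=attacker-address;pubkey=deadbeef"
    forged_first = chain.phase2_reveal(forged, b"any-salt")
    honest_ok = chain.phase2_reveal(honest, salt)
    # Committing after the fact does not help either: by the time the
    # commitment is old enough, the honest spend has consumed the UTXO.
    chain.phase1_commit(commitment(forged, b"any-salt"))
    chain.mine_block()
    forged_later = chain.phase2_reveal(forged, b"any-salt")
    return forged_first, honest_ok, forged_later


if __name__ == "__main__":
    print("forged reveal without commitment, honest reveal, forged reveal after late commit:")
    print(scenario())
```

The design choice worth noticing is that the commitment binds the full transaction, outputs included, so an attacker who learns the public key in phase 2 cannot redirect the funds: any change to the destination produces a different hash with no prior record. The cost the article mentions is visible too: every spend now needs a commitment transaction and a wait of at least `min_age` blocks.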
Hourglass V2: proposed by developer Hunter Beast, specifically targets the 1.7 million addresses with permanently exposed public keys. The logic of this proposal is pessimistic but realistic: since the public keys of these addresses can no longer be hidden, once quantum machines are powerful enough, these coins will inevitably be stolen.
Hourglass V2 does not intend to prevent old addresses from being stolen; rather, it limits the amount of Bitcoin that can be transferred from such addresses in each block to 1 coin, similar to limiting daily withdrawal amounts during a bank run.
This proposal is highly controversial because there is a principle in the Bitcoin community: no one has the right to interfere with your Bitcoin, and many believe that even such limited restrictions are overstepping boundaries.
This is not the first time Bitcoin has faced pressure to upgrade. The scaling debate in 2017 lasted several years, eventually leading to the split of Bitcoin Cash. The Taproot upgrade in 2021 took nearly four years from proposal to activation. Each time, the community has had to endure long discussions, tug-of-war, and compromises to push anything forward. The response to quantum threats will likely follow the same path.
5. What should ordinary users do right now?
After all this, what can ordinary users do?
The answer is not as complicated as you might think. Quantum computers cannot crack your Bitcoin today, but there are a few things to start paying attention to now.

Check your address format
Open your wallet and see what your receiving address starts with. Addresses starting with bc1p are Taproot addresses, where the public key is embedded in the address itself by default, which makes them a high-risk format with long-term exposure. If your assets sit in such addresses and have never been moved, the risk today is still theoretical, but it is worth following the progress of BIP-360.
Addresses starting with bc1q (SegWit) and those starting with 1 (traditional addresses) still keep the public key protected behind hashes in an unspent state, relatively safe. However, once you have sent even one transaction, the public key will have been permanently exposed on the blockchain.
Cultivate good address hygiene habits
Avoid repeatedly receiving and sending funds to the same address. Every time you send a transaction, the public key will be exposed, and used addresses will no longer have hash protection. Most modern wallets generate a new address automatically after each receipt; just ensure this feature is enabled.
Stay updated on wallet software
Hardware wallet manufacturers like Ledger and Trezor will be crucial in quantum upgrades. Once BIP-360 or a post-quantum signature scheme is activated on the mainnet, wallets will need to support the new address formats and signature algorithms. What users may need to do is simply update the firmware, but they may also need to migrate assets from old addresses to the new format. Right now, ensure the wallet you use comes from manufacturers with a track record of ongoing updates, and keep informed.
Assets on exchanges
Exchanges do not require user action; their teams will handle the technical upgrades. Coinbase has already established a quantum advisory board, and other major exchanges will follow suit under regulatory pressure. For assets held on reputable exchanges, the quantum upgrade should be largely invisible to you.
6. In conclusion
The claim that "quantum computers will crack Bitcoin" has circulated for many years, mocked each time it resurfaces, with nothing happening afterward. Over time, people began to treat it as the boy who cried wolf.
However, this time the warning comes from Google. Bitcoin developers are already rigorously preparing countermeasures, and the roadmap on the Ethereum side is also progressing. Until now, this matter has remained largely theoretical, and no one can give a definitive answer about whether quantum computers can truly conquer Bitcoin's encryption algorithms.
Google predicts 2029; some say it will take decades longer, while others believe it will never happen. Only time will tell the answer to this question.
The progress of quantum computing has never been uniform; the last major breakthrough occurred without anyone anticipating it, and the next one could be the same.