
The Eve of Quantum Supremacy: Google Says Cracking Bitcoin Only Takes 9 Minutes

Techub News
8 hours ago

Author: Clow

In 1943, at Bletchley Park in the UK, a group of mathematicians gathered around a mechanical device called the "bombe," trying to break the Nazi German Enigma code. They succeeded. The significance of this event was never about solving a mathematical problem; it was that whoever cracked the code first could rewrite the outcome of the war.

The offense and defense of cryptography have always been a war of real money.

Eighty years later, this logic is playing out in a quieter, yet possibly more lethal way. On March 30, 2026, a team from Google’s Quantum AI lab, along with Ethereum Foundation researcher Justin Drake and Stanford cryptographer Dan Boneh, released a white paper stating that breaking the secp256k1 elliptic curve cryptography on which Bitcoin relies requires about 20 times fewer quantum resources than previous optimistic academic estimates. With 500,000 physical qubits, a quantum computer could derive a private key from a public key in just 9 minutes.

The lock on Bitcoin is still there. But someone is sharpening the key.

01 What can be done in 9 minutes?

The average block time for Bitcoin is 10 minutes. You may have heard this number countless times, but never thought of it as a security vulnerability.

Now it is.

The Google team developed two optimized circuit designs for the secp256k1 curve. The low-gate variant requires only about 1,450 logical qubits and 70 million Toffoli gate operations, with an effective time of about 18 minutes to break a private key. With precomputation added as an optimization, this time can be reduced to under 9 minutes.

What does this mean? Imagine: you just clicked "send" in your wallet, and a transaction is broadcast to the Bitcoin network's memory pool (mempool). Your public key is exposed at this moment. A sufficiently powerful quantum computer could finish cracking the private key before a block is mined, then forge a competing transaction with a higher fee that transfers your money to the attacker's address. Miners only recognize the transaction with the higher fee. According to Google's estimates, the success rate of this "memory pool hijacking" is about 41%.

You won't even receive any error message. The money is just gone.

Notably, Google did not publicly disclose the complete attack circuit. They adopted a highly innovative "responsible disclosure" model: releasing a zero-knowledge proof based on SP1 and Groth16 SNARKs, allowing third parties to verify whether the resource consumption claimed by Google is accurate without knowing the attack details. In other words, they proved they could do it but did not tell you how.

This restraint itself is a warning.

02 6.9 million Bitcoins, waiting to be shattered

Not all Bitcoins are equally vulnerable in the face of quantum threats. Google's report clearly delineates the risks.

The first to be affected are early P2PK addresses, approximately 1.7 million BTC. The public keys of these addresses are written in plaintext on the blockchain, so no guessing is needed and a quantum computer can go straight to work. Following closely are about 5.2 million Bitcoins exposed due to address reuse. Once you initiate a transaction from an address, its public key remains permanently visible on the chain.

In total, about 6.9 million Bitcoins are in a "static exposure" state. At current prices, this represents a risk exposure of over $600 billion.

More ironic is Taproot. The upgrade that the Bitcoin community worked hard to promote in 2021 was originally intended to enhance privacy and support more complex smart contracts. However, the Schnorr signature scheme used in Taproot was designed to directly expose the tweaked public key on the chain. This eliminated the layer of protection provided by hashing the public key in traditional P2PKH addresses. In classical computing environments, this is harmless. But in a quantum environment, it represents a regression in security. By 2025, Taproot transactions accounted for 21% of the Bitcoin network's transaction volume, and the share continues to grow.

Then there's the elephant in the room: about 1.1 million BTC from the Satoshi Nakamoto era. These coins all use P2PK scripts, and the private keys are likely lost, making it impossible for anyone to migrate them to quantum-resistant addresses. Once a 500,000-qubit quantum computer appears, this will become the largest 'public treasure' in human history. Whoever builds that machine first will take this money.
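
The exposure categories in this section can be read mechanically from an output's locking script. The Python sketch below is an added example, not code from the article or the Google paper; the function names and the sample scripts (filler bytes in place of real keys and hashes) are constructed for illustration, and any script that has been spent from before is treated as "reused".

```python
# Added example (not from the article or the Google paper): classify a Bitcoin
# scriptPubKey by whether its public key is readable on-chain before any spend.

def classify(script_hex):
    """Return (script_type, key_exposed_at_rest) for a hex scriptPubKey."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG (0xac)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        if (n == 35 and s[1] in (0x02, 0x03)) or (n == 67 and s[1] == 0x04):
            return ("P2PK", True)
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return ("P2PKH", False)
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return ("P2SH", False)
    # Segwit v0: OP_0 <20-byte key hash> or OP_0 <32-byte script hash>
    if n == 22 and s[:2] == b"\x00\x14":
        return ("P2WPKH", False)
    if n == 34 and s[:2] == b"\x00\x20":
        return ("P2WSH", False)
    # P2TR: OP_1 <32-byte x-only tweaked public key>, stored unhashed
    if n == 34 and s[:2] == b"\x51\x20":
        return ("P2TR", True)
    return ("unknown", False)

def at_risk(utxos, spent_scripts):
    """Flag (script_hex, sats) outputs whose key is already on-chain."""
    report = []
    for script_hex, sats in utxos:
        kind, exposed = classify(script_hex)
        if exposed:
            report.append((kind, sats, "key in output"))
        elif script_hex in spent_scripts:  # key revealed by an earlier spend
            report.append((kind, sats, "address reuse"))
    return report

# Constructed sample scripts: filler bytes stand in for real keys and hashes.
P2PK = "21" + "02" + "11" * 32 + "ac"
P2PKH = "76a914" + "22" * 20 + "88ac"
P2TR = "5120" + "33" * 32
P2WPKH = "0014" + "44" * 20
SAMPLE_UTXOS = [(P2PK, 5_000_000_000), (P2PKH, 100_000), (P2TR, 250_000), (P2WPKH, 70_000)]

if __name__ == "__main__":
    for row in at_risk(SAMPLE_UTXOS, spent_scripts={P2PKH}):
        print(row)
```

A wallet operator can run the same check over their own UTXO set to decide which outputs to move to a fresh hashed address first.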

03 How far is the hardware? Not as far as you think

500,000 physical qubits sounds like an astronomical number. Google's current strongest Willow chip has only 105 qubits, a gap of about 4,760 times. Seems far away, doesn't it?

But advancements in quantum computing have never been linear.

Google has already demonstrated the feasibility of quantum error correction with the Willow chip and has set the deadline for migrating all internal systems to post-quantum cryptography to 2029. They believe in this timeline. IBM's roadmap is even more aggressive: launching the Starling system in 2029, aiming for 200 logical qubits and 100 million gate operations; the long-term target of Blue Jay aims for 2,000 logical qubits. More critically, IBM has explicitly stated that it will reduce the overhead of physical qubits by 90% using qLDPC error correction codes. Research from startup Oratomic shows that using neutral atom architecture, only about 26,000 physical qubits are needed to crack the secp256k1 curve, although it would take 10 days.

Real-time hijacking isn't necessary; a gradual approach is fine. For those sleeping wallets whose public keys are permanently exposed on the chain, attackers have all the time in the world.

However, there is good news: the mining layer is temporarily safe. Although Grover's algorithm theoretically provides quadratic speedup for hash computations, the quantum gate overhead in practical physical implementation is far greater than that of current ASIC miners. To mine effectively with a quantum computer, the required number of physical qubits reaches the order of 10 to the power of 23, with power consumption approaching that of a star's energy output. The risk for Bitcoin is concentrated at the signature layer, not at the consensus layer.

04 The Bitcoin community's self-rescue

Developers are not sitting idly by.

The fastest progress is the BIP-360 proposal, also known as Pay-to-Merkle-Root (P2MR), which has already been merged into the official BIP repository as of early 2026. Its idea is straightforward: no longer displaying any public key information on the chain, instead using the Merkle root of a script tree. No matter how powerful a quantum computer is, it cannot derive a public key from a hash value. Although the public key is still briefly exposed when making payments, it paves the way for the subsequent introduction of quantum-resistant signature schemes.

Another route is the QSB (Quantum Safe Bitcoin) proposal put forward by StarkWare Chief Product Officer Avihu Levy. It requires no soft fork and utilizes the existing OP_RIPEMD160 opcode to build a complex hash puzzle for signature verification. The security is anchored on the pre-image resistance of the hash function, where quantum computers have no better means than Grover's algorithm. However, the cost is significant: each transaction requires a GPU computing cost of $75 to $150, resembling a "quantum sanctuary" prepared for ultra-high-net-worth assets.

The trickiest problem remains those dormant assets that cannot be migrated. The community faces three options, each of which is harsh: do nothing and allow the first nation or organization that builds a sufficiently powerful quantum computer to reap the rewards; force a hard fork to invalidate all un-migrated early coins, which would fundamentally undermine the belief in "code is law"; or establish a "bad debt side chain" allowing real owners to prove identity through means other than asymmetric cryptography.

Google even suggests that governments establish "digital recovery" regulations similar to maritime law, allowing regulated entities to recover lost assets through quantum computing. The reaction to this proposal in the cypherpunk community can be imagined.

05 Conclusion

Quantum computers of this scale have not yet been built. But Google's 2029 migration deadline, IBM's hardware sprint plan, and the step-wise increase in algorithm efficiency every few years all point to the same conclusion: the window left for Bitcoin may be only three to five years.

The countdown waits for no one. The clock is ticking, and the sound is very faint.

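Disclaimer: This article represents only the author's personal views and does not represent the position or views of this platform. This article is for information sharing only and does not constitute investment advice to anyone. Any dispute between users and the author is unrelated to this platform. If an article or image published on this page involves infringement, please send the relevant proof of rights and proof of identity by email to support@aicoin.com, and the platform's staff will verify it.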
