Particle.news

Bitcoin Developers Weigh Upgrades After Google Flags 9-Minute Quantum Key Attack

No fixes are live, leaving millions of exposed coins vulnerable.

Overview

  • Google’s new research says a sufficiently powerful quantum computer could derive a Bitcoin private key from a public key in under nine minutes, which is faster than an average block confirmation, though no such machine exists today.
  • Roughly 6.5–6.9 million bitcoin sit in outputs exposed to this attack, including about 1.7 million BTC in early pay-to-public-key addresses that have already revealed their public keys, as well as coins that briefly expose keys while their transactions wait in the mempool.
  • BIP 360 proposes a new output type called Pay-to-Merkle-Root that stops putting public keys on-chain, which would shield new coins but cannot retroactively protect old addresses with exposed keys.
  • Adopting post-quantum signatures such as NIST-standardized SPHINCS+ (SLH-DSA) would remove the elliptic-curve weakness, yet its roughly 8-kilobyte signatures would swell transaction sizes and raise fees compared with today’s 64-byte signatures.
  • A push by some market voices to lock Satoshi-era wallets or force a quantum-safe upgrade faces long odds, as developers and historians say such coercive changes conflict with Bitcoin’s principles and are unlikely to gain the broad consensus the protocol requires.
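
To make the exposure categories above concrete, the following added example (not from the article or from any Bitcoin project) classifies an output script by whether it stores a public key on-chain before it is ever spent. It goes beyond the pay-to-public-key case named in the text by also covering the other standard script templates; the names `classify`, `Verdict` and `SAMPLES` are hypothetical, and the sample scripts are constructed from filler bytes.

```python
from typing import NamedTuple, Optional

class Verdict(NamedTuple):
    kind: str
    key_on_chain: Optional[bool]  # None = template not recognised, no verdict

def classify(script_hex: str) -> Verdict:
    """Match a scriptPubKey against standard templates by length and opcodes."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 65|33> <pubkey> OP_CHECKSIG; the key itself is the output.
    if n in (67, 35) and s[0] == n - 2 and s[-1] == 0xAC:
        if (n == 67 and s[1] == 0x04) or (n == 35 and s[1] in (0x02, 0x03)):
            return Verdict("p2pk", True)
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return Verdict("p2pkh", False)
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return Verdict("p2sh", False)
    # Witness programs: version opcode, then a 20- or 32-byte push.
    if n == 22 and s[:2] == b"\x00\x14":
        return Verdict("p2wpkh", False)
    if n == 34 and s[:2] == b"\x00\x20":
        return Verdict("p2wsh", False)
    # P2TR: OP_1 <32-byte x-only output key>; a public key, not a hash.
    if n == 34 and s[:2] == b"\x51\x20":
        return Verdict("p2tr", True)
    return Verdict("unknown", None)

# Constructed samples: filler bytes stand in for real keys and hashes.
SAMPLES = {
    "early P2PK": "41" + "04" + "11" * 64 + "ac",
    "compressed P2PK": "21" + "02" + "22" * 32 + "ac",
    "P2PKH": "76a914" + "33" * 20 + "88ac",
    "P2WPKH": "0014" + "44" * 20,
    "P2TR": "5120" + "55" * 32,
    "OP_RETURN data": "6a04deadbeef",
}

def audit(samples: dict) -> dict:
    return {label: classify(hex_) for label, hex_ in samples.items()}

if __name__ == "__main__":
    states = {True: "key on-chain", False: "hash only until spent", None: "n/a"}
    for label, v in audit(SAMPLES).items():
        print(f"{label:16} {v.kind:8} {states[v.key_on_chain]}")
```

A `False` verdict only describes the output at rest: hash-based outputs still reveal their key in the spending transaction, which is the mempool window the second bullet describes.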