A recent paper from Google's quantum AI team shows that a fault-tolerant quantum computer with 500,000 qubits could theoretically crack Bitcoin's private key in 9 minutes, threatening approximately 6.9 million Bitcoins with exposed public keys. While current technology is 446 times behind this goal, and it's projected to be achievable around 2029, it's no longer science fiction. The Bitcoin community is pushing forward with quantum-resistant upgrades such as BIP-360 and SPHINCS+. Ordinary users don't need to panic at this time, but should check their address formats (avoiding long-term use of Taproot addresses starting with bc1p), adopt the habit of "one address, one transaction," and pay attention to wallet vendor updates.
On March 31, 2026, an ordinary Monday, the crypto world suddenly exploded. Google's quantum AI team published a paper stating that a quantum computer could crack Bitcoin's private key in just 9 minutes, while the average confirmation time for a Bitcoin block is 10 minutes. Some say this is alarmist, others say it's far from reality, but this time it's Google issuing the warning. Can quantum computers actually crack Bitcoin? Is the threat real or exaggerated? What do ordinary people need to do? This article attempts to clarify this matter.
I. What exactly did Google's paper say?
Previously, the general consensus in the industry was that a quantum computer would need millions of qubits to crack Bitcoin's encryption algorithm. This number was ridiculously large, so everyone thought it would take at least several decades. But Google's paper reduced this number to less than 500,000. That's a 20-fold reduction.
The paper presents a specific attack scenario: when you send a Bitcoin transaction, your public key is briefly exposed to the network, waiting to be included in a block. This window averages 10 minutes.
According to Google's estimates, a sufficiently powerful quantum computer can deduce your private key from your public key in about 9 minutes, then forge a transaction with a higher miner fee, intercepting the money before your original transaction is recorded on the blockchain, with a success rate of about 41%.
Of course, the paper describes a fault-tolerant quantum computer with full error correction capabilities. Google's own Willow processor only has 105 physical qubits, while the paper requires 500,000. That's a difference of 446 times, so a quantum computer capable of cracking BTC does not yet exist. Google's own goal is to complete the migration to post-quantum cryptography by 2029, which to some extent indicates when they believe the threat will become a reality. But if this machine is ever built, the cost of cracking Bitcoin will be much lower than you think.
II. The Difference Between Quantum Computers and Ordinary Computers
Before discussing what this means, we need to understand one crucial question: What exactly is a quantum computer?
Ordinary computers process information using bits, each bit having only two states: 0 or 1. Any computation involves operating on these 0s and 1s. A 256-bit private key means 2²⁵⁶ possible combinations: even with all the computing power in the world combined, brute-forcing it with classical computers would take longer than the age of the universe. This is why Bitcoin has remained secure for the past 15 years.
Quantum computers use qubits, whose magic lies in their superposition state: they can be both 0 and 1 simultaneously. Eight qubits don't just represent one state, but can simultaneously represent 256 states. The more qubits there are, the exponentially greater the parallel processing capability.
However, parallel processing alone isn't enough to threaten Bitcoin. What truly makes quantum computers a threat to cryptography is Shor's algorithm, invented in 1994 by MIT mathematician Peter Shor.
This algorithm is specifically designed to factor large integers and solve the elliptic curve discrete logarithm problem, two hard problems that form the foundation of Bitcoin and Ethereum's private key security.
By analogy, a traditional computer is like someone trying to find the exit in a maze, only able to try one path at a time; a quantum computer with Shor's algorithm is like having a top-down view of the maze, allowing you to instantly find the exit.
Bitcoin uses ECDSA (Elliptic Curve Digital Signature Algorithm), which operates on the secp256k1 curve. This system is impenetrable to classical computers, but Shor's algorithm can specifically break the mathematical structure of elliptic curves.
III. How Quantum Computers Steal Your Bitcoin
After understanding the principles of quantum computers, let's look at how they specifically threaten Bitcoin.
When a wallet is created, the system generates a private key, a random 256-bit number. The public key is derived from the private key, and then the wallet address is derived from the public key. This chain can only be followed in one direction: knowing the private key allows you to calculate the public key, but not vice versa.
When you send Bitcoin, your private key is only used to generate a digital signature, which is broadcast with the transaction to tell the entire network that you sent the money. The network verifies the signature, the transaction is confirmed, and the transaction is complete.
Shor's algorithm can theoretically break elliptic curve cryptography, the foundation of Bitcoin's private key security. But nobody has taken this seriously, because the computational power required to run this algorithm is simply beyond the capabilities of classical computers. The problem is that quantum computers have indeed made significant progress in recent years. Once it becomes powerful enough, a quantum computer only needs your public key to deduce your private key, forge your signature, and transfer money.
This raises a crucial question: has your public key been exposed? Public key exposure falls into two categories.
The first is long-term exposure, where the public key is permanently written on the blockchain and can be read by a quantum machine at any time. Two types of addresses fall into this category: the original address format used by Satoshi Nakamoto and early miners, where the public key was stored directly in plaintext; and Taproot addresses starting with bc1p. Taproot was intended to improve privacy and efficiency, but its design embedded the public key within the address itself, which backfired in the face of quantum threats.
The second is short-term exposure, at the moment you send a transaction. In the traditional address format, the public key is hidden behind a hash while the coins are unspent and cannot be seen by outsiders. However, every time you send a transaction, the public key enters the mempool along with the transaction and becomes visible to the entire network before being packaged into a block. This window averages 10 minutes. In other words, no matter how careful you are in your daily operations, as long as you have sent a transaction, there is a possibility of being attacked.
Currently, the public keys of approximately 6.9 million Bitcoins have been permanently exposed on the blockchain. Whether these coins are in personal wallets or exchange hot wallets, as long as the address belongs to the high-risk type mentioned above, or if the address has ever sent a transaction, the public key has been leaked.
IV. What is the Bitcoin Community Doing?
On the day the Google paper was published, CZ (@cz_binance) responded on Twitter: "No need to panic. Upgrading cryptocurrencies to quantum-resistant algorithms will solve the problem. The threat is real, but the industry is capable of dealing with it." Vitalik Buterin (@VitalikButerin) was much more cautious.
He had warned about this issue long ago, giving an estimate that the probability of a truly capable quantum computer appearing before 2030 is about 20%. Both agree that the threat is real, but their assessments of the urgency differ.
The Bitcoin developer community had not ignored this issue even before this paper, and currently four directions are being seriously discussed.
1️⃣ BIP-360, also known as Pay-to-Merkle-Root. Current Bitcoin addresses permanently store their public keys on the blockchain. BIP-360's approach is to completely remove the public key from the transaction structure, replacing it with a Merkle root. Quantum machines have no public key to analyze, thus eliminating the possibility of attacks. This solution is already running on BTQ Technologies' testnet, with over 50 miners participating and processing over 200,000 blocks. However, it's important to clarify that BIP-360 only protects newly generated coins; the 1.7 million old addresses with exposed public keys remain a problem.
2️⃣ SPHINCS+: Officially named SLH-DSA, it's a post-quantum signature scheme based on hash functions. Its logic is straightforward: since Shor's algorithm is specifically designed for elliptic curves, replace elliptic curves with hash functions for signatures. This scheme was standardized by NIST in August 2024. The problem lies in the signature size: currently, Bitcoin's ECDSA signature is only 64 bytes, while SPHINCS+ signatures exceed 8KB, a size increase of over 100 times, significantly driving up transaction fees and block space requirements. To address this, developers proposed optimization schemes such as SHRIMPS and SHRINCS, aiming to compress signature size without sacrificing security.
3️⃣ Commit/reveal scheme: proposed by Tadge Dryja, co-founder of the Lightning Network, this scheme targets the short-term exposure risk in the mempool.
It divides a transaction into two stages: the first stage submits a hash fingerprint, containing no transaction information, only leaving a timestamp on the chain; the second stage broadcasts the real transaction, at which point the public key is exposed. Even if a quantum attacker intercepts the public key and deduces the private key in the second stage, the forged transaction will be rejected by the network because there is no corresponding record of the first stage pre-commit. The cost is an extra step per transaction, slightly increasing costs. This is seen by the community as a transitional solution, to be used until a more complete quantum-resistant system is established.
4️⃣ Hourglass V2: Proposed by developer Hunter Beast, specifically targeting the 1.7 million old addresses whose public keys have been permanently exposed. The logic of this solution is pessimistic but realistic: since the public keys of these addresses can no longer be hidden, these coins will eventually be stolen once quantum machines are powerful enough. Hourglass V2 doesn't intend to prevent the theft of old addresses, but rather limits the amount of Bitcoin that can be transferred from these addresses per block to one, similar to limiting daily withdrawals during a bank run. This proposal is highly controversial because the Bitcoin community has a principle: no one has the right to interfere with your Bitcoin, and many believe that even this limited restriction is excessive.
This is not the first time Bitcoin has faced pressure to upgrade. The scaling debate in 2017 lasted for several years, eventually resulting in the split of Bitcoin Cash. The Taproot upgrade in 2021 took nearly four years from proposal to activation. Each time, the community goes through lengthy debates, tug-of-wars, and compromises before anything can move forward. The response to the quantum threat will likely follow the same path.
V. What Do Ordinary Users Need to Do Now?
Having said all that, what can ordinary users do? The answer isn't as complicated as you might think. Quantum computers can't crack your Bitcoin today, but there are a few things you can start paying attention to now.
1️⃣ Check your address format: Open your wallet and see what the receiving address starts with. Addresses starting with bc1p are Taproot addresses, where the public key is embedded in the address itself by default, making them a high-risk format with long-term exposure. If your assets are stored in such addresses and have never been touched, the risk is currently theoretical, but it's worth paying attention to the progress of BIP-360. SegWit addresses starting with bc1q, and traditional addresses starting with 1, have their public keys still protected by hashes when never spent, making them relatively secure. However, once you send a transaction, the public key is permanently exposed on the blockchain.
2️⃣ Cultivate address hygiene habits: Avoid repeatedly receiving and transferring funds to the same address. Each transaction exposes the public key, and used addresses no longer have hash protection. Most modern wallets generate a new address after each receipt by default; this feature should be left enabled.
3️⃣ Pay attention to wallet software updates: Hardware wallet vendors like Ledger and Trezor will be a crucial part of quantum-resistant upgrades. Once BIP-360 or post-quantum signature schemes are activated on the mainnet, wallets will need to support the new address format and signature algorithm. This process might only require users to update firmware, but it could also involve migrating assets from old addresses to new ones. Currently, the best approach is to ensure your wallet comes from a reputable provider with continuous update capabilities and stay informed.
4️⃣ Assets held on exchanges: Exchanges don't require user intervention; technical upgrades are handled by their teams.
Coinbase has established a quantum advisory committee, and other major exchanges will follow suit under regulatory pressure. For assets held on reputable exchanges, quantum upgrades are transparent to you.
VI. In Conclusion
The claim that "quantum computers will crack Bitcoin" has been circulating for many years, each time met with ridicule, and then nothing happens. Over time, people have come to accept it as a false alarm.
This time, it's Google issuing the warning. Bitcoin developers are already seriously preparing countermeasures, and Ethereum's roadmap is progressing. However, this issue has remained theoretical until now; whether quantum computers can truly crack Bitcoin's encryption algorithm remains uncertain. Google says 2029, some say decades from now, and others say never. Only time will tell.
Progress in quantum computing has never been uniform; the last major breakthrough occurred at an unexpected time, and the next one may be just as rapid.
[Biteye]
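The commit/reveal flow from section IV, item 3, as an added example that is not part of the original article and is not Tadge Dryja's actual construction: a toy Python model in which a spend is accepted only if its hash was recorded in an earlier block. The `ToyChain` class, the `MIN_COMMIT_AGE` rule and the sample transactions are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

MIN_COMMIT_AGE = 1  # assumption: blocks a commitment must age before its spend is valid


def fingerprint(tx: bytes) -> str:
    """Stage 1 payload: a hash that says nothing about the transaction."""
    return hashlib.sha256(tx).hexdigest()


@dataclass
class ToyChain:
    height: int = 0
    commits: dict = field(default_factory=dict)  # fingerprint -> height first seen
    spent: set = field(default_factory=set)      # outputs already spent

    def mine_block(self) -> None:
        self.height += 1

    def commit(self, fp: str) -> None:
        self.commits.setdefault(fp, self.height)  # the earliest timestamp is kept

    def reveal(self, outpoint: str, tx: bytes) -> str:
        """Stage 2: the spend is valid only if its fingerprint was committed earlier."""
        if outpoint in self.spent:
            return "rejected: output already spent"
        committed_at = self.commits.get(fingerprint(tx))
        if committed_at is None:
            return "rejected: no pre-commit"
        if self.height - committed_at < MIN_COMMIT_AGE:
            return "rejected: commit too recent"
        self.spent.add(outpoint)
        return "accepted"


def run_scenario() -> dict:
    chain, outpoint = ToyChain(), "utxo-0"  # constructed sample data
    honest_tx = b"spend utxo-0 to owner-new-address nonce=7f3a"
    forged_tx = b"spend utxo-0 to other-address fee=high"
    chain.commit(fingerprint(honest_tx))    # stage 1: public key still hidden
    chain.mine_block()
    out = {}
    # The stage 2 broadcast exposes the public key; a forged spend now races it.
    out["forged, no commit"] = chain.reveal(outpoint, forged_tx)
    chain.commit(fingerprint(forged_tx))    # committing only now is too late
    out["forged, late commit"] = chain.reveal(outpoint, forged_tx)
    out["honest"] = chain.reveal(outpoint, honest_tx)
    chain.mine_block()
    out["forged, after waiting"] = chain.reveal(outpoint, forged_tx)
    return out


if __name__ == "__main__":
    for case, verdict in run_scenario().items():
        print(f"{case:22} -> {verdict}")
```

The late-commit case shows why the first-stage record needs a timestamp: a commitment made after the public key is visible cannot mature before the honest spend confirms.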
Quantum Computing Threat to Bitcoin: Market Implications and Strategic Response
The recent Google quantum AI research paper outlining a 9-minute Bitcoin private key crack using a 500,000-qubit fault-tolerant quantum computer represents a credible acceleration of the quantum threat timeline to 2029. While the market has largely priced in this long-term risk, the specific timeline and technical feasibility details warrant a reassessment of cryptographic vulnerabilities and investment strategies.
Market Impact Assessment
The news has triggered moderate market FUD but remains fundamentally a long-term concern rather than an immediate threat. Bitcoin’s price action has remained relatively stable, reflecting market acknowledgment that:
- The 446x gap between current quantum capabilities (105 qubits) and the threat threshold (500,000 qubits) represents a significant technological hurdle
- The Bitcoin development community has been proactively researching quantum-resistant solutions
- The 2029 timeline provides a multi-year runway for implementation
However, Google’s involvement adds significant credibility to the threat assessment, distinguishing this from previous quantum FUD. This validation may increase institutional awareness and potentially influence regulatory frameworks surrounding quantum security standards.
Token-Specific Implications
Bitcoin (BTC)
- Short-term volatility likely contained, but quantum-resistant upgrade debates could create sectoral volatility
- BTC’s market dominance may strengthen as it demonstrates active development of quantum-resistant solutions
- The 6.9 million BTC with exposed public keys represent a concentrated vulnerability that could become a focal point during market stress
Privacy Coins (XMR, ZEC)
- Privacy coins with quantum-resistant features may see increased interest as users seek enhanced protection
- Monero’s ring signatures and stealth addresses provide inherent advantages against quantum attacks compared to Bitcoin’s transparent ledger
- Potential regulatory scrutiny may intensify as privacy features become more valued in the quantum era
Quantum Computing Stocks
- Increased institutional interest in quantum computing companies as the threat timeline becomes concrete
- Investment flow toward companies making progress in qubit count and error correction
Critical Risks
- Accelerated Timeline Risk: Quantum computing progress has historically shown unexpected breakthroughs. A 2029 timeline could be conservative if significant advancements occur.
- Implementation Challenges: The transition to quantum-resistant algorithms faces substantial hurdles:
  - BIP-360 only protects new coins, leaving 1.7 million BTC with permanently exposed public keys vulnerable
  - SPHINCS+’s 100x larger signature size could cripple network throughput and increase fees dramatically
  - Bitcoin’s upgrade history suggests contentious debate and potential forks during major protocol changes
- Network Effect Disruption: If quantum attacks become viable before upgrades complete, confidence in Bitcoin’s security could erode rapidly, impacting its value proposition.
- Exchange Vulnerability: Exchanges holding large amounts of BTC with exposed public keys become prime targets during the transition period.
Strategic Opportunities
- Post-Quantum Infrastructure Investments: Projects developing quantum-resistant solutions may see accelerated adoption:
  - Wallet providers implementing BIP-360 or optimized SPHINCS+ variants
  - Exchanges with quantum-resistant infrastructure capabilities
- Privacy Technology Enhancement: The quantum threat spotlight increases awareness of privacy vulnerabilities, potentially accelerating privacy-preserving technology adoption.
- Research and Development Catalyst: The looming threat accelerates research into quantum-resistant blockchain architectures, potentially creating breakthroughs benefiting the entire ecosystem.
- Specialized Quantum-Resistant Tokens: Projects with embedded post-quantum cryptographic solutions may gain competitive advantages.
Investor Recommendations
- Quantify Exposure: Assess your personal and portfolio exposure to different address formats (particularly bc1p Taproot addresses with embedded public keys).
- Prioritize Wallet Security: Evaluate your wallet provider’s roadmap for quantum-resistant features. Consider segregating funds between address types.
- Exchange Due Diligence: For exchange-held assets, prioritize exchanges with publicly stated quantum resistance strategies and technical capacity for upgrades.
- Strategic Privacy Allocation: Consider increasing allocation to privacy coins with quantum-resistant features as a hedge against potential vulnerabilities in transparent blockchains.
- Monitor Quantum Progress: Track advancements in quantum computing capabilities, particularly error correction and qubit count, as these will directly impact the threat timeline.
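One way to carry out the address-format check behind "Quantify Exposure" and section V, item 1, as an added example that is not from the article or from any wallet vendor: it validates a mainnet address (bech32/bech32m per BIP-173/BIP-350, or Base58Check) and maps it to the article's exposure categories. The function names and result labels are hypothetical, and `has_spent` must come from chain data, since the format alone cannot show whether an address has already signed a transaction.

```python
import hashlib

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # bech32 alphabet
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)


def _polymod(values):  # BCH checksum shared by bech32 and bech32m
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk


def segwit_version(addr):
    """(witness version, program length) of a valid mainnet bc1 address, else None."""
    if addr != addr.lower() and addr != addr.upper():
        return None  # mixed case is invalid
    hrp, _, rest = addr.lower().rpartition("1")
    if hrp != "bc" or len(rest) < 8 or any(c not in CHARSET for c in rest):
        return None
    data = [CHARSET.index(c) for c in rest]
    version, groups = data[0], data[1:-6]
    pad, proglen = len(groups) * 5 % 8, len(groups) * 5 // 8
    want = 1 if version == 0 else 0x2BC830A3       # bech32 for v0, bech32m for v1+
    if _polymod([3, 3, 0, 2, 3] + data) != want:   # [3, 3, 0, 2, 3] is the expanded "bc"
        return None
    if pad >= 5 or groups[-1] & ((1 << pad) - 1):  # leftover bits must be zero padding
        return None
    if version > 16 or not 2 <= proglen <= 40 or (version == 0 and proglen not in (20, 32)):
        return None
    return version, proglen


def base58_version(addr):
    """Version byte of a valid 25-byte Base58Check address, else None."""
    if any(c not in B58 for c in addr):
        return None
    n = sum(B58.index(c) * 58 ** i for i, c in enumerate(reversed(addr)))
    if n >= 1 << 200:
        return None
    raw = n.to_bytes(25, "big")
    canon = len(addr) - len(addr.lstrip("1")) == 25 - len(raw.lstrip(b"\0"))
    check = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    return raw[0] if check == raw[21:] and canon else None


def exposure(addr, has_spent=False):
    """Classify an address by the article's two exposure categories."""
    seg, legacy = segwit_version(addr), base58_version(addr)
    if seg == (1, 32):
        return "long-term"  # Taproot (bc1p): the public key is in the output
    if seg in ((0, 20), (0, 32)) or legacy in (0, 5):
        return "long-term" if has_spent else "hashed-until-spend"
    return "invalid-or-unsupported"
```

Early pay-to-public-key outputs, the first long-term category in the article, have no address encoding of their own and have to be found by inspecting output scripts instead.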
Conclusion
While the quantum threat to Bitcoin is now more credibly established with a concrete 2029 timeline, the market appears to have largely priced in this risk. The immediate impact is likely minimal, but the Google research underscores the importance of ongoing research in post-quantum cryptography.
For experienced investors, this represents both a risk and an opportunity. The key is to monitor progress in both quantum computing and quantum-resistant blockchain solutions while maintaining a balanced portfolio that accounts for long-term technological shifts. The Bitcoin community’s active response—with multiple proposed solutions in development—suggests a high probability of successful adaptation, though the transition period may create volatility and strategic reallocations.