
But what does this mean in practice?
Let’s start with how bitcoin transactions work. When you send bitcoins, your wallet signs the transaction with a private key – a secret number that proves your ownership of the coins, writes coindesk.com.
This signature also reveals your public key, a shared address, which is transmitted to the network. The transaction then sits waiting in a special area called the mempool until a miner includes it in a block. On average, confirmation takes about 10 minutes.
Your private key and public key are linked through a math problem called the discrete logarithm problem on an elliptic curve. Classical computers cannot solve this problem in a reasonable amount of time, whereas a sufficiently powerful future quantum computer using Shor’s algorithm will be able to do so.
This is where the nine-minute moment comes in. The Google document says that a quantum computer could be “prepared” in advance by pre-computing parts of the attack that don’t depend on any particular public key.
Once your public key appears in the mempool, it takes the machine about nine minutes to complete the task and recover your private key. The average transaction confirmation time in bitcoin is 10 minutes. This gives an attacker about a 41% chance of recovering the key and redirecting your funds before the original transaction is confirmed.
Imagine a thief who spends hours creating a universal device to open safes (pre-calculations). This device fits any safe, but every time a new safe comes up, only a few final adjustments are required – and it is this last step that takes about nine minutes.
This is a mempool attack. It’s alarming, but it requires a quantum computer that doesn’t yet exist. The Google article estimates that such a machine would require fewer than 500,000 physical qubits. Today’s largest quantum processors have about 1,000.
One-third of bitcoins are at particular risk
A more serious and urgent problem is the 6.9 million bitcoins, roughly one-third of the total supply, that are already in wallets where the public key has been permanently exposed.
This includes bitcoin addresses from the early years of the network that used the pay-to-public-key format, where the public key is visible in the blockchain by default. It also applies to any wallet that reused an address, as spending funds from the address reveals the public key for any funds that remain there.
These coins don’t need a nine-minute race. An attacker with a powerful enough quantum computer can hack them at their leisure, processing the compromised keys one at a time without any time pressure.
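To audit your own holdings against the two cases above, the following added example (not code from the article or the Google paper) sorts unspent outputs into coins whose key is already public and coins whose key only becomes public when they are spent. The P2PKH and P2WPKH templates are the standard hashed-key formats, which the article does not name; the sample scripts, amounts and the `spent_before` flag (taken from your wallet history) are constructed assumptions.

```python
# Added example: constructed sample data, not real on-chain outputs.
P2PK_OLD = "41" + "04" + "22" * 64 + "ac"   # 65-byte uncompressed key in script
P2PKH_A = "76a914" + "33" * 20 + "88ac"
P2PKH_B = "76a914" + "55" * 20 + "88ac"
P2WPKH = "0014" + "44" * 20

def classify_script(script_hex):
    """Name the template of a scriptPubKey given as hex."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG; the key itself is in the script.
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        if (s[1] in (2, 3)) if n == 35 else (s[1] == 4):
            return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte key hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[-2:] == b"\x88\xac":
        return "p2pkh"
    # P2WPKH: OP_0 <20-byte key hash>
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"
    return "other"

def key_exposed(script_hex, spent_before):
    """True/False if the public key is already public; None if unknown."""
    kind = classify_script(script_hex)
    if kind == "p2pk":
        return True
    if kind in ("p2pkh", "p2wpkh"):
        return bool(spent_before)  # an earlier spend published the key
    return None

def audit(utxos):
    """Sum satoshis per exposure class for (script_hex, sats, spent_before)."""
    totals = {"exposed_at_rest": 0, "exposed_only_when_spent": 0, "unclassified": 0}
    for script_hex, sats, spent_before in utxos:
        exposed = key_exposed(script_hex, spent_before)
        if exposed is None:
            totals["unclassified"] += sats
        elif exposed:
            totals["exposed_at_rest"] += sats
        else:
            totals["exposed_only_when_spent"] += sats
    return totals

SAMPLE_UTXOS = [
    (P2PK_OLD, 5_000_000_000, False),  # early pay-to-public-key output
    (P2PKH_A, 150_000_000, True),      # reused address, key already revealed
    (P2PKH_B, 20_000_000, False),
    (P2WPKH, 30_000_000, False),
]

if __name__ == "__main__":
    print(audit(SAMPLE_UTXOS))
```

Coins counted under `exposed_at_rest` are the ones the article says need no nine-minute race; moving them to a fresh, never-spent-from address puts them in the second class.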









