量子電腦如何能在「9 分鐘」內真正竊取您的 Bitcoin

📄完整原文· 由 trafilatura 自動擷取9746 字

How a quantum computer can be used to actually steal your bitcoin in '9 minutes' Part one explained the physics of quantum computing. This piece explains the target — how bitcoin's encryption works, why a quantum algorithm breaks it, and what Google's paper changed about the timeline. What to know: - Bitcoin’s security relies on elliptic curve cryptography, a one-way mathematical function that makes deriving a private key from a public key effectively impossible for traditional computers. - Shor’s algorithm allows a sufficiently powerful quantum computer to efficiently reverse this one-way function, turning a bitcoin public key into its corresponding private key and enabling theft. - A recent Google-led paper outlines a realistic attack in which a future quantum computer could, within about nine minutes, derive a private key from an exposed public key and potentially front-run or drain vulnerable bitcoin wallets. Part 1 of this series explained what quantum computers actually are. Not just faster versions of regular computers, but a fundamentally different kind of machine that exploits the weird rules of physics that only apply at the scale of atoms and particles. But knowing how a quantum computer works does not tell you how it can be used to steal bitcoin by a bad actor. That requires understanding what it is actually attacking, how bitcoin's security is built, and exactly where the weakness sits. This piece starts with bitcoin's encryption and works through to the nine-minute window it takes to break it, as identified by Google's recent quantum computing paper. The one-way map Bitcoin uses a system called elliptic curve cryptography to prove who owns what. Every wallet has two keys. A private key, which is a secret number, 256 digits long in binary, roughly as long as this sentence. A public key is derived from the private key by performing a mathematical operation on the specific curve called "secp256k1." Think of it as a one-way map. Start at a known location on the curve that everyone agrees on, called the generator point G (as shown in the chart below). Take a private number of steps in a pattern defined by the curve's math. The number of steps is your private key. Where you end up on the curve is your public key (point K in the chart). Anyone can verify that you ended up at that specific location. Nobody can figure out how many steps you took to get there. Technically, this is written as K = k × G, where k is your private key and K is your public key. The "multiplication" is not regular multiplication but a geometric operation where you repeatedly add a point to itself along the curve. The result lands on a seemingly random spot that only your specific number k would produce. The crucial property is that going forward is easy and going backward is, for classical computers, effectively impossible. If you know k and G, calculating K takes milliseconds. If you know K and G and want to figure out k, you are solving what mathematicians call the elliptic curve discrete logarithm problem. It is estimated that the best-known classical algorithms for a 256-bit curve would take longer than the age of the universe. This one-way trapdoor is the entire security model. Your private key proves you own your coins. Your public key is safe to share because no classical computer can reverse the math. When you send bitcoin, your wallet uses the private key to create a digital signature, a mathematical proof that you know the secret number without revealing it. Shor's algorithm opens the door both ways In 1994, a mathematician named Peter Shor discovered a quantum algorithm that breaks the trapdoor. Shor's algorithm solves the discrete logarithm problem efficiently. The same math that would take a classical computer longer than the universe has existed, Shor's algorithm handles in what mathematicians call polynomial time, meaning the difficulty grows slowly as numbers get bigger rather than explosively. The intuition for how it works comes back to the three quantum properties from Part 1 of this series. The algorithm needs to find your private key k, given your public key K and the generator point G. It converts this into a problem of finding the period of a function. Think of a function that takes a number as input and returns a point on the elliptic curve. As you feed it sequential numbers, 1, 2, 3, 4, the outputs eventually repeat in a cycle. The length of that cycle is called the period, and once you know how often the function repeats, the math of the discrete logarithm problem unravels in a single step. The private key falls out almost immediately. Finding this period of a function is exactly what quantum computers are built for. The algorithm puts its input register into a superposition (or, in quantum mechanics, a particle exists in multiple locations simultaneously), representing all possible values simultaneously. It applies the function to all of them at once. Then it applies a quantum operation called the Fourier transform, which causes the number of wrong answers to cancel out while the correct answers are reinforced. When you measure the result, the period appears. From this period, ordinary math recovers k. That is your private key, and therefore your coins. The attack uses all three quantum tricks from the first piece. Superposition evaluates the function on every possible input at once. Entanglement links the input and output so the results stay correlated. ‘Interference’ filters the noise until only the answer remains. Why bitcoin still works today Shor's algorithm has been known for more than 30 years. The reason bitcoin still exists is that running it requires a quantum computer with a large enough number of stable qubits to maintain coherence through the entire calculation. Building that machine has been beyond reach, but the question has always been how large is "large enough." Previous estimates said millions of physical qubits. Google's paper, in early April by its Quantum AI division with contributions from Ethereum Foundation researcher Justin Drake and Stanford cryptographer Dan Boneh, reduced that to fewer than 500,000. Or a roughly 20-fold reduction from prior estimates. The team designed two quantum circuits that implement Shor's algorithm against bitcoin's specific elliptic curve. One uses approximately 1,200 logical qubits and 90 million Toffoli gates. The other uses approximately 1,450 logical qubits and 70 million Toffoli gates. A Toffoli gate is a type of gate that acts on three qubits: two control qubits, which affect the state of a third, target qubit. Imagine this as three light switches (qubits) and a special lightbulb (the target) that only turns on if two specific switches are flipped on at the same time. Because qubits lose their quantum state constantly, as Part 1 explained, you need hundreds of redundant qubits checking each other's work to maintain a single reliable logical qubit. Most of a quantum computer exists just to catch the machine's own mistakes before they ruin the calculation. The roughly 400-to-1 ratio between physical and logical qubits reflects how much of the machine exists as self-babysitting infrastructure. The nine-minute window Google’s paper did not just reduce qubit counts. It introduced a practical attack scenario that changes how to think about the threat. The parts of Shor's algorithm that depend only on the elliptic curve's fixed parameters, which are publicly known and identical for every bitcoin wallet, can be precomputed. The quantum computer sits in a primed state, already halfway through the calculation, waiting. The moment a target public key appears, whether broadcast in a transaction to the network's mempool or already exposed on the blockchain from a previous transaction, the machine only needs to finish the second half. Google estimates that the second half takes about nine minutes. Bitcoin's average block confirmation time is 10 minutes. That means if a user broadcasts a transaction and their public key is visible in the mempool, a quantum attacker has roughly nine minutes to derive a private key and submit a competing transaction that redirects funds. The math gives the attacker a roughly 41% chance of finishing before your original transaction confirms. That is the mempool attack. It is alarming but it requires a quantum computer that does not exist yet. The bigger concern, however, is the 6.9 million bitcoin (roughly one-third of total supply) sitting in wallets where the public key has already been permanently exposed on the blockchain. Those coins are vulnerable to an "at-rest" attack that requires no race against the clock. The attacker can take as long as needed. A quantum computer running Shor's algorithm can turn a bitcoin public key into the private key that controls the coins. For coins transacted since Taproot (a privacy upgrade on Bitcoin that went live in November 2021), the public key is already visible. For coins in older addresses, the public key is hidden until you spend, at which point you have roughly nine minutes before the attacker catches up. What this means in practice, which 6.9 million bitcoin are already exposed, what Taproot changed, and how fast the hardware is closing the gap, is the subject of the next and final piece in this series. More For You The project is also expanding its partnerships with Tinder, Zoom and Docusign. What to know: - World unveiled a major upgrade to its World ID system, pitching it as “full-stack proof of human” infrastructure to verify real people across consumer apps, enterprises and AI agents without exposing personal data. - The rollout includes new features, partnerships with Tinder, Zoom and Docusign and tools for AI agents, while...

資料狀態✓ 已擷取全文閱讀原文（CoinDesk）

🔍歷史類似事件· 關鍵字 + 標的比對6 則

2026-04-22

免稅 Bitcoin 回歸：英國投資者如何再次避免為加密貨幣投資繳納稅款

相似度 380%標的 BTC關鍵字 how/bitcoin/can

2026-04-20

量子威脅即將衝擊 Bitcoin 與加密貨幣——XRP Ledger 正如何準備應對

相似度 380%標的 BTC關鍵字 how/bitcoin/quantum

2026-04-17

當量子電腦來襲時：傳統財產法對您的 Bitcoin 會如何處置

相似度 380%標的 BTC關鍵字 bitcoin/your/quantum

2026-04-17

Bitwise 研究顯示持有 Bitcoin 的時間長短如何影響您的虧損程度

相似度 380%標的 BTC關鍵字 how/bitcoin/your

2026-04-16

Citi 表示將 Bitcoin 與黃金混合配置可提升投資組合績效

相似度 380%標的 BTC關鍵字 bitcoin/can/your

2026-04-16

Cardano 的 Charles Hoskinson 表示，Bitcoin 的量子修復方案是一個無法拯救 Satoshi 持有幣的硬分叉（hard fork）。

相似度 380%標的 BTC關鍵字 bitcoin/can/quantum

💡 目前用關鍵字 + 標的比對（MVP）· 之後會升級為 embedding 語意搜尋

原始資訊

ID：285bfb1f13

來源：CoinDesk

發佈：2026-04-18 02:51:35

分類：一般 · 導出分類 neutral

標的：BTC

社群投票：+0 / −0 · ⭐ 0 重要 · 💬 0 留言