A canary in the coal mine for quantum threats to Bitcoin
In 2015, an anonymous user created 160 Bitcoin addresses with private keys hidden in progressively larger ranges.
On this site you can explore the puzzle, estimate its difficulty on your own hardware, and even try brute-forcing the easy ones right in your browser.
Read FAQ ↓Every Bitcoin wallet is protected by a private key, just a number in the range from 1 to 2256(a number with 77 digits). The wallet address is derived from the private key through a one-way function (elliptic curve multiplication + hashing), easy to compute forward, but impossible to reverse. Anyone who knows the private key can calculate the address and has full access to the wallet's balance. The security of Bitcoin relies on the fact that the key range is so astronomically large that guessing it by brute force is practically impossible. The total number of possible keys is 2256 ≈ 1.16×1077. The estimated number of atoms in the observable universe is ~1080, so there are only about 1,000× more atoms in the entire universe than possible Bitcoin keys.
In 2015, an anonymous user created 160 puzzle addresses to demonstrate just how secure Bitcoin is. Each puzzle restricts the private key to a progressively larger range: puzzle #1 has the key between 1 and 2, puzzle #2 between 2 and 4, all the way up to puzzle #160 where the key is between 2159 and 2160. A total of ~1000 BTC was distributed across these addresses.
The early puzzles (up to ~70 bits) can be solved by brute force on modern hardware. Run the benchmark below to see how long each puzzle would take on your machine.
This puzzle is a vivid proof that Bitcoin's cryptography is unbreakable by brute force, even with all the computing power on Earth combined.
However, quantum computers will change everything. Since the puzzle keys have much narrower ranges than regular Bitcoin addresses, and several unsolved puzzles (#135, #140, #145, #150, #155, #160) already have their public keys exposed, they will be the easiest targets for quantum attacks. If we see someone solving #135, #140 and beyond within days or weeks, that is an unmistakable sign that a sufficiently powerful quantum computer has arrived, and regular Bitcoin should brace for impact. Read why Bitcoin Puzzle is a quantum canary ↓
Measure how fast your browser can check keys
| Bits | Address | Private Key | Balance | Range | Your PC | Quantum ⚛ | Status | Action |
|---|---|---|---|---|---|---|---|---|
| Loading puzzles... | ||||||||
The difficulty doubles with every puzzle number. Puzzle #70 has a key space of 270 (~1.2 sextillion keys). Modern GPUs and FPGAs can search billions of keys per second, making puzzles up to ~70 bits feasible within weeks or months of computation. But puzzle #71 has twice the range, #72 has four times, and so on. By puzzle #80, the brute force time already exceeds thousands of years even on the fastest hardware. That said, hardware keeps improving, so puzzles #71–74 may eventually fall to brute force on conventional GPU farms.
These puzzles (every 5th starting from #75) were solved not by brute force, but using Pollard's kangaroo algorithm, a mathematical method that exploits the public key to find the private key much faster than brute force.
When someone spends Bitcoin from an address, the public key is revealed on the blockchain. For these puzzles, the creator intentionally moved small amounts to expose the public keys. Once the public key is known, the kangaroo algorithm reduces the search from O(2n) to O(2n/2), the square root of the range. For puzzle #130, this means searching ~265 instead of 2130, which is feasible with enough GPU power.
You can see which unsolved puzzles have known public keys in the table (#135, #140, #145, #150, #155, #160) — these are the next targets for kangaroo solvers.
No. This is a common misconception. All current Bitcoin address formats are vulnerable to quantum attacks once the public key is exposed:
For non-Taproot addresses, the only way to keep your public key hidden is to never spend from the address. For Taproot, there is no protection at all: you should not even receive Bitcoin to a Taproot address if you are concerned about quantum threats, because the public key is exposed the moment the address appears on the blockchain.
Post-quantum cryptography has not yet been integrated into Bitcoin. Until it is, no address format offers true quantum resistance.
The browser-based search on this page is intentionally simple: it uses JavaScript and is limited to your CPU. Specialized tools like BitCrack, Kangaroo, or KeyHunt can leverage powerful GPUs (NVIDIA CUDA / AMD OpenCL) to search roughly ~1,000× faster than what you see in the browser benchmark.
For example, a single RTX 4090 can test ~1.5 billion keys per second for brute force, and even more with optimized kangaroo implementations. Farms with multiple GPUs push this further. Still, even at these speeds, puzzles above ~75 bits remain out of reach for brute force: the math simply doesn't allow it. The kangaroo algorithm with known public keys is the only realistic approach for higher puzzles.
There is also an economic problem: starting from puzzle #71, the GPU rental cost required for brute force at current hardware generation would likely exceed the BTC reward. Even with cheap cloud GPUs, the electricity and compute time make it a losing bet. The puzzle reward would need to be worth significantly more (or hardware would need to be significantly faster) for brute force to become profitable.
In the 19th and 20th centuries, coal miners brought canaries into the tunnels as an early warning system. The birds were far more sensitive to toxic gases like carbon monoxide than humans. If the canary stopped singing or died, miners knew to evacuate immediately, even before they could detect any danger themselves.
The Bitcoin Puzzle serves the same purpose for quantum computing threats. Its private keys are restricted to much narrower ranges than regular Bitcoin addresses, making them far easier to crack. If a quantum computer powerful enough to threaten Bitcoin ever emerges, the puzzle addresses will fall first. If puzzles #135, #140, #145 and beyond are all solved within days, weeks, or months of each other, that would be the canary's silence, a clear signal that a quantum computer powerful enough to threaten all of Bitcoin's cryptography has arrived.
Yes, and possibly sooner than expected. In March 2026, Google Quantum AI published a whitepaper showing that breaking elliptic curve cryptography (which protects Bitcoin) could require fewer than 500,000 physical qubits, a ~20× reduction from prior estimates of millions. The Bitcoin Puzzle is vulnerable to quantum attack in two distinct ways:
1. Shor's algorithm (known public key). Puzzles with exposed public keys (#135, #140, #145, #150, #155, #160 and all solved puzzles that had spending transactions) can be broken instantlyby Shor's algorithm. It computes the private key directly from the public key, no brute force needed. These puzzles are marked as instant ⚛ in the Quantum column.
2. Grover's algorithm (all unsolved puzzles). Even without a known public key, every puzzle has a much narrower key range than a standard Bitcoin address (2160 vs 2256). Grover's algorithm provides a quadratic speedup, effectively halving the bit length. So puzzle #160 (160-bit range) becomes a 80-bit search, and puzzle #80 becomes just 40 bits, easily solvable. For a regular Bitcoin address where the public key was never exposed (never sent a transaction, or uses a modern address format), Grover's would need 2128 operations. At ~1 billion quantum ops/sec, that is ~1022 years, trillions of trillions of years, still completely infeasible even for quantum computers. The puzzles are up to 2176 times easier to crack than such an address.
For Shor's attack, the number of qubits depends on the elliptic curve (secp256k1 = 256 bits), not the key range, so puzzles need the same ~500,000 physical qubits as a regular address. But the computation is much faster on narrower ranges. A quantum computer that needs minutes to crack a full 256-bit key could solve most puzzles in seconds.
For Grover's attack, the puzzles actually need fewer qubitssince the search register scales with the key range, not the curve size. Most of the qubits still go to the oracle circuit (computing the address from a key), but a less powerful quantum machine that can't yet run full Shor's on 256-bit keys might still be able to brute-force smaller puzzles via Grover.
This means there will be a window in time when a quantum computer can crack a puzzle in minutes, while breaking a regular Bitcoin address with a full 256-bit key would still take years on the same machine. The Bitcoin Puzzle will likely be the first real-world canary for quantum cryptographic breakthroughs, solved long before regular wallets are at risk.
All it takes is one researcher with access to a sufficiently capable quantum computer to notice this puzzle. If all remaining puzzles are suddenly solved in a short period, you can be certain: a quantum computer did it. Given Google's latest findings, this will likely happen within just a few years.