Project Eleven, a quantum research outfit, has built a zero-knowledge proof system that lets a bitcoin wallet prove ownership of its coins after quantum computers can forge signatures, running in 243 milliseconds on an M5 MacBook Air. The scheme exploits a structural asymmetry in modern cryptography: Shor's algorithm can break elliptic-curve signatures, but Grover's algorithm only halves the security of a 256-bit hash, leaving HMAC-SHA512 key derivation effectively uncrackable. The proof shows the holder knows the parent key above their address in a BIP-32 derivation tree, without disclosing it.
Why it matters
The proof plugs directly into BIP-361, Jameson Lopp's April proposal to freeze quantum-vulnerable bitcoin after a five-year window. That plan covered more than 34% of circulating supply, including the roughly 1.1 million BTC attributed to Satoshi Nakamoto, but its loudest objection has always been that freezing coins breaks bitcoin's promise of permanent ownership. A working recovery proof reframes the freeze from a burn into a lock, handing the key back to anyone still holding a seed phrase. The benchmarks matter too: Project Eleven's prototype is roughly 16 times faster than prior work end-to-end and 60 times faster excluding one-time setup, with verification in 40 milliseconds and no trusted setup.
Market impact
The catch is the pre-BIP-32 gap. Satoshi mined through 2009 and 2010 and was gone by 2011, when wallets still generated every key independently at random. There is no parent key above those addresses, no derivation path and no seed phrase, so nothing to prove against. The same hole applies to every other pre-2012 wallet, which captures a meaningful share of the oldest and most dormant bitcoin, the exact population BIP-361 was written about. Project Eleven concedes the prototype is unaudited, supports three address types rather than Taproot, roots the proof at the coin-type key rather than the seed, and recovers nothing on any live chain today.
Frequently asked questions
-
What does Project Eleven's quantum recovery proof actually do?
It lets a wallet prove it knows the parent key above its address in a BIP-32 derivation tree, without disclosing that key, so ownership survives even after quantum computers can forge elliptic-curve signatures. Hash-based key derivation stays effectively uncrackable under Grover's algorithm.
-
How fast is the proof and how does it compare to prior work?
On an M5 MacBook Air it generates in 243 milliseconds across four cores and verifies in 40 milliseconds, using about 2GB of RAM and no GPU. Project Eleven puts the end-to-end run roughly 16 times faster than prior work, and about 60 times faster excluding one-time setup.
-
Why can't this recover Satoshi Nakamoto's 1.1 million BTC?
Satoshi mined through 2009 and 2010 and exited before BIP-32 landed on February 11, 2012. Pre-BIP-32 wallets generated every key independently at random, with no parent key, no derivation path and no seed phrase. There is nothing in a tree above those addresses to prove knowledge of.
-
How does this connect to BIP-361?
BIP-361 would block new deposits to quantum-vulnerable addresses after three years and freeze whatever remained after five, covering more than 34% of bitcoin's supply. Project Eleven's proof offers the recovery step BIP-361 promised, turning the freeze into a lock rather than a permanent burn for any wallet with a…
-
Is this ready to protect live bitcoin?
No. Project Eleven concedes the prototype is unaudited, supports three address types rather than Taproot, roots the proof at the coin-type key rather than the seed, and recovers nothing on any live blockchain today. Putting it into effect would still require contentious changes to bitcoin's protocol rules.
CoinDesk