On Apr. 24, Project Eleven awarded its Q-Day Prize to researcher Giancarlo Lelli, who used a publicly accessible quantum machine to derive a 15-bit elliptic curve private key from its public key, the largest public demonstration to date of the attack class that could eventually threaten Bitcoin and Ethereum. The winning rig ran roughly 70 qubits, the prize was 1 BTC, and independent reviewers from the University of Wisconsin-Madison and qBraid signed off on the submission. A 15-bit result covers a key space 512x larger than that of Steve Tippeconnic's 6-bit September 2025 demo, and it ran on the same family of Shor's-algorithm methods that would one day target the elliptic-curve discrete logarithm problem, the math behind Bitcoin's signature scheme. It is a milestone, not a break.
Why it matters
The result lands in a month that compressed Bitcoin's quantum timeline from several directions at once. Google published new ECDLP-256 resource estimates on Mar. 31, putting a cryptographically relevant quantum computer at fewer than 500,000 physical qubits, roughly a 20x reduction from prior estimates, and set its own post-quantum migration deadline for 2029. Cloudflare matched that 2029 target on Apr. 7, and QuTech's Apr. 9 commentary noted that a 10,000-qubit neutral-atom machine would still need close to three years to break a single ECC-256 key, while a 26,000-qubit configuration brings that runtime to roughly 10 days. The UK NCSC has set migration milestones at 2028, 2031, and 2035. The math is theoretical, the architectures are unreviewed preprints in places, and the machines do not yet exist, but corporate calendars now carry concrete dates.
Market impact
Project Eleven's live tracker lists 6,934,064 BTC as quantum-vulnerable, concentrated in older address types, reused addresses, partial spends, and any wallet that has already exposed its public key on-chain. Google's paper sharpened that picture further by flagging on-spend attacks against live mempool transactions, which extend the risk from dormant old wallets to active spending. Bitcoin governance is already responding: BIP 360 proposes a new output type removing Taproot's quantum-vulnerable key-path spend, and BIP 361 proposes a phased sunset of legacy signatures. The bull case is routine migration before any emergency arrives; the bear case is technical progress outpacing decentralized coordination and markets starting to reprice vulnerable UTXOs.
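The exposure categories above can be made concrete with an added example, which is not from the article and is not Project Eleven's tracker methodology: the Python below sorts outputs by when their public key becomes visible on-chain, using the standard Bitcoin script templates. The sample scripts, the amounts and the `spent_before` flag (standing in for reused addresses and partial spends) are constructed assumptions.

```python
# Added example. Script templates are the standard Bitcoin ones; all sample data is constructed.
from collections import defaultdict

def classify(script_hex: str) -> str:
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <33- or 65-byte pubkey push> OP_CHECKSIG. The key sits in the output itself.
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk"
    # P2TR: OP_1 <32-byte output key>. The key-path spend key is visible in the output.
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr"
    # Hash-based templates: only a hash is published until the output is spent.
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh"
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh"
    return "unknown"

def exposure(script_hex: str, spent_before: bool) -> str:
    kind = classify(script_hex)
    if kind in ("p2pk", "p2tr"):
        return "exposed-at-rest"    # public key readable from the UTXO set today
    if kind == "unknown":
        return "needs-review"       # non-standard script: inspect by hand
    if spent_before:
        return "exposed-by-reuse"   # an earlier spend already revealed the key or script
    return "exposed-on-spend"       # key appears only when the spend reaches the mempool

def summarize(utxos):
    totals = defaultdict(int)
    for script_hex, spent_before, sats in utxos:
        totals[exposure(script_hex, spent_before)] += sats
    return dict(totals)

# Constructed wallet: filler bytes stand in for real keys and hashes.
SAMPLE_UTXOS = [
    ("21" + "02" + "11" * 32 + "ac", False, 5_000_000_000),  # P2PK
    ("76a914" + "22" * 20 + "88ac", True, 120_000),          # P2PKH, address reused
    ("76a914" + "33" * 20 + "88ac", False, 80_000),          # P2PKH, never spent from
    ("5120" + "44" * 32, False, 250_000),                    # P2TR
    ("0014" + "55" * 20, False, 40_000),                     # P2WPKH, never spent from
]

if __name__ == "__main__":
    for label, sats in sorted(summarize(SAMPLE_UTXOS).items()):
        print(f"{label:18} {sats:>13,} sat")
```

Outputs labelled `exposed-on-spend` are the ones that move to a different category the first time their address is spent from, which is why reuse matters for migration planning.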
Frequently asked questions
Did a quantum computer actually break Bitcoin?
No. On Apr. 24, Project Eleven awarded its Q-Day Prize to Giancarlo Lelli for deriving a 15-bit elliptic curve private key from its public key on a roughly 70-qubit quantum machine. Bitcoin uses a 256-bit elliptic curve, and no publicly known quantum computer can break real Bitcoin wallets today.
Why is a 15-bit key result still significant?
It is the largest public demonstration to date of the Shor's-algorithm attack class that targets the elliptic-curve discrete logarithm problem, the math behind Bitcoin's signature scheme. It is a 512x jump over Steve Tippeconnic's 6-bit September 2025 demo and was reviewed by an independent panel from the University…
How did Google's recent resource estimates change the picture?
On Mar. 31, Google published new ECDLP-256 estimates suggesting a cryptographically relevant quantum computer could run on fewer than 500,000 physical qubits, roughly a 20x reduction from prior estimates. Google and Cloudflare both now target 2029 for post-quantum migration, and the UK NCSC has set milestones at 2028,…
How much Bitcoin is currently exposed to a quantum attack?
Project Eleven's live tracker currently lists 6,934,064 BTC as quantum-vulnerable. Exposure is concentrated in older address types, reused addresses, partial spends, and any wallet that has already revealed its public key on-chain. Google's paper also flagged potential on-spend attacks against live mempool…
What is Bitcoin's governance doing about the quantum risk?
BIP 360 proposes a new output type that removes Taproot's quantum-vulnerable key-path spend, and BIP 361 proposes a phased sunset of legacy signatures. The proposals confirm that Bitcoin has entered the migration phase, but the harder open question is whether decentralized coordination can move fast enough to retire…
CryptoSlate