On April 24, Project Eleven awarded the Q-Day Prize to researcher Giancarlo Lelli, who used publicly accessible quantum hardware to derive a 15-bit elliptic curve private key from a public key.
This is the largest public demonstration yet of a class of attacks that could one day threaten Bitcoin, Ethereum, and all other systems secured by elliptic curve cryptography. The prize was 1 Bitcoin.
The irony is that a researcher obtained Bitcoin by breaking a miniature version of the mathematics that protects it.
a A 15-bit key is not as secure as Bitcoin’s 256-bit elliptic curve.and currently there is no publicly known quantum computer that can break a real Bitcoin wallet.
This result comes at a time when things are getting pretty serious, with Google reducing its ECDLP-256 resource estimates and setting a 2029 migration deadline in the same month.
What Leli actually did
Lelli used a variant of Scholl’s algorithm, a quantum algorithm targeted at the elliptic curve discrete logarithm problem, the mathematical basis of Bitcoin’s signature scheme, to recover private keys from public keys across a search space of 32,767.
The Q-Day prize competition challenged participants to crack the largest ECC key possible on a quantum computer without using any classical shortcuts or hybrid tricks.
Lelli’s 15-bit result was the best among participants to reach the deadline, and Project Eleven says it beats Steve Tippeconnic’s September 2025 6-bit demo by a factor of 512.
According to Project Eleven, Decrypt reports that the winning machine has approximately 70 qubits, and that an independent committee that included researchers from the University of Wisconsin-Madison and qBraid reviewed the submissions.
The appropriate frame for this result is a toy lock that was opened using the same set of methods that would one day threaten the safe. The locksmith has been improved and the safe is in storage for now.
| Claim | What the article supports | why is it important |
|---|---|---|
| Quantum computer breaks 15-bit ECC key | Project Eleven says Giancarlo Relli derived a 15-bit elliptic curve private key from a public key using publicly accessible quantum hardware. | Turning quantum threats into concrete public demonstrations rather than purely theoretical warnings |
| Bitcoin itself has not been hacked | The article clearly states that currently, no publicly known quantum computer can crack a real Bitcoin wallet. | This preserves the authenticity of the work and avoids exaggerating the results |
| As a result, the same attack family related to Bitcoin was used. | Lelli used a variant of Scholl’s algorithm for the elliptic curve discrete logarithm problem, which is the basis of Bitcoin’s signature scheme. | Connect toy demos to real crypto risks without claiming equivalence |
| The demonstration took place under restrictive rules | The Q-Day prize required entrants to crack the largest ECC key possible on a quantum computer without using classical shortcuts or hybrid tricks. | Reinforces the importance of the results as quantum benchmarks |
| Results are greater than previous public ECC demonstrations | Project Eleven described the 15-bit results as a 512x jump over Steve Tippeconnic’s September 2025 6-bit demo. | Shows progress on the public demonstration front |
| The gap with Bitcoin’s 256-bit security remains large | The article states that 15-bit keys are nowhere near Bitcoin’s 256-bit elliptic curve security. | This is the central warning the reader needs to correctly interpret the story |
| The hardware was still small by actual attack standards. | The winning machine reportedly had around 70 qubits. | The achievement emphasizes its significance as a milestone rather than proof that a full-scale attack is imminent. |
| The real story is directional, not catastrophic | Public demos have gotten bigger, resource estimates have been reduced, and migration deadlines have been set with concrete dates. | Threats remain in future tense, but timelines are becoming increasingly difficult to ignore |
The reason this demo is more important than it was six months ago is because of Google.
On March 31, Google announced new ECDLP-256 resource estimates for circuits using less than 1,200 logical qubits and 90 million Toffoli gates, or less than 1,450 logical qubits and 70 million Toffoli gates.
Google estimated that these circuits could run on quantum computers associated with superconducting cryptography with fewer than 500,000 physical qubits, about 20 times lower than previous estimates.
On March 25, Google set its own post-quantum cryptography transition goal for 2029, explicitly tying that deadline to advances in hardware, error correction, and resource estimation.
Cloudflare hit its 2029 goal on April 7, citing both the Google paper and Caltech/Oratomic preprint as reasons for the acceleration.
In that preprint, they claimed that a neutral atomic architecture could run Scholl’s algorithm at cryptographically relevant scales using just 10,000 reconfigurable atomic qubits.
QuTech noted in an April 9 comment that at 10,000 qubits, this architecture would still take nearly three years to crack a single ECC-256 key, while a more time-efficient 26,000 qubit configuration would bring execution time to about 10 days.
Both estimates rely on machines that don’t yet exist, and the Caltech/Oratomic study is an unreviewed preprint.
The useful takeaway from these numbers is that for some theoretical architectures, the long-term hardware requirements are much lower than what researchers envisioned a year ago.
Public demonstrations have become shorter, resource estimates have been reduced, and migration schedules now include specific dates.
Bitcoin wallet is already public
Project Eleven’s live tracker currently lists 6,934,064 BTC as vulnerable to quantum attacks.
This vulnerability means that quantum attacks are most dangerous when the public key is already visible on the chain, which occurs with old address types, reused addresses, and partial spends.
Some Bitcoin wallets have already exposed their public keys through previous transactions. Google’s March 31 paper makes the picture even clearer, pointing out that crypto-related quantum computers with fast clocks could enable on-spend attacks on public memory pool transactions, extending the risk from dormant old wallets to actual spending.
Bitcoin governance is starting to respond with BIP 360, which proposes a new output type that eliminates Taproot’s quantum-vulnerable key pass spending. BIP 361 proposes a phase-out of legacy signatures that will drive the transition of quantum-vulnerable outputs.
Their existence confirms that Bitcoin has entered a transition phase. The more difficult question going forward is whether decentralized networks can coordinate incentives, schedules, and handling of dormant and lost coins before urgency outweighs coordination.
Two paths forward
For bulls, migration becomes routine before the emergency arrives.
Google and Cloudflare’s 2029 goals reset expectations across the industry, wallet providers and exchanges move users away from long-exposure address patterns, and Bitcoin governance rallies around output changes before actual crypto-related quantum computers become a reality.
Q-Day remains in the future tense, and the most vulnerable BTC stock related to public keys being exposed will shrink as the hardware catches up.
In the case of bears, attack vectors continue to look more like engineering than science fiction, outpacing governance responses.
More public key destruction demonstrations arrive, architecture-specific estimates drop again, and the market begins to reprice vulnerable UTXOs and long-idle coins.
The damage in this scenario begins with diminished trust, governance conflicts, and hasty transition planning around the clock. Decentralized networks without a central authority that mandates deadlines face the most difficult version of that competition.
| scenario | what will change | What leaves you vulnerable | Market/governance impact |
|---|---|---|---|
| bull case | Migration is routinely done before emergencies arise. Wallet providers, exchanges and protocol developers begin to reduce public key exposure | Old address types, reused addresses, and some dormant wallets still pose a risk until fully migrated | Trust is maintained because the ecosystem treats quantum risk as an infrastructure upgrade rather than a crisis |
| bear case | Public key destruction demonstrations continue to improve and hardware/resource estimates continue to drop faster than governance adaptations | Public keys, long-idle coins, partial spends, and live spend transactions remain public for long periods of time. | Markets begin to reprice vulnerable UTXOs, governance conflicts intensify, transitions occur under pressure |
| The fastest way to reduce risk | Improved wallet health, reduced address reuse, reduced public key exposure, new output types, and phasing out legacy signatures | Coordination issues remain, especially regarding lost coins and slow user movement. | The network buys time and reduces the number of coins exposed to the public before cryptographically related quantum machines exist. |
| What is most urgent? | Large-scale public demonstrations, lower hardware estimates, faster clock architectures, and strong evidence that on-spend or memory pool attacks can become viable. | Wallets with public keys already visible will be more sensitive to future advances. | The discussion shifts from “Should I prepare?” “How fast can Bitcoin adjust?” |
| Important external deadlines | Google and Cloudflare are targeting 2029. UK NCSC sets milestones for 2028, 2031 and 2035 | Decentralized crypto networks cannot move as quickly as centralized companies by default | Bitcoin faces tougher migration competition as it relies on decentralized coordination rather than a single authority |
| final result | In the best case, Q-Day remains in the future tense long enough for migration to stay ahead of the threat. | In the worst case scenario, technological advances outpace social and governance responses. | The real risk lies not only in the ability to eventually break the lock, but in whether the ecosystem can adjust before urgency outweighs adjustment. |
The UK’s National Cyber Security Center has set transition milestones for 2028, 2031 and 2035. Google and Cloudflare are both targeting 2029.
The Ethereum Foundation says a global decentralized protocol transition will take years and needs to start before threats arrive.
Bitcoin’s quantum threat currently exists in public demonstrations, corporate migration calendars, and draft protocol proposals.
(Tag to translate) Bitcoin
