Researcher Wins Bitcoin Prize for Quantum Attack Breaking 15-bit Crypto Key
Project Eleven's Q-Day Prize marks largest public demonstration of Shor's algorithm on elliptic curve cryptography, as Google and Cloudflare set 2029 migration deadlines
Hızlı Bakış
- Giancarlo Lelli won one Bitcoin from Project Eleven's Q-Day Prize on Apr.
- 24 for deriving a 15-bit elliptic curve private key from its public key using publicly accessible quantum hardware — the largest demonstration of this attack class that could threaten Bitcoin and Ethereum.
- While a 15-bit key is nowhere near Bitcoin's 256-bit security, Google cut ECDLP-256 resource estimates 20-fold in March and set a 2029 migration deadline, with Cloudflare matching that target.
Yapay zekâ özeti
Neden Önemli?
Quantum computers running Shor's algorithm could theoretically break elliptic curve cryptography that secures Bitcoin and Ethereum. While current machines are far from breaking 256-bit keys, public demonstrations are advancing and resource estimates are falling.
On Apr. 24, Project Eleven awarded its Q-Day Prize to Giancarlo Lelli, a researcher who used publicly accessible quantum hardware to derive a 15-bit elliptic curve private key from its public key. This is the largest public demonstration to date of the attack class that could one day threaten Bitcoin, Ethereum, and every other system secured by elliptic curve cryptography. The prize was one Bitcoin. The irony is that a researcher won Bitcoin by breaking a miniature version of the math that protects Bitcoin. A 15-bit key is nowhere near the security of Bitcoin's 256-bit elliptic curve, and no publicly known quantum computer can break real Bitcoin wallets today. The result arrives at a moment when the surrounding context has gotten considerably more serious, with Google cutting its ECDLP-256 resource estimates and setting a 2029 migration deadline in the same month.
What Lelli actually did
Lelli used a variant of Shor's algorithm, a quantum algorithm targeting the elliptic-curve discrete logarithm problem, the mathematical foundation of Bitcoin's signature scheme, to recover a private key from a public key over a search space of 32,767. The Q-Day Prize competition asked entrants to break the largest possible ECC key on a quantum computer, with no classical shortcuts or hybrid tricks. Lelli's 15-bit result was the highest any entrant reached by the deadline, and Project Eleven described it as a 512x jump over Steve Tippeconnic's 6-bit September 2025 demonstration. The winning machine had roughly 70 qubits, per Decrypt's reporting, and an independent panel including researchers from the University of Wisconsin-Madison and qBraid reviewed the submission, according to Project Eleven. The right frame for this result is a toy lock picked using the same family of methods that would one day threaten the vault. The locksmiths improved, and the vault holds for now.
The context has gotten more serious
The reason this demo lands with more weight than it would have six months ago is Google. On Mar. 31, Google published new ECDLP-256 resource estimates for circuits using fewer than 1,200 logical qubits and 90 million Toffoli gates, or fewer than 1,450 logical qubits and 70 million Toffoli gates. Google estimated those circuits could execute on a superconducting cryptographically relevant quantum computer with fewer than 500,000 physical qubits, roughly a 20-fold reduction from prior estimates. On Mar. 25, Google set a 2029 target for its own post-quantum cryptography migration, tying the deadline explicitly to progress in hardware, error correction, and resource estimates. Cloudflare matched that 2029 target on Apr. 7, citing both the Google paper and a Caltech/Oratomic preprint as reasons for acceleration. That preprint argued that neutral-atom architectures could run Shor's algorithm at cryptographically relevant scales with as few as 10,000 reconfigurable atomic qubits. Commenting on Apr. 9, QuTech noted that at 10,000 qubits, the architecture would still require nearly three years to break a single ECC-256 key, while the more time-efficient 26,000-qubit configuration would bring the runtime to roughly 10 days. Both estimates depend on machines that do not yet exist, and the Caltech/Oratomic work is an unreviewed preprint. The useful takeaway from those numbers is that some theoretical architectures now place the long-term hardware requirement far below what researchers assumed a year ago. The clocks for public demonstrations are getting shorter, resource estimates are falling, and migration timelines now carry concrete dates.
Bitcoin wallets are already exposed
Project Eleven's live tracker currently lists 6,934,064 BTC as vulnerable to a quantum attack. The vulnerability is that quantum attacks are most dangerous when a public key is already visible on-chain, which happens with older address types, reused addresses, and partial spends. Some Bitcoin wallets have already exposed their public keys through prior transactions. Google's Mar. 31 paper sharpened that picture, noting that fast-clock cryptographically relevant quantum computers could enable on-spend attacks on public mempool transactions, extending the risk from dormant old wallets to live spending. Bitcoin's governance has begun to respond with BIP 360, which proposes a new output type removing Taproot's quantum-vulnerable key-path spend. BIP 361 proposes a phased sunset of legacy signatures that would push quantum-vulnerable outputs toward migration. Their existence confirms that Bitcoin has entered the migration phase. The harder problem ahead is if a decentralized network can align on incentives, timetables, and the treatment of dormant or lost coins before urgency outruns coordination.
Two paths forward
In the bull case, migration becomes routine before any emergency arrives. Google's and Cloudflare's 2029 targets reset expectations across the industry, wallet providers and exchanges push users away from long-exposure address patterns, and Bitcoin governance coalesces around output changes before any real cryptographically relevant quantum computer materializes. Q-Day stays future tense, and the most vulnerable stock of BTC tied to exposed public keys shrinks as hardware catches up.
In the bear case, the attack path keeps looking more like engineering than science fiction, outpacing governance's response. More public key break demonstrations arrive, architecture-specific estimates fall again, and the market starts repricing vulnerable UTXOs and long-idle coins. The damage in this scenario begins with the erosion of confidence, governance conflict, and rushed migration planning under the clock. A decentralized network with no central authority to mandate deadlines faces the hardest version of that race.
Key external deadlines
Google and Cloudflare target 2029; the UK's NCSC sets milestones at 2028, 2031, and 2035. Decentralized crypto networks cannot move as quickly as centralized firms by default. Bitcoin faces a harder version of the migration race because it depends on distributed coordination rather than a single authority.
Bottom-line consequence
In the best case, Q-Day stays future tense long enough for migration to get ahead of the threat. In the worst case, technical progress outpaces social and governance response. The real risk is not only eventual key-breaking power, but whether the ecosystem can align before urgency outruns coordination.
Bundan Sonra Ne Olabilir?
Yapay zekâ öngörüsü — kesinlik taşımaz
More public demonstrations of quantum ECC breaks will occur, with increasing key sizes
Çok muhtemel · Aylar içinde
BIP 360 and BIP 361 will face governance debates but eventually pass
Muhtemel · Aylar içinde
Migration deadline pressure will intensify as resource estimates fall
Muhtemel · Aylar içinde
Açık Sorular
- When will cryptographically relevant quantum computers actually exist?
- Can Bitcoin governance coordinate migration fast enough?
- What happens to lost coins with exposed public keys?
- Will neutral-atom architectures achieve 10,000 qubits as projected?






