Quantum security firm Project Eleven awarded its 1 Bitcoin Q-Day Prize, currently worth around $78,000, to independent Italian researcher Giancarlo Lelli for breaking a 15-bit elliptic curve cryptography key on publicly accessible quantum hardware. The result is the largest public demonstration to date of the attack class that threatens Bitcoin, Ethereum, and more than $2.5 trillion in ECC-secured digital assets. The 15-bit break is still far below Bitcoinโs 256-bit production keys, but the trend line is what matters here.
What Lelli Actually Did
Lelli derived a private key from its corresponding public key across a search space of 32,767 possible values, using a variant of Shorโs algorithm. Shorโs targets the Elliptic Curve Discrete Logarithm Problem, the mathematical foundation of the digital signature schemes that secure Bitcoin, Ethereum, and most blockchain assets.
The hardware was not exotic. Lelli ran the work on a publicly accessible cloud quantum computer, with no national lab, no private chip, and no classified resource. That is the part that has unsettled the post-quantum security community. The barrier to executing this class of attack is now low enough that an independent researcher with internet access and time can produce a meaningful result.
Project Eleven CEO Alex Pruden framed it directly: โThe resource requirements for this type of attack keep dropping, and the barrier to running it in practice is dropping with them. The winning submission came from an independent researcher working on cloud-accessible hardware. No national lab, no private chip.โ
Why a 15-Bit Break Matters When Bitcoin Uses 256-Bit
The natural pushback is that 15 bits and 256 bits are not even in the same conversation. Bitcoin wallets are protected by 256-bit elliptic curve cryptography, with a search space so large that no current computer, classical or quantum, can brute-force it. Project Eleven itself acknowledged that comparing the 15-bit demonstration to Bitcoinโs actual security level is mathematically misleading.
The relevance is not the absolute number. It is the rate of change. Quantum attacks on ECC have moved from theory to practice over the last seven months.
| Date | Key Size Broken | Search Space | Method |
|---|---|---|---|
| September 2025 | 6-bit ECC | 64 values | Quantum hardware |
| April 2026 | 15-bit ECC | 32,767 values | Variant of Shorโs algorithm |
| Bitcoin actual | 256-bit ECC | ~1.16 x 10^77 | Production cryptography |
The September 2025 break by Steve Tippeconnic was the first public quantum break of an ECC key on real hardware. Lelliโs result extends it by a factor of 512 in seven months. That is the trajectory that has the cryptography community paying attention, not the headline number.
Your Bitcoin Is Probably Safe. Satoshiโs 1.1 Million BTC Is Not.
Theoretical Estimates for a Full 256-Bit Attack Are Falling
The other half of the picture is the theoretical resource estimate. Googleโs April 2026 whitepaper put the requirement for breaking 256-bit ECC at under 500,000 physical qubits. A subsequent paper from Caltech and Oratomic brought that figure as low as 10,000 qubits under specific conditions.
These are still numbers that exceed what any current quantum computer can deliver. IBMโs roadmap targets large-qubit systems over the coming years, and other research groups are pursuing different architectures. The point is that the goalposts on the threat side are moving toward feasibility faster than the migration on the defense side is moving toward post-quantum cryptography.
The 6.9 Million Bitcoin Sitting in Exposed Wallets
Project Eleven has separately highlighted a specific concern: roughly 6.9 million bitcoin currently sit in addresses where the public key is already exposed on the blockchain. These include early-era pay-to-public-key outputs, reused addresses, and wallets where coins have been spent and then reused. Once a public key is on-chain, a sufficiently powerful quantum computer running Shorโs algorithm could derive the private key and move the funds.
That number is not a forecast of loss. It is a measure of attack surface. Modern Bitcoin wallets that follow best practices, in particular pay-to-public-key-hash and pay-to-witness-public-key-hash addresses, do not expose the public key until a transaction is signed. Coins that have never been spent from such an address remain protected even against a future quantum attacker, until the moment they move.
The Migration Conversation Is Already Happening
The post-quantum migration plans for major chains are no longer theoretical. Bitcoin developers are reviewing BIP-360, a proposal that would introduce post-quantum signature schemes alongside existing ECC-based ones. Ethereum, Tron, StarkWare, and Ripple have all signaled active work on quantum-resistant primitives, with various stages of research, prototyping, and standards work underway.
None of these efforts are on a timeline that would matter if a 256-bit break happened tomorrow. They are on a timeline that assumes years before practical Q-Day, with the migration happening in stages: standards selection first, then opt-in support, then mandatory upgrades, then long-term sunset of vulnerable address types. The Lelli result does not change that timeline directly. It compresses the margin for error.
What the Q-Day Prize Was Actually Designed to Test
The Q-Day Prize, launched in 2025, was specifically designed to address the most common criticism of quantum cryptography demonstrations: that current machines have only run trivial calculations, the most famous being the factoring of 21 into 3 and 7. By putting a public Bitcoin bounty on breaking a non-trivial ECC key on publicly accessible hardware, Project Eleven turned the question into something testable rather than rhetorical.
Lelliโs submission cleared that bar. A 15-bit elliptic curve problem with a 32,767 search space is not a trivial calculation, and the work was done on hardware anyone with a cloud account can use. The next bounties, if they happen, will likely target larger key sizes, and the gap between demonstration scale and production scale is the variable cryptocurrency holders should watch.
For now, no Bitcoin or Ethereum balance is at immediate risk from this result. What changed this week is the public benchmark for what an independent researcher can do with off-the-shelf quantum hardware, and the answer is now substantially more than it was seven months ago.
