The Q-Day Prize Bitcoin awarded yesterday is already being walked back. Not by Project Eleven, the company that handed out the bounty, but by Bitcoin developers who showed the same 15-bit key recovery works just as well without quantum hardware. The IBM circuit and Linuxโs random number generator produced statistically identical results. The quantum part, by their reading, did nothing.
Project Eleven CEO Alex Pruden has now responded, saying it was never meant to be Q-Day. The community notes flag and the cryptographer pushback came faster than the press releases.
What the developers actually did
Former Bitcoin Core maintainer Jonas Schnelli pulled apart the submission first. Researcher Giancarlo Lelli ran a two-register variant of Shorโs algorithm on IBMโs Heron r2 processors, totaling roughly 98,000 gates at around 99.5% per-gate fidelity. Schnelli looked at the raw outputs. They were indistinguishable from random coin flips. He then rewrote the entire key recovery in roughly 20 lines of pure Python, no quantum hardware involved, and got the same answer.
Yuval Adam confirmed it from a different angle. He swapped Lelliโs IBM backend for /dev/urandom, the standard Linux random number generator that anyone can run on a laptop, and recovered the target private key identically. The 15-bit elliptic curve has only 32,767 possible private keys. A classical filter that checks each candidate against the public key finds the right one through near-random sampling at high probability.
Coinkite founder Rodolfo Novak put it in plainer language. The private key is solved classically before the quantum circuit runs. The system is not finding anything. It is being told the answer.
Project Eleven called it incremental progress, not Q-Day
Prudenโs follow-up was direct about what the result actually demonstrates. Bottom line, his words, this is incremental progress in a noisy field. Not Q-Day. He acknowledged that NISQ-era experiments routinely depend on classical assistance, and argued the value lies in tracking resource reductions on accessible public hardware over time.
That is a defensible framing, except the press cycle around the prize did not read that way. Project Eleven, backed by Coinbase Ventures, Castle Island Ventures, Variant, and Balaji Srinivasan, created the bounty, judged it through three independent physicists, awarded it, and issued statements warning that 6.9 million BTC in exposed-key wallets face long-term risk. The company also sells post-quantum cryptography tools.
Critics flagged that loop. The same firm sets the test, scores the test, and warns about the threat its products are positioned to solve.
Why /dev/urandom matched the IBM result
The math behind the criticism is simple enough to write on a napkin. Fifteen bits gives a search space of 32,767 keys. A classical verifier loops through candidates, checks each one against the public key on the elliptic curve, and stops when it finds a match. With that small a search space, even pure random sampling lands on the answer quickly.
Bitcoin proponent Jimmy Song described the IBM machine in this experiment as performing the same function as /dev/urandom. The TFTC account noted in a widely shared thread that every public Shorโs-on-ECC demonstration to date has relied on classical pre-computation that effectively encodes the answer into the circuit before any quantum gate runs.
Here is the side-by-side that the cryptographer pushback produced.
| Metric | Lelliโs IBM Submission | Random Bits Replication |
|---|---|---|
| Hardware | IBM Heron r2 quantum | Linux /dev/urandom |
| Code length | ~98,000 quantum gates | ~20 lines of Python |
| Output distribution | Statistically random | Statistically random |
| Key recovered | Yes | Yes |
| Quantum advantage detected | None | Not applicable |
The 256-bit gap nobody is closing this year
Bitcoinโs actual production cryptography uses 256-bit secp256k1. The distance from 15 bits to 256 bits is a factor of 2 raised to the 241st power. That is not a number that contracts gracefully. Even Googleโs April 2026 paper, the most aggressive estimate to date, put a full 256-bit ECC break at under 500,000 physical qubits. Current quantum hardware is several orders of magnitude short of that.
Novak summarized the position the cryptographer side has held throughout. The quantum threat to Bitcoin is real, but distant. Todayโs demos are classical computations wearing quantum costumes.
What this means for the migration timeline
None of this changes what the developer side is already doing. BIP-360 is still in active discussion as a path toward post-quantum signatures. Ethereum, Tron, StarkWare, and Ripple are all working on quantum-resistant primitives at varying stages. The migration playbook does not depend on whether yesterdayโs IBM run cleared a real quantum bar or a theatrical one.
What it does change is the public benchmark. Quantum cryptography demonstrations now have to ship with a control test against random sampling. Pruden himself signaled the next bounty will likely target larger key sizes, where classical brute force stops working as a shortcut. Until then, the gap between demo scale and production scale remains the variable that matters.
For Bitcoin holders, the practical takeaway is the same as it was yesterday morning. Coins in modern address types where the public key has never touched the chain remain protected. Coins in pay-to-public-key outputs, including Satoshiโs roughly 1.1 million BTC, are still on the long-term exposure list. A 15-bit demo does not move that needle.
The needle moves when somebody runs a 30-bit attack and the random-bits control test fails to keep up.
