A researcher has used a public quantum computer to break a tiny elliptic-curve cryptography key, the same broad family of math used by Bitcoin. No, Bitcoin has

Quantum Computer Breaks Tiny Bitcoin-Style Key, and the Industry Should Stop Pretending This Is Just Sci-Fi

2026/04/25 07:55

A Small Demonstration With Large Implications

A quantum computer has broken a 15-bit elliptic-curve cryptography key, a simplified version of the kind of cryptographic system used to secure Bitcoin, Ethereum, and much of the digital asset economy.

The result was announced by quantum security firm Project Eleven, which awarded its one Bitcoin “Q-Day Prize” to independent researcher Giancarlo Lelli. Lelli used publicly accessible quantum hardware to derive a private key from a corresponding public key using a variant of Shor’s algorithm, the quantum algorithm long viewed as the eventual threat to public-key cryptography.

The result was announced by quantum security firm Project Eleven. Source: X

The important caveat is also the obvious one: Bitcoin has not been cracked. A 15-bit elliptic-curve key is nowhere close to Bitcoin’s 256-bit secp256k1 cryptography. The difference in scale is enormous. A 15-bit key has 32,768 possible values. A 256-bit key has roughly 1.16 × 10^77 possible values. Those two figures should not be put in the same sentence without a warning label.

Still, the result matters because it is a public demonstration of the attack class that would, at sufficient scale, threaten elliptic-curve signatures. Project Eleven described it as the largest public quantum attack on elliptic-curve cryptography to date, and said it represented a 512-fold jump from a previous six-bit demonstration in 2025.

“The resource requirements for this type of attack keep dropping, and the barrier to running it in practice is dropping with them,” said Alex Pruden, CEO of Project Eleven. “The winning submission came from an independent researcher working on cloud-accessible hardware. No national lab, no private chip.”

That is the part worth taking seriously. The experiment does not put Bitcoin funds at immediate risk. But it does show that quantum attacks on the underlying cryptographic family are no longer confined to whiteboards and conference panels. They are now being demonstrated, in miniature, on publicly available systems.

Bitcoin Is Not Broken, But Some Coins Are More Exposed Than Others

The quantum risk to Bitcoin is often misunderstood. The main concern is not mining, the proof-of-work system, or the historical ledger. The central issue is digital signatures.

Bitcoin ownership is proven through signatures. If an attacker could derive a private key from a public key, they could authorize a transaction as if they owned the coins. Classical computers cannot do that against Bitcoin’s current cryptography in any practical timeframe. A sufficiently powerful quantum computer running Shor’s algorithm theoretically could.

That distinction creates an important split in Bitcoin’s risk profile. Coins sitting in addresses where the public key has not yet been exposed are harder to target. Coins in addresses where the public key is already visible on-chain are more exposed to a future quantum attack. This includes old pay-to-public-key outputs, reused addresses, and other wallet behaviors that reveal public keys.
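The split described above can be turned into a wallet inventory check. The following is an added example, not code from the article or from any project it cites: it classifies output scripts by whether the public key is already on-chain, revealed by an earlier spend from the same script, or still hidden behind a hash. The function names, status labels, scripts and amounts are constructed for illustration, and the P2WPKH and Taproot cases go beyond the output types the article names.

```python
# Added example; all scripts and amounts below are constructed, not real chain data.

def classify(script_hex):
    """Return the output type of a scriptPubKey given as hex."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG, raw public key in the output
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC and s[1] in (2, 3, 4):
        return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    # P2WPKH: OP_0 <20-byte hash>
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"
    # P2TR: OP_1 <32-byte x-only output key>, the key itself is in the output
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr"
    return "other"

def assess(utxos, spent_scripts):
    """Label each (name, script_hex, sats) UTXO and total sats per status.

    spent_scripts: scripts already spent from at least once, meaning the
    public key behind a hashed output was revealed in that earlier input.
    """
    report, totals = [], {}
    for name, script, sats in utxos:
        kind = classify(script)
        if kind in ("p2pk", "p2tr"):
            status = "key-on-chain"
        elif kind in ("p2pkh", "p2wpkh"):
            status = "key-revealed-by-reuse" if script in spent_scripts else "key-hashed"
        else:
            status = "needs-review"  # P2SH, P2WSH, multisig etc. need script-level analysis
        report.append((name, kind, status))
        totals[status] = totals.get(status, 0) + sats
    return report, totals

# Constructed sample wallet (placeholder key and hash bytes)
P2PK = "21" + "02" + "11" * 32 + "ac"
P2PKH_REUSED = "76a914" + "22" * 20 + "88ac"
P2WPKH_FRESH = "0014" + "33" * 20
P2TR = "5120" + "44" * 32
UTXOS = [("legacy-coinbase", P2PK, 5_000_000_000), ("donation-addr", P2PKH_REUSED, 120_000),
         ("cold-1", P2WPKH_FRESH, 75_000_000), ("taproot-1", P2TR, 1_000_000)]

if __name__ == "__main__":
    report, totals = assess(UTXOS, spent_scripts={P2PKH_REUSED})
    for row in report:
        print(*row)
    print(totals)
```

In practice the `spent_scripts` set would come from the wallet's own transaction history or an indexer; outputs labelled `key-revealed-by-reuse` are the ones that address-reuse hygiene would have kept in the `key-hashed` bucket.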

A recent Coinbase Quantum Advisory Council paper estimated that about 6.9 million BTC fall into this more exposed category. With Bitcoin trading near $77,500, that implies more than $530 billion of BTC sitting in addresses that could become relevant in a future quantum threat model.

That number should not be read as “$530 billion is about to be stolen.” It should be read as a map of where the long-term exposure is concentrated. The immediate risk remains low because today’s quantum computers are not powerful or reliable enough to break Bitcoin’s 256-bit elliptic-curve signatures. But the exposed-address problem is real, measurable, and not evenly distributed across the network.

Brave New Coin has previously covered this distinction in Bitcoin Faces Long-Term Quantum Threat as Researchers Push Post-Quantum Upgrades, noting that the risk is less about whether Bitcoin can adapt technically and more about whether a decentralized network can coordinate a migration in time.

Google’s Research Has Made the Timeline Less Comfortable

The Project Eleven result also arrives after a more consequential warning from Google’s Quantum AI team. In March, Google researchers published a paper on securing elliptic-curve cryptocurrencies against quantum vulnerabilities, arguing that future quantum computers may require fewer resources than previously estimated to attack the elliptic-curve cryptography used in major blockchains.

The paper estimated that an attack on 256-bit elliptic-curve cryptography over secp256k1 could be run with fewer than half a million physical qubits under certain assumptions involving superconducting architectures, physical error rates, and planar connectivity. That remains far beyond today’s public quantum hardware. But it moves the discussion away from vague “someday” language and toward concrete resource estimates.

Google also said it had validated sensitive results using a zero-knowledge proof without disclosing full attack circuits. That detail matters. It signals that top-tier researchers are beginning to treat cryptocurrency quantum risk less like abstract speculation and more like a security disclosure problem.

The wider cybersecurity world has already started to move. The U.S. National Institute of Standards and Technology finalized its first post-quantum cryptography standards in 2024, including ML-KEM, ML-DSA and SLH-DSA. NIST has said those standards are ready for implementation. Governments and large enterprises are now mapping migration timelines because cryptographic transitions take years, not months.

Crypto should pay attention. The industry is good at moving fast when a new token narrative appears. It is less consistent when the work involves slow, technical infrastructure upgrades with no immediate marketing payoff.

The Hard Part Is Not the Math

Bitcoin can almost certainly be made more quantum resistant. Post-quantum signature schemes exist. Researchers are already studying ways to introduce quantum-resistant address formats, new signature opcodes, and phased migration paths.

The difficult question is governance. Bitcoin is deliberately hard to change. That conservatism is one of its strengths. It prevents reckless experimentation and protects the credibility of the monetary system. But it also means that major cryptographic upgrades require long lead times, broad consensus, extensive review, and careful activation.

That creates a mismatch. Quantum hardware progress may be nonlinear. Bitcoin governance is intentionally slow. If the network waits until the threat is clearly visible, it may find that the available response window has narrowed.

The most difficult issue may involve dormant or lost coins. If some coins remain in exposed public-key addresses and never migrate, what should the network do? Leave them alone and accept the possibility that a future quantum attacker could take them? Encourage voluntary migration and accept the residual risk? Consider protocol-level restrictions on vulnerable outputs? Each option carries trade-offs, and none will be politically easy.

This is why the quantum debate should not be reduced to a binary argument over whether Bitcoin is safe today. It is safe today. That is not the same as being prepared. The credible position is that Bitcoin has time, but time is only useful if it is spent well.

Ethereum and Other Chains Face Similar Questions

Bitcoin is not alone. Ethereum also relies on elliptic-curve cryptography, and proof-of-stake networks introduce additional exposure through validator signatures. The Coinbase paper noted that proof-of-stake chains have specific risks tied to the signature schemes validators use to secure networks.

Ethereum may have an easier path in some respects because its governance culture is more accepting of protocol change. The Ethereum Foundation has already placed post-quantum security higher on its research agenda, a shift Brave New Coin covered in Ethereum Goes All-In on Post-Quantum Security. That does not make Ethereum immune. It simply means the social process around upgrades is different.

Bitcoin’s upgrade culture is more conservative, and for good reason. But the same conservatism that protects Bitcoin from unnecessary change can also make necessary change slower. That is the trade-off. It should be discussed plainly rather than hidden under slogans.

For exchanges, custodians, wallet providers, miners, developers, and long-term holders, the practical agenda is becoming clearer. Identify exposed public-key holdings. Reduce address reuse. Improve wallet hygiene. Test post-quantum signature schemes. Model the impact of larger signatures on transaction size, fees, and block space. Begin the governance conversation before urgency removes the luxury of careful design.

None of this requires panic. It does require seriousness.

The Signal Is Getting Harder to Ignore

The 15-bit quantum demonstration is not a direct threat to Bitcoin’s cryptography. Anyone presenting it that way is overstating the result. But dismissing it entirely would be just as unserious.

Security risks usually become dangerous long before they become urgent. The early signs are technical, incremental, and easy to ignore. A small key is broken. Resource estimates fall. Cloud-accessible hardware improves. Standards bodies begin migration work. Large technology companies start publishing guarded warnings. Each individual development can be explained away. Together, they form a trend.

Bitcoin’s value proposition rests partly on the idea that it can survive for decades. That means it has to take decade-scale risks seriously. Post-quantum planning is not an attack on Bitcoin. It is part of keeping Bitcoin credible.

The right conclusion from Lelli’s result is not that Bitcoin is broken. It is that the industry has been given another reminder that cryptography has a shelf life, and that migration planning is easier before the deadline is visible.
