Who Is Giancarlo Lelli and How One Researcher Just Proved Quantum Computers Can Break Bitcoin's Encryption

On April 24, 2026, an independent Italian researcher named Giancarlo Lelli broke a 15-bit elliptic curve key on a publicly accessible quantum computer, winning the 1 BTC Q-Day Prize from Project Eleven. The result is the largest public demonstration of the attack class that could one day threaten Bitcoin, Ethereum, and every blockchain that relies on elliptic curve cryptography. Seven months earlier, the record was a 6-bit key, which means Lelli's result represents a 512x jump in complexity.

The gap between 15 bits and the 256 bits that protect real Bitcoin wallets is still enormous. But the speed of progress, combined with Google's March 2026 research showing a full break could require fewer than 500,000 physical qubits, has shifted the conversation from "if" to "when" and forced the Bitcoin developer community to respond with concrete migration plans.

What Giancarlo Lelli Actually Did

Lelli used a variant of Shor's algorithm to derive a private key from its corresponding public key across a search space of 32,767 possible values. He ran this on a cloud-accessible quantum device with roughly 70 qubits, without a national laboratory, proprietary chip, or institutional funding behind him. The hardware he used is publicly available and anyone with the right knowledge can rent time on it.

The target was the Elliptic Curve Discrete Logarithm Problem (ECDLP), which is the exact mathematical foundation that secures Bitcoin's public and private key pairs. When you send Bitcoin, your wallet signs the transaction with a private key that corresponds to your public key. The security assumption is that no computer can reverse-engineer the private key from the public one. Lelli proved that a quantum computer can do exactly that, at a small scale, on hardware you can access from a laptop.

Think of it like this. Classical computers trying to reverse a public key into a private key is like trying every combination on a lock one by one. A quantum computer running Shor's algorithm can test many combinations simultaneously through quantum superposition, which is why it can solve the problem exponentially faster. At 15 bits, the lock has 32,767 combinations. At 256 bits, it has more combinations than there are atoms in the observable universe.

When asked about his motivation, Lelli told Decrypt he joined "out of a mix of wanting to challenge myself by diving into a topic for a whole year, and pure passion for technology and innovation." The fact that an independent researcher working alone, using nothing more than rented cloud hardware, could achieve this on a personal timeline and a personal budget matters as much as the technical result itself.

What Is Project Eleven and the Q-Day Prize

Project Eleven is a company building post-quantum security infrastructure for Bitcoin and the broader crypto ecosystem. It raised $6 million in mid-2025 specifically to defend against the quantum threat.

The Q-Day Prize was their public bounty. One Bitcoin to the first person who could break the largest possible elliptic curve key on real quantum hardware. The concept of "Q-Day" itself refers to the moment when quantum computers become powerful enough to break the cryptography protecting Bitcoin wallets. Project Eleven wanted to measure how close that moment actually is by offering a financial incentive for researchers to push the boundary publicly rather than behind closed doors.

Before Lelli's win, the record belonged to Steve Tippeconnic, who broke a 6-bit key on IBM's 133-qubit quantum computer in September 2025. That was notable as the first public demonstration, but a 6-bit key has only 64 possible values. Lelli's 15-bit result covers 32,767 possible values, a 512x jump in seven months.

Project Eleven is also launching Yellowpages, a post-quantum cryptographic registry where users can generate hybrid key pairs and create proofs linking them to their existing BTC addresses. The goal is to give Bitcoin holders a migration path before it becomes urgent.

Why 15 Bits Is Not 256 Bits, But the Trend Matters

Bitcoin uses 256-bit elliptic curve cryptography, and Lelli broke 15 bits. The honest answer is that 15 bits is not remotely close to threatening real wallets. A 256-bit key has a search space so large that writing out the number takes 77 digits, and the distance is not linear because every additional bit doubles the difficulty.

But the trajectory is what has researchers paying attention. In September 2025, the record was 6 bits, and by April 2026 it reached 15 bits. The constraint is no longer fundamental physics but rather an engineering challenge, since current quantum computers max out around 1,100 physical qubits. A full 256-bit break would require roughly 500,000 physical qubits according to Google Quantum AI's March 2026 whitepaper, which also showed a 20-fold reduction from previous estimates.

A subsequent paper from Caltech and Oratomic suggested the number could drop as low as 10,000 qubits using neutral-atom architecture. If that research holds up, the timeline compresses dramatically. The Quantum Insider reported that three papers in three months have collectively rewritten the threat timeline.

How Many Bitcoin Are Actually at Risk

Not all Bitcoin wallets are equally exposed, and the vulnerability comes down to one question. Is your public key visible on the blockchain? Roughly 6.9 million BTC sit in wallets where the public key has already been exposed on-chain, either through older address formats or through the act of spending from an address. At current prices, that represents about $650 billion in potentially vulnerable coins.

Modern Bitcoin addresses using Pay-to-Taproot (P2TR) or Pay-to-Witness-Public-Key-Hash (P2WPKH) do not expose the public key until you spend from them. But once you sign a transaction, the public key becomes visible. Google's whitepaper warned that quantum attacks could theoretically hijack an in-flight Bitcoin transaction in about nine minutes, potentially beating confirmation roughly 41% of the time.

The practical takeaway for holders is straightforward. If you are holding BTC in an address you have already spent from, your public key is on-chain and theoretically vulnerable to a future quantum attacker. If you have never spent from the address, the public key remains hidden behind a hash, adding an extra layer of protection.

This vulnerability extends well beyond Bitcoin. Every blockchain that uses ECDSA or similar elliptic curve signature schemes faces the same vulnerability, including Ethereum, Solana, and most Layer-1 networks. Ethereum has outlined its own post-quantum research roadmap, Ripple has published quantum migration plans, and zero-knowledge proof systems like those used by StarkNet are already quantum-resistant by design. But Bitcoin, as the largest store of value in crypto with the most conservative upgrade process, faces the hardest migration challenge.

BIP-360 and Bitcoin's Post-Quantum Migration Plan

Bitcoin developers are not waiting for Q-Day to arrive. BIP-360, introduced in February 2026, proposes a new output type called Pay-to-Merkle-Root (P2MR). Unlike current address types, P2MR never exposes the public key, even when spending. The quantum attack surface disappears entirely for any coins held in P2MR addresses.

BTQ Technologies implemented BIP-360 on testnet in March 2026, with full P2MR consensus, SegWit version 2 outputs, and complete wallet support for creating, funding, signing, and spending P2MR transactions.

The companion proposal, BIP-361, goes further. It establishes a phased migration timeline where Bitcoin holders must move their coins to quantum-resistant addresses. Coins that do not migrate would eventually be frozen. This is the controversial part. CoinDesk reported that the proposal forces the network to choose between frozen coins and stolen coins, since dormant wallets (including Satoshi's estimated 1.1 million BTC) cannot voluntarily migrate.

And this is where the debate gets real. Freezing coins violates Bitcoin's core principle that your keys mean your coins. But allowing quantum-vulnerable coins to remain spendable means a future attacker with a sufficiently powerful quantum computer could drain them overnight. The community has no consensus yet, and Lelli's result just added urgency to a conversation that many assumed they had another decade to resolve. The fact that progress jumped 512x in seven months makes the "we have plenty of time" argument harder to defend.

Frequently Asked Questions

Can quantum computers break Bitcoin right now?

No. The largest key broken on quantum hardware is 15 bits. Bitcoin uses 256-bit keys. Current quantum computers have roughly 1,100 qubits, while a full break is estimated to require 500,000 or more. The threat is real but most experts place a practical attack at least a decade away.

Who is Giancarlo Lelli?

Lelli is an independent Italian researcher who won Project Eleven's 1 BTC Q-Day Prize on April 24, 2026, by breaking a 15-bit elliptic curve key on a publicly accessible quantum computer. He spent a year working on the problem and used cloud-based quantum hardware anyone can rent.

What is BIP-360 and how does it protect Bitcoin from quantum attacks?

BIP-360 introduces Pay-to-Merkle-Root (P2MR) addresses that never expose public keys, even during spending. This eliminates the quantum attack surface entirely for new transactions. It is already running on Bitcoin's testnet as of March 2026.

How many Bitcoin are vulnerable to quantum computing?

Roughly 6.9 million BTC have exposed public keys on-chain, making them theoretically vulnerable if quantum computers reach sufficient power. Coins in addresses that have never been spent from are safer because only a hash of the public key is visible, not the key itself.

Bottom Line

Giancarlo Lelli's 15-bit break is a proof of concept, not a crisis. But the pace of progress, from 6 bits to 15 bits in seven months, combined with Google's research showing a 20-fold reduction in the estimated resources needed for a full break, means the Bitcoin community cannot afford to treat quantum resistance as a future problem. BIP-360 is already on testnet and the migration debate is already live, with the 6.9 million BTC holding exposed public keys representing the most concrete deadline. If you hold BTC in older address formats or addresses you have spent from, watching the BIP-360/361 proposals is no longer optional. The researchers are moving faster than most people expected, and the defense needs to move faster still.

This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency trading involves substantial risk. Always conduct your own research before making trading decisions.