
On April 24, 2026, an independent researcher named Giancarlo Lelli derived a private key from a public key on a 15-bit elliptic curve using cloud-accessible quantum hardware. He used a variant of Shor's algorithm, and it worked. Project Eleven, a quantum security research organization, awarded him their Q-Day Prize of 1 Bitcoin for executing the largest public quantum attack on the cryptography that protects Bitcoin, Ethereum, and virtually every major blockchain.
A 15-bit key is nowhere near the 256-bit keys that protect real wallets, and Bitcoin is not broken. But the gap between what quantum computers can crack today and what they need to crack to threaten real wallets is shrinking faster than most people in crypto realize, and three research papers published in the first quarter of 2026 are the reason the timeline just changed.
What Lelli Actually Did and Why It Matters
The attack targeted the Elliptic Curve Discrete Logarithm Problem, or ECDLP. This is the mathematical relationship that makes it possible to generate a public key from a private key but computationally infeasible to reverse the process using classical computers. Every time you send Bitcoin, your wallet signs the transaction with your private key and broadcasts the corresponding public key. If someone can solve ECDLP for your public key, they have your private key and they have your coins.
Lelli's 15-bit break covered a search space of 32,767 possible values. That sounds tiny compared to the 2^256 space protecting real Bitcoin keys, and it is. But context matters here. The previous public record was a 6-bit break by Steve Tippeconnic in September 2025, which covered a search space of just 64. Lelli's result is a 512x jump in a single step, accomplished on publicly available cloud quantum hardware rather than a proprietary lab system.
The significance is not in the key size but in the trajectory of how fast these capabilities are advancing. Quantum researchers working on ECDLP have gone from theoretical papers to working demonstrations on accessible hardware, and they did it in less than a year.
How Far Is 15 Bits from 256 Bits
The honest answer is that 15 bits and 256 bits are separated by a gap so enormous that no quantum computer in existence today can cross it. A 256-bit elliptic curve key has roughly 10^77 possible values. Current quantum processors top out around 1,000 to 1,500 qubits, most of which are too noisy for sustained cryptographic computation. Breaking a real Bitcoin key requires far more qubits and dramatically higher-quality qubits running with error correction rates that do not exist yet.
But here is where the conversation shifted in early 2026. Three separate research papers drastically lowered the estimated resources needed for a full 256-bit ECDLP attack.
Google Quantum AI published a 57-page whitepaper in March 2026 showing that two optimized quantum circuits could solve ECDLP-256 using fewer than 1,200 to 1,450 logical qubits and between 70 and 90 million Toffoli gates. Translated into physical hardware on a superconducting architecture with surface-code error correction, that comes to fewer than 500,000 physical qubits. The previous best estimate was roughly 10 million. Google cut that number by a factor of 20.
A follow-up paper from Caltech and Oratomic went further, estimating that a neutral-atom quantum architecture could accomplish the same attack with as few as 10,000 physical qubits. That architecture is still experimental, but neutral-atom platforms are exactly where companies like QuEra and Pasqal are focusing billions of dollars in development funding.
The shift from "we need 10 million qubits" to "we might need 10,000" happened in the span of three months. Researchers at Project Eleven described this trajectory in blunt terms. Closing the gap between 15 bits and 256 bits is increasingly viewed as an engineering problem, not a fundamental physics problem.
Which Bitcoin Is Actually Vulnerable
Not all Bitcoin addresses face the same risk. The quantum threat specifically targets addresses where the public key is already visible on the blockchain.
When you receive Bitcoin to an address and never spend from it, only the hash of your public key is exposed. Hashing provides an additional layer of protection because even a working ECDLP attack cannot reverse a hash. Your coins are safe as long as the public key stays hidden. But the moment you spend from an address, your full public key gets broadcast to the network as part of the transaction signature. Any address that has ever sent a transaction has an exposed public key sitting permanently on the blockchain.
Project Eleven estimates that roughly 6.9 million BTC sit in addresses with visible public keys. That is about one-third of the total Bitcoin supply, worth over $550 billion at current prices. It includes Satoshi Nakamoto's estimated 1.1 million BTC from the earliest mining days, when the original Pay-to-Public-Key format was standard and public keys were broadcast by default.
The practical takeaway for individual holders is straightforward. If you use a modern wallet and rotate addresses so that you never reuse a spent address, your exposure to a quantum attack is significantly lower than someone holding coins in a legacy address from 2010.
| Address Type | Public Key Exposed? | Quantum Risk |
|---|---|---|
| Never spent from (hash only) | No | Low until hash is also broken |
| Spent from at least once | Yes | High if ECDLP is solved |
| Pay-to-Public-Key (early BTC) | Yes by default | High |
| Taproot (P2TR) | Key visible in keypath | Moderate |
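A holder or custodian can apply the table to their own outputs by inspecting each scriptPubKey. The sketch below is an added example, not code from Project Eleven or any wallet; the sample outputs are constructed, and the `address_spent_before` flag is an assumption the caller must supply from their own transaction history.

```python
# Risk labels follow the table above; all sample data is constructed.
HASH_ONLY = {"P2PKH", "P2SH", "P2WPKH", "P2WSH"}

def script_type(spk_hex):
    """Identify a standard output type from its scriptPubKey bytes."""
    s = bytes.fromhex(spk_hex)
    n = len(s)
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "P2PK"                      # <pubkey> OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "P2PKH"
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "P2SH"
    if n == 22 and s[:2] == b"\x00\x14":
        return "P2WPKH"
    if n == 34 and s[:2] == b"\x00\x20":
        return "P2WSH"
    if n == 34 and s[:2] == b"\x51\x20":
        return "P2TR"                      # OP_1 <32-byte output key>
    return "unknown"

def quantum_risk(spk_hex, address_spent_before):
    """Map an output to the table's (public key exposed?, risk) pair."""
    kind = script_type(spk_hex)
    if kind == "P2PK":
        return True, "High"                # key is in the output itself
    if kind == "P2TR":
        return True, "Moderate"            # label taken from the table
    if kind in HASH_ONLY:
        return (True, "High") if address_spent_before else (False, "Low")
    return None, "Unknown"

def exposure_report(utxos):
    """Sum satoshis per risk label for (scriptPubKey, reused, value) rows."""
    totals = {}
    for spk, reused, sats in utxos:
        risk = quantum_risk(spk, reused)[1]
        totals[risk] = totals.get(risk, 0) + sats
    return totals

SAMPLE_UTXOS = [  # constructed, not real outputs
    ("41" + "04" + "11" * 64 + "ac", False, 5_000_000_000),  # early P2PK
    ("76a914" + "22" * 20 + "88ac", False, 150_000),         # fresh P2PKH
    ("76a914" + "33" * 20 + "88ac", True, 75_000),           # reused P2PKH
    ("0014" + "44" * 20, False, 20_000),                     # fresh P2WPKH
    ("5120" + "55" * 32, False, 10_000),                     # Taproot
]
```

Calling `exposure_report(SAMPLE_UTXOS)` groups the balance by risk label, which shows how much value sits behind an already-visible public key and would need to move first in a migration.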
What Bitcoin Developers Are Building to Defend Against This
The Bitcoin developer community has not been sitting idle. BIP-360, formally titled Pay-to-Merkle-Root (P2MR), proposes a new transaction output type that functions similarly to Taproot but strips out the quantum-vulnerable keypath spend entirely. Under BIP-360, signing a transaction would use a post-quantum cryptographic scheme instead of the elliptic curve math that Lelli just cracked at small scale. BTQ Technologies moved BIP-360 into testnet implementation in early 2026.
Building on that foundation, BIP-361 was published in Bitcoin's official repository on April 14, 2026. Titled "Post Quantum Migration and Legacy Signature Sunset," BIP-361 lays out a migration plan with a hard deadline. After a defined grace period, spending from legacy ECDSA-based addresses would become invalid on the network. Coins that are not moved to quantum-resistant addresses within the window would effectively be frozen.
That last part is where the debate gets heated. Freezing legacy coins means Satoshi's estimated 1.1 million BTC and every other dormant wallet with an exposed public key would become permanently unspendable if the owner does not act. Some developers argue that protecting the network is worth the cost. Others argue that freezing coins sets a precedent that undermines Bitcoin's property-rights guarantee. There is no consensus yet, and this will likely be one of the most contested governance decisions in Bitcoin's history.
Google suggested a 2029 target for industry-wide migration to post-quantum cryptographic standards, which gives Bitcoin roughly three years to ship, test, and activate a soft fork that changes the signature scheme used by every wallet on the network. That is an aggressive timeline for a protocol that took four years to activate Taproot.
What This Means for Ethereum and Other Chains
Bitcoin gets the headlines, but the quantum threat applies equally to Ethereum and every blockchain using ECDSA or similar elliptic curve signature schemes. Ethereum's account model actually makes the problem worse in one specific way. Every Ethereum address that has ever sent a transaction has its public key permanently exposed, and unlike Bitcoin, Ethereum accounts are typically reused rather than rotated. The percentage of ETH in quantum-vulnerable addresses is likely higher than Bitcoin's one-third estimate.
Ethereum's roadmap does include a post-quantum migration under Vitalik Buterin's long-term "Splurge" upgrade category, but no specific EIP with a timeline has been finalized. The Ethereum Foundation's research team has published exploratory work on lattice-based signature schemes, but implementation is years away.
Smaller chains face an even harder problem. A chain like Solana or Avalanche that relies on ECDSA or EdDSA for wallet signatures faces the same fundamental vulnerability but may have less developer bandwidth to execute a migration. The irony is that the chains marketing themselves as the fastest and most modern are built on the same 1990s-era cryptographic assumptions that Lelli just demonstrated can be attacked on real quantum hardware.
Frequently Asked Questions
Can a quantum computer steal my Bitcoin right now?
No. The 15-bit key Lelli broke is roughly 10^72 times smaller than the 256-bit keys protecting real Bitcoin wallets. No publicly known quantum computer has anywhere near the qubit count or error correction capability needed to attack production keys. The threat is real but not imminent.
How many qubits would it take to break Bitcoin's encryption?
Google's March 2026 whitepaper estimated fewer than 500,000 physical qubits using superconducting architecture with surface-code error correction. A Caltech and Oratomic paper brought that figure down to potentially 10,000 qubits on a neutral-atom platform. Current quantum computers max out around 1,000 to 1,500 qubits, so a significant engineering gap remains.
What is BIP-360 and will it protect Bitcoin from quantum attacks?
BIP-360 introduces a new output type called Pay-to-Merkle-Root that removes the quantum-vulnerable elliptic curve keypath from Bitcoin transactions. It moved into testnet in early 2026, and BIP-361 builds on it with a migration timeline that would eventually freeze legacy addresses. If activated, these proposals would make Bitcoin quantum-resistant, but the upgrade requires a soft fork and broad community agreement.
Should I move my Bitcoin to a new address to protect it?
If your coins sit in an address you have never spent from, the public key is not exposed and the quantum risk is lower. If you have spent from an address, the public key is permanently on-chain. Using a modern wallet that generates a fresh address for each transaction is a reasonable precaution, though no quantum computer can exploit this vulnerability today.
Bottom Line
The 15-bit ECC break is not a crisis for Bitcoin. It is a proof of concept that moves the quantum threat from abstract to concrete. The resource estimates for a full 256-bit attack dropped 20x in a single quarter of 2026, and the trajectory suggests further reductions as quantum hardware improves and algorithms get optimized. Bitcoin developers have BIP-360 and BIP-361 in the pipeline, but activating a signature-scheme change across the entire network before quantum hardware catches up is a race against an opponent whose speed keeps increasing. The 6.9 million BTC in addresses with exposed public keys represent the most tangible risk, and holders who want to be ahead of the curve should be watching the BIP-361 governance debate closely. Three years to migrate an entire monetary network to new cryptography is not a lot of time, and the clock started in March.






