Quantum Breaks 15-Bit Key. BTC Uses 256.


Technology·By Bitcoin Gate Team

The Gap Is Still Enormous — But It Just Got Smaller

On April 24, independent researcher Giancarlo Lelli broke a 15-bit elliptic curve cryptography key on a publicly accessible IBM quantum computer — and collected a 1 BTC bounty from Project Eleven for doing it.

It's the largest public demonstration of a quantum attack on the same family of math that secures every Bitcoin transaction. And yet, Bitcoin developers quickly pointed out that random noise produces a statistically equivalent result.

Both things are true. That tension is the story.

What Lelli Actually Did

Lelli implemented a two-register variant of Shor's algorithm — the quantum algorithm that theoretically breaks the elliptic curve discrete logarithm problem underlying Bitcoin's secp256k1 signature scheme.

He ran the attack across multiple IBM Heron r2 processors, including ibm_torino and ibm_fez, targeting elliptic curves structurally identical to those used in Bitcoin but scaled down to just 15 bits.

Project Eleven called it a 512-fold increase in search-space complexity over the prior record: a 6-bit ECC key broken by engineer Steve Tippeconnic on IBM hardware in September 2025.

For context, Bitcoin uses 256-bit keys. The jump from 15 bits to 256 bits enlarges the key search space by a factor of 2^241, a number so large it has 73 digits.

Why Bitcoin Developers Are Unimpressed

The immediate pushback from the Bitcoin development community was pointed: Lelli's output is statistically indistinguishable from random bits.

On noisy intermediate-scale quantum (NISQ) hardware, error rates are so high that the signal from an actual quantum computation gets buried in noise. The "answer" the quantum computer produced may not reflect genuine quantum advantage — it could be an artifact of hardware noise that happened to match the correct key.

This is a known problem in quantum computing research. Demonstrating that a quantum circuit was loaded and executed is not the same as demonstrating that quantum mechanics actually solved the problem faster than a classical brute-force search would have.

For a 15-bit key, classical computers can find the answer in microseconds. The quantum demonstration is meaningful only as a proof-of-concept stepping stone — not as evidence that quantum computers are close to threatening real cryptographic keys.
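To make the two claims above concrete, here is an added example (not code from Lelli, Project Eleven or the Bitcoin developers): a classical exhaustive search on a 15-bit-scale curve, and the chance that pure noise still lands on the right key. The toy curve over the prime 32771, the secret 12345, and the noise model (each shot yields one uniformly random candidate that is then checked classically) are assumptions made for illustration.

```python
import math

# Constructed toy curve y^2 = x^3 + 7 (secp256k1's equation shape) over the
# prime 32771 = 2^15 + 3. Assumption: this is NOT the curve from the experiment.
P, A, B = 32771, 0, 7

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def find_point():
    """First curve point with y != 0 (P % 4 == 3, so a square root is one pow)."""
    for x in range(1, P):
        rhs = (x**3 + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y and y * y % P == rhs:
            return (x, y)

def brute_force_dlog(G, Q):
    """Classical exhaustive search for d with d*G == Q (Q must be a multiple of G)."""
    d, cur = 0, None
    while cur != Q:
        cur, d = add(cur, G), d + 1
    return d

def noise_hit_probability(bits, shots):
    """Chance that `shots` uniformly random candidates contain a `bits`-bit key."""
    return -math.expm1(shots * math.log1p(-(2.0 ** -bits)))
```

With 2**15 noisy shots (a constructed figure, not one reported for the experiment), `noise_hit_probability(15, 2**15)` is about 0.63, while the same shot count against a 256-bit key gives about 3e-73. That is why a correct answer at 15 bits says little about whether the quantum circuit did the work.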

The Numbers That Actually Matter

The real question isn't whether today's quantum computers threaten Bitcoin. They don't. The question is how quickly the gap is closing.

Recent estimates on what it would take to break Bitcoin's 256-bit secp256k1:

  • Google (April 2026 whitepaper): Fewer than 500,000 physical qubits
  • Caltech/Oratomic: Potentially as low as 10,000 qubits using neutral-atom architecture
  • Theoretical minimum: Roughly 2,000 logical (error-corrected) qubits

Today's largest quantum processors have around 1,200 physical qubits. The gap between physical qubits and error-corrected logical qubits remains vast — you need thousands of physical qubits to construct a single reliable logical qubit with current error rates.

But the trajectory is unmistakable. The quantum community increasingly frames breaking ECC as an engineering problem, not a physics problem. The math works. It's the hardware that needs to catch up.

Bitcoin's Defense: Already in Motion

The Bitcoin community hasn't been sitting idle. Earlier this week, BIP-361 proposed a mechanism for users to migrate funds to quantum-resistant addresses before the threat materializes — a "freeze or lose" approach that would give holders a transition window.

Bitcoin Core 31.0, released days ago, continues strengthening the protocol's foundation, and post-quantum signature schemes are under active research by multiple teams.

The practical timeline matters enormously. Most Bitcoin security researchers estimate the threat window at 10-20 years for a cryptographically relevant quantum computer. That's enough time to upgrade — if the community acts deliberately and doesn't wait for a crisis.

What About Exposed Keys?

There's an important nuance here. Bitcoin addresses that have never been spent from, where only the hash of the public key is exposed, are more resistant to quantum attacks because an attacker would need to break both the hash function and the elliptic curve.

But addresses that have been spent from have their public keys exposed on-chain. Estimates suggest roughly 5-10 million BTC sit behind exposed public keys. These would be the first targets in any quantum attack scenario.

This is partly why BIP-361's "freeze" mechanism targets exposed keys specifically — giving holders a deadline to move funds to quantum-safe addresses.

Bitcoin Gate Take

The Q-Day Prize is a useful signal, not an alarm. The 2^241 gap between a 15-bit demo and Bitcoin's 256-bit keys is still staggering, and the fact that random noise matches the result undercuts claims of genuine quantum advantage. But the direction of travel is clear: the question has shifted from "if" to "when." Long-term holders should watch BIP-361's progress and ensure their coins aren't sitting behind exposed public keys. The math isn't urgent today — but complacency would be the real threat.
