The bitcoin quantum threat has moved from theoretical white paper territory into formal risk assessment, and the conclusions are deeply uncomfortable. A May 2026 report from Project Eleven, a quantum computing research organization, argues that the window for an orderly cryptographic migration across the Bitcoin network may already be closing, given the pace at which quantum hardware is advancing versus the pace at which Bitcoin governance moves.
At the center of the report is a claim that roughly 4 million Bitcoin (BTC) are held in addresses whose public keys are either permanently exposed or trivially derivable, meaning a sufficiently powerful quantum computer could theoretically drain those wallets without needing a private key. The report draws on published quantum hardware roadmaps from IBM, Google, and IonQ (IONQ), combined with academic benchmarks from the University of Sussex and the University of Waterloo, to project that cryptographically relevant quantum computers could arrive within a decade, possibly sooner.
TL;DR
- Project Eleven’s May 2026 report identifies roughly 4 million BTC in addresses with permanently exposed public keys, making them theoretically vulnerable to future quantum attacks.
- Bitcoin’s elliptic curve signature scheme, secp256k1, is not quantum-resistant, and the network has no ratified post-quantum upgrade path despite NIST finalizing standards in 2024.
- Governance inertia, wallet-migration coordination failures, and the sheer scale of dormant coins mean a full protocol transition could take longer than the quantum hardware timeline allows.
1. What Project Eleven Actually Said And Why It Matters
Project Eleven published its full findings on May 9, with a companion technical appendix hosted on its research portal. The core claim is precise: approximately 4 million BTC sit in Pay-to-Public-Key (P2PK) addresses or reused Pay-to-Public-Key-Hash (P2PKH) addresses where the public key has already been broadcast to the blockchain. Once a public key is on-chain, the only barrier between an attacker and the corresponding private key is the computational hardness of the elliptic curve discrete logarithm problem (ECDLP).
Classical computers cannot solve ECDLP for Bitcoin’s 256-bit secp256k1 curve in any practical timeframe. A sufficiently powerful quantum computer running Shor’s algorithm, however, could solve ECDLP in polynomial time. The 1994 paper by Peter Shor of MIT established this theoretical result, and every subsequent quantum computing milestone has brought that polynomial-time solution incrementally closer to physical reality.
> Project Eleven estimates that a quantum computer with roughly 317 logical qubits operating at sufficient fidelity could break Bitcoin’s elliptic curve cryptography, a threshold it benchmarks against the University of Sussex 2022 estimate of 317 x 10^6 physical qubits needed under current error rates.
What makes the report significant is not the abstract vulnerability, which has been documented in academic literature for years, but the governance analysis layered on top of it. Project Eleven argues that even if quantum hardware took fifteen years to reach the relevant threshold, Bitcoin’s historically slow soft-fork process makes fifteen years an uncomfortably thin margin for a network holding over $1 trillion in assets.
2. The Scale Of On-Chain Exposure Is Larger Than Most Holders Realize
The 4 million BTC figure requires unpacking because it conflates several distinct categories of exposure. Unchained Capital researcher Jameson Lopp has historically categorized exposed Bitcoin into three buckets, and Project Eleven’s methodology broadly aligns with that taxonomy.
The first and most severe category is P2PK outputs, the address format Satoshi Nakamoto used in the genesis block and in early mining rewards. P2PK outputs embed the raw public key directly in the locking script, meaning the public key has been on the blockchain since the coin was created. On-chain analytics data from Dune Analytics shows approximately 1.7 million BTC still locked in P2PK outputs, the majority of which are attributed to early miners and potentially to Satoshi’s own wallets.
> Research compiled by Deloitte in a 2022 paper estimated that roughly 25% of all Bitcoin in circulation was vulnerable to quantum attack under conservative assumptions, a figure that maps closely to the Project Eleven 4 million BTC estimate when applied to the current supply of approximately 19.7 million BTC.
The second category is reused P2PKH addresses. Every time a Bitcoin address is used to send a transaction, the public key is revealed in the spending transaction’s signature. Addresses that have both received and spent funds have therefore permanently revealed their public key. Chain analysis shows millions of such addresses hold non-trivial balances. The third category is addresses that could have their public keys pre-computed from patterns in early wallet software, a much smaller and more contested group. Together these three categories produce the 4 million figure Project Eleven cites.
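The first two categories can be told apart mechanically from the locking script and spend history. The following is an added example, not code from Project Eleven or from the original article: it classifies a hex scriptPubKey as P2PK or P2PKH and sums balances per exposure bucket. The function names, bucket names and all sample scripts and amounts are constructed for illustration, and it assumes the caller already knows which scripts have been spent from.

```python
"""Added example: bucket unspent outputs by public-key exposure."""

OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC


def classify_script(spk_hex):
    """Return 'p2pk', 'p2pkh' or 'other' for a hex-encoded scriptPubKey."""
    try:
        s = bytes.fromhex(spk_hex)
    except ValueError:
        return "other"  # not valid hex, leave it unclassified
    # P2PK: <push N> <N-byte public key> OP_CHECKSIG. The key is in the clear.
    if len(s) in (35, 67) and s[0] == len(s) - 2 and s[-1] == OP_CHECKSIG:
        compressed = len(s) == 35 and s[1] in (0x02, 0x03)
        uncompressed = len(s) == 67 and s[1] == 0x04
        if compressed or uncompressed:
            return "p2pk"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG.
    if (len(s) == 25 and s[0] == OP_DUP and s[1] == OP_HASH160 and s[2] == 20
            and s[23] == OP_EQUALVERIFY and s[24] == OP_CHECKSIG):
        return "p2pkh"
    return "other"


def audit(utxos, spent_scripts):
    """Sum satoshis per exposure bucket.

    utxos: iterable of (script_hex, satoshis) for unspent outputs.
    spent_scripts: scripts that have been spent from at least once, so the
    public key behind the hash is already visible in an earlier input.
    """
    totals = {"exposed_p2pk": 0, "exposed_reused_p2pkh": 0,
              "hash_protected_p2pkh": 0, "unclassified": 0}
    spent = {s.lower() for s in spent_scripts}
    for spk_hex, sats in utxos:
        kind = classify_script(spk_hex)
        if kind == "p2pk":
            bucket = "exposed_p2pk"
        elif kind == "p2pkh" and spk_hex.lower() in spent:
            bucket = "exposed_reused_p2pkh"
        elif kind == "p2pkh":
            bucket = "hash_protected_p2pkh"
        else:
            bucket = "unclassified"
        totals[bucket] += sats
    return totals


# Constructed sample data: filler bytes, not real keys, hashes or balances.
P2PK_UNCOMPRESSED = "41" + "04" + "11" * 64 + "ac"
P2PK_COMPRESSED = "21" + "02" + "22" * 32 + "ac"
P2PKH_REUSED = "76a914" + "aa" * 20 + "88ac"
P2PKH_FRESH = "76a914" + "bb" * 20 + "88ac"
OTHER_SCRIPT = "a914" + "cc" * 20 + "87"

SAMPLE_UTXOS = [
    (P2PK_UNCOMPRESSED, 5_000_000_000),
    (P2PK_COMPRESSED, 100_000_000),
    (P2PKH_REUSED, 250_000_000),
    (P2PKH_REUSED, 50_000_000),
    (P2PKH_FRESH, 400_000_000),
    (OTHER_SCRIPT, 70_000_000),
]
SAMPLE_SPENT = {P2PKH_REUSED}

if __name__ == "__main__":
    for bucket, sats in audit(SAMPLE_UTXOS, SAMPLE_SPENT).items():
        print(f"{bucket:22s} {sats / 1e8:.2f} BTC")
```

Script types outside the two the article discusses fall into `unclassified` rather than being counted as safe.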
3. How Shor’s Algorithm Turns Elliptic Curves Into A Liability
To understand the severity of the bitcoin quantum threat, it helps to understand what secp256k1 actually provides and what Shor’s algorithm dissolves. Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) with the secp256k1 curve. A private key is a 256-bit integer. A public key is a point on the curve computed by scalar multiplication of the private key with the generator point. Reversing that multiplication classically requires solving ECDLP, which has no known polynomial-time classical algorithm.
Shor’s algorithm reduces the ECDLP to a quantum Fourier transform problem, solvable in O((log n)^3) time on a fault-tolerant quantum computer. The critical parameter is not the raw qubit count but the number of logical, error-corrected qubits. Physical qubits are noisy and require significant overhead for error correction. A 2022 paper from the University of Sussex calculated that breaking Bitcoin’s 256-bit ECDSA within one hour would require approximately 317 million physical qubits using surface code error correction at current fidelity levels.
> IBM’s public quantum roadmap targets 100,000 physical qubits by 2033, which represents a three-order-of-magnitude gap versus the Sussex attack threshold, but the relevant metric is improving error rates, not raw qubit counts. As error rates fall, the qubit overhead for each logical qubit drops sharply, compressing the timeline.
Google’s Willow chip, announced in December 2024, achieved below-threshold error correction for the first time, a milestone the company’s researchers said demonstrated that adding more qubits to Willow reduces rather than increases the error rate. That result does not bring Google close to 317 million physical qubits, but it validates the error correction architecture that every serious quantum attack model depends on. The gap is large. The direction of travel is unambiguous.
4. NIST’s Post-Quantum Standards Exist, But Bitcoin Has Not Adopted Them
The good news is that post-quantum cryptography (PQC) is no longer hypothetical. The National Institute of Standards and Technology finalized its first set of post-quantum cryptographic standards in August 2024 after an eight-year selection process. The three primary standards are CRYSTALS-Kyber (now FIPS 203) for key encapsulation, CRYSTALS-Dilithium (now FIPS 204) for digital signatures, and SPHINCS+ (now FIPS 205) for hash-based signatures.
CRYSTALS-Dilithium and SPHINCS+ are the most relevant to Bitcoin because Bitcoin’s security rests on digital signatures. Both algorithms are believed to be resistant to Shor’s algorithm and to Grover’s algorithm, the other quantum threat that reduces hash security from 256-bit to an effective 128-bit level. NIST’s selection process subjected all four finalists to six years of public cryptanalysis by leading academic teams worldwide.
> NIST’s August 2024 finalization marked the first time in the agency’s history that a cryptographic standard was designed from inception to resist quantum attacks, a milestone that major financial infrastructure providers began immediately integrating into their upgrade roadmaps.
The problem for Bitcoin is that adopting any of these standards would require replacing secp256k1 across the entire protocol stack. That means a soft fork or hard fork, miner signaling, wallet software updates, exchange integration, and ultimately a migration period during which users must move funds from vulnerable addresses to quantum-safe ones. Every one of those steps involves coordination across a global, permissionless network with no central authority.
5. Bitcoin’s Governance History Makes Fast Migration Unlikely
Bitcoin’s governance track record is the most sobering element of Project Eleven’s analysis. The network’s soft-fork process via Bitcoin Improvement Proposals (BIPs) has historically taken years from concept to activation even for non-controversial upgrades. Taproot, widely regarded as one of the least contentious major Bitcoin upgrades, took approximately three years from initial proposal to activation in November 2021.
The SegWit upgrade, which was less technically radical than a full cryptographic migration, triggered a two-year civil war in the Bitcoin community between 2015 and 2017 that ultimately produced the 2017 Bitcoin Cash fork. A post-quantum migration is technically far more complex than either Taproot or SegWit. It involves changing the fundamental signature algorithm, not merely restructuring transaction data.
> A 2023 SSRN paper by researchers at the University of Cambridge estimated that a full cryptographic migration of the Bitcoin network, including wallet software rollout and user participation, would realistically require between seven and fifteen years from BIP finalization to practical completion even under cooperative governance conditions.
The governance challenge is compounded by the question of what to do with coins that never migrate. Satoshi’s wallets, estimated at roughly 1.1 million BTC and almost certainly dormant permanently, cannot be migrated by any living party. If a quantum-safe fork requires migrating to new address formats, those coins either remain permanently vulnerable or the community must make an unprecedented social decision to burn or freeze them. Neither outcome has any precedent in Bitcoin’s history.
6. The Satoshi Wallet Problem Has No Clean Solution
The roughly 1.1 million BTC attributed to Satoshi Nakamoto’s early mining activity represents one of the most unusual dimensions of the quantum vulnerability debate. These coins sit in P2PK outputs from blocks mined between January 2009 and mid-2010, making them among the most quantum-exposed BTC on the network. The addresses have never spent a transaction, meaning no one has proven they can be moved. But the public keys are visible in the coinbase outputs.
Sergio Demian Lerner, whose 2013 analysis first identified the pattern of early mining outputs attributable to a single miner, has estimated the Satoshi holdings at between 750,000 and 1.1 million BTC across several hundred P2PK addresses. That range represents between $60 billion and $90 billion at Bitcoin prices as of May 2026, a sum large enough that a successful quantum attack would constitute one of the largest single theft events in financial history.
> The Satoshi wallet problem creates a game-theoretic dilemma for any migration proposal: a soft fork that protects quantum-safe addresses but leaves P2PK outputs accessible would merely delay the problem, while a protocol rule that freezes unmigrated coins would represent an unprecedented unilateral confiscation that the Bitcoin community is extremely unlikely to approve.
Bitcoin developer Pieter Wuille, one of the authors of the Taproot proposal, has written about this dilemma in public forums, arguing that any migration scheme must provide a generous but finite window for owners to migrate, after which unmigrated coins should be treated as permanently burned rather than stolen. That position has not achieved consensus among core contributors, and no formal BIP addressing quantum migration has yet been merged into the Bitcoin development repository as of May 2026.
7. How The Quantum Hardware Race Compresses The Safety Margin
The Project Eleven report dedicates significant attention to the quantum hardware roadmap because the viability of an orderly migration depends entirely on how much time remains before a cryptographically relevant quantum computer exists. The report surveys public commitments from all four major superconducting qubit programs and the leading trapped-ion platforms.
IBM’s 2023 Condor processor reached 1,121 physical qubits. The company’s public roadmap, published on its quantum development portal, targets a “quantum-centric supercomputer” architecture by 2033 that would combine multiple processors via quantum communication links. IBM does not publish a specific fault-tolerant qubit target, but the architectural direction is consistent with eventually reaching the logical qubit counts needed for Shor-class attacks.
IonQ’s trapped-ion platform pursues a different hardware path. Trapped-ion qubits achieve higher gate fidelity than superconducting qubits at current scales, meaning the error-correction overhead is lower. IonQ’s published 2026 roadmap targets an “Algorithmic Qubit” count, a fidelity-weighted metric, of 64 AQ by the end of 2026. The company projects AQ counts scaling to the hundreds by the late 2020s.
> An analysis by researchers at the University of Waterloo published on arXiv in June 2023 constructed three scenarios for quantum hardware progress, labeled pessimistic, moderate, and optimistic, and concluded that under the optimistic scenario a Bitcoin-breaking quantum computer could arrive as early as 2029, while the moderate scenario places the threshold between 2035 and 2040.
The optimistic scenario requires assumptions about error rate improvements that current hardware does not yet validate. Google’s Willow result, however, moved the goalposts. It demonstrated that error rates can be reduced by adding qubits rather than requiring new physics, which is the precondition for the optimistic timeline. Project Eleven argues that prudent risk management demands treating the optimistic scenario as the planning horizon, not the moderate one.
8. What A Quantum Attack Would Actually Look Like In Practice
Academic papers tend to discuss quantum attacks as threshold events: either a computer is powerful enough or it is not. In practice, the attack surface is more nuanced, and understanding the realistic threat model helps separate genuine risk from hype.
A quantum attacker targeting Bitcoin would face two distinct attack windows. The first is the static attack: targeting exposed public keys in unspent P2PK outputs. The attacker needs only to run Shor’s algorithm against the public key to derive the private key, then broadcast a spending transaction. There is no time pressure because the public key is permanently on-chain. This is the attack that makes the 4 million BTC figure most alarming.
> The second attack window is the transit attack: targeting a P2PKH transaction while it is in the mempool, before confirmation. The attacker must derive the private key from the revealed public key and broadcast a competing transaction, all within the ten-minute block interval. An arXiv paper from 2022 by Mark Webber and colleagues at the University of Sussex calculated this would require approximately 317 million physical qubits at current error rates, but fewer than 14 million with error rates projected for near-term hardware.
The transit attack is harder because of the time constraint. The static attack against permanently exposed public keys has no time constraint and is therefore the more immediately concerning threat. This distinction matters for triage: protecting freshly generated addresses against transit attacks is easier than migrating the millions of permanently exposed P2PK outputs that belong to unknown or unreachable parties. Bitcoin’s quantum migration must solve both problems, but they have different urgency profiles.
9. How Other Blockchains Are Approaching Post-Quantum Readiness
Bitcoin is not the only public blockchain facing this challenge, but it is the one with the largest exposure and the most constrained governance process. Examining how other networks are responding provides a useful contrast.
Ethereum (ETH) has the advantage of a more agile upgrade process. The Ethereum Foundation has been actively researching PQC integration since 2022, and a formal proposal for a quantum-safe address scheme was circulated among core developers in late 2024. Ethereum’s account abstraction framework, introduced via EIP-4337, creates a pathway to replace ECDSA signatures at the account level without requiring a full consensus-layer fork. Ethereum researcher Justin Drake has publicly said the network could deploy a STARK-based signature scheme within the existing account abstraction framework.
The QRL (Quantum Resistant Ledger) project was designed from inception with post-quantum cryptography, using the XMSS hash-based signature scheme standardized by IETF in RFC 8391. QRL’s approach demonstrates that quantum-safe blockchains are technically buildable, but the project commands a market cap measured in tens of millions of dollars, reflecting the market’s current discounting of quantum risk.
> The Algorand Foundation published a detailed post-quantum migration roadmap in 2023 that proposed a dual-key transition period, allowing users to register quantum-safe keys alongside their existing ECDSA keys in a preparation phase before a hard cutover. This hybrid approach is increasingly cited by researchers as the most practical template for any large-scale public blockchain migration.
The contrast with Bitcoin is structural. Algorand, Ethereum, and similar networks have identifiable development teams and foundation bodies that can coordinate upgrade timelines. Bitcoin’s development process is deliberately leaderless, which is a security feature in most contexts but a coordination liability in this one. The very property that makes Bitcoin censorship-resistant makes it slow to implement mandatory cryptographic migrations.
10. What Investors And Custodians Should Do Before The Consensus Catches Up
The institutional cryptocurrency market has begun pricing quantum risk, though the adjustment is still nascent. Galaxy Digital’s risk research team published an internal note in Q1 2026 flagging quantum exposure as a factor in custodial address hygiene recommendations. Several major custodians, including Coinbase (COIN) and BitGo, have updated their key management documentation to recommend against P2PK address usage and to discourage address reuse, two practices that directly reduce quantum surface area.
For individual holders, the most actionable step is the one that costs nothing: never reuse a Bitcoin address. Every reuse reveals the public key and permanently converts a formerly quantum-safe address into a quantum-exposed one. Hardware wallet manufacturers including Ledger and Trezor have enforced single-use address generation by default for years, so users of modern hardware wallets are typically not reusing addresses. The risk is concentrated in older wallets, exchange hot wallets with legacy address formats, and long-dormant holdings from the early Bitcoin era.
> A 2024 Chainalysis report on institutional custody practices found that address reuse rates had declined significantly among regulated custodians between 2020 and 2024, with the top twenty custodians by assets under management all operating address-rotation policies. The remaining exposure is disproportionately concentrated in unhosted wallets and legacy exchange addresses.
At the protocol level, the most productive near-term action would be for the Bitcoin development community to formally commission a BIP framework for a quantum migration path, even if activation remains years away. Having a ratified technical standard ready before the hardware threat materializes is the only way to avoid a panicked, rushed fork under crisis conditions. Project Eleven’s report ends with exactly that recommendation, and it is hard to argue with the logic. The cost of preparing a migration plan while quantum hardware remains years away is low. The cost of not having one when the hardware arrives is incalculable.
Conclusion
The bitcoin quantum threat is not a story about computers that exist today breaking Bitcoin today. It is a story about a well-understood future capability colliding with a governance process that has a demonstrated inability to move quickly. Project Eleven’s May 2026 report does not claim that quantum computers will break Bitcoin next year. It claims that the window for an orderly, deliberate, community-coordinated migration is narrower than most people in the ecosystem have acknowledged.
The 4 million BTC in quantum-exposed addresses represents a structural vulnerability that grows more acute with every advance in quantum hardware. The NIST post-quantum standards finalized in August 2024 provide a technically sound migration path. The missing ingredient is not cryptographic knowledge but governance will, specifically the political will within the Bitcoin development community to begin the multi-year process of drafting, debating, and activating a cryptographic migration before the hardware threat becomes acute.
The broader lesson is one that applies across financial infrastructure. Every cryptographic system in use today was designed assuming classical adversaries. The institutions, developers, and policymakers that treat the quantum transition as a near-term operational problem rather than a long-term theoretical one will be in a substantially better position when the hardware timelines compress further. For Bitcoin specifically, the question is not whether the network needs to upgrade its cryptography. The question is whether the community can organize itself to do so before the decision is made under duress.
