What The Project Eleven Report Actually Says
A report published May 9 by Project Eleven, a quantum computing research organization, argues that the cryptocurrency industry is running out of time to protect Bitcoin (BTC) against attacks from sufficiently powerful quantum computers. The core claim is stark: millions of Bitcoin addresses carrying billions of dollars in value rely on elliptic curve cryptography that quantum hardware could theoretically break, and the coordinated upgrade required to fix that may take longer than the threat timeline allows.
That conclusion lands against a backdrop of accelerating hardware progress. IBM (IBM) publicly reported crossing 1,000 qubits with its Condor processor in late 2023, and the roadmap targets fault-tolerant logical qubits within this decade. Meanwhile, Bitcoin’s base-layer governance moves in years, not months, making the gap between threat arrival and protocol readiness a genuine structural risk.
TL;DR
- Project Eleven’s May 9 report argues that Bitcoin’s elliptic curve signature scheme could be broken by quantum computers before a network-wide migration to post-quantum cryptography completes.
- An estimated 4 to 6 million BTC sitting in exposed address formats could be targeted if a cryptographically relevant quantum computer emerges, placing tens of billions of dollars at theoretical risk.
- Bitcoin has survived existential threat narratives before, but the quantum case is distinct because it targets a mathematical primitive, not a market dynamic or regulatory action.
1. What The Project Eleven Report Actually Says
The Project Eleven report, released on May 9, does not predict imminent Bitcoin collapse. What it does is construct a threat-timeline analysis comparing projected quantum hardware capability against the minimum qubit thresholds required to break the secp256k1 elliptic curve that secures Bitcoin’s ECDSA signatures. The distinction matters enormously for how the risk should be read.
The report identifies the critical hardware benchmark as a fault-tolerant quantum computer capable of running Shor’s algorithm at scale. Breaking a 256-bit elliptic curve key using Shor’s algorithm is estimated to require roughly 2,000 to 4,000 logical qubits, depending on the implementation and error-correction overhead. Today’s best machines operate at the physical qubit layer with high error rates, meaning logical qubit equivalents remain far below that threshold.
> Project Eleven’s central finding is that the migration timeline for Bitcoin, which requires broad developer consensus, a soft or hard fork, and mass wallet migration, could stretch past the point at which quantum hardware becomes cryptographically relevant.
The nuance that headline coverage often loses is the difference between physical and logical qubits. Google’s (GOOGL) Willow chip, announced in December 2024, demonstrated 105 physical qubits with dramatically reduced error rates, a meaningful step, but still orders of magnitude below the logical qubit count needed for a Bitcoin attack. Project Eleven is not saying the threat is imminent. It is saying the preparation window is shorter than commonly assumed.
Also Read: Man Group Hit by $6.1 Billion Client Withdrawal in Q1
2. The Bitcoin Quantum Threat Explained At The Protocol Level
Bitcoin’s security rests on two distinct cryptographic layers, and quantum computers threaten them differently. The first is the SHA-256 hashing function used in proof-of-work mining and address generation. The second is the ECDSA signature scheme used to authorize transactions. These are not equally vulnerable, and conflating them produces misleading risk assessments.
Grover’s algorithm, the quantum attack relevant to hash functions, offers only a quadratic speedup. For SHA-256, that effectively halves the security level from 256 bits to 128 bits, which remains computationally secure by any practical standard for decades. The mining subsystem is not the primary concern. Shor’s algorithm, applied to ECDSA, is a different matter entirely. It provides an exponential speedup that could, with sufficient logical qubits, derive a private key from a public key in polynomial time, a complete break of the signature scheme.
> The asymmetry between Grover’s and Shor’s algorithmic speedups means Bitcoin’s proof-of-work mining is quantum-resistant in practice, while its transaction authorization layer is not, a nuance that is almost universally missed in popular coverage.
The practical attack window is narrow but real. When a user spends Bitcoin, their public key is briefly exposed on-chain before the transaction confirms. A quantum computer fast enough to derive the private key within that window, estimated at roughly 10 minutes for a standard confirmation, could theoretically redirect funds. More worryingly, addresses that have already spent Bitcoin, exposing their public key permanently on-chain, are vulnerable at any future point once quantum hardware reaches the relevant threshold. Chainalysis data shows that a substantial fraction of the circulating BTC supply sits in reused or pay-to-public-key addresses where the public key is already visible.
Also Read: Swiss Bitcoin Reserve Bid Fails
3. How Many Bitcoin Are Actually At Risk
Quantifying the exposed supply is where analysis becomes genuinely difficult. The vulnerability is not uniform across all Bitcoin holdings. It depends on address format, spending history, and whether the public key has ever been broadcast to the network.
Research published on the Bitcoin wiki and in academic work by Deloitte’s cryptography team has attempted to count exposed addresses by type. Pay-to-public-key (P2PK) outputs, the original address format Satoshi Nakamoto used, expose the public key directly in the locking script. These include a significant portion of early-mined coins. Pay-to-public-key-hash (P2PKH) addresses expose the public key only when spent; once spent, those coins have typically moved, but the original address remains permanently exposed on-chain. Deloitte estimated in prior research that approximately 4 million BTC sit in provably exposed address formats.
> If quantum-capable adversaries emerge before Bitcoin completes a post-quantum migration, addresses with exposed public keys representing an estimated 4 million BTC or more could become targets, a figure that at current valuations exceeds $400 billion.
The figure is not a precise on-chain measurement but a category estimate. Satoshi’s known early-mined coins, which have never moved, sit in P2PK format and are quantum-exposed by default. The irony is that the pseudonymous creator’s own holdings may be among the most structurally vulnerable to the technology that did not exist when Bitcoin was designed. Project Eleven’s May 9 report does not revise these estimates dramatically upward, but it does stress that the absence of a migration mechanism means the vulnerable pool is static while quantum hardware continues to progress.
Also Read: Bitcoin Quantum Migration Warning
4. The Quantum Hardware Timeline And What It Means For Bitcoin
The gap between today’s physical qubit counts and the logical qubit threshold for a Bitcoin attack is wide but not infinite, and the pace of closure matters more than the absolute distance. Understanding that pace requires separating vendor roadmaps from independent benchmarks.
IBM’s published quantum roadmap targets 100,000 physical qubits by 2033, with fault-tolerant logical qubit operations as an intermediate milestone. Google’s December 2024 Willow announcement demonstrated below-threshold error correction, meaning errors decreased as the system scaled, a landmark result that had not been achieved before. Microsoft (MSFT) separately announced in February 2025 its topological qubit approach with claims of higher inherent stability. These are not competing claims about who is ahead; they are different architectural bets on how to reach fault tolerance.
> Independent academic consensus, reflected in a 2022 NIST report and subsequent updates, holds that cryptographically relevant quantum computers capable of breaking elliptic curve cryptography are unlikely before 2030 but cannot be ruled out by 2035, a window that overlaps uncomfortably with Bitcoin’s governance timeline.
The National Institute of Standards and Technology (NIST) finalized its first three post-quantum cryptographic standards in August 2024, including CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium for digital signatures. These standards are designed to replace ECDSA precisely because elliptic curve schemes are quantum-vulnerable. The existence of standardized alternatives is good news. The bad news is that integrating them into Bitcoin requires a protocol-level change that the network has historically taken years to debate and deploy.
Also Read: Tenerife Braces for Hantavirus Cruise Ship as Passengers Fear What Comes Next
5. Bitcoin Governance And Why Migration Is Not Simple
The quantum threat to Bitcoin’s cryptography is a technical problem with a known solution class. Post-quantum signature schemes exist, are standardized, and are being deployed across traditional internet infrastructure. What makes Bitcoin’s situation distinct is not the absence of a fix but the process required to implement it.
Bitcoin upgrades require rough consensus among core developers, miners, node operators, and the broader economic majority of users. The 2017 block-size debate, which consumed roughly three years of community bandwidth and ultimately produced a contentious hard fork in Bitcoin Cash, illustrates how difficult it is to push through changes that restructure incentives or touch core parameters. A post-quantum migration would be considerably more technically demanding. It would require introducing a new signature algorithm, creating a mechanism for users to migrate their keys, and potentially invalidating old address formats after a sunset period, all without disrupting the existing UTXO set.
> Bitcoin’s upgrade history shows that even uncontroversial improvements, like the Taproot soft fork activated in November 2021, took approximately four years from proposal to activation, suggesting post-quantum migration could require a decade of preparation even under favorable conditions.
Taproot, activated at block height 709,632, took from the initial BIP-340 proposal in January 2020 to network activation in November 2021. That timeline involved relatively low controversy and broad developer agreement. A post-quantum transition would face harder trade-offs, including the question of what happens to coins in exposed addresses whose owners never migrate, and whether any form of forced migration or confiscation-prevention mechanism could be implemented at the protocol layer. These are open governance problems with no obvious resolution, and Project Eleven’s report argues that the community has not yet seriously begun the formal process.
Also Read: Nvidia Crosses $40 Billion in AI Equity Bets This Year
6. What Post-Quantum Cryptography Would Look Like For Bitcoin
The technical path to a quantum-resistant Bitcoin is reasonably well-mapped even if the political path is not. Developers and researchers have proposed several candidate approaches, each with different trade-offs in terms of signature size, verification speed, and backward compatibility.
The NIST-standardized CRYSTALS-Dilithium scheme, now formally designated ML-DSA under FIPS 204, produces signatures roughly 2,420 bytes in size compared to ECDSA’s 71 bytes. That size difference is not trivial for a blockchain that imposes strict block weight limits. Larger signatures mean fewer transactions per block, lower throughput, and either higher fees or the need for a complementary block-size adjustment. Alternatively, SPHINCS+, a hash-based signature scheme that is more conservative cryptographically, produces even larger signatures of around 8,000 bytes, making it impractical for on-chain use without significant engineering work.
> Signature size is the central engineering obstacle for post-quantum Bitcoin: the leading NIST-standardized scheme produces signatures 34 times larger than current ECDSA outputs, which would reduce transaction throughput by an equivalent factor without compensating changes to block weight limits.
A more promising candidate for Bitcoin specifically may be lattice-based schemes that have not yet reached full NIST standardization but show considerably smaller footprints. Researchers have also proposed hybrid schemes that combine existing ECDSA with a post-quantum signature in a single transaction, providing backward compatibility while adding quantum resistance. This approach has precedent in how TLS 1.3 deployed hybrid key exchange for internet security. The Lightning Network, Bitcoin’s primary layer-2 scaling solution, adds another layer of complexity because channel state transitions also rely on ECDSA, meaning a migration would need to propagate both to the base layer and to off-chain protocols simultaneously.
Also Read: ONDO Finance and the on-Chain Yield Race Heating up in 2026
7. How Other Blockchains Are Approaching The Same Problem
Bitcoin is not the only blockchain facing quantum exposure, and examining how other networks are responding provides useful context for what a realistic migration path might look like. Some have moved more aggressively, either because their governance structures are more centralized or because their founders prioritized the issue earlier.
Ethereum (ETH) developers have discussed post-quantum migration explicitly in the context of the Ethereum (ETH) roadmap. Vitalik Buterin wrote in early 2024 that Ethereum’s account abstraction model makes post-quantum migration considerably easier than Bitcoin’s UTXO model, because smart contract wallets can be upgraded to use new signature schemes without changing the base layer. The Ethereum Foundation has identified this as a medium-term priority within the broader roadmap, though no concrete activation timeline exists. The QRL (Quantum Resistant Ledger) project was designed from the ground up with hash-based signatures, demonstrating technical viability but achieving minimal adoption.
> Ethereum’s account abstraction architecture gives it a structural advantage over Bitcoin in post-quantum migration: smart contract wallets can adopt new signature schemes at the application layer without requiring a base-layer hard fork, potentially compressing the migration timeline significantly.
NIST’s August 2024 finalization of post-quantum standards has accelerated planning across the technology sector. Cloudflare (NET) deployed post-quantum key exchange for all its traffic in 2023, Apple (AAPL) introduced post-quantum cryptography in iMessage’s PQ3 protocol in February 2024, and the U.S. government has mandated federal agencies begin migration planning. These deployments share one feature Bitcoin lacks: a centralized authority capable of setting a deadline and enforcing migration. The decentralized nature that makes Bitcoin censorship-resistant also makes it structurally slow to implement uniform security upgrades.
Also Read: DOJ Probes $2.6 Billion in Suspicious Oil Trades Tied to Iran War Announcements
8. The Nation-State Adversary Scenario
Most quantum computing threat analysis focuses on when the hardware will be ready. Less attention has been paid to the question of who builds it first and what their incentives are. A nation-state that achieves a cryptographically relevant quantum computer before the technology becomes widely available faces a different set of incentive structures than a private research institution.
The U.S. National Security Agency (NSA) has operated classified quantum research programs for decades. China has made quantum computing a stated national priority in its Five-Year Plans, with Baidu (BIDU) and state-funded university labs publishing results that suggest genuine competitive capability. A nation-state actor with early quantum advantage would face a strategic choice: disclose the capability and trigger global migration, or exploit it covertly against high-value targets including financial infrastructure. Bitcoin’s transparency, where all addresses and balances are public, would make it an unusually legible target for a covert quantum attack on specific wallets.
> A nation-state that achieves cryptographically relevant quantum computing before the milestone is publicly known would find Bitcoin’s open ledger uniquely exploitable, since every exposed address, its balance, and its full transaction history are permanently visible without any authentication requirement.
The classified dimension of this risk cannot be quantified from open sources, but it is taken seriously in policy circles. The White House National Security Memorandum 10, signed in May 2022, directed U.S. agencies to inventory all quantum-vulnerable cryptographic systems, a scope that implicitly acknowledges the adversarial timeline concern. Project Eleven’s May 9 report does not make explicit claims about nation-state timelines, but the framing of its urgency argument is implicitly anchored in the possibility that public hardware benchmarks may not reflect the true frontier.
Also Read: Prediction Markets Give Hantavirus Global Outbreak Just a 21% Chance
9. What Bitcoin Holders Should Do With This Information
Translating a multi-year structural risk into actionable guidance for individual Bitcoin holders requires distinguishing between the theoretical threat and the practical near-term exposure. For the vast majority of users, the quantum risk today is approximately zero in operational terms. For those with long time horizons and large holdings in old address formats, the picture is more nuanced.
The most concrete practical step available is address hygiene. Moving Bitcoin from P2PK or reused P2PKH addresses to modern SegWit (P2WPKH or P2TR) addresses does not eliminate quantum vulnerability, because the public key is still exposed at spend time, but it does mean the address itself does not permanently reveal the public key until a transaction is broadcast. Taproot addresses in particular have slightly better quantum properties because the key path spend exposes only a tweaked public key, and script-path spends using hash commitments provide additional obfuscation. The Bitcoin developer community has documented these trade-offs in the Taproot BIP specifications.
> Migrating to native SegWit or Taproot addresses does not make Bitcoin holdings quantum-proof, but it does reduce the static on-chain exposure surface compared to legacy P2PK or reused P2PKH formats, providing a marginal but real improvement in forward security.
Hardware wallet manufacturers including Ledger and Trezor have not yet published post-quantum firmware roadmaps, which is itself informative about the industry’s current prioritization. For institutional holders, the more relevant action is to begin cataloging address exposure in preparation for a future migration, much as corporate IT teams have been directed by NIST’s National Cybersecurity Center of Excellence to inventory TLS dependencies. The preparation phase has a long lead time and essentially zero near-term cost, making it the most rational place to focus while the governance debate at the Bitcoin protocol layer develops.
Also Read: Binance Emerging Market Banking Report
10. The Broader Implications For Cryptocurrency Security
The quantum computing challenge is not a Bitcoin-specific problem. It is a challenge for the entire cryptocurrency ecosystem because virtually every major blockchain, from Ethereum to Solana (SOL) (SOL), from XRP (XRP) to Cosmos (ATOM), relies on elliptic curve cryptography at its core. The difference between Bitcoin and these alternatives in terms of quantum risk is largely a function of governance speed and architectural flexibility, not fundamental cryptographic design.
The DeFi ecosystem adds layers of complexity that the base-layer analysis does not capture. Smart contracts that hold user funds are secured by the contract code and the keys of their operators. Multi-signature wallets, threshold signature schemes, and zero-knowledge proof systems each have distinct quantum exposure profiles. Some ZK proving systems, particularly those relying on pairing-friendly curves like BN254, face potential quantum vulnerabilities in their underlying assumptions. Researchers at StarkWare and Aztec have discussed the quantum resistance properties of STARK-based proofs, which rely on hash functions rather than elliptic curve pairings, positioning them as comparatively more quantum-resistant alternatives for ZK applications.
> The DeFi ecosystem’s reliance on pairing-friendly elliptic curves in many ZK proof systems introduces quantum vulnerabilities that extend well beyond base-layer transaction signing, potentially affecting tens of billions of dollars in smart contract-secured value.
The timing of this report is not coincidental. NIST’s 2024 post-quantum standard finalization removed a key blocker for industry action. The trajectory of IBM and Google hardware development has moved from abstract roadmap to demonstrated milestones. And the political environment in Washington, shaped by the National Security Memorandum 10 framework, has placed quantum risk on the formal policy agenda in a way it was not four years ago. Bitcoin’s community now faces the same question that the broader internet security community faced in the mid-2010s with the SHA-1 deprecation: how long can an orderly, planned migration be deferred before events force a disorderly one?
Read Next: US Waits for Iran’s Answer as Hormuz Clashes Test Fragile Ceasefire
Conclusion
Project Eleven’s May 9 report is not a prediction of Bitcoin’s imminent cryptographic collapse. It is a structured argument that the preparation timeline for post-quantum migration, given how Bitcoin governance actually functions, may already be shorter than the threat timeline allows. That is a precise and important distinction. The authors are not saying quantum computers will break Bitcoin next year. They are saying that if the community waits for hardware evidence before beginning the formal migration process, the lead time required for a safe transition may have already passed.
The historical analogy to SHA-1 is instructive. Internet security researchers flagged SHA-1’s theoretical weakness as early as 2005. The first practical collision attack was demonstrated in 2017. By that point, most major browsers had already deprecated the standard through a long, coordinated process. The process worked because centralized authorities, browser vendors, certificate authorities, and enterprise IT departments could mandate migration on a schedule. Bitcoin has no equivalent institution, and that governance gap is the crux of Project Eleven’s concern.
What the broader cryptocurrency industry should take from this analysis is that quantum resistance is moving from a theoretical future concern to an active engineering and governance priority. NIST standards exist. Candidate implementations are being tested. The window for orderly preparation, which requires far less urgency and coordination than emergency response, remains open. Whether Bitcoin’s decentralized governance structure can organize a migration of this complexity before the window closes is the most important open question in long-term cryptocurrency security, and as of May 9, no credible timeline for beginning that process has been publicly proposed.
Read Next: Daniel Dae Kim Guides Viewers Through South Korea’s Global Cultural Rise
—
