Public Quantum Demo Cracks 15‑Bit ECC for 1 BTC—Why Bitcoin’s Real Risk Is Exposed Public Keys
A public quantum computer just solved a 15‑bit elliptic curve key for a 1 BTC prize. It’s not Bitcoin‑grade, but it sharpens the timeline and spotlights key‑exposure risk.

Because Bitcoin
April 24, 2026
A small but telling milestone just landed in the quantum-versus-crypto saga. An Italian researcher, Giancarlo Lelli, used publicly accessible quantum hardware and a Shor-style approach to recover a 15‑bit elliptic curve key—enough to claim Project Eleven’s 1 Bitcoin Q‑Day Prize, worth roughly $78,000. The accomplishment is nowhere near Bitcoin’s 256‑bit security level, yet it marks the largest publicly verified quantum attack on elliptic curve cryptography (ECC) to date, and it inches the conversation away from theory toward timelines.
The demonstration matters less for its immediate power and more for what it invalidates. Project Eleven launched the Q‑Day Prize in 2025 to test whether public systems could move beyond toy problems (think factoring 21). Lelli’s result expanded the search space to a 15‑bit ECC instance—32,767 possibilities—and represented a 512x jump over the prior public demo. According to the team, the attack ran on a roughly 70‑qubit machine and, once engineered, completed in minutes. A review panel from academia and industry—including researchers at the University of Wisconsin–Madison and quantum software firm qBraid—validated the submission.
What makes this a live issue for Bitcoin and Ethereum is simple: both rely on ECC for digital signatures. While current quantum machines can’t threaten 256‑bit keys, the cadence is quickening. Google set a 2029 deadline to shift its infrastructure to post‑quantum cryptography, citing better hardware, improving error correction, and shrinking attack estimates. One Google-affiliated analysis suggested that fewer than 500,000 physical qubits might jeopardize Bitcoin’s signatures; a separate study from Caltech and Oratomic pointed to a neutral‑atom design requiring roughly 10,000–20,000 qubits. Project Eleven CEO Alex Pruden framed a “worst‑case” Q‑Day around 2029, emphasizing that clever engineering tends to surprise on timing.
Here’s the actual pressure point that often gets missed: public-key exposure. Project Eleven estimates around 6.9 million BTC currently sit at addresses where the public key is already visible on‑chain. Those coins become the earliest targets the moment sufficiently capable quantum machines exist, because the attacker doesn’t need to wait for a user to sign again—they can work directly from the exposed public key.
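The exposure triage described above, as an added example that is not from the article or from Project Eleven: it sorts a wallet's unspent outputs by whether the public key is already on-chain, either in the output script itself (P2PK, Taproot) or through an earlier spend from the same script (address reuse). The function names, sample scripts and amounts are constructed for illustration.

```python
# Added example; all scripts and amounts below are constructed sample data.
def classify_script(spk_hex):
    """Return (script_type, pubkey_visible_in_output) for a scriptPubKey."""
    s = bytes.fromhex(spk_hex)
    n = len(s)
    # P2PK: <push 33- or 65-byte pubkey> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC:
        return "p2pk", True
    # P2TR: OP_1 <32-byte x-only output key>
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh", False
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh", False
    # P2WPKH / P2WSH: OP_0 <20- or 32-byte hash>
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh", False
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh", False
    return "other", False  # e.g. bare multisig: needs manual review

def exposure_report(utxos, reused_scripts):
    """Sum satoshis per bucket. reused_scripts: lowercase hex scripts that
    were spent from before, so their key was revealed in that spend."""
    totals = {"exposed": 0, "hashed": 0, "review": 0}
    for spk_hex, sats in utxos:
        spk_hex = spk_hex.lower()
        kind, visible = classify_script(spk_hex)
        exposed = visible or spk_hex in reused_scripts
        bucket = "review" if kind == "other" else "exposed" if exposed else "hashed"
        totals[bucket] += sats
    return totals

P2PK = "41" + "04" + "aa" * 64 + "ac"
P2PKH = "76a914" + "bb" * 20 + "88ac"
P2WPKH = "0014" + "cc" * 20
P2TR = "5120" + "dd" * 32
REUSED = "0014" + "ee" * 20          # hashed type, but spent from earlier
MULTISIG = "5121" + "02" + "ab" * 32 + "51ae"
UTXOS = [(P2PK, 5000), (P2PKH, 1000), (P2WPKH, 2000),
         (P2TR, 3000), (REUSED, 4000), (MULTISIG, 700)]

if __name__ == "__main__":
    print(exposure_report(UTXOS, {REUSED}))
```

In practice the `reused_scripts` set would come from the wallet's own spend history. Outputs in the review bucket (bare multisig here) need a manual look because they can carry raw public keys too.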
That reframes the priority for protocols and institutions. The problem isn’t brute‑forcing every 256‑bit key at once; it’s the migration of already‑exposed keys before an attacker can sweep them. This is a coordination challenge at wallet, exchange, and custodian layers: upgrade policies, automate sweeping, and minimize address reuse. On Bitcoin, developers are weighing two proposals—BIP‑360 for a quantum‑resistant transaction format and BIP‑361 to deprecate legacy signature schemes and, eventually, freeze coins that fail to move. Freezing unmigrated funds is controversial: it may save assets otherwise vulnerable to theft, yet it raises property-rights and governance questions that Bitcoin’s culture is typically reluctant to touch. Ethereum’s path looks more iterative; the Foundation has assembled a post‑quantum security team, and Vitalik Buterin has mapped approaches to swap out vulnerable primitives over time.
Artificial intelligence could compress timelines further. Pruden suggested AI may streamline quantum error correction and help adversaries find weak cryptographic edges faster. That’s plausible: AI‑guided compilation, calibration, and error‑modeling can improve effective qubit quality, which matters as much as raw qubit counts.
How should serious holders interpret a 15‑bit win? Treat it as a progress marker and start planning around migration, not catastrophe. The realistic sequence is: public‑key‑exposed coins face first‑order risk; then widely used signature schemes get replaced; and only later do we worry about at‑rest, never‑revealed public keys. Teams should rehearse sweeping procedures, fee‑market contingencies during mass migrations, and clear user prompts for upgrades. For investors and boards, the business question becomes vendor readiness: Does your custodian have a PQC roadmap and the operational muscle to execute it under time pressure?
We’re still far from breaking Bitcoin’s 256‑bit signatures with public hardware. But the incentive gradient is shifting. When credible experiments move from “cute” to “capable,” the friction isn’t the math—it’s coordination at scale. Those who prepare early tend to keep their coins.
