A Researcher Just Broke a 15-Bit Elliptic Curve Key on a Quantum Computer. Here's Why That Should Concern You.
On April 24, 2026, Project Eleven awarded 1 BTC to researcher Giancarlo Lelli for breaking a 15-bit elliptic curve key on publicly accessible quantum hardware. Here's what that means, why the trajectory matters more than today's number.
On April 24, 2026, Project Eleven awarded one Bitcoin — worth roughly $78,000 at the time — to an independent researcher named Giancarlo Lelli. The reason: he broke a 15-bit elliptic curve cryptography key on a publicly accessible quantum computer using a variant of Shor's algorithm.
Every headline that covered this either panicked or dismissed it. "Bitcoin is broken." "This is nothing, Bitcoin uses 256-bit keys." Both responses missed the point.
The 15-bit result is not a threat to Bitcoin today. Nothing about this announcement means your wallet is at risk right now. But the reason this matters has nothing to do with 15 bits. It has everything to do with trajectory — the rate at which the resource requirements for a real attack are collapsing, and the rate at which the cryptographic infrastructure securing $2.5 trillion in digital assets is not being replaced.
Let me be direct about what I think: this is a canary moment. Not because Lelli's result is dangerous in isolation, but because when you put it alongside Google's March 2026 whitepaper, the Caltech/Oratomic paper from the same week, and the seven-month progression from 6-bit to 15-bit on public hardware, the direction of travel is unmistakable. The question is no longer "can quantum computers break ECC." It's "how much engineering work separates current hardware from the scale that does."
We've covered the implications of AI-assisted vulnerability discovery at CoderOasis — the Claude Mythos sandbox escape and Project Glasswing showed us what happens when a capability curve crosses a threshold and nobody's ready. The quantum threat to ECC has the same structural shape. You don't want to be migrating cryptographic infrastructure on the day the attack becomes feasible.
What Actually Happened
What Is Elliptic Curve Cryptography?
Before the quantum angle, you need to understand what ECC actually is and why it's everywhere.
Elliptic curve cryptography is the mathematical backbone of digital signature schemes. In Bitcoin and Ethereum, it's specifically secp256k1 — the elliptic curve equation:
y² = x³ + 7 (mod p)
where p is a specific 256-bit prime. Your Bitcoin private key is a randomly chosen 256-bit integer. Your public key is derived by multiplying a specific point on this curve (the "generator point" G) by your private key:
Public Key = Private Key × G
The security of the entire system rests on one assumption: given only the public key and G, deriving the private key requires solving the Elliptic Curve Discrete Logarithm Problem (ECDLP). In the classical computing world, the best algorithms for this problem require roughly √p operations — for a 256-bit prime, that's 2^128 operations. More compute than exists on Earth, by orders of magnitude.
Shor's algorithm, proposed by Peter Shor in 1994, breaks this assumption on a quantum computer. It can solve ECDLP in polynomial time — specifically O((log n)³) quantum operations rather than the classical 2^128. A sufficiently large quantum computer running Shor's algorithm on a 256-bit ECC key would complete the computation orders of magnitude faster than any classical approach.
"Sufficiently large" is the critical qualifier. Shor's algorithm requires quantum coherence across many qubits for an extended time. Every qubit interaction introduces errors. Error correction requires redundant physical qubits to encode each logical qubit. The engineering challenge is getting enough high-fidelity qubits, working together coherently, for long enough to run the algorithm to completion.
What Lelli Actually Did
Lelli's result was not breaking Bitcoin. It was demonstrating the attack class on a problem small enough that current quantum hardware can handle it.
A 15-bit elliptic curve key has a search space of 2^15 = 32,767 possible values. To put that in context:
- A classical computer solves this in microseconds by brute force
- A 256-bit Bitcoin key has a search space of
2^256— approximately10^77values - The difference between 15 bits and 256 bits is not linear. It's
2^241— a number with 72 decimal digits
The machine Lelli used had approximately 70 qubits. The attack ran in minutes. He derived the private key from its corresponding public key using a variant of Shor's algorithm adapted for the small parameter space.
Lelli derived a private key from its public key across a search space of 32,767 using a variant of Shor's algorithm. Shor's targets the Elliptic Curve Discrete Logarithm Problem (ECDLP), the math underlying the digital signature schemes securing Bitcoin, Ethereum, and most blockchains.
What matters about this result isn't the 15-bit number. It's that it happened on a cloud-accessible machine with no national lab infrastructure, no proprietary hardware, no specialized chip. The barrier to attempting this class of attack is dropping in proportion to the size of attack it can execute.
The Seven-Month Progression
Quantum attacks on ECC have moved from theory to practice over the last seven months. Steve Tippeconnic's 6-bit demonstration in September 2025 was the first public break on quantum hardware. Lelli's 15-bit result extends it by a factor of 512.
Six bits to fifteen bits in seven months, publicly, on accessible hardware. The factor-of-512 jump in search space demonstrates that the techniques are improving rapidly, not just incrementally.
Both of these demonstrations are toy problems. But the significance is the establishment of proof of concept for the attack methodology. Researchers can now measure what works, optimize their implementations, and apply those improvements to progressively larger parameter spaces. The engineering science of running Shor's algorithm on real quantum hardware is being actively developed.
Why the March 2026 Papers Changed the Calculus
The Lelli result did not exist in isolation. It dropped on April 24, 2026 — three weeks after two papers that fundamentally changed the resource estimates for a real attack.
Google's March 2026 Whitepaper
Google Quantum AI published a 57-page paper titled "The Quantum Threat to Elliptic Curve Cryptocurrencies: Resource Estimates, Vulnerabilities, and Mitigations." The authors include Craig Gidney — who has been publishing landmark work on quantum circuit optimization for years — Stanford cryptographer Dan Boneh, and Justin Drake of the Ethereum Foundation.
The first paper, from Google Quantum AI, shows that an optimized version of Shor's algorithm for breaking 256-bit elliptic curve cryptography — the exact standard used by Bitcoin and Ethereum — can now be executed on a superconducting quantum computer with fewer than 500,000 physical qubits. Under realistic assumptions, the attack could complete in roughly nine minutes per key.
This is the number that matters: 500,000 physical qubits, nine minutes per key.
For context, the previous state-of-the-art estimate from Webber et al. (2022) required approximately 13 million physical qubits. Google reduced that by a factor of 26 — with better circuit optimization, improved error correction schemes, and algorithmic refinements. The hardware requirements haven't improved by 26x; the software understanding of how to run the algorithm efficiently has.
Nine minutes per key is significant for a specific reason. Bitcoin's average block time is ten minutes. A transaction broadcast to the network has roughly ten minutes of exposure in the mempool before it's included in a block. When a Bitcoin transaction is pending in the mempool, the sender's public key is visible to anyone watching. Because Bitcoin's average block time is about ten minutes, this speed is fast enough to enable real-time "on-spend" attacks, where an attacker steals coins while a transaction is still sitting in the public mempool.
This is the specific threat model to understand. Most Bitcoin addresses use a scheme where the public key is only revealed when funds are spent. Before a spend transaction, the public key is hidden behind a hash. But the moment you broadcast a spending transaction, your public key is visible for up to ten minutes before the transaction confirms. A quantum computer that can derive a private key in nine minutes could, in theory, intercept a transaction, derive the private key, create a competing transaction to a different address, and have it confirmed before the original.
That scenario requires a quantum computer with 500,000 high-fidelity qubits running surface-code error correction. Current best hardware operates in the 1,000-1,500 qubit range, with noise characteristics far from what error correction requires at scale. We are not there. But the distance is now measured in engineering scale-up, not fundamental physics impossibility.
The Caltech/Oratomic Paper
On the same day that Google Quantum AI published its landmark ECDLP-256 resource estimates, a team from Oratomic, Caltech, and UC Berkeley quietly dropped a paper making an even more startling claim: Shor's algorithm can be executed at cryptographically relevant scales with as few as 10,000 reconfigurable neutral atom qubits.
The Caltech/Oratomic team used a different architecture — neutral atoms rather than superconducting qubits. The tradeoff: neutral-atom platforms are slower (millisecond-scale gate operations versus microseconds for superconducting), but potentially more space-efficient because atoms can be reconfigured and rearranged during computation in ways superconducting circuits cannot.
Under the Caltech/Oratomic assumptions, a 26,000-qubit system could break ECC-256 in about ten days, allowing an attacker to systematically derive private keys and drain funds.
Ten days per key is not fast enough for on-spend attacks. It's fast enough for attacking dormant wallets — Bitcoin addresses that haven't moved funds in years, whose public keys are permanently exposed on the blockchain. Around 6.9 million BTC in wallets with exposed public keys could be at risk from future quantum attacks.
At Bitcoin's current price, that's approximately $540 billion sitting in addresses where the public key is permanently visible. The Caltech scenario — 26,000 qubits, ten days per key — is still out of reach. But the neutral-atom architecture is exactly what companies like QuEra, Pasqal, and now Oratomic are actively scaling. The 10,000-qubit threshold is not a theoretical limit; it's a near-term engineering target for these platforms.
The important caveat: Neither set of academics claims to have broken Bitcoin or to have a working quantum computer — they are simply proposing new improved algorithmic constructions. The way to think about the race is in terms of resource requirements versus physical capabilities. In recent years, the software side has been advancing faster than the hardware, and it seems like there are still more gains to come in terms of algorithmic efficiency.
Understanding Shor's Algorithm: Why It Breaks ECC
Most articles about this topic skip the actual math. I'm going to give you enough to understand why classical computers can't solve ECDLP fast but quantum computers can.
The Classical Difficulty
The ECDLP asks: given points P and Q on an elliptic curve, find integer k such that Q = kP.
The best classical algorithms for this are "baby-step giant-step" and the "Pollard rho" algorithm, both running in O(√n) time where n is the order of the curve. For secp256k1, n is a 256-bit number — roughly 10^77. The square root of that is about 10^38 operations. Running 10^38 operations at modern CPU speeds would take longer than the age of the universe. Literally. This is not a matter of getting faster computers; it's a mathematical impossibility with classical approaches in any reasonable timeframe.
How Shor's Algorithm Breaks It
Shor's algorithm solves ECDLP by reducing it to a period-finding problem — specifically, finding the period of a function that encodes the discrete logarithm. Quantum computers can find periods exponentially faster than classical computers through a technique called the Quantum Fourier Transform (QFT).
The quantum algorithm for ECDLP works roughly as follows:
- State preparation: Create a superposition of quantum states encoding the problem. A quantum register in superposition represents all possible answers simultaneously — this is the core quantum advantage.
- Controlled point additions: Apply the quantum gate sequence that computes multiples of the generator point, entangled with the register state. This is the computationally expensive step — it requires thousands of quantum gate operations per logical qubit, all executed coherently.
- Quantum Fourier Transform: Apply the QFT to the register. This destructively interferes all incorrect answers and constructively interferes the correct answer — the period, and from it, the discrete logarithm.
- Measurement: Measure the result. With high probability, this gives you the private key directly.
The total gate count for ECDLP-256 in the Google implementation is approximately 70-90 million Toffoli gates (a specific type of quantum gate used in error-corrected computation). With 1,200-1,450 logical qubits at the error rates needed for fault-tolerant operation, and translating to physical qubits with surface-code error correction at a code distance sufficient for this operation depth, you arrive at the <500,000 physical qubit estimate.
The reason error correction requires so many physical qubits: each logical qubit is encoded in a grid of physical qubits. Errors in individual physical qubits are detected and corrected without collapsing the quantum state. At code distance d, you need roughly d² physical qubits per logical qubit. For the depth of computation required by Shor's algorithm on a 256-bit key, you need a large enough code distance to keep the logical error rate below a threshold that allows the full computation to complete. This is the engineering challenge that hasn't been solved at scale.
The Error Correction Gap
Current quantum hardware has physical error rates around 10^-3 to 10^-2 per gate — one error per hundred to thousand operations. Fault-tolerant quantum computation requires logical error rates around 10^-15 per operation to run Shor's algorithm completely.
Getting from 10^-3 physical to 10^-15 logical requires aggressive error correction, which requires many physical qubits per logical qubit. The code distance needed, and therefore the physical qubit overhead, depends on the physical error rate. Better hardware (lower physical error rate) needs less error correction overhead for the same logical error rate.
This is why both hardware improvements and algorithmic improvements matter. Google's paper achieves the 500,000 qubit estimate partly through better circuit optimization (fewer operations = less time for errors to accumulate = less error correction overhead needed). Oratomic's claim of 10,000 qubits assumes advances in the neutral-atom error rate that haven't been demonstrated at scale yet.
The Exposed Bitcoin Address Problem
Bitcoin's threat model is specific. Not all addresses are equally vulnerable.
Pay-to-Public-Key (P2PK): Early Bitcoin used P2PK addresses, where the public key is stored directly in the transaction output. These addresses have permanently exposed public keys. Satoshi Nakamoto's earliest mined Bitcoin are P2PK. Approximately 1.7 million BTC sits in P2PK addresses.
Pay-to-Public-Key-Hash (P2PKH, "1..." addresses): The standard address type from roughly 2010-2018. The public key is hashed before storage. The hash is public, the key is not — until the address spends. Once any output from a P2PKH address is spent, the public key is permanently visible in the transaction history. An address that has received Bitcoin but never spent is protected. An address that has spent, even once, has its public key on the blockchain forever. Approximately 5.2 million BTC sits in addresses that have spent and therefore have exposed public keys.
P2WPKH (SegWit, "bc1q..." addresses) and P2TR (Taproot, "bc1p..." addresses): These also reveal the public key on first spend but not before. They don't provide meaningfully stronger quantum resistance for the exposed case.
The 6.9 million BTC figure for quantum-vulnerable addresses is the rough sum of P2PK holdings and P2PKH addresses with exposed public keys. At $78,000 per BTC, that's approximately $540 billion.
Here's the uncomfortable math. A quantum computer that can break one ECC-256 key in nine minutes (Google's estimate with 500,000 qubits) could work through all 6.9 million exposed addresses at a rate of roughly 6-7 per hour. At that rate, clearing all exposed addresses would take approximately 117 years. But that's one machine. A state-level actor with multiple machines working in parallel could systematically drain significant portions of the exposed holdings much faster.
This is not an imminent threat. The hardware doesn't exist. But the strategic calculus for attackers — especially state-level actors with long time horizons who can begin harvesting public keys now and wait until hardware matures — is worth understanding.
What the Cryptographic Community Is Actually Doing
NIST Post-Quantum Standards
NIST completed its first post-quantum cryptography standardization in August 2024. Three algorithms were standardized:
CRYSTALS-Kyber (now ML-KEM, FIPS 203): A lattice-based key encapsulation mechanism for key exchange and encryption. Replaces ECDH (Diffie-Hellman on elliptic curves) for establishing shared secrets.
CRYSTALS-Dilithium (now ML-DSA, FIPS 204): A lattice-based digital signature scheme. Directly relevant to blockchain — digital signatures are the core operation quantum attacks target.
SPHINCS+ (now SLH-DSA, FIPS 205): A hash-based signature scheme. More conservative design, slower, but relies only on hash function security rather than lattice assumptions.
A fourth algorithm, FALCON (FN-DSA), is also being standardized. All four are believed to be resistant to known quantum attacks including Shor's algorithm, because they rely on mathematical problems (lattice problems, hash function collision resistance) for which no efficient quantum algorithm is known.
The catch: Bitcoin and Ethereum don't use any of these. They use secp256k1 and ECDSA/Schnorr signatures. Migrating to post-quantum signatures is a hard fork — a breaking change requiring consensus from the entire network.
Bitcoin's Post-Quantum Migration Challenge
Bitcoin has no governance mechanism for rapid coordinated changes. Soft forks (backward-compatible changes) have a realistic path to adoption through miner signaling. Hard forks (breaking changes) are extremely contentious.
Migrating Bitcoin's signature scheme to a post-quantum algorithm would require:
- Choosing a PQC signature algorithm (likely a variant of Dilithium or SPHINCS+)
- Implementing it in Bitcoin's script system
- Achieving consensus among miners, nodes, and economic actors
- Deploying the change
- Migrating existing funds — the hard part
The migration of funds is where it gets technically complex. Bitcoin's scripting system would need to support both old and new signature schemes during a transition period. Funds in old (ECC) addresses would need to be moved to new (PQC) addresses before the old scheme becomes insecure. This requires active participation from every holder who wants to protect their funds.
Funds in P2PK addresses, some of which are controlled by early miners who may be lost, dead, or unreachable, simply may never be migrated. At some point, a quantum-capable attacker could claim them.
The Bitcoin development community has proposals in progress. QuBit (BIP-360) is a soft-fork proposal from developer Hunter Beast that would add pay-to-quantum-resistant-hash (P2QRH) addresses using CRYSTALS-Dilithium. It's in early draft. It has not been merged. It has not been assigned a BIP number finalized through the process. Progress exists; urgency is not yet matched by implementation timeline.
Ethereum's Situation
Ethereum's situation is somewhat better and somewhat worse. Better: Ethereum has a more agile governance process and has executed hard forks with broad community support multiple times (the Merge being the most significant). Worse: Ethereum's account-based model means public keys are more broadly exposed than Bitcoin's UTXO model — nearly every Ethereum account that has ever transacted has a permanently visible public key.
Ethereum developers, including Justin Drake (who co-authored the Google paper), are actively working on post-quantum migration paths. Account abstraction (EIP-4337 and later improvements) provides a framework for using alternative signature schemes without a full protocol change. But production deployment of PQC signatures in Ethereum is still years away.
What This Means If You Hold Cryptocurrency
Direct practical advice, no hedging:
For new addresses you're creating: Use fresh addresses that have never been used as outputs. Use a hardware wallet that generates addresses from a secure entropy source. Don't reuse addresses. These practices don't protect you from a sufficiently advanced quantum attack, but they minimize your exposure window to the period when you're actively spending, not the indefinite period you're holding.
For funds in old addresses that have spent: You are in the "exposed public key" category. In the near term (years), this doesn't matter — no hardware exists. If you're holding significant value and concerned about multi-year time horizons, migrating to a fresh address reduces your risk profile. The migration transaction itself exposes your public key briefly, but a brief exposure window is better than permanent exposure.
For funds in Satoshi-era P2PK addresses: These are permanently exposed and will be until someone drains them or Bitcoin migrates its cryptographic foundation. If Satoshi is dead or inaccessible, those coins will be at risk from the first sufficiently advanced quantum computer.
For developers building on cryptographic primitives: Stop using ECDSA or secp256k1 for anything you're designing now with a 10+ year operational horizon. NIST's ML-DSA (Dilithium) is standardized and implemented in major cryptographic libraries. For key encapsulation, ML-KEM (Kyber) is standardized. Use them.
We covered RSA's similar vulnerability in the RSA from scratch series — RSA is also vulnerable to Shor's algorithm, requiring approximately 102,000 qubits at 3 months per key on the Caltech/Oratomic estimates. For RSA-2048 specifically, the Caltech paper puts it at roughly 102,000 qubits and three months. The mitigation path is the same: NIST's post-quantum standards.
The Intellectual Honesty Section
I want to be clear about what we don't know, because the discourse around this topic is full of overconfidence in both directions.
We don't know the actual qubit requirements. Google's 500,000 estimate and Oratomic's 10,000 estimate both depend on architectural assumptions, error rate targets, and algorithmic optimizations that haven't been validated at scale. These are theoretical lower bounds based on current best algorithmic knowledge. Actual requirements could be higher.
We don't know when fault-tolerant quantum computers will exist. Projections from 2019 said 2027. Projections from 2022 said 2030. Google says 2029. Some researchers say 2040. Some say never-at-practical-scale. The honest answer is nobody knows. Quantum computing has surprised researchers with both faster and slower progress than expected.
We do know the trajectory. The gap between "theory" and "practice" on ECC attacks closed from infinity to six bits in September 2025, to fifteen bits in April 2026. The resource estimates for a full 256-bit attack dropped from 13 million qubits (2022) to under 500,000 qubits (Google, March 2026) to potentially 10,000 qubits (Caltech/Oratomic, March 2026). Both the practical demonstration capabilities and the theoretical resource requirements are moving in the same direction, faster than most estimates predicted.
The engineering problem is real and hard. Even with 500,000 or 10,000 qubit estimates, current best hardware is at 1,000-1,500 qubits with error rates that need to improve by orders of magnitude. Scaling quantum hardware while simultaneously improving error rates is one of the hardest engineering challenges in physics. It may take ten years. It may take thirty. It probably won't take zero.
The position I'd argue for: the probability that ECC becomes attackable in a meaningful timeframe is low enough that you shouldn't panic, but high enough that any system being designed today for 10-20 year operational horizons should plan for post-quantum cryptography. The migration cost is manageable now. The migration cost when a functional quantum computer exists will be emergency-driven, rushed, and prone to exactly the kind of mistakes that cause catastrophic breaches.
Frequently Asked Questions
Is Bitcoin broken right now?
No. The 15-bit result is 2^241 smaller than what Bitcoin's 256-bit cryptography requires. No quantum computer in existence can attack production cryptographic keys.
When should Bitcoin and Ethereum implement post-quantum cryptography?
Yesterday, ideally. Realistically: the next several years of development and consensus-building are the window. The crypto community's failure to treat this as urgent has been well-documented; the pace of algorithmic improvement is making that complacency increasingly expensive.
Do other cryptocurrencies have the same problem?
Every blockchain using ECDSA or Schnorr signatures over secp256k1 or similar elliptic curves has the same structural vulnerability. Ethereum, Litecoin, Bitcoin Cash, Dogecoin, and essentially every major proof-of-work and proof-of-stake network use ECC-based signatures. The only exception is blockchains that have already migrated to post-quantum schemes — a very short list.
What about HTTPS and TLS? Am I vulnerable?
TLS 1.3 uses ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) for key exchange, which is vulnerable to Shor's algorithm. However, TLS sessions are ephemeral — a recording of encrypted traffic today can't be decrypted later if perfect forward secrecy is used, because the session keys are never stored. The threat model for TLS is "harvest now, decrypt later" — recording encrypted traffic today and decrypting it when quantum computers are available. For non-sensitive traffic, this doesn't matter. For sensitive traffic (medical, legal, national security), organizations should already be planning hybrid quantum-classical key exchange.
Major browsers and some CDNs are already deploying hybrid post-quantum key exchange. Cloudflare, Google, and Amazon have all deployed or are deploying hybrid X25519+ML-KEM key exchange in TLS. The migration for TLS is happening in the web infrastructure layer; the migration for blockchain signatures requires user/holder action.
The CVE coverage and cryptography deep dives at CoderOasis are in the Security topic section. The RSA implementation series — Part 1, Part 2, and Part 3 — builds the mathematical foundation for understanding both classical and quantum attacks on asymmetric cryptography. If you're holding significant cryptocurrency value and want to understand the underlying math before making decisions, start there.