A Quantum Computer Just Cracked a 15-Bit Key. Bitcoin Uses 256. The Math Between Them Is Changing Faster Than Anyone Expected.
In seven months, the largest public quantum attack on elliptic curve cryptography jumped from 6 bits to 15 bits, a 512-fold increase in search space. In seven years, the estimated qubit requirement for a full-scale break dropped from 20 million to 10,000. Roughly 6.9 million Bitcoin with exposed public keys have no migration plan. Ethereum published one two months ago.
Thirty-two thousand seven hundred sixty-seven. That is the size of the search space Giancarlo Lelli searched when he derived a private key from its public key on a cloud-accessible IBM quantum computer in April 2026, winning Project Eleven's Q-Day Prize and one Bitcoin. He used a variant of Shor's algorithm with six different oracle strategies including V-chain decomposition with dedicated ancilla qubits, and the entire codebase is on GitHub for anyone to reproduce. Lelli is not a quantum physicist but a cloud solutions architect from Microsoft's partner network with ten years in enterprise software, and he ran the entire attack on hardware that anyone with a credit card can rent.
Fifteen bits sounds trivial next to 256-bit elliptic curve keys. Bitcoin uses secp256k1 specifically, which means the real search space is not 32,767 but a number with 77 digits. Nobody is breaking Bitcoin tomorrow, but three things happened in the past seven months that should concern anyone who holds cryptocurrency, manages a certificate authority, or depends on any system secured by the Elliptic Curve Discrete Logarithm Problem.
The 512x Jump Nobody Expected This Fast
In September 2025, Steve Tippeconnic demonstrated the first public quantum attack on an ECC key, breaking a 6-bit key with a search space of 64. Seven months later, Lelli broke a 15-bit key with a search space of 32,767, a 512-fold expansion that nobody in the field expected to arrive this fast.
"The resource requirements for this type of attack keep dropping, and the barrier to running it in practice is dropping with them," said Alex Pruden, CEO of Project Eleven. "The winning submission came from an independent researcher working on cloud-accessible hardware. No national lab, no private chip."
The naive math is tempting: 9 additional bits in 7 months equals roughly 1.3 bits per month, which extrapolates to 256 bits being reachable around 2041, but that calculation is wrong in ways that cut both directions, and understanding why is more important than the number itself.
Why Naive Extrapolation Fails (In Both Directions)
Scaling quantum attacks on ECC is not linear. Each additional bit roughly doubles the circuit depth, the gate count, and the error budget. Lelli's 6-to-15-bit jump was driven substantially by algorithmic improvements rather than raw hardware: his efficient permutation decomposition strategy replaced dense unitary matrices that scale as O(4^n) with cycle-decomposed transpositions that scale as O(N·n), a qualitative improvement in how oracle queries are structured. Algorithmic tricks that produce dramatic gains at 15 qubits do not automatically transfer to 256. It is not just 17 times wider. It is exponentially harder across multiple dimensions simultaneously: qubit count, coherence time, error correction overhead, and circuit depth.
Complacency fails just as badly as panic, though, because the theoretical estimates for how many qubits a real attack would require have been collapsing at a pace that outstrips even optimistic hardware projections. In 2019, IBM estimated that breaking RSA-2048 would require 20 million qubits. In March 2026, Google Quantum AI published a whitepaper showing that fewer than 500,000 superconducting qubits could break ECC-256 in 9 to 23 minutes. That same month, a team from Caltech, Oratomic, and UC Berkeley published a preprint on arXiv demonstrating that the same attack is achievable with as few as 10,000 reconfigurable neutral atom qubits using high-rate quantum low-density parity-check codes.
That is a 2,000-fold reduction in estimated qubit requirements in seven years. Theoretical estimates shrank two orders of magnitude faster than hardware advanced.
The Resource Estimate Collapse
| Year | Source | Target | Physical Qubits | Runtime |
|---|---|---|---|---|
| 2019 | IBM/Gidney | RSA-2048 | ~20,000,000 | ~8 hours |
| 2024 | Gidney (revised) | RSA-2048 | ~1,000,000 | ~1 day |
| Mar 2026 | Google Quantum AI | ECC-256 | <500,000 | 9-23 min |
| Mar 2026 | Caltech/Oratomic | ECC-256 | 9,700-26,000 | 10-264 days |
A critical nuance separates the Google and Oratomic estimates. Google's number assumes superconducting qubits with microsecond error correction cycles, which produces a fast attack on large hardware. Oratomic's number assumes neutral atom qubits with millisecond cycles, roughly 1,000 times slower, which produces a slow attack on small hardware. Oratomic's space-efficient architecture uses approximately 9,700 physical qubits but requires 264 days. Their balanced architecture needs around 13,000 qubits and finishes in roughly 10 days.
Both papers build on each other in ways that amplify the threat. Oratomic's resource estimates explicitly use Google's circuit compilations, the same circuits Google verified with a zero-knowledge proof, meaning Google showed those circuits are efficient while Oratomic showed they can run on dramatically fewer physical qubits on a different type of machine. John Preskill, one of the founders of quantum error correction theory and a coauthor on the Oratomic paper, put it plainly: "I've been working on fault-tolerant quantum computing longer than some of my co-authors have been alive. Now at last we're getting close."
$531 Billion in Exposed Wallets
Roughly 6.9 million Bitcoin sit in wallets whose public keys are already visible on the blockchain. At approximately $77,000 per Bitcoin, that is $531 billion in assets directly exposed to a future quantum attack without any additional hacking required. An attacker would need only a sufficiently powerful quantum computer and the publicly available on-chain data.
This category includes Satoshi Nakamoto's estimated 1.1 million Bitcoin, coins in early Pay-to-Public-Key (P2PK) addresses that never used hashed outputs, and all coins spent since Bitcoin's 2021 Taproot upgrade, which reveals public keys at transaction time. CoinDesk reported that this exposure extends beyond Bitcoin: over $2.5 trillion in ECC-secured digital assets across all blockchains face structurally identical risks.
One Blockchain Has a Plan. The Other Does Not.
| Dimension | Bitcoin | Ethereum |
|---|---|---|
| Governance model | BIP process, no central authority | Vitalik + Ethereum Foundation |
| Post-quantum roadmap | None published | 4-component plan (Feb 2026) |
| Migration mechanism | Requires contentious hard or soft fork | Account abstraction enables gradual rollout |
| Known vulnerable assets | 6.9M BTC ($531B) | All ECDSA wallets, but roadmap addresses it |
| Cultural posture | "Don't change what works" | Regular protocol evolution accepted |
In February 2026, Vitalik Buterin published a detailed quantum resistance roadmap identifying four vulnerable components of Ethereum: consensus-layer BLS signatures, KZG commitments for data availability, ECDSA signatures on externally owned accounts, and application-layer ZK proofs. He proposed concrete fixes for each: STARK-based replacements, hash-based signatures, native account abstraction, and recursive proof aggregation. Whether Ethereum executes on this plan is uncertain, but the plan exists, has a named author with authority to drive implementation, and maps to specific protocol upgrades.
Bitcoin has none of this, and its governance model, a significant strength in normal times because it resists capture by any single entity, becomes a critical vulnerability when rapid coordinated action is required. Migrating Bitcoin to post-quantum cryptography demands changing the signature scheme that secures every transaction, which requires either a hard fork that risks splitting the network or a soft fork that imposes new constraints on every participant. The SegWit upgrade in 2017 took years of acrimonious debate and nearly split the community permanently. A cryptographic migration under quantum time pressure would be orders of magnitude more complex and contentious.
The "Harvest Now, Decrypt Later" Problem Is Already Real
Even the slow Oratomic scenario, 264 days with 10,000 qubits, creates an immediate strategic threat that does not require waiting for fast quantum hardware. State-level adversaries routinely collect encrypted data today with the intent of decrypting it once quantum computers become available. For Bitcoin, the equivalent is simpler: the public keys are already public, permanently recorded on an immutable ledger. A nation-state with a 10,000-qubit neutral atom machine in 2030 could spend a year quietly deriving private keys from on-chain public keys, then drain wallets in a single coordinated operation.
Google committed to completing its own quantum-secure migration by 2029, and Cloudflare followed with the same deadline. These are organizations that can issue executive mandates and enforce compliance across their infrastructure within months. Bitcoin cannot do this: there is no CEO of Bitcoin, no migration deadline, and no mechanism to force wallet holders to move their funds to quantum-resistant addresses before the threat materializes. That is precisely the kind of coordination problem that decentralization was never designed to solve under time pressure.
What This Analysis Does Not Prove
The gap between 15 bits and 256 bits remains enormous. It is roughly the difference between lifting a pebble and lifting a mountain, and no amount of algorithmic cleverness has changed the fundamental physics of that gap. Shor's algorithm requires maintaining quantum coherence across thousands of qubits for extended periods, and no existing machine comes close. IBM's largest processor has around 1,100 qubits with error rates far too high for cryptanalysis. The Oratomic paper assumes error rates and cycle times that represent engineering targets, not demonstrated capabilities. Manuel Endres of Caltech recently assembled the largest neutral atom qubit array at 6,100 atoms, still short of the 10,000-qubit threshold and without the error correction overhead the paper requires.
Project Eleven, which funded the Q-Day Prize, is a post-quantum security startup that benefits commercially from heightened concern about quantum threats. Their RISQ list of exposed Bitcoin wallets is useful data, but it comes from an entity with financial incentives to amplify the threat narrative. Google's 2029 migration deadline may be conservative marketing for its own post-quantum cryptography products.
The strongest counterargument against urgency is that cryptographic migrations have historically taken 15 to 20 years. SHA-1 was demonstrated broken in 2005 and was still in widespread use in 2015. DES persisted decades after being shown vulnerable. If quantum computers capable of attacking ECC-256 are 8 to 15 years away, Bitcoin's decentralized governance might have enough time to reach consensus. The counterargument against the counterargument is that those previous migrations did not involve $531 billion in assets sitting permanently exposed in a public ledger that anyone can read and that cannot be retroactively protected.
The Bottom Line
Three vectors converged in the span of seven months: practical quantum attacks on ECC jumped 512-fold, theoretical qubit requirements dropped below 10,000 for the first time, and the gap between blockchain preparedness levels became stark. None of these individually constitutes an emergency. Together, they form a picture of accelerating timeline compression against a background of governance inertia.
If you hold Bitcoin in a wallet with an exposed public key, check Project Eleven's RISQ list. Move coins to a fresh address that has never been spent from, which keeps your public key hashed until you next transact. If you manage enterprise systems that rely on ECDSA or RSA, begin evaluating post-quantum signature schemes now. NIST finalized CRYSTALS-Dilithium, CRYSTALS-KYBER, FALCON, and SPHINCS+ in 2024. Google and Cloudflare have both committed to completing migrations by 2029 for a reason. If you hold Ethereum, read Buterin's roadmap and track EIP progress on the four vulnerable components. If you contribute to Bitcoin development, the window for proposing and building consensus around a post-quantum BIP is closing, and it is far better to have a plan debated for three years than to need one implemented in three months.
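The exposure categories described above (P2PK and Taproot outputs carry the public key in the output itself; hashed outputs stay hidden only until the address is spent from) can be checked mechanically against your own UTXOs. The following is an added example, not code from the article or from Project Eleven's RISQ tooling; the output-script layouts are the standard Bitcoin ones, while the addresses, script bytes, and spent-from history are constructed sample data.

```python
# Added example: flag UTXOs whose spending public key is already visible on-chain.
# Script layouts are the standard Bitcoin output templates; all sample data is constructed.
from dataclasses import dataclass

OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = 0x00, 0x51, 0x76, 0x87, 0x88, 0xA9, 0xAC


def classify(script: bytes) -> tuple[str, bool]:
    """Return (script_type, key_exposed_by_output_itself) for a scriptPubKey."""
    n = len(script)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG -> the key is literally in the output
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG:
        return "p2pk", True
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG -> only HASH160(pubkey)
    if n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20]) and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh", False
    if n == 22 and script[:2] == bytes([OP_0, 20]):          # P2WPKH: OP_0 <20> -> hashed
        return "p2wpkh", False
    if n == 23 and script[:2] == bytes([OP_HASH160, 20]) and script[-1] == OP_EQUAL:
        return "p2sh", False                                  # script hash; depends on redeem script
    if n == 34 and script[:2] == bytes([OP_0, 32]):          # P2WSH: script hash
        return "p2wsh", False
    if n == 34 and script[:2] == bytes([OP_1, 32]):          # P2TR: OP_1 <32-byte x-only output key>
        return "p2tr", True                                   # tweaked key sits in the output itself
    return "unknown", False


@dataclass
class Utxo:
    address: str
    script: bytes
    value_btc: float


def audit(utxos: list[Utxo], spent_from: set[str]) -> list[dict]:
    """Spending from an address reveals its key in scriptSig/witness, so reuse counts as exposed."""
    report = []
    for u in utxos:
        kind, in_output = classify(u.script)
        reused = u.address in spent_from
        reason = "key in output script" if in_output else ("address spent from before" if reused else "hashed, not yet spent")
        report.append({"address": u.address, "type": kind, "value_btc": u.value_btc,
                       "exposed": in_output or reused, "reason": reason})
    return report


def exposed_total(report: list[dict]) -> float:
    return sum(r["value_btc"] for r in report if r["exposed"])


FAKE_PUBKEY = bytes.fromhex("02" + "11" * 32)   # placeholder compressed key, not a real point
SAMPLE = [   # constructed: fresh P2PKH, reused P2PKH, legacy P2PK, Taproot
    Utxo("addr-A", bytes([OP_DUP, OP_HASH160, 20]) + b"\xaa" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 1.5),
    Utxo("addr-B", bytes([OP_DUP, OP_HASH160, 20]) + b"\xbb" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 0.25),
    Utxo("addr-C", bytes([33]) + FAKE_PUBKEY + bytes([OP_CHECKSIG]), 50.0),
    Utxo("addr-D", bytes([OP_1, 32]) + b"\xdd" * 32, 0.1),
]
SPENT_FROM = {"addr-B"}

if __name__ == "__main__":
    rows = audit(SAMPLE, SPENT_FROM)
    for r in rows:
        print(r)
    print("exposed BTC:", exposed_total(rows))
```

Only addr-A, a hashed output never spent from, comes back unexposed; moving coins to such an address is exactly the "fresh address" advice above.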