Quantum Computer Cracks Cryptographic Key: Is Bitcoin at Risk?

📋 En bref (TL;DR)
- A researcher has cracked a 15-bit elliptic curve cryptography key on a publicly accessible quantum computer, winning the Q-Day Prize of 1 BTC (approximately $78,000) awarded by Project Eleven.
- The previous record was 6 bits — this breakthrough represents a 512-fold improvement, but remains extremely far from the 256 bits used by Bitcoin to secure wallets.
- Google estimates that fewer than 500,000 physical qubits would be needed to break Bitcoin’s cryptography, while a team from Caltech and Oratomic suggests 10,000 qubits could suffice using a neutral-atom architecture.
- 6.9 million BTC (approximately 34% of total supply) are stored in addresses whose public key is visible on-chain, making them theoretically vulnerable to a sufficiently powerful quantum attack.
- BIP-361 proposes freezing unmigrated bitcoins that haven’t moved to post-quantum addresses after a 5-year grace period, sparking intense debate over Bitcoin governance.
- Jefferies dropped its 10% Bitcoin allocation from its model pension portfolio as early as January 2026, citing quantum risk as a long-term existential threat.
- Adam Back estimates the threat is at least 20 years away but insists on starting the post-quantum migration now, with tests already underway on the Liquid network.
A quantum computer cracks an elliptic curve cryptography key: what happened?
On April 24, 2026, independent researcher Giancarlo Lelli successfully derived a private key from its public key on a 15-bit elliptic curve, using a publicly accessible quantum computer. Project Eleven, a firm specializing in quantum security, awarded him the Q-Day Prize — a bounty of 1 BTC (approximately $78,000 at the current price).
To understand the significance of this announcement, you first need to grasp what it concretely means. Lelli used a variant of Shor’s algorithm on a machine with roughly 70 qubits to explore a search space of 32,767 possible values and recover the private key corresponding to a given public key. The entire operation took a few minutes once the quantum circuit was optimized.
The previous record, set in September 2025 by Steve Tippeconnic, involved a key of only 6 bits. Lelli’s result therefore represents a 512-fold improvement — a significant leap in the field of quantum cryptanalysis.
Why 15 bits don’t (yet) threaten Bitcoin
Bitcoin uses 256-bit elliptic curve cryptography (ECDSA with the secp256k1 curve). The gap between 15 bits and 256 bits is staggering: the search space jumps from 32,767 to a 77-digit number. Breaking a 256-bit key would require incomparably greater quantum resources than those used in this demonstration.
As CryptoSlate points out, headlines proclaiming that “quantum computing breaks Bitcoin’s math” massively exaggerate the actual risk. But the key takeaway lies elsewhere: this gap is increasingly seen as an engineering problem, not a fundamental physical impossibility.
Estimates are tightening: how many qubits to threaten Bitcoin?
What makes Lelli’s announcement particularly significant is that it comes in a context where theoretical estimates for breaking Bitcoin’s cryptography have dropped dramatically in just a few months.
The Google paper: fewer than 500,000 qubits
In March 2026, Google Quantum AI published a research paper that shook the community. The researchers estimated that breaking 256-bit ECDSA — the standard protecting Bitcoin and Ethereum — could require fewer than 500,000 physical qubits. That’s roughly a 20-fold reduction from previous estimates, which commonly cited “millions” of qubits.
Even more concerning: Google’s study identified a scenario where a quantum system could prepare part of the computation in advance, then complete the attack in approximately 9 minutes once a transaction appears on the network. Bitcoin transactions take an average of 10 minutes to be confirmed. This would give an attacker roughly a 41% chance of beating the confirmation — a figure that sent shockwaves across the industry.
Caltech and Oratomic: would 10,000 qubits be enough?
Google’s study wasn’t even the most alarming. A paper by researchers from Caltech and the startup Oratomic suggested that a neutral-atom quantum computer could break ECC-256 cryptography with as few as 10,000 physical qubits, in approximately 10 days. For reference, Manuel Endres, co-founder of Oratomic, has already trapped arrays of 6,000 atoms in his lab.
This should be taken with a grain of salt, however: nine of the paper’s authors are shareholders in Oratomic, six of whom are employed there. The paper serves as much as a commercial roadmap as a scientific result. But even applying a healthy dose of skepticism, the trend is clear: theoretical barriers are falling faster than expected.
Taproot: an upgrade that broadens the attack surface
Google also pointed to a Bitcoin-specific problem: the 2021 Taproot upgrade makes public keys visible by default in transactions. As a result, approximately 6.9 million BTC (34% of the total circulating supply) are stored in addresses whose public key is exposed on-chain. These bitcoins would be the first to be vulnerable if a sufficiently powerful quantum computer were to emerge.
The quantum threat is a governance problem, not an engineering one
This is the central thesis defended by Guillaume Girard of UTXO Management in an article for Bitcoin Magazine: the real danger isn’t that we don’t know how to protect Bitcoin against quantum computing — it’s that the network might fail to reach consensus on implementing protections in time.
The BIP-361 dilemma: freeze or let them be stolen?
On April 14, 2026, Jameson Lopp (CTO of Casa) and five other developers formally proposed BIP-361, titled “Post Quantum Migration and Legacy Signature Sunset.” The plan unfolds in three phases:
- Phase A (approximately 3 years after BIP-360 activation): wallets can no longer send funds to legacy address types. Users are pushed toward new post-quantum address formats.
- Phase B (2 years after Phase A): all legacy signatures (ECDSA and Schnorr) become invalid at the consensus level. Unmigrated bitcoins are frozen — impossible to move.
- Phase C (under research): holders of frozen coins could prove ownership via a zero-knowledge proof tied to their BIP-39 seed phrase.
Lopp himself acknowledged the harshness of the proposal on X (formerly Twitter): “I know people don’t like this proposal. I don’t either. But I wrote it because I hate the alternative even more.”
The alternative in question: letting a quantum attacker potentially drain 6.9 million BTC — a catastrophe that would destroy trust in the network.
Adam Back: voluntary migration rather than forced freeze
Adam Back, CEO of Blockstream and inventor of Hashcash (the predecessor to Bitcoin’s proof-of-work), advocates a radically different approach. According to him, the concrete quantum threat is at least 20 years away. He recommends a voluntary and gradual migration, with roughly a decade for users to transfer their funds to quantum-resistant addresses.
Back points to concrete work: a 20-person team is working on post-quantum cryptography at Blockstream, and quantum-resistant signatures are already being tested on the Liquid network. He believes Taproot was designed with enough flexibility to integrate new signature schemes without disrupting the existing network.
The “Hourglass” approach: accept theft, limit the damage
A third path has been proposed: the “Hourglass” model. This scenario accepts that some quantum thefts will occur, but seeks to throttle the flow of stolen bitcoins to mitigate price impact and limit market disruption. It’s a pragmatic strategy that acknowledges some coins — particularly those attributed to Satoshi Nakamoto — may be impossible to migrate.
The fundamental problem remains the same: Bitcoin evolves through consensus, like a legislative assembly. Every protocol change requires agreement from the developer community, miners, and nodes. Previous major upgrades (SegWit, Taproot) took years of debate. Faced with a threat that may require a rapid response, this structural slowness itself becomes a risk.
The industry mobilizes: who’s preparing for the post-quantum era?
Coinbase launches a dedicated advisory committee
In January 2026, Coinbase formed an independent advisory committee on quantum computing and blockchain. In April, this committee published a guidance report estimating that the crypto industry has a 3 to 5-year window to transition to post-quantum security. The NIST (National Institute of Standards and Technology) recommends a complete migration by 2035 — a deadline the report considers potentially optimistic.
The Coinbase report identifies Algorand and Aptos as the blockchains best prepared for a post-quantum future, while Bitcoin and Ethereum are ranked among the most exposed due to their protocol inertia.
NIST standards and the signature size challenge
NIST finalized three post-quantum cryptography standards in August 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). These algorithms are designed to resist quantum attacks while remaining usable on classical hardware.
The problem for Bitcoin: post-quantum digital signatures are 10 to 100 times larger than current signatures. According to some estimates, replacing existing signatures with quantum-resistant alternatives could multiply block sizes by a factor of 38. For a network already under strain in terms of throughput capacity, this is a considerable technical challenge.
Jefferies sounds the financial alarm
Perhaps the most striking signal came from the world of traditional finance. In January 2026, Christopher Wood, chief equity market strategist at Jefferies, removed his entire 10% Bitcoin allocation from his model pension portfolio, replacing it with 5% in physical gold and 5% in gold mining stocks. His rationale: quantum risk poses an “existential” threat to the thesis of Bitcoin as a long-term store of value.
This type of institutional decision, even if it remains isolated, could have a domino effect if other fund managers follow the same reasoning.
Should you worry today? Perspective and timeline
The short answer: no, not right now. The long answer: it’s time to start preparing seriously.
The gap between cracking a 15-bit key and a 256-bit key remains astronomical. Today’s most advanced quantum computers have roughly 1,000 to 1,500 qubits — far from the estimated 10,000 to 500,000 needed. No serious expert predicts a concrete threat before at least 5 to 10 years, and Adam Back puts it at 20 years.
But several signals deserve attention:
- The pace of progress: the record jumped from 6 bits to 15 bits in 7 months, a 512-fold increase.
- Plummeting theoretical estimates: three papers in three months have significantly reduced the estimated number of qubits needed.
- Bitcoin’s governance inertia: protocol upgrades take years. If the transition window is 3 to 5 years, discussions must begin now.
- Real-world exposure: 6.9 million BTC already have their public keys visible on-chain — a potential treasure trove for the first quantum actor powerful enough.
For Bitcoin holders, the practical recommendation is straightforward: never reuse an address after making an outgoing transaction (which exposes your public key), and closely follow developments around BIP-360/361, which will define the future quantum-resistant address formats.
Glossary
- Elliptic Curve Cryptography (ECC): an encryption method that uses the mathematical properties of elliptic curves to generate public/private key pairs. Bitcoin uses the secp256k1 curve with 256-bit keys. Its security relies on the difficulty of the “discrete logarithm problem” — easy in one direction, virtually impossible to reverse with a classical computer.
- Proof-of-Work: a consensus mechanism used by Bitcoin where miners must solve complex mathematical problems to validate blocks. Proof-of-work itself is not directly threatened by quantum computing — it’s the signature cryptography (ECDSA) that constitutes the weak link.
- ECDSA (Elliptic Curve Digital Signature Algorithm): a digital signature algorithm used by Bitcoin to prove that a wallet holder possesses the associated private key without revealing it. This specific component is what Shor’s algorithm, running on a sufficiently powerful quantum computer, could theoretically break.
- Quantum computer: a type of computer that leverages the principles of quantum mechanics (superposition, entanglement) to perform certain calculations exponentially faster than a classical computer. Unlike a classical computer that processes bits (0 or 1), it uses qubits that can exist in multiple states simultaneously.
- Qubit: the fundamental unit of quantum information, equivalent to the classical “bit.” Thanks to quantum superposition, a qubit can simultaneously represent 0 and 1, enabling a quantum computer to explore numerous solutions in parallel. The number of qubits determines the computational power of a quantum computer.
- Post-quantum cryptography: a set of cryptographic algorithms designed to withstand attacks from quantum computers. NIST finalized three standards in August 2024 (FIPS 203, 204, 205). The challenge for Bitcoin: integrating these algorithms while handling signatures that are 10 to 100 times larger than current ones.
Frequently Asked Questions
Can a quantum computer break Bitcoin today?
No. The exploit achieved on April 24, 2026 involved a 15-bit key, while Bitcoin uses 256-bit keys. The gap is astronomical: the search space jumps from 32,767 possibilities to a 77-digit number. Current quantum computers (approximately 1,000-1,500 qubits) are far from the 10,000 to 500,000 qubits estimated to be needed to threaten Bitcoin. No serious expert predicts a concrete threat before at least 5 to 10 years.
How many bitcoins are vulnerable to a future quantum attack?
Approximately 6.9 million BTC — or 34% of the total circulating supply — are stored in addresses whose public key is visible on-chain. These bitcoins would be the first exposed if a sufficiently powerful quantum computer were to emerge. The most at-risk addresses are those that have already made outgoing transactions (which reveals the public key) and addresses using the Taproot format, which exposes the public key by default.
Can Bitcoin become resistant to quantum computers?
Yes, in theory. NIST has already finalized post-quantum cryptography standards (August 2024), and several proposals exist for Bitcoin, including BIP-360 (new post-quantum addresses) and BIP-361 (migration and freezing of legacy addresses). Blockstream is already testing post-quantum signatures on the Liquid network. The main challenge is governance: upgrading Bitcoin requires community consensus, which historically takes several years, and post-quantum signatures are 10 to 100 times larger.
What should you do to protect your bitcoins against the quantum threat?
The most important short-term measure is to never reuse a Bitcoin address after making an outgoing transaction, as this is the operation that exposes your public key on the blockchain. In the medium term, follow developments around BIP-360/361 and prepare to migrate your funds to new post-quantum addresses as soon as they become available. Use a wallet that updates regularly and will integrate post-quantum protections when they are deployed.
Which cryptocurrencies are best prepared for the quantum threat?
According to Coinbase’s advisory committee (April 2026), Algorand and Aptos are the blockchains best prepared for a post-quantum future. Ethereum has started exploring new resistant signatures. Bitcoin, despite its protocol inertia, benefits from certain structural advantages: its UTXO model, the absence of native smart contracts, and proof-of-work (which is not directly threatened by quantum computers) reduce the attack surface compared to other chains.
Sources
This article relies on the following sources:
- The Block — Researcher breaks 15-bit elliptic curve key in ‘largest quantum attack,’ wins 1 bitcoin bounty from Project Eleven (April 24, 2026)
- CoinDesk — Researcher wins 1 bitcoin (BTC) for largest quantum attack on elliptic curve yet (April 24, 2026)
- Bitcoin Magazine — Bitcoin’s Quantum Problem Is Really A Governance Crisis In Disguise: UTXO (April 2026)
- CoinDesk — Bitcoin’s Taproot could make quantum attacks easier than expected, new Google research says (March 31, 2026)
- CoinDesk — A quantum computer may need just 10,000 qubits to empty a Bitcoin wallet (March 31, 2026)
- CoinDesk — Coinbase advisory board warns that quantum computing threat is on the horizon (April 21, 2026)
- CoinDesk — Adam Back says bitcoin should prepare now for quantum risk despite long timeline (April 8, 2026)
- CoinDesk — BIP-361: Bitcoin’s ‘your keys, your coins’ promise just got an expiry date (April 15, 2026)
- CryptoSlate — Latest “quantum computer breaks the math behind Bitcoin” headlines massively exaggerate risk (April 2026)
- The Block — Jefferies’ Wood drops 10% bitcoin allocation over quantum computing fears (January 2026)
How to cite this article: “Quantum Computers and Bitcoin: A 15-Bit Key Cracked — Should You Worry?”, Fibo Crypto, April 25, 2026.
The simplest way to buy, swap and manage your crypto
Join the first users and get priority access. No seed phrase, fees 3.5x lower, built-in DeFi yield.
Get early access →


