All Crypto Blogs

Bitcoin’s quantum problem gets a recovery tool, but not for Satoshi’s 1.1 million coins

coindesk.com · Jul 19, 2026 at 10:00

Bitcoin’s quantum problem gets a recovery tool, but not for Satoshi’s 1.1 million coins
coindesk.com Jul 19, 2026

The proposal to freeze bitcoin's quantum-vulnerable coins has always carried an asterisk.

BIP-361, published in April by Jameson Lopp and five co-authors, would block new deposits to vulnerable addresses after three years and freeze whatever remained after five, stranding coins in more than a third of bitcoin's supply, including the roughly 1.1 million BTC attributed to pseudonymous creator Satoshi Nakamoto.

A later step of that plan promised a recovery path using zero-knowledge proofs, a technology that lets someone prove to another person that they know a fact without ever revealing it.

Quantum research outfit Project Eleven says it has now built exactly that, and made it fast enough to use.

Q-Day is a theoretical point at which a quantum computer could derive a private key from a public key, allowing an attacker to sign transactions from any address whose public key has ever been exposed.

More than 34% of all bitcoin sits in that category, according to BIP-361. After Q-Day, a signature would prove nothing because the attacker can produce one as easily as the owner. The chain cannot tell them apart.

Bitcoin signatures rely on elliptic curve cryptography, a system in which a private key generates a public key through math that runs only one way. Anyone can check the public key, but nobody can work backward to the private one. However, Shor’s algorithm, a quantum method published in 1994 for problems that ordinary computers cannot crack, can be fed a public key and return the private key that generated it.

Hashing is a different kind of problem. A hash scrambles an input into a fixed-length fingerprint and cannot be run backward, and the best quantum attack on it, called Grover's algorithm, only halves the exponent rather than collapsing it, taking a 256-bit hash from 2^256 guesses down to 2^128.

That is still more guesses than a machine making a billion a second could get through in the lifetime of the universe.

Modern wallets are built on hashing. A wallet generates addresses in a tree, deriving each key from its parent, and a "hardened" derivation step feeds the parent's private key through HMAC-SHA512 to produce the child key.

That is a one-way function. An attacker who breaks an address after Q-Day ends up holding exactly the key held, and cannot climb the tree to the key it came from.

Project Eleven and Jim Posen, lead developer of the Binius proof system, built a zero-knowledge proof around it.

Source

This article is syndicated for educational reading. For the latest updates, visit the original publisher.

Read on coindesk.com

Recently Used