Project Eleven warns Q-Day could arrive by 2030

Project Eleven published a report Wednesday saying the point at which quantum computers can break widely used encryption, often called “Q-Day,” could come as early as 2030 and is “more likely than not” by 2033. The startup argues progress in quantum hardware and algorithms may compound and produce sudden jumps in capability rather than steady gains. The report cites a recent demonstration in which a researcher recovered a 15-bit elliptic curve key using quantum hardware as partial evidence of accelerating progress, while noting that remains far short of the 256-bit keys used by Bitcoin.

Project Eleven estimates about 6.9 million bitcoins could be exposed under specific conditions if Q-Day arrives before users adopt quantum-resistant protections. At current prices, those holdings are worth more than $560 billion. The report highlights that migrating large user bases, exchanges and custodians to post-quantum cryptography could take many years.

The report references Mosca’s inequality: if the time required to upgrade a system exceeds the time until a threat arrives, the system is already at risk. That reasoning underlies proposals now circulating in the crypto community to prepare for a potential quantum threat well before practical quantum attacks appear.

Researchers and engineers have proposed concrete mitigation steps. One proposal would let bitcoin holders create timestamped proofs of wallet ownership today; those proofs could be used later to reclaim funds on a quantum-safe version of Bitcoin without revealing past on-chain activity. Another plan, BIP-361, outlines a multi-year migration window during which users would move funds to addresses that use quantum-resistant signature schemes. Major technology companies are also adjusting schedules and setting targets for migrating to quantum-resistant cryptography.

Quantum risk varies by how addresses are used. Elliptic curve signatures become vulnerable if an adversary can derive private keys from public data. Some address types reveal public keys only after a spend, which offers temporary protection for unspent outputs. Wallets that reuse addresses or expose public keys earlier would be at greater risk.

Technical hurdles remain for building quantum machines capable of breaking 256-bit elliptic curve keys at scale. Researchers continue to work on error correction, qubit fidelity and algorithms that could scale Shor’s algorithm to the sizes required. The report frames its timeline to reflect these uncertainties and the possibility of sudden, large-scale breakthroughs.

The report calls on wallet developers, exchanges, custodians and protocol maintainers to accelerate planning and begin staged migrations to quantum-resistant cryptography. It recommends combining technical changes to key and address formats with operational measures such as timestamped proofs and defined migration windows to reduce the risk to long-held funds if a practical quantum attack appears sooner than expected.