Project Eleven's Plan: Recovering Quantum-Vulnerable Bitcoin
By John Nada·Jul 19, 2026·4 min read
Project Eleven introduces a zero-knowledge proof system for quantum-vulnerable Bitcoin recovery, though Satoshi's coins remain unrecoverable.
A new zero-knowledge proof system from Project Eleven offers a practical recovery method for bitcoin locked under BIP-361's proposed freeze of quantum-vulnerable coins, though it won't work for Satoshi's famed 1.1 million BTC. The scheme, leveraging the resilience of modern wallet key derivation against quantum attacks, allows true owners with seed material to prove control over their holdings. Benchmarks showcase Project Eleven’s system as faster than any previous attempt, completing proof generation in 243 milliseconds on consumer hardware, as CoinDesk reports. However, this prototype is unaudited and incomplete, requiring contentious changes to blockchain rules to protect live coins.
BIP-361, published this April, aims to freeze coins exposed to potential quantum threats, impacting over a third of Bitcoin’s supply, including those of its elusive creator. Jameson Lopp and five co-authors, in publishing BIP-361, emphasized the necessity of addressing the looming quantum threat. The proposal outlines a phased approach to securing Bitcoin by blocking new deposits to vulnerable addresses after three years and freezing the remaining ones after five, leaving coins like Satoshi's 1.1 million BTC stranded. A subsequent phase includes a recovery path utilizing zero-knowledge proofs, which allow someone to demonstrate knowledge of a fact without revealing the fact itself.
Q-Day, a hypothetical moment when a quantum computer might derive private keys from public ones, poses a significant risk to Bitcoin's elliptic curve cryptography. Shor’s algorithm threatens to unravel this system, while Project Eleven's method hinges on proving knowledge of a key above an address in a wallet’s derivation tree without revealing any key material. Bitcoin signatures rely on elliptic curve cryptography, a system in which a private key generates a public key through math that runs only one way. Anyone can check the public key, but nobody can work backward to the private one.
However, Shor’s algorithm, a quantum method published in 1994 for problems that ordinary computers cannot crack, can be fed a public key and return the private key that generated it. Hashing is a different kind of problem. A hash scrambles an input into a fixed-length fingerprint and cannot be run backward, and the best quantum attack on it, called Grover's algorithm, only halves the exponent rather than collapsing it, taking a 256-bit hash from 2^256 guesses down to 2^128. That is still more guesses than a machine making a billion a second could get through in the lifetime of the universe.
Modern wallets are built on hashing. A wallet generates addresses in a tree, deriving each key from its parent, and a "hardened" derivation step feeds the parent's private key through HMAC-SHA512 to produce the child key. That is a one-way function. An attacker who breaks an address after Q-Day ends up holding exactly the key held, and cannot climb the tree to the key it came from.
Project Eleven and Jim Posen, lead developer of the Binius proof system, built a zero-knowledge proof around it. The user proves they know the key material sitting above their address in the wallet's derivation tree, that it derives the address in question, and binds the proof to a specific message, so the same proof can authorize the migration transaction. None of the key material is disclosed. The benchmarks are what make it interesting.
On an M5 MacBook Air, generating the proof takes 243 milliseconds on four cores, verification takes 40 milliseconds, and the whole thing uses about 2 gigabytes of memory and no GPU at all. There is no trusted setup. Project Eleven's runs in 910 milliseconds on the CPU alone, counting circuit construction, proof generation and self-checking, which it puts at 16 times faster. Excluding the one-time setup, which a real prover would build once and reuse, the gap widens to roughly 60 times.
And here lies the snag: Satoshi's coins, mined before the introduction of hierarchical deterministic wallets in 2012, lack this derivation path, rendering the recovery method inapplicable. This limitation extends to other pre-2012 wallets, a notable segment of dormant bitcoin. Satoshi mined through 2009 and 2010 and was gone by 2011.
