CoinDesk

Bitcoin’s quantum problem gets a recovery tool, but not for Satoshi’s 1.1 million coins

Bitcoin’s quantum problem gets a recovery tool, but not for Satoshi’s 1.1 million coins

Project Eleven says it has funded a proof that lets a wallet's own key-derivation path stand in as ownership after quantum computers can forge its signatures. It runs in 243 milliseconds on a laptop.

A new zero-knowledge proof system from Project Eleven offers a practical way to recover bitcoin locked under BIP-361’s proposed freeze of quantum-vulnerable coins, including Satoshi Nakamoto’s holdings.

The scheme exploits the fact that quantum computers can break elliptic curve signatures but not the one-way hashing used in modern wallet key derivation, allowing only true owners with seed material to prove control.

Benchmarks show Project Eleven’s prototype is dramatically faster than prior work, but it remains unaudited, incomplete, and would require contentious changes to blockchain rules before it could protect any live coins.

The freeze proposal and its asterisk

The proposal to freeze bitcoin's quantum-vulnerable coins has always carried an asterisk. BIP-361, published in April by Jameson Lopp and five co-authors, would block new deposits to vulnerable addresses after three years and freeze whatever remained after five, stranding coins in more than a third of bitcoin's supply, including the roughly 1.1 million BTC attributed to pseudonymous creator Satoshi Nakamoto.

A later step of that plan promised a recovery path using zero-knowledge proofs, a technology that lets someone prove to another person that they know a fact without ever revealing it. Quantum research outfit Project Eleven says it has now built exactly that, and made it fast enough to use.

The quantum threat: Q-Day

Q-Day is a theoretical point at which a quantum computer could derive a private key from a public key, allowing an attacker to sign transactions from any address whose public key has ever been exposed. More than 34% of all bitcoin sits in that category, according to BIP-361.

After Q-Day, a signature would prove nothing because the attacker can produce one as easily as the owner. The chain cannot tell them apart.

Bitcoin signatures rely on elliptic curve cryptography, a system in which a private key generates a public key through math that runs only one way. Anyone can check the public key, but nobody can work backward to the private one. However, Shor’s algorithm, a quantum method published in 1994 for problems that ordinary computers cannot crack, can be fed a public key and return the private key that generated it.

Hashing as a defense

Hashing is a different kind of problem. A hash scrambles an input into a fixed-length fingerprint and cannot be run backward, and the best quantum attack on it, called Grover's algorithm, only halves the exponent rather than collapsing it, taking a 256-bit hash from 2^256 guesses down to 2^128. That is still more guesses than a machine making a billion a second could get through in the lifetime of the universe.

Modern wallets are built on hashing. A wallet generates addresses in a tree, deriving each key from its parent, and a "hardened" derivation step feeds the parent's private key through HMAC-SHA512 to produce the child key. That is a one-way function. An attacker who breaks an address after Q-Day ends up holding exactly the key held, and cannot climb the tree to the key it came from.

The zero-knowledge proof solution

Project Eleven and Jim Posen, lead developer of the Binius proof system, built a zero-knowledge proof around it. The user proves they know the key material sitting above their address in the wallet's derivation tree, that it derives the address in question, and binds the proof to a specific message, so the same proof can authorize the migration transaction. None of the key material is disclosed.

The benchmarks are what make it interesting. On an M5 MacBook Air:

  • Generating the proof takes 243 milliseconds on four cores
  • Verification takes 40 milliseconds
  • The whole thing uses about 2 gigabytes of memory and no GPU at all
  • There is no trusted setup

Project Eleven's runs in 910 milliseconds on the CPU alone, counting circuit construction, proof generation and self-checking, which it puts at 16 times faster. Excluding the one-time setup, which a real prover would build once and reuse, the gap widens to roughly 60 times.

The Satoshi problem

Which brings it back to Satoshi. The entire trick depends on there being a key above a user’s address to prove knowledge of, and that the tree structure arrived with BIP-32, which was assigned on February 11, 2012. Before it, as Bitcoin's own documentation puts it, wallets generated every key independently and at random.

Satoshi mined through 2009 and 2010 and was gone by 2011. Those coins sit in pay-to-public-key outputs with the public key written directly onchain, generated by software that had no seed phrase, no derivation path and no parent key. There is nothing above them in a tree, because trees did not exist yet.

The same gap applies to every other pre-2012 wallet, which is a meaningful share of the oldest and most dormant bitcoin, the exact population BIP-361 was written about.

Current limitations

As such, the company conceded that the prototype is unaudited, supports three Bitcoin address types rather than Taproot, roots the proof at the coin-type key rather than the seed, and recovers nothing on any live blockchain as of today.

But the shape of the argument changes. Lopp has said plainly that he does not like BIP-361 and wrote it because he prefers the alternative less, and the loudest objection to it has been that freezing coins breaks bitcoin's promise of permanent ownership. That objection assumes the freeze is final. A working recovery proof makes the freeze a lock rather than a burn, and hands the key to anyone who still holds their seed phrase. Satoshi never had one.

Comments

No comments yet. Start the discussion.