Chapter 13 of Quantum from the Ground Up covers the Q-Day timeline: Google researcher Craig Gidney's 2025 estimate of roughly one million physical qubits to break RSA-2048, and the IonQ fidelity result that pulled some estimates into a 2029 to 2033 window. That chapter treats Q-Day as an encryption problem: once a quantum computer can derive a private key from a public key, the signature scheme securing a wallet fails. A proposal from the security firm Project Eleven treats it as an ownership problem instead, and the distinction matters for anyone holding funds in an address generated before a migration to quantum-safe cryptography. The July 16 announcement was framed around Bitcoin, but the mechanism targets any wallet built on BIP-32-style hierarchical derivation, which includes Ethereum and other ECDSA chains, not Bitcoin alone.
The failure mode is simple. A wallet proves ownership by signature: if you can sign a transaction with the private key tied to an address, the network accepts you as the owner. Once elliptic-curve cryptography breaks, an attacker holding your address's public key can derive the same private key and produce a signature the network cannot tell apart from yours. Ownership by signature stops meaning anything. Project Eleven CEO Alex Pruden framed the central problem as proving who owns a wallet once quantum attacks become possible, not just stopping the attack, which is the framing this post follows.
Project Eleven's fix works one level up the derivation tree. Most wallets generate addresses from a BIP-39 seed phrase, the standard list of words a wallet gives you at setup, through a hierarchical, hardened derivation path. This structural proof builds on a concept known as signature lifting—originally described by researchers Alon Sattath and Robert Wyborski—and is implemented here as a form of cryptographic lineage verification. Breaking the elliptic-curve key at the address level does not hand an attacker the parent key higher up that path, because the hardened derivation step runs through a hash function, not an elliptic-curve operation. A zero-knowledge proof lets the real owner demonstrate control of that parent key, and that it derives the compromised address, without exposing the key itself. An attacker who has only broken the address-level key cannot produce the same proof.
Jim Posen, lead maintainer of the Binius zero-knowledge proof system, built the implementation with Project Eleven's funding. The resulting Binius-based prover clocks a generation time of just 243 milliseconds on a standard laptop—over 200 times faster than the 55-second benchmark set by Olaoluwa Osuntokun’s unoptimized, CPU-based prototype earlier this year. It is exactly the kind of radical performance leap, driven by Binius's optimization for hash-heavy operations, that turns an academic curiosity into something ready for deployment.
![]() |
| Diagram Gemini generated |
None of this is available on any chain today. Project Eleven describes the release as an unaudited prototype that needs explicit protocol-level support, or a dedicated verifier, before any chain could use it for recovery. It also only applies to wallets built on compatible BIP-32-style derivation, which rules out addresses whose provenance was never recorded as a reproducible path. The stakes for getting a recovery layer right are not small: Coinbase's quantum advisory board warned in June that roughly seven million bitcoins are at risk of being stranded without a post-quantum transition.
The technique also does not generalize evenly across chains. Solana, Sui, Aptos, Near, and Stellar derive signing keys from a seed through a single hashing scheme defined at the protocol level, so one proof design covers every wallet on those chains the same way. Bitcoin and Ethereum have no such uniform scheme; wallet software implements BIP-32 derivation its own way, so each wallet family needs its own proof circuit. That is a real engineering cost, and it is why Project Eleven's Bitcoin result is a first case rather than a finished product.
What This Changes in the Book
Chapter 14 already tracks how far post-quantum migration has actually spread: 21.9 percent of the top 1,000 sites, 8.4 percent of the top 100,000, and 3 percent of banking sites had adopted PQC software as of the last edition. Those numbers describe a migration that will not finish on schedule for everyone. The book's framing up to now has been prevention: move assets and systems to quantum-resistant cryptography before Q-Day arrives. Project Eleven's proposal is the first credible recovery mechanism I've seen for the users, custodians, and exchanges who miss that window, and it is not tied to one chain. The next edition's Chapter 14 will add a paragraph on derivation-based recovery proofs as a fallback layer, noting that EdDSA chains get a uniform version of this fix while Bitcoin and Ethereum need it built wallet by wallet.
This post will fold into the September 1 edition of Quantum from the Ground Up. The current edition is available at https://gordostuff.com/p/quantum-from-ground-up-hardware.html






.png)




.png)


