Skip to main content

Project Eleven's $20M Bet: Inside the Race to Quantum-Proof Bitcoin Before Q-Day

· 13 min read
Dora Noda
Dora Noda
Software Engineer

What if the same physics that gives quantum computers their power could empty Satoshi's wallet — and an estimated $440 billion of Bitcoin alongside it? In January 2026, a small New York startup called Project Eleven raised $20 million at a $120 million valuation to make sure that day never arrives without a defense ready. Backed by Castle Island Ventures, Coinbase Ventures, Variant, and Balaji Srinivasan, the round marks the first serious capital cycle into "quantum-safe crypto" — and the moment Bitcoin's quietest existential risk becomes a fundable industry.

For years, "quantum risk" lived in academic footnotes. In 2026, it moved into venture term sheets, NIST standards, and a live BIP debate. Here's why, and what's actually getting built.

The Funding Round That Made Quantum Real

Project Eleven's Series A closed on January 14, 2026, led by Castle Island Ventures, with Coinbase Ventures, Variant, Fin Capital, Quantonation, Nebular, Formation, Lattice Fund, Satstreet Ventures, Nascent Ventures, and Balaji Srinivasan filling out the cap table. The $20 million ticket lifted Project Eleven's post-money valuation to $120 million and brought its total funding to roughly $26 million in 16 months — the company had previously raised a $6 million seed in mid-2025.

Founder Alex Pruden, a former U.S. Army Infantry and Special Operations officer, frames the company's mandate plainly: digital assets need a structured migration to quantum-resistant cryptography, and somebody has to build the picks and shovels.

What's notable isn't just the dollar amount. It's the investor mix. Castle Island and Coinbase Ventures don't write seven-figure checks on speculative thesis. Variant, Nascent, and Lattice are crypto-native funds. Quantonation is a quantum-focused investor. Together they're signaling that quantum-safe infrastructure has crossed the line from research curiosity into a budget line item — and that Bitcoin's $1.4T+ market cap is enough motivation to fund a defense before the offense exists.

Why Bitcoin's Cryptography Is Suddenly on the Clock

Bitcoin secures roughly 19.7 million coins with elliptic-curve digital signatures over the secp256k1 curve. ECDSA is unbreakable on classical hardware, but Shor's algorithm — a 1994 quantum algorithm — can factor large integers and compute discrete logarithms in polynomial time. The instant a sufficiently large fault-tolerant quantum computer exists, every exposed Bitcoin public key becomes a private key in waiting.

The threat sat dormant for decades because the hardware looked decades away. That window collapsed in March 2026.

On March 31, Google Quantum AI published new resource estimates showing that breaking Bitcoin's secp256k1 curve requires fewer than 1,200 logical qubits and about 90 million Toffoli gates — translating to under 500,000 physical qubits on a superconducting surface-code architecture. The previous estimate was roughly 9 million physical qubits. A 20× reduction in one paper.

A Google researcher attached a probability to the milestone: at least a 10% chance that by 2032 a quantum computer could recover a secp256k1 ECDSA private key from an exposed public key. Google's own corporate guidance now urges developers to migrate by 2029.

Today's hardware is nowhere near 500,000 qubits. Google's Willow chip sits at 105 physical qubits. IBM's Condor crossed the 1,121-qubit threshold in 2023 and the company's Nighthawk reached 120 logical qubits in 2025. But the gap between "nowhere near" and "uncomfortably close" is exactly where insurance pricing lives — and Bitcoin's exposure isn't a 2035 problem if it takes a decade to migrate.

What's Actually Vulnerable — and What's Not

Not all Bitcoin is equally exposed. The vulnerability depends on whether a coin's public key has ever been broadcast on-chain.

  • Pay-to-Public-Key (P2PK) outputs from Bitcoin's earliest years — including roughly 1 million BTC mined by Satoshi — embed the raw public key directly in the script. These are permanently exposed and offer a quantum attacker a long, undefended runway.
  • Reused addresses of any type expose the public key the moment the first spend transaction confirms, after which any remaining balance becomes vulnerable.
  • Modern addresses (P2PKH, P2WPKH, P2TR with key-path spends) reveal only a hash until first spend. They're safe in cold storage but lose protection during a transaction broadcast — a window an adversary with quantum capability could potentially front-run.

The aggregate is striking. Estimates suggest about 6.5 to 7 million BTC sit in quantum-vulnerable UTXOs, worth roughly $440 billion at current prices. That's not a tail risk hidden in the corner of the order book. That's the fifth-largest "asset class" in crypto, owned by an attacker who hasn't shown up yet.

Three Mitigation Pathways Now Competing

Project Eleven's $20 million isn't being deployed in isolation. It lands in the middle of a three-way debate over how Bitcoin actually transitions, and the answers are very different.

1. Migration Tooling: Project Eleven's Yellowpages

Project Eleven's flagship product, Yellowpages, is a post-quantum cryptographic registry. Users generate a hybrid key pair using lattice-based algorithms, create a cryptographic proof linking the new quantum-safe key to their existing Bitcoin address, and timestamp that proof on a verifiable off-chain ledger. When (or if) Bitcoin adopts a post-quantum address standard, Yellowpages users have already pre-committed to the keys that can claim their coins.

Crucially, Yellowpages is the only post-quantum cryptographic solution actually deployed in production for Bitcoin today. The company has also constructed a post-quantum testnet for Solana — quietly positioning itself as the cross-chain migration vendor while everyone else is still drafting whitepapers.

2. Protocol-Level Address Standards: BIP-360

BIP-360, championed by developer Hunter Beast, proposes a new Bitcoin output type called Pay-to-Merkle-Root (P2MR). P2MR functions like Pay-to-Taproot but strips out the quantum-vulnerable key-path spend, replacing it with FALCON or CRYSTALS-Dilithium signatures — both lattice-based schemes considered quantum-resistant.

If activated via soft fork, BIP-360 gives users a destination to migrate to. It does not, however, automatically rescue exposed coins.

3. Coin Freezing: BIP-361

BIP-361, proposed in April 2026, is the most controversial response: freeze the roughly 6.5 million quantum-vulnerable BTC in place — including Satoshi's million coins — preventing any movement that an attacker could front-run. Recovery would only be possible for wallets generated from BIP-39 mnemonics. P2PK outputs and other early formats would be effectively burned.

The proposal has split Bitcoin's community along its oldest fault line. One camp argues immutability and credible neutrality are sacred — even if attackers eventually claim those coins. The other counters that allowing $440 billion to migrate to a hostile actor in a single weekend would be the largest wealth transfer in monetary history, and that the integrity of Bitcoin's fixed supply model is itself a property worth defending.

There is no clean answer. Either Bitcoin accepts that 6.5 million coins may be silently stolen, or it accepts that protocol-level intervention to freeze coins establishes a precedent the network has spent 17 years avoiding.

NIST FIPS 203/204 Sets the Crypto Defaults

The technical building blocks now exist because NIST finalized them. On August 13, 2024, the agency published three post-quantum cryptographic standards:

  • FIPS 203 (ML-KEM): Module-Lattice-Based Key-Encapsulation Mechanism, derived from CRYSTALS-Kyber. Replaces RSA and ECDH for key exchange.
  • FIPS 204 (ML-DSA): Module-Lattice-Based Digital Signature Algorithm, derived from CRYSTALS-Dilithium. Replaces ECDSA and RSA for signing.
  • FIPS 205 (SLH-DSA): Stateless Hash-Based Digital Signature Standard, derived from SPHINCS+, providing a conservative hash-based signature alternative.

The NSA's CNSA 2.0 roadmap mandates post-quantum deployment for new classified systems by 2027 and full transition by 2035. NIST itself projects 5–10 year adoption cycles for critical infrastructure. Cloudflare is targeting full post-quantum coverage by 2029.

Bitcoin's migration timeline is supposed to fit somewhere inside that envelope. The hard part is that nation-state IT departments can mandate a deadline. A permissionless decentralized network has to convince thousands of independent actors to coordinate without a CEO.

The Optimism Comparison: How Ethereum's Superchain Is Doing It

Bitcoin isn't alone in this race. In late January 2026, Optimism published a 10-year post-quantum roadmap for its Superchain — a useful contrast.

The OP Stack plan has three layers:

  • User layer: Use EIP-7702 to let externally owned accounts (EOAs) delegate signing authority to smart contract accounts that can verify post-quantum signatures, without forcing users to abandon their addresses.
  • Consensus layer: Migrate L2 sequencers and batch submitters off ECDSA and onto post-quantum schemes.
  • Migration window: Dual-support both ECDSA and post-quantum signatures until the January 2036 deadline.

Optimism is also lobbying Ethereum mainnet to commit to a timeline for moving validators away from BLS signatures and KZG commitments. The Foundation is reportedly engaged.

The architectural divide is instructive. Ethereum's account abstraction roadmap (and Solana's runtime flexibility) make post-quantum migration a smart contract upgrade. Bitcoin's UTXO model and minimalist scripting language make it a soft-fork debate that requires social consensus among developers, miners, and economic nodes. The same problem produces wildly different governance challenges.

The Investor Thesis: Insurance Premium Pricing

Why does a $20 million Series A make sense at a $120 million valuation when no quantum computer can break Bitcoin today?

The math is actuarial. If you assign a 10% probability to Q-day occurring before 2032 and apply that against $1.8 trillion of Bitcoin and Ethereum exposure, expected loss exceeds $180 billion. Even a one-percent insurance premium on that exposure is $1.8 billion of recurring revenue across custodians, exchanges, wallets, and regulated tokenization platforms. Project Eleven only needs to capture a sliver of that to justify a multi-billion-dollar outcome.

The competitive landscape is sparse. Zama is building FHE primitives, not signature replacement. Mina is post-quantum-friendly by design but is a separate L1, not a migration vendor. AWS KMS and Google Cloud HSM will eventually offer turnkey post-quantum signing — but a hyperscaler racing to ship general PQC services is not the same thing as a domain-expert team that has actually shipped production tooling for Bitcoin.

The risk for Project Eleven is the same one any "infrastructure for inevitability" startup faces: if the migration takes too long, customers don't budget for it; if it happens too fast, it gets absorbed by cloud vendors before Project Eleven can build distribution. The Series A buys the runway to be the default during the awkward middle period.

What Builders, Custodians, and Holders Should Do Now

The practical steps are unglamorous and don't require waiting on Bitcoin governance:

  1. Audit address reuse. Any address that has spent and still holds a balance is broadcasting its public key. Sweep funds to fresh addresses you haven't transacted from.
  2. Avoid P2PK and legacy formats. If your custody stack still touches them, plan migration to single-use modern address types.
  3. Track BIP-360 / BIP-361 progress. The activation calendar matters more than the spot price for long-horizon holders.
  4. For institutions: start the discovery phase now. NIST and the Federal Reserve both recommend completing inventory and migration planning within two to four years. That includes HSM vendor roadmaps, KYT pipelines, and treasury policy.
  5. For builders: design new systems with crypto-agility. Protocols that hard-code ECDSA today will pay a higher migration cost than those that abstract signature schemes behind an interface.

Most of these steps are useful even if Q-day never arrives in the form Google's paper describes. They reduce attack surface against classical threats, too.

The Bigger Picture: Quantum Migration Is the New Y2K — Except Real

The Y2K analogy is overused, but it's structurally apt. A long-warned, technical, governance-heavy upgrade with an externally imposed deadline, where success is invisible and failure is catastrophic. Y2K cost the global economy an estimated $300–600 billion to remediate. The post-quantum migration will likely cost more, because the install base is larger and the systems being upgraded include public blockchains that no one company controls.

Project Eleven's $20 million is the first serious admission that Bitcoin can't ignore the calendar any longer. Optimism's 10-year roadmap is the first serious admission from a major L2. Google's March 31 paper is the first serious admission from a quantum incumbent that the timeline is shorter than the industry assumed.

By 2027, expect three things: at least one BIP related to post-quantum address types reaching activation status (BIP-360 is the leading candidate), every major institutional custodian publishing a quantum readiness statement, and at least two more startups closing rounds in the Project Eleven mold. By 2030, post-quantum signing will be a checkbox in every enterprise crypto procurement RFP.

Q-day may or may not arrive on Google's schedule. The migration to defend against it has already started, and the window for getting ahead of it is narrowing fast.

BlockEden.xyz operates enterprise-grade RPC and indexing infrastructure across 15+ chains. As post-quantum standards mature and chain-level migrations roll out, our nodes are the layer where new signature schemes, address types, and dual-support windows actually need to work in production. Explore our API marketplace to build on infrastructure designed for the long arc of cryptographic transition.

Sources

Share on Twitter