Project Eleven's $120M Bet: How a Special Forces Veteran Convinced Coinbase the Quantum Threat Is Already Here
In April 2026, a researcher named Giancarlo Lelli pocketed one bitcoin for breaking a 15-bit elliptic curve key on real quantum hardware. Fifteen bits. Bitcoin uses 256. The gap sounds vast — until you remember that RSA-129 fell in 1994, RSA-768 fell in 2009, and RSA-829 fell in 2020. The line on the chart only bends one way.
The bounty came from Project Eleven, a quiet post-quantum security startup founded by a former U.S. Special Forces officer. Three months earlier, the same firm closed a $20 million Series A at a $120 million valuation, led by Castle Island Ventures with checks from Coinbase Ventures, Variant, Quantonation, Fin Capital, Nebular, Formation, Lattice Fund, Satstreet Ventures, Nascent, and Balaji Srinivasan personally. Seven months between a $6 million seed and a 20x mark-up is not a normal venture cadence. It is the cadence of investors who have looked at a timeline and decided the window is shorter than the consensus believes.
This post unpacks what those investors saw.
The product nobody else is shipping
Most "quantum crypto" companies are building greenfield Layer 1s — Naoris Protocol, QANplatform, and Circle's lattice-native Arc chain all bake post-quantum signatures into a fresh genesis block. That's the easy version of the problem. The hard version, the one Project Eleven took on, is retrofitting cryptographic assurance onto chains that already exist and already hold trillions of dollars.
The shipped product is called yellowpages. It is a free, open-source registry that lets a Bitcoin holder do something that should not be possible: prove, today, that they own a UTXO under post-quantum keys, without moving the coin, without a hard fork, and without exposing anything sensitive.
The flow is mechanically tight. The yellowpages client generates an ML-DSA key pair and an SLH-DSA key pair (the lattice-based and hash-based digital-signature standards finalized by NIST in August 2024 as FIPS 204 and FIPS 205) deterministically from the user's existing 24-word seed. The user then signs a challenge with their Bitcoin private key and with the new post-quantum keys. The bundle is sent over an ML-KEM-secured channel to a trusted execution environment, which validates the signatures and writes a single proof to a public directory permanently linking the legacy address to the new keys.
The result is a verifiable claim that survives Q-Day. If, ten years from now, a sufficiently large quantum computer derives a private key from an exposed public key on-chain, the legitimate owner can point to a yellowpages proof — pre-dated, signed by both keys, irrefutable — and contest any quantum-derived spend. It is a cryptographic alibi. The chain doesn't have to change. The wallet doesn't have to move. The proof is the migration.
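The seed-derived key and signed address-to-key link described above, as an added example that is not Project Eleven's code: a Lamport one-time signature stands in for SLH-DSA, and the HMAC-SHA256 derivation, labels, message format and function names are all assumptions. The Bitcoin-key signature over the same message, the ML-KEM channel and the TEE are left out.

```python
import hashlib
import hmac

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def derive_keypair(wallet_seed: bytes, label: bytes):
    # Domain-separated PRF over the wallet seed: the same seed and label always
    # reproduce the same key, so nothing new has to be backed up.
    sk = [[hmac.new(wallet_seed, label + bytes([b]) + i.to_bytes(2, "big"),
                    hashlib.sha256).digest() for i in range(256)]
          for b in (0, 1)]
    pk = [[H(x) for x in row] for row in sk]
    return sk, pk

def pk_digest(pk) -> bytes:
    return H(b"".join(b"".join(row) for row in pk))

def msg_bits(msg: bytes):
    return [(msg[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def binding_message(legacy_address: str, pk) -> bytes:
    # The statement the proof commits to: this address is linked to this key.
    return H(b"pq-link-demo|" + legacy_address.encode() + b"|" + pk_digest(pk))

def sign(sk, msg: bytes):
    # Lamport: reveal one preimage per message bit. One-time use only.
    return [sk[b][i] for i, b in enumerate(msg_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(hmac.compare_digest(H(s), pk[b][i])
               for (i, b), s in zip(enumerate(msg_bits(msg)), sig))

def make_proof(wallet_seed: bytes, legacy_address: str) -> dict:
    sk, pk = derive_keypair(wallet_seed, b"hash-sig/0")
    return {"address": legacy_address, "pk": pk,
            "sig": sign(sk, binding_message(legacy_address, pk))}

def check_proof(proof: dict) -> bool:
    msg = binding_message(proof["address"], proof["pk"])
    return verify(proof["pk"], msg, proof["sig"])

if __name__ == "__main__":
    seed = H(b"constructed demo seed, not a wallet")        # constructed sample
    proof = make_proof(seed, "1ConstructedLegacyAddress")   # placeholder address
    print("valid:", check_proof(proof))
    proof["address"] = "1SomeOtherAddress"
    print("after swapping the address:", check_proof(proof))
```

Because the signed message commits to both the address and the public key, a proof cannot be re-pointed at a different address without the verification failing.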
That property is what makes yellowpages structurally different from every other post-quantum proposal in Bitcoin. BIP-360 (Hunter Beast's quantum-resistant address proposal) requires soft-fork consensus. The various Taproot extensions assume the holder will eventually transact. Yellowpages assumes nothing — it works for cold-storage coins whose owners are dead, asleep, or simply unwilling to touch them.
Why Coinbase Ventures actually led
Coinbase custodies more than a million bitcoin across institutional clients. That is not a number you can casually migrate. Every coin sitting in Coinbase Custody represents an unhedged tail risk against a probabilistic event with no fixed date. The exchange has two motivations that no other strategic investor matches:
- Operational: protect existing custody assets without forcing 50,000 institutional clients into a coordinated key rotation that could span years.
- Regulatory: NIST IR 8547 sets a 2035 deadline to deprecate quantum-vulnerable algorithms entirely, with high-risk systems migrating earlier. Federal regulators read the Federal Reserve's October 2025 working paper on harvest-now-decrypt-later risks to distributed ledgers. They are not going to let a publicly traded custodian carry that exposure indefinitely.
Coinbase Ventures funding Project Eleven is the closest thing crypto has to a TSMC funding ASML moment — a downstream giant capitalizing the supplier that owns the only viable migration path. Castle Island and Variant participated for the same reason a decade ago they wrote checks into key infrastructure: when an entire asset class needs a primitive, and one team has the production volume and integration scars to deliver it, the rest is just math.
The Solana paradox
While yellowpages addresses Bitcoin's coordination problem, Project Eleven's other arm is doing something more painful: showing chains exactly how much performance they will lose when they migrate.
In April 2026, the Solana Foundation ran a Project Eleven-backed testnet that swapped Ed25519 signatures for lattice-based post-quantum equivalents. The results were brutal:
- Signature size grew 20–40x compared to current compact signatures.
- Network throughput dropped roughly 90% in early benchmarks.
- Bandwidth, storage, and validator hardware requirements increased proportionally.
For Solana, whose entire value proposition is monolithic high throughput, this is an existential trade-off — security against the marketed performance edge. The chain's architects are now stuck choosing between three uncomfortable options: ship lattice signatures and lose the performance story, wait for hash-based or zero-knowledge wrappers that compress the overhead, or hope quantum hardware milestones slip far enough that they never have to commit.
Project Eleven sits on both sides of this trade. They provide the cryptographic primitives. They also provide the empirical evidence of the cost. That dual position is unusual — most security vendors would prefer you not see the bill — and it is exactly why their integration partners trust them. The numbers are what the numbers are.
The Q-Day Prize and the bending curve
Most readers have learned to discount quantum threat warnings. The 2030s feel comfortably distant. The Q-Day Prize result on April 24, 2026 is the moment when "comfortably distant" started to feel less comfortable.
Lelli's 15-bit ECC break used a hybrid classical-quantum approach with error correction across multiple physical qubits per logical qubit — the same architecture that scales as IBM's Condor (1,121 qubits, 2023) and the planned Kookaburra (4,158 qubits, 2026–2027) come online. The historical scaling pattern is not subtle:
| Year | Attack | Key size broken |
|---|---|---|
| 1994 | RSA-129 | ~426 bits |
| 2009 | RSA-768 | 768 bits |
| 2020 | RSA-829 | 829 bits |
| 2026 | ECC-15 (quantum) | 15 bits |
The 15-bit number looks small until you realize it's the first production demonstration. The integer-factorization curve took 25 years to bend through 700 bits of progress. A quantum-attack curve, riding logical-qubit growth, may bend faster. Project Eleven's prize structure — escalating bounties for each new bit broken — turns the timeline into a leaderboard. The market gets a public, time-stamped feed of how close the threat is.
That feed is exactly the catalyst Bitcoin's institutional holders cannot ignore. BlackRock's IBIT held over $96 billion in AUM at the time of the prize. Tether's reserve held roughly 140,000 BTC. Strategy held over 200,000 BTC. None of these holders can write a 10-K disclosure that ignores a measurable, escalating capability advance.
The coordination problem nobody wants to discuss
There is a quiet number that defines Bitcoin's post-quantum dilemma: roughly 4 to 6 million BTC sit in pre-Taproot P2PKH and P2PK addresses with public keys already exposed on-chain. Some estimates of total at-risk supply run higher, with one recent analysis pegging $718 billion of bitcoin in addresses with exposed public keys. Those coins cannot be migrated by anyone except the original holder. Many of those holders are unreachable, deceased, or sitting on cold-storage hardware they have not touched in a decade. Roughly 1.1 million BTC are believed to belong to Satoshi.
Compare this to Y2K — the canonical pre-cryptographic-coordination disaster. Y2K worked because there was a fixed deadline, government coordination, mandated budgets, and central authorities that could compel migration. None of those exist for Bitcoin. The deadline is probabilistic. There is no government that can compel a wallet rotation. There is no central authority that can issue a soft-fork timeline that 100% of holders will follow.
This is what makes yellowpages quietly important. It does not solve the coordination problem — it brackets it. By creating a verifiable post-quantum claim today, holders who can commit do so cheaply. Coins whose holders are gone will eventually be susceptible to quantum-derived spends, but the legitimate owners of recoverable coins will have a cryptographic proof of priority. That proof is not a substitute for migration. It is a triage system.
Where this leaves the 2026–2029 window
The competitive map for post-quantum crypto infrastructure is clarifying:
- Greenfield PQC chains (Naoris, QANplatform, Circle Arc): clean architectures, no migration burden, no legacy assets.
- ZK-wrapped PQC (Trail of Bits' April 2026 sub-100ms verification result): potentially compresses signature overhead by proving validity off-chain.
- Retrofit PQC (Project Eleven's yellowpages, Solana's lattice testnet, BIP-360 proposals): the only category that addresses the trillions already on-chain.
Project Eleven's bet — and the bet of the institutional capital backing them — is that retrofit will dominate. The greenfield chains may be technically superior, but they are not where the value sits. The ZK-wrapping approaches are promising but still measured in lab benchmarks rather than production deployments. Retrofit is where the money already is. Retrofit is where the regulators are looking.
Whether $120 million is the right valuation for a 2029-or-later threat is a fair question. Quantum hardware milestones have a habit of slipping. NIST's 2035 deprecation deadline is a long way out. But "quantum is a 2030s problem" was easy to say before April 2026. After Lelli's prize, after Solana's 90% throughput collapse, after Coinbase Ventures led the round, the conversation has shifted from whether to how fast. Project Eleven's edge is that they have spent eighteen months turning the "how fast" question into shipped code, integration partners, and a public benchmark series. That is the kind of moat that compounds.
The infrastructure for a multi-year cryptographic transition rarely gets built in the year the transition happens. It gets built in the years immediately before, by teams that started early enough to have production volume by the time the rest of the market wakes up. Project Eleven is currently the only team in the post-quantum-retrofit category with that profile.
The quantum clock is not yet ticking loudly. But it is ticking. And the people writing the largest checks have decided that the cost of being early is much smaller than the cost of being late.
Sources
- Post-quantum crypto startup Project Eleven raises $20 million in funding round — CoinDesk
- Project Eleven raises $20 million Series A at $120 million valuation — The Block
- Project Eleven Raises $20M to Prepare Digital Asset Infrastructure for the Quantum Era — Project Eleven Blog
- Researcher breaks 15-bit elliptic curve key in 'largest quantum attack' — The Block
- hello yellowpages — Project Eleven Blog
- Solana's post-quantum push reveals harsh tradeoff: security vs speed — CoinDesk
- Project Eleven to Advance Post-Quantum Security for the Solana Network — Project Eleven Blog
- NIST Releases First 3 Finalized Post-Quantum Encryption Standards
- "Harvest Now, Decrypt Later": Examining Post-Quantum Cryptography and the Data Privacy Risks for Distributed Ledger Networks — Federal Reserve
- Is Bitcoin quantum-safe? The complete 2026 guide — crypto.news