A new technical breakthrough offers a potential lifeline for Bitcoin holders facing the theoretical threat of quantum computing—but with a significant catch. According to reporting by CoinDesk, quantum research firm Project Eleven has demonstrated a working zero-knowledge proof system that could recover coins locked under BIP-361’s proposed quantum vulnerability freeze, yet the system cannot protect the network’s most famous dormant holding: Satoshi Nakamoto’s 1.1 million Bitcoin.
The distinction matters because it exposes a fundamental tension in how Bitcoin evolved. While the recovery mechanism works elegantly for modern wallets, it becomes useless for coins generated before 2012—precisely the population BIP-361 was designed to protect.
The Quantum Threat and BIP-361’s Promise
Bitcoin faces a real if distant problem. Quantum computers running Shor’s algorithm could theoretically break elliptic curve cryptography, the mathematical foundation of Bitcoin signatures. Once a quantum computer reaches sufficient scale—a theoretical moment known as “Q-Day”—an attacker could derive any private key from its corresponding public key exposed on the blockchain.
More than 34% of all Bitcoin sits in this vulnerable category, according to BIP-361. Published in April by Jameson Lopp and five co-authors, the proposal would gradually freeze quantum-vulnerable addresses: blocking new deposits after three years, then freezing remaining balances after five years. This would strand coins across more than a third of the network, including Satoshi’s legendary stash.
The proposal always included an escape clause. It promised a recovery mechanism using zero-knowledge proofs—a way for coin owners to prove they control their Bitcoin without revealing private keys. Project Eleven says it has now built that mechanism and made it fast enough to actually use.
How the Recovery Proof Works
The elegance of the system lies in exploiting a cryptographic asymmetry. While quantum computers can break elliptic curve signatures, they cannot reverse one-way hashing functions. Grover’s algorithm, the best known quantum attack on hashing, only halves the exponent—reducing a 256-bit hash from 2^256 guesses to 2^128. That remains computationally infeasible even for advanced quantum machines.
Modern wallets exploit this property. They generate addresses through hierarchical key derivation, where each address stems from a parent key via HMAC-SHA512. This one-way function means an attacker who cracks a single address cannot climb the tree to recover its parent key—the master seed remains safe.
Project Eleven built a zero-knowledge proof around this structure. A user proves they possess the key material above their vulnerable address in the derivation tree, that it mathematically derives the address in question, and binds the proof to a specific migration transaction. Crucially, no actual keys are disclosed.
The performance metrics are striking. On an M5 MacBook Air, the system generates a proof in 243 milliseconds using four cores, with verification taking 40 milliseconds. The entire process uses roughly 2 gigabytes of RAM and requires no GPU or trusted setup. Project Eleven reports this is roughly 60 times faster than previous approaches.
The Satoshi Problem
Here lies the fatal limitation. The recovery mechanism depends entirely on the existence of a parent key in a derivation tree—and trees didn’t exist when Satoshi mined.
Bitcoin’s hierarchical deterministic wallet standard, BIP-32, wasn’t assigned until February 11, 2012. Before that, wallets generated every key independently and at random. Satoshi stopped mining in 2010. His coins sit in pay-to-public-key outputs with no seed phrase, no derivation path, and no parent key to prove knowledge of.
The same applies to the entire class of pre-2012 Bitcoin, which represents a meaningful portion of the oldest, most dormant coins—exactly the population BIP-361 aimed to protect.
Project Eleven acknowledges the constraints. The prototype remains unaudited, supports only three address types rather than Taproot, and has not recovered any coins on a live blockchain. But the company’s work reframes an important debate around BIP-361’s social implications.
Freezing vs. Burning
Jameson Lopp has been explicit: he dislikes BIP-361 but published it because he considers the alternatives worse. The most sustained objection to the proposal is philosophical—that freezing coins violates Bitcoin’s promise of permanent ownership.
A functional recovery mechanism reshapes that argument. Rather than burning coins, a freeze becomes a lock, and recovery proves to be the key. Anyone with a seed phrase could eventually reclaim their Bitcoin even after Q-Day.
But Satoshi never had one. That 1.1 million Bitcoin would remain permanently inaccessible, not because the recovery tool failed, but because the technology to create it didn’t exist when those coins were generated.