Bitcoin’s Post-Quantum Ownership Problem: Project Eleven Pitches Derivation Proofs for Q-Day Recovery

Project Eleven unveils a post-quantum proof to verify Bitcoin wallet ownership after Q-Day, built with Binius and “signature lifting.” Prototype needs audits and protocol support.

Bitcoin
Cryptocurrency
Regulations
Economy
Because Bitcoin
Because Bitcoin

Because Bitcoin

July 16, 2026

Bitcoin’s real quantum risk isn’t just broken signatures—it’s the chaos that follows when anyone can produce them. Project Eleven is targeting that specific failure mode with a new post-quantum ownership proof designed to let users reclaim control after “Q-Day,” the point at which quantum machines can break the elliptic curve cryptography that underpins Bitcoin transactions.

Rather than hardening today’s signatures, the proposal reframes the dispute: when signatures become indistinguishable, how do you tell the rightful owner from an attacker? Project Eleven’s answer leans on wallet derivation itself.

What’s new - Project Eleven introduced a prototype proof that allows a user to demonstrate control of the parent key used to derive a compromised wallet key—without revealing the parent key. - CEO Alex Pruden argued the critical task after Q-Day is not preventing quantum forgery outright, but establishing credible ownership once forgeries are trivial. - The method builds on “signature lifting,” a technique first proposed by researchers Alon Sattath and Robert Wyborski, and was implemented with Jim Posen, the lead maintainer of the Binius zero-knowledge system. - The prototype is unaudited and would require changes at the protocol level before it can be relied on.

How the derivation proof helps In a BIP32-style hierarchy, many addresses descend from a single seed (the “parent” or master key). A quantum attacker might derive a private key from a known public key and produce valid ECDSA signatures, but they typically cannot reconstruct the upstream seed that generated that key. By proving knowledge of the parent key through a zero-knowledge proof, a legitimate owner can separate themselves from a forger—even after the child private key is exposed.

Project Eleven funded Posen to implement the approach using Binius, an open-source prover designed to accelerate hash-heavy workloads common in modern proof systems. The intent is pragmatic: offer a fallback path for users who miss a future migration to quantum-safe addresses. Derivation proofs become a recovery rail rather than a replacement for a full network upgrade.

Why this matters now The ecosystem is already moving toward post-quantum readiness: - February: Bitcoin developers advanced BIP-360 into formal review, paving the way for quantum-resistant upgrades. - March: BTQ Technologies shipped the first working BIP-360 implementation on its Bitcoin Quantum testnet, surfacing the social challenge of building consensus for a network-wide change. - June: Coinbase’s quantum advisory council urged teams to plan migrations, warning that roughly 7 million BTC could be at risk if funds remain on vulnerable addresses. - Later in June: President Donald Trump signed executive orders to accelerate the U.S. government’s shift to post-quantum cryptography, adding policy momentum.

My read on the core trade-off Derivation proofs go after the identity layer of Bitcoin—who has a superior claim—once the signature layer loses exclusivity. That’s smart because it aligns with user behavior: seeds live offline; addresses leak on-chain. Technically, this leverages knowledge asymmetry that survives Q-Day. Psychologically, it gives late movers a credible safety net without signaling complacency. Commercially, it offers wallet providers and custodians a concrete, deployable primitive to integrate into migration playbooks. Ethically, it narrows the gap between sophisticated and casual users, though it won’t erase it—proof UX and key hygiene will still separate outcomes.

There are real hurdles: - Protocol plumbing: The chain must recognize and prioritize derivation-based proofs in contention scenarios. That likely means new script paths, standardness rules, and mempool policies to prevent griefing. - Coordination risk: If miners or relays disagree on treatment, adversaries might exploit timing and fee games. - Assurance: The prototype is unaudited; soundness, circuit constraints, and side-channel resistance need rigorous review. - Scope: This is a recovery mechanism for stragglers, not a substitute for migrating coins to quantum-safe addresses.

Where this fits A credible Q-Day plan probably has three tracks: migrate proactively to quantum-resistant scripts; add protocol support for derivation-based adjudication as a last resort; and run public drills on testnets, à la BTQ’s environment, to battle-test assumptions. If BIP-360 or a successor lands, derivation proofs can serve as the emergency brake for those who inevitably miss the window.

If you hold keys, treat this as a bridge, not a destination. Teams that prepare for both migration and recovery will likely preserve the most value when quantum pressure moves from theory to practice.