On July 15, post-quantum cryptography company Project Eleven unveiled an early prototype of a zero-knowledge proof. This mechanism could help Bitcoin wallet owners verify control over their funds once quantum computers become a reality.
Project Eleven has funded the development of a new post-quantum primitive that could help solve one of crypto's hardest migration problems:
How do you prove ownership of a wallet after quantum computers can forge its signatures?
Project Eleven and Jim Posen (@jimpo_potamus),…
— Project Eleven (@projecteleven) July 15, 2026
Zero-knowledge proofs allow for the verification of knowledge without revealing the data itself. In the proposed scheme, the user proves control not only over the key of a specific address but also over an earlier key within the wallet structure.
This mechanism is not yet operational on the Bitcoin network. Its implementation will require the protocol to separately recognize such proofs and allow their use for transferring funds to post-quantum addresses.
How the Proof Works
The moment when a sufficiently powerful quantum computer can recover a private key from a public one is referred to as "Q-Day." At that point, both an attacker and the legitimate wallet owner could create equally valid digital signatures.
1/ It's not everyday that my primary cryptographic interests (PQC and ZK) collide. But today is one of those days!
Excited to announce this collaboration between @projecteleven and @jimpo_potamus (lead maintainer of Binius) for post Q-Day wallet recovery using a ZK… https://t.co/L4phu49suZ
— Alex Pruden (@apruden08) July 15, 2026
"After Q-Day, a valid signature no longer proves ownership," said Project Eleven co-founder and CEO Alex Pruden.
The proposed mechanism utilizes a derivation path in a hierarchical deterministic wallet. In such a system, multiple addresses are generated from a single root secret through a sequence of parent and child values.
The user must prove knowledge of data located above the desired address in this structure. The system then verifies that the private key for the Bitcoin address is indeed derived from them, without revealing the parent secret.
The scheme relies on a secure derivation step, where the child key is created using the private parent key and the HMAC-SHA512 cryptographic algorithm.
According to Project Eleven, a quantum computer could derive the private key of an address from its public key but would not be able to practically recover the parent key through the secure step. Grover's algorithm reduces the complexity of brute-forcing hash functions but does not make such an operation feasible in practice.
The proof can be linked to a specific message. For example, it can confirm the owner's permission to transfer remaining funds to a new post-quantum address.
What We Know About the Prototype
Project Eleven funded the development alongside leading proof system developer Jim Posen. The source code has been published in the Binius64 repository on GitHub. The approach is based on the signature lifting method described by researchers Or Sattath and Shai Vaybursky in 2023.
This method allows for replacing a signature vulnerable to quantum attacks with a post-quantum proof using the same keys. A one-way function resistant to quantum computation must be used in the path between the secret and public keys.
Project Eleven calls the prototype developed by Lightning Labs CTO Olaoluwa Osuntokun the first working implementation of this approach. He utilized the RISC Zero zero-knowledge proof virtual machine and published the code in April 2026.
The new version operates on the Binius64 system. According to Project Eleven's tests, generating a proof on a MacBook Air with an M5 chip took 243 ms using four cores. The entire first cycle required about 910 ms, including system preparation, proof creation, and self-verification.
Verifying the completed proof took 40 ms. Peak memory consumption during generation was 2.1 GB, and the file size was 358 KiB. Currently, the prototype supports three types of Bitcoin addresses:
- legacy P2PKH;
- native SegWit P2WPKH;
- nested SegWit P2SH-P2WPKH.
Taproot addresses are not yet supported.
The developers have labeled the implementation as early and unaudited. It does not allow for the recovery or transfer of assets in the existing network and does not protect funds that an attacker has already withdrawn.
For the mechanism to be operational, network rules will need to be changed or a separate verification system added. The community will also need to decide when to stop accepting regular signatures for vulnerable addresses and how to handle competing claims from the owner and the attacker.
Preparing Bitcoin for Quantum Migration
The Project Eleven scheme is aimed at users who may not be able to transfer their funds during a potential post-quantum migration period. It complements proposals for creating new types of addresses but does not replace them.
On February 11, 2026, the BIP-360 proposal was added to the official Bitcoin Improvement Proposals repository with Draft status. It describes a new type of Pay-to-Merkle-Root (P2MR) output that can be activated through a soft fork.
P2MR replicates the core structure of Taproot but removes the ability to spend funds solely with a key. Transactions must pass through a script tree, where post-quantum spending conditions can later be added.
In March, BTQ Technologies launched the Bitcoin Quantum test network implementing BIP-360. In June, the Coinbase Quantum Advisory Council estimated that about 1.7 million BTC are on old P2PK outputs with already exposed public keys. Considering address reuse, around 7 million BTC are at potential risk.
Among the interim options, the council mentioned special cryptographic proofs instead of regular signatures. Project Eleven's proposal demonstrates one possible way to implement such an approach, but the decision to include it in network rules rests with the Bitcoin community members.
In June, experts pointed out the technical and governance challenges of post-quantum migration for the first cryptocurrency. Unresolved issues include the fate of old coins, wallet compatibility, and achieving consensus on protocol updates.
