Project Eleven just awarded 1 BTC for "the largest quantum attack on ECC to date", a 17-bit elliptic curve key recovered on IBM Quantum hardware. Yuval Adam replaced the quantum computer with /dev/urandom. It still recovers the key.
logicallee•Apr 25, 2026
but does the quantum hardware do it any faster?
petterroea•Apr 25, 2026
> The author's own CLI recovers every reported private key at statistically indistinguishable rates from the IBM hardware runs.
xienze•Apr 25, 2026
I think that means success rate, not speed.
dogma1138•Apr 25, 2026
Just to point it out this isn’t a jab at QC but rather a jab at project 11 and possibly the submission author, basically they failed to validate the submission properly and the code proves that the solution is classical.
Recovering a 17bit ecc key isn’t a challenge for current classical computers via brute force.
logicallee•Apr 25, 2026
if the solution is faster than random it could still be a real solution on a quantum computer.
amoshebb•Apr 25, 2026
“recovers every reported private key at statistically indistinguishable rates from the IBM hardware runs.”
PunchyHamster•Apr 25, 2026
well, it's slower than random
iberator•Apr 25, 2026
Quantum computing is 3 decades old scam.
Not even Google was able to prove that their quantum computer works LOL.
weakened algorithms to the extreme (17 bits in 2026 LOL).
wasting_time•Apr 25, 2026
Didn't Google recently report a verifiable quantum advantage?
Dont they report an advantage based on simulating quantum effects every other year? I was promissed a quick way to decrypt my old harddrives decades ago, can we have that at some point before the sun burns out?
IshKebab•Apr 25, 2026
The funny thing is we already have PQC so even if quantum computing works, it will be immediately irrelevant.
At least for breaking crypto, which seems to be its headline feature. Maybe there are other useful things it can do?
somenameforme•Apr 25, 2026
I expect they're just banking on getting their investment back with some fat returns by licensing it to the NSA to decrypt their hoovered up encrypted coms, with their data storage now reaching up to the yottabyte level. That's a lotta byte.
mistercow•Apr 25, 2026
Are your old hard drives encrypted using asymmetric cryptography? If not, I'm not sure who made you that promise.
PunchyHamster•Apr 25, 2026
On what? They can't run it against anything real
somenameforme•Apr 25, 2026
You know you're blowing your reputation when such claims are met by scientific articles with the headline, "Google claims 'quantum advantage' again." [1]
A 17 bit key has 131072 possibilities, which is trivially easy to brute force. Defeating it with a quantum computer is still very much a physics demonstration, and not at all attempting to be a useful computing task.
arcfour•Apr 25, 2026
Perhaps I'm ignorant, but isn't the idea that you can do it faster than brute force?
If the results are statistically identical to guessing then it seems like you've just built a Rube Goldberg contraption.
tsimionescu•Apr 25, 2026
The point here is that the quantum computer component of the original solution is not doing anything - that the algorithm being run overall is not actually a quantum algorithm, but a classical probabilistic algorithm.
If the quantum computer were a key component of the solution, replacing it with an RNG would have either no longer yielded the right result, or at least would have taken longer to converge to the right result. Instead, the author shows that it runs exactly the same, proving all of the relevant logic was in the classical side and the QC was only contributing noise.
nkrisc•Apr 25, 2026
But if the QC’s contribution is indistinguishable from that of a random number generator, then what is being demonstrated?
Strilanc•Apr 25, 2026
This was exactly the premise of my sigbovik April Fool's paper in 2025 [1]: for small numbers, Shor's algorithm succeeds quickly when fed random samples. And when your circuit is too long (given the error rate of the quantum computer), the quantum computer imitates a random number generator. So it's trivial to "do the right thing" and succeed for the wrong reason. It's one of the many things that make small factoring/ecdlp cases bad benchmarks for progress in quantum computing.
I warned the project11 people that this would happen. That they'd be awarding the bitcoin to whoever best obfuscated that the quantum computer was not contributing (likely including the submitter fooling themselves). I guess they didn't take it to heart.
Imagine investing trillions of dollars on slightly worse random numbers. I suppose it's a better use of money than DEI hiring and political correctness initiatives. At least random numbers don't destroy society systematically.
NooneAtAll3•Apr 25, 2026
does the number of calls to "QM" match between the implementations?
9 Comments
Recovering a 17bit ecc key isn’t a challenge for current classical computers via brute force.
weakened algorithms to the extreme (17 bits in 2026 LOL).
https://blog.google/innovation-and-ai/technology/research/qu...
At least for breaking crypto, which seems to be its headline feature. Maybe there are other useful things it can do?
[1] - https://www.nature.com/articles/d41586-025-03300-4
If the results are statistically identical to guessing then it seems like you've just built a Rube Goldberg contraption.
If the quantum computer were a key component of the solution, replacing it with an RNG would have either no longer yielded the right result, or at least would have taken longer to converge to the right result. Instead, the author shows that it runs exactly the same, proving all of the relevant logic was in the classical side and the QC was only contributing noise.
I warned the project11 people that this would happen. That they'd be awarding the bitcoin to whoever best obfuscated that the quantum computer was not contributing (likely including the submitter fooling themselves). I guess they didn't take it to heart.
[1]: https://sigbovik.org/2025/proceedings.pdf#page=146
perfection