The proposal to freeze bitcoin's quantum-vulnerable coins has always carried an asterisk.
BIP-361, published in April by Jameson Lopp and five co-authors, would block new deposits to vulnerable addresses after three years and freeze whatever remained after five, stranding coins in more than a third of bitcoin's supply, including the roughly 1.1 million BTC attributed to pseudonymous creator Satoshi Nakamoto.
A later step of that plan promised a recovery path using zero-knowledge proofs, a technology that lets someone prove to another person that they know a fact without ever revealing it.
Quantum research outfit Project Eleven says it has now built exactly that, and made it fast enough to use.
Q-Day is a theoretical point at which a quantum computer could derive a private key from a public key, allowing an attacker to sign transactions from any address whose public key has ever been exposed.
More than 34% of all bitcoin sits in that category, according to BIP-361. After Q-Day, a signature would prove nothing because the attacker can produce one as easily as the owner. The chain cannot tell them apart.
Bitcoin signatures rely on elliptic curve cryptography, a system in which a private key generates a public key through math that runs only one way. Anyone can check the public key, but nobody can work backward to the private one. However, Shor’s algorithm, a quantum method published in 1994 for problems that ordinary computers cannot crack, can be fed a public key and return the private key that generated it.
Hashing is a different kind of problem. A hash scrambles an input into a fixed-length fingerprint and cannot be run backward, and the best quantum attack on it, called Grover's algorithm, only halves the exponent rather than collapsing it, taking a 256-bit hash from 2^256 guesses down to 2^128.
That is still more guesses than a machine making a billion a second could get through in the lifetime of the universe.

Modern wallets are built on hashing. A wallet generates addresses in a tree, deriving each key from its parent, and a "hardened" derivation step feeds the parent's private key through HMAC-SHA512 to produce the child key.
That is a one-way function. An attacker who breaks an address after Q-Day ends up holding exactly the key held, and cannot climb the tree to the key it came from.
coindesk.com