StarkWare chief product officer Avihu Levy published a “Quantum Safe Bitcoin” transaction scheme that aims to keep individual BTC spends secure against Shor’s algorithm without any Bitcoin protocol upgrade. The design shifts the security burden to brute-force hashing work, trading off cost, complexity, and limited deployability.
Key Takeaways
- A “Quantum Safe Bitcoin” (QSB) spend scheme was proposed that stays within Bitcoin’s existing legacy script constraints and does not require a soft fork.
- The approach replaces elliptic-curve hardness with a brute-force “hash-to-sig puzzle” that is described as not being shortcuttable even by a quantum computer.
- Estimated GPU compute runs about $75–$150 per transaction, pushing QSB toward large transfers rather than everyday payments.
- The design is framed as a last-resort, non-standard path that does not cover Lightning Network use cases, keeping protocol upgrades as the preferred long-term fix.
QSB: A Quantum-Resistant Spend Path That Avoids a Soft Fork
Levy’s proposal targets a narrow but urgent question: can a Bitcoin holder make a quantum-resistant spend today, without waiting for a network-wide upgrade. QSB’s answer is yes, at least for specific transactions, by operating entirely inside Bitcoin’s current legacy script constraints.
The claim is scoped to transaction-level protection. Levy argued the scheme would remain secure “even against an adversary with a large-scale quantum computer running Shor’s algorithm.” That matters because Shor’s algorithm is the canonical threat model for public-key cryptography, including the elliptic-curve assumptions that underpin Bitcoin’s ECDSA signatures.
StarkWare CEO Eli Ben-Sasson endorsed the significance, saying “This is huge,” and arguing it “essentially makes Bitcoin quantum-safe today.” That framing is contested, and the pushback is where the market-relevant nuance sits.
How the “Hash-to-Sig Puzzle” Works Inside Legacy Script
Bitcoin spends typically prove authorization with ECDSA, which relies on elliptic-curve math that becomes fragile if a sufficiently capable quantum computer can run Shor’s algorithm at scale.
QSB pivots away from that dependency. Instead of treating the signature as something produced by a private key, the spender brute-forces an input until its hash output randomly resembles a valid ECDSA signature. The proposal describes this as a “hash-to-sig puzzle,” and the security intuition is simple: brute-force hashing is expensive, and the work is not described as something a quantum computer can shortcut in the way it can shortcut elliptic-curve problems.
That is why QSB can be pitched as “no-upgrade” quantum resistance for a single spend. It does not require new opcodes or new consensus rules. It uses the script system Bitcoin already has.
The Price of Safety: $75–$150 GPU Cost and Non-Standard Transaction Limits
The tradeoff is explicit. Levy estimated QSB could cost between $75 and $150 per transaction in GPU computing power, and he described it as more complex than a typical Bitcoin transaction. In practice, that cost profile reads like a tool for whales, treasuries, and high-value UTXO consolidation, not retail flow.
Deployability is the second constraint. The researchers characterized QSB as “non-standard,” meaning it may be valid under consensus rules but still fail to propagate cleanly across default node relay policies or get picked up by miners without policy changes. They also flagged that the approach does not cover Lightning Network use cases, limiting its relevance for off-chain payment channels.
The authors framed the scheme as a stopgap, not a migration plan. Their own language is blunt: “While this article describes a solution that works today for quantum-safe Bitcoin transactions, it should be treated as a last-resort measure.”
Criticism also centers on what QSB does not touch. Bitcoin ESG specialist Daniel Batten called the “quantum-safe today” framing “an overstatement” because exposed public keys and dormant wallets are “not addressed in the paper.” Batten pointed to an estimate of 1.7 million BTC in early P2PK outputs as potentially vulnerable to quantum cracking, a separate risk surface from making a new spend harder to attack.
Quantum Risk Roadmap Signals for Bitcoin Traders
The near-term tell is policy, not theory. If QSB remains “non-standard” in practice, the market impact is mostly narrative and contingency planning. If pools or major node operators explicitly accept and mine these transactions, QSB becomes a usable emergency lane for large holders.
The longer-term signal is whether follow-on work moves from transaction-level workarounds to protocol-level quantum-safe signatures, which the researchers still describe as the preferred end state.
Two open variables need tightening before desks can model real adoption: replication of the $75–$150 GPU estimate, including hardware and electricity assumptions, and any observed on-chain examples that demonstrate reliable relay and inclusion.
A parallel track is emerging around alternative authorization. Lightning Labs CTO Olaoluwa Osuntokun published a quantum “escape hatch” prototype that would let users prove wallet ownership from the original seed phrase without revealing it. Whether that stays a prototype or becomes a credible recovery path is another signal for how the ecosystem plans to handle key exposure.
Marcus Hale’s Take: QSB as a Stopgap, Not a Network-Wide Quantum Migration Plan
QSB reads like an emergency procedure for specific UTXOs, not a credible path to migrate the whole network. The researchers themselves label it last-resort, non-standard, and not applicable to Lightning, which is enough to cap expectations even if the cryptographic idea holds up.
The threshold that matters is miner and relay acceptance. If QSB transactions can be reliably propagated and mined, large holders get a practical, expensive escape route for high-value spends. If it stays policy-fragile and costly, the setup looks more like a sentiment catalyst than a fundamental shift, and the only development that truly matters is momentum toward protocol-level quantum-safe signatures that cover the full surface area, including dormant-key exposure.
Sources
btc$71,664-1.57%
eth$2,216.93-0.81%
usdt$1+0.00%
xrp$1.33-1.40%
bnb$594.71-1.80%
usdc$1+0.03%
sol$82.21-2.62%
trx$0.32+0.47%
doge$0.09-1.82%
ada$0.24-3.91%
bch$425.82-3.49%
link$8.8-2.46%
xlm$0.15-1.36%
ltc$53.89-1.24%
avax$9.03-2.91%
hbar$0.09-2.35%
sui$0.91-2.44%
dot$1.23-4.53%
uni$3.08-2.27%
etc$8.21-1.91%
algo$0.11-1.21%
atom$1.74-2.58%
fil$0.87-3.96%
vet$0.01-2.30%
