Bitcoin’s quantum problem has no shortage of proposed solutions. What it has lacked, until now, is a way to do something about it today, without asking Bitcoin’s notoriously slow governance machine to first agree on anything. A new paper published Thursday by a StarkWare researcher may have changed that, at least partially.
Avihu Levy, StarkWare’s chief product officer and a leading Bitcoin researcher, released a full research paper and open-source implementation of what he’s calling Quantum Safe Bitcoin, or QSB, a scheme that enables quantum-resistant Bitcoin transactions using only the network’s existing consensus rules, requiring no soft fork, no protocol upgrade, and no community-wide coordination.
RadThat last part is worth sitting with for a moment. The thing that makes quantum resistance so hard for Bitcoin is particularly the governance. Getting any meaningful change through Bitcoin’s development process takes years, sometimes close to a decade. Taproot, for reference, took roughly seven and a half years from concept to deployment. QSB sidesteps that problem entirely.
How the scheme actually works
The threat QSB is responding to is specific and well understood. Bitcoin’s primary signature scheme, ECDSA over the secp256k1 elliptic curve, is fully breakable by Shor’s algorithm on a sufficiently powerful quantum computer.
A machine capable of running that algorithm could reverse-engineer a private key from a public key and steal funds, the kind of scenario that has been theorized for years and is now drawing closer on the timeline than most people expected.
QSB’s approach is to swap out what the security depends on. Instead of trusting ECDSA, the scheme uses it as a verification mechanism while shifting the actual security to hash pre-image resistance. At the core is a “hash-to-signature” puzzle, the system hashes a transaction-derived public key using RIPEMD-160 and treats the output as a candidate ECDSA signature.
Only a tiny fraction of random hashes meet the strict formatting rules required for valid signatures, creating a proof-of-work condition. The paper estimates the probability of success at about one in roughly 70.4 trillion attempts.
Because the puzzle depends on hash properties rather than elliptic curve math, Shor’s algorithm offers no advantage. A quantum attacker would be limited to Grover’s algorithm, which delivers only a quadratic speedup, not the total break that Shor’s enables. The paper estimates roughly 118-bit second pre-image resistance under a Shor threat model, leaving a meaningful security margin.
The scheme builds on earlier work called Binohash, developed by Robin Linus, but fixes two vulnerabilities that made Binohash unsafe in a quantum context. The first was a signature-size proof-of-work puzzle that depended on finding small elliptic curve r-values, something Shor’s algorithm trivially breaks.
The second was an unresolved sighash flag vulnerability that could allow an attacker to reuse a valid puzzle signature across different transactions. QSB addresses both.
The catch: it’s expensive and experimental
None of this comes cheap. Generating a valid transaction requires searching through billions of possible candidates, a process Levy estimates would cost between $75 and $200 using commodity cloud GPUs. That compares to the current average Bitcoin transaction fee of around 33 cents. So this isn’t something you’d use to buy coffee, or, realistically, to do most things.
Levy is explicit about this in the paper. QSB is framed as a last-resort measure, not a general replacement for standard usage. The required computation can be done in parallel across multiple GPUs, which makes it more scalable than a flat cost figure might imply, but the user experience remains far from simple.
QSB transactions are consensus-valid but non-standard, exceeding default relay policies, meaning they wouldn’t propagate across the Bitcoin network under default settings. Instead, they require direct submission to a miner through services like Marathon’s Slipstream. The scheme also doesn’t yet cover Lightning Network channels, which account for a significant chunk of Bitcoin’s everyday transaction volume.
The GPU computation phase has been successfully tested over roughly six hours across eight Nvidia RTX PRO 6000 GPUs, but the digest search and onchain broadcast have not yet been completed end-to-end. So what Levy has delivered is a proof of concept and a cryptographic blueprint, not a finished product ready for wallet integration.
StarkWare co-founder Eli Ben-Sasson was notably enthusiastic about the result, describing it as proof that Bitcoin can be quantum-safe immediately, even without protocol changes. That may be overstating it somewhat, the cost and complexity mean this is protection for edge cases, not mass adoption, but the underlying claim holds. The path demonstrably exists.
The bigger conversation around bitcoin and quantum
QSB matters partly as a technical achievement, but also for what it signals about where Bitcoin finds itself right now. BIP-360, the quantum-resistance proposal that was merged into Bitcoin’s official improvement proposal repository in February, has no Bitcoin Core implementation and faces years of governance delay. Polymarket bettors are currently pricing in low odds of it activating this year.
Google researchers recently warned that a sufficiently powerful quantum computer could break Bitcoin’s core cryptography in under nine minutes, raising concerns that such a threat could emerge as soon as 2029. That timeline puts real pressure on the pace of Bitcoin’s response and Bitcoin’s governance has never been great at responding to pressure quickly.
The debate within the Bitcoin community remains genuinely divided. Charles Edwards of Capriole has argued for a 2026 deployment timeline and suggested penalizing coins that don’t migrate. Adam Back and Samson Mow, on the other end, maintain that the quantum threat is not imminent and have pushed back on urgency.
QSB doesn’t resolve that debate. What it does is demonstrate that the wait for consensus doesn’t have to mean complete vulnerability in the meantime. It runs entirely within Bitcoin’s existing legacy Script constraints, 201 opcodes and a 10,000-byte script limit and can be used by anyone willing to pay the compute cost and route around default relay policies.
That’s a limited use case, for now. But in a scenario where quantum computing advances faster than the Bitcoin governance process, limited is considerably better than nothing.