Bitcoin Can Be Quantum-Safe Today — But At a Steep Price

A new proposal from StarkWare claims Bitcoin transactions can be made quantum-resistant right now, without any protocol changes — though significant tradeoffs mean it is far from a universal solution.

The quantum computing threat to Bitcoin has long been treated as a distant, theoretical problem — something future developers will sort out with future tools. That assumption is being challenged. A new proposal published this month argues that Bitcoin transactions can be made quantum-resistant today, using nothing but the protocol's existing rules. The catch? It costs up to $150 per transaction and cannot scale to everyday use. But in the escalating arms race between cryptographic security and quantum computing capability, even an imperfect solution commands serious attention.

The proposal arrives at a moment of genuine urgency. Google's March research paper rattled the Bitcoin community by suggesting that quantum computers may be able to crack Bitcoin's cryptography using far fewer resources than previously assumed. That revelation has accelerated a debate that was already simmering — and it has made any credible near-term solution, however limited, worth examining carefully.

The Facts

On April 9, Avihu Levy, chief product officer at StarkWare, published a paper outlining a scheme called Quantum Safe Bitcoin, or QSB [2]. The proposal describes a method for securing Bitcoin transactions against quantum attacks without requiring any changes to Bitcoin's consensus rules, meaning no soft fork, no community-wide upgrade, and no protocol fragmentation [1].

The core innovation is a mechanism Levy calls a "hash-to-signature" puzzle. Standard Bitcoin transactions rely on ECDSA signatures over the secp256k1 elliptic curve — a system that a sufficiently powerful quantum computer running Shor's algorithm could theoretically break by solving discrete logarithms, enabling an attacker to forge signatures and steal funds [2]. QSB sidesteps this vulnerability by shifting the security foundation away from elliptic curve mathematics entirely. Instead, the scheme hashes a transaction-derived public key using RIPEMD-160 and treats the output as a candidate ECDSA signature. Because only a tiny fraction of random hashes meet the strict formatting requirements for valid signatures — roughly one in 70.4 trillion attempts — the sender must perform substantial brute-force computational work to find a valid input [2]. Crucially, this work depends on hash pre-image resistance rather than elliptic curve hardness, meaning Shor's algorithm offers an attacker no meaningful advantage. The best a quantum adversary could do is apply Grover's algorithm, which provides only a quadratic speedup and leaves approximately 118 bits of second pre-image resistance intact [2].
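To see where a rarity of that order comes from, the following added example (not code from the QSB paper or from StarkWare) checks a 20-byte string against Bitcoin's BIP66 strict DER signature encoding and counts exactly how many 20-byte strings pass. It assumes that BIP66 encoding is the formatting requirement in question and that a RIPEMD-160 digest behaves like a uniform 20-byte string; under those assumptions the count works out to about 2^-46.4, the same order as the one-in-70.4-trillion (about 2^-46) figure above, and the paper's exact rules may differ. All function names and the sample bytes are constructed for illustration.

```python
from math import log2

def is_strict_der(sig: bytes) -> bool:
    """BIP66 encoding check: 0x30 len 0x02 rlen R 0x02 slen S sighash."""
    n = len(sig)
    if n < 9 or n > 73 or sig[0] != 0x30 or sig[1] != n - 3:
        return False
    rlen = sig[3]
    if 5 + rlen >= n:
        return False
    slen = sig[5 + rlen]
    if rlen + slen + 7 != n:
        return False
    for start, length in ((2, rlen), (4 + rlen, slen)):
        body = sig[start + 2:start + 2 + length]
        if sig[start] != 0x02 or length == 0 or body[0] & 0x80:
            return False  # wrong tag, empty integer, or negative integer
        if length > 1 and body[0] == 0 and not body[1] & 0x80:
            return False  # unnecessary leading zero byte
    return True

def valid_int_encodings(n: int) -> int:
    """How many n-byte strings are minimally encoded non-negative integers."""
    if n == 1:
        return 128                        # single byte with the high bit clear
    return 128 * 255 * 256 ** (n - 2)     # high bit clear, minus padded zeros

def count_valid(size: int = 20) -> int:
    """Exact number of size-byte strings accepted by is_strict_der."""
    payload = size - 7  # bytes left for R and S after 6 header bytes + sighash
    splits = sum(valid_int_encodings(r) * valid_int_encodings(payload - r)
                 for r in range(1, payload))
    return 256 * splits  # any trailing sighash byte passes the encoding check

def puzzle_bits(size: int = 20) -> float:
    """-log2 of the chance that a uniform size-byte string is valid DER."""
    return 8 * size - log2(count_valid(size))

# Constructed sample: rlen=6, slen=7, sighash byte 0x01 (not from a real transaction)
SAMPLE = bytes.fromhex("3011" "0206" "112233445566" "0207" "11223344556677" "01")

if __name__ == "__main__":
    print("sample passes:", is_strict_der(SAMPLE))
    print("difficulty: 2^-%.2f" % puzzle_bits(20))
    print("expected attempts: %.3g" % (2 ** 160 / count_valid(20)))
```

Six of the twenty bytes are fixed structure (about 48 bits); the twelve possible R/S length splits and the sign and padding rules on each integer account for the rest.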

The entire construction operates within Bitcoin's existing scripting constraints, including the 201-opcode limit and the 10,000-byte maximum script size, and requires no consensus changes whatsoever [2]. StarkWare CEO Eli Ben-Sasson called the development "huge," arguing it essentially makes Bitcoin quantum-safe today [1]. The computational cost of generating a valid QSB transaction is estimated at between $75 and $150 using cloud GPU infrastructure, with the workload parallelizable across multiple machines [1][2].

However, the proposal comes with significant limitations that its authors openly acknowledge. QSB transactions exceed standard relay policy limits, meaning they cannot propagate through the Bitcoin network under default node settings and would instead require direct submission to miners via services like Slipstream [2]. The scheme also does not address exposed public keys in legacy P2PK addresses — an estimated 1.7 million BTC in early wallets that remain vulnerable to quantum attack regardless of this proposal [1]. Bitcoin ESG specialist Daniel Batten pushed back on Ben-Sasson's enthusiasm, calling the claim an "overstatement" precisely because those dormant coins and exposed keys fall entirely outside QSB's scope [1]. The researchers themselves concede the point, describing QSB as a "last-resort measure" and reaffirming that protocol-level changes remain the preferred long-term path [1]. Separately, Lightning Labs CTO Olaoluwa Osuntokun published a complementary "escape hatch" prototype that would allow users to prove wallet ownership from a seed phrase without revealing it — another stopgap approach operating outside formal protocol upgrades [1].

Analysis & Context

To understand why QSB matters despite its limitations, it helps to appreciate how slowly Bitcoin protocol changes move. The SegWit upgrade took years of acrimonious debate before activation in 2017. Taproot, widely regarded as a straightforward improvement, required nearly three years from proposal to activation in 2021. Any quantum-resistant signature scheme requiring a soft fork — such as integrating NIST-standardized post-quantum algorithms like CRYSTALS-Dilithium or SPHINCS+ — would face the same grueling consensus process, potentially taking half a decade or more. QSB is valuable precisely because it is available now, without waiting for that process to conclude. For holders of large cold-storage positions who are genuinely concerned about the quantum timeline, a $75–$150 fee is arguably negligible compared to the value being protected.

The deeper issue QSB cannot resolve is also the most politically contentious one in Bitcoin today: what to do about the roughly 1.7 million BTC sitting in early P2PK addresses with exposed public keys. This Bitcoin, much of it attributed to Satoshi Nakamoto's mining era, represents a genuine systemic vulnerability. Three camps have emerged — leave the coins alone to preserve Bitcoin's immutability ethos, freeze or burn the vulnerable outputs before a quantum attacker can claim them, or upgrade the protocol to migrate them to quantum-safe addresses. None of these options is politically easy, and QSB does nothing to resolve that standoff. What it does do is buy time and demonstrate that creative engineering within existing constraints is still possible — a reminder that Bitcoin's scripting system, often dismissed as limited, retains surprising flexibility.

The broader pattern here is one Bitcoin has navigated before: incremental, layered solutions developing in parallel with longer-term structural debates. Lightning Network began as a research paper before becoming a functioning payment layer. Taproot began life as a theoretical improvement before becoming consensus reality. QSB and Osuntokun's escape hatch prototype are early-stage contributions to what will almost certainly become a multi-year, multi-layered response to quantum risk. The fact that serious researchers are publishing concrete proposals — rather than hand-waving at the problem — should be read as a healthy sign of the ecosystem's maturity.

Key Takeaways

  • QSB is a real but limited tool: StarkWare's proposal genuinely achieves quantum resistance for new Bitcoin transactions without any protocol changes, but at $75–$150 per transaction it is only practical for securing large holdings, not everyday use.
  • The exposed-key problem remains unsolved: Approximately 1.7 million BTC in legacy P2PK addresses with exposed public keys lie completely outside QSB's protection, and the community remains bitterly divided on how to address them.
  • Protocol upgrades are still the end goal: Both the QSB authors and the broader research community agree that proper quantum safety requires consensus-level changes — QSB is a bridge, not a destination.
  • Multiple parallel solutions are emerging: From QSB to Lightning Labs' seed-phrase escape hatch, the ecosystem is developing a toolkit of interim measures that could collectively reduce quantum exposure while long-term upgrades are debated.
  • The quantum timeline is compressing: Google's March paper shortened the community's assumed runway, making even imperfect near-term solutions strategically important for holders with significant BTC exposure.

AI-Assisted Content

This article was created with AI assistance. All facts are sourced from verified news outlets.
