Bitcoin Could Be Quantum-Safe Without Protocol Changes, New Proposal Claims

Original link: https://www.zerohedge.com/crypto/bitcoin-could-be-quantum-safe-without-protocol-changes-new-proposal-claims

## Proposed Quantum-Safe Bitcoin Transactions

A new research proposal called “Quantum Safe Bitcoin” (QSB) aims to protect Bitcoin against future quantum computers *without* changing the core Bitcoin protocol. Today Bitcoin relies on ECDSA signatures, which are vulnerable to Shor’s algorithm running on a sufficiently powerful quantum computer. QSB moves security from elliptic-curve cryptography to hash-based assumptions by means of a “hash-to-signature” puzzle: finding a hash value that *looks* like a valid ECDSA signature, a task that remains computationally hard even for a quantum computer and leaves a meaningful security margin against both Shor’s and Grover’s algorithms. The scheme works within existing Bitcoin Script limits, so no soft fork is needed. However, QSB transactions are larger and demand more computation, so they must be submitted directly to miners through services such as Slipstream; generating one on cloud GPUs is estimated to cost $75 to $150. The core puzzle generation is finished and tested, but full on-chain transaction assembly and broadcast have yet to be demonstrated. QSB thus represents a promising route to hardening Bitcoin’s long-term security against quantum threats using the rules already in place.


Original article

Authored by Micah Zimmerman via Bitcoin Magazine.com

A new research proposal claims it can make Bitcoin transactions resistant to quantum attacks without changing the network’s core rules, a goal that has drawn attention as concerns grow over future cryptographic risks.

In a paper published on April 9, Avihu Levy of StarkWare outlined “Quantum-Safe Bitcoin Transactions Without Softforks,” introducing a scheme called Quantum Safe Bitcoin, or QSB. The design aims to protect transactions from threats posed by quantum computers while remaining compatible with the existing Bitcoin protocol.

The proposal targets a known vulnerability in Bitcoin’s current design. Standard transactions rely on ECDSA signatures over the secp256k1 curve. In theory, a sufficiently powerful quantum computer running Shor’s algorithm could break this system by solving discrete logarithms, which would allow attackers to forge signatures and spend funds.

QSB replaces reliance on elliptic curve security with hash-based assumptions. Instead of trusting ECDSA, the scheme uses it as a verification mechanism while shifting security to hash pre-image resistance. This approach draws from earlier work known as Binohash, which embeds one-time signature schemes into Bitcoin Script.

At the core of QSB is a “hash-to-signature” puzzle.

The system hashes a transaction-derived public key using RIPEMD-160 and treats the output as a candidate ECDSA signature. Only a small fraction of random hashes meet the strict formatting rules required for valid signatures, creating a proof-of-work condition. The paper estimates the probability of success at about one in 70.4 trillion attempts.
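To make the “formatting rules” filter concrete, here is an added Python example; it is not code from the paper, from StarkWare, or from the QSB tooling. It applies Bitcoin’s consensus strict-DER rules (BIP66) to a 20-byte RIPEMD-160 digest in the way OP_CHECKSIG would parse a pushed signature (19 DER bytes plus one sighash byte), then checks that the recovered r and s are usable secp256k1 scalars. The search loop over a constructed prefix and counter is an assumption about the general shape of such a search, not QSB’s actual pinning procedure, and the example does not reproduce the paper’s exact acceptance rule or its one-in-70.4-trillion figure; it only shows why a random digest almost never passes. The SHA-256 fallback is a portability assumption for Python builds whose OpenSSL lacks RIPEMD-160.

```python
import hashlib
from typing import Optional, Tuple

# secp256k1 group order: r and s of a usable ECDSA signature must lie in [1, n-1]
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
DIGEST_LEN = 20  # RIPEMD-160 output, read as 19 DER bytes + 1 sighash byte


def ripemd160_or_fallback(data: bytes) -> bytes:
    """RIPEMD-160 as computed by OP_RIPEMD160. Assumption for portability only:
    fall back to a truncated SHA-256 when the local OpenSSL has no RIPEMD-160."""
    try:
        return hashlib.new("ripemd160", data).digest()
    except ValueError:
        return hashlib.sha256(data).digest()[:DIGEST_LEN]


def is_strict_der(sig: bytes) -> bool:
    """BIP66 strict-DER encoding check enforced by consensus for OP_CHECKSIG inputs.
    Layout: 30 <len> 02 <lenR> <R> 02 <lenS> <S> <sighash>."""
    n = len(sig)
    if n < 9 or n > 73 or sig[0] != 0x30 or sig[1] != n - 3 or sig[2] != 0x02:
        return False
    len_r = sig[3]
    if 5 + len_r >= n:
        return False
    len_s = sig[5 + len_r]
    if len_r + len_s + 7 != n or len_r == 0 or len_s == 0:
        return False
    if sig[4] & 0x80:  # R must not be negative
        return False
    if len_r > 1 and sig[4] == 0x00 and not (sig[5] & 0x80):  # R must be minimal
        return False
    if sig[len_r + 4] != 0x02:
        return False
    if sig[len_r + 6] & 0x80:  # S must not be negative
        return False
    if len_s > 1 and sig[len_r + 6] == 0x00 and not (sig[len_r + 7] & 0x80):  # S minimal
        return False
    return True


def parse_der(sig: bytes) -> Tuple[int, int, int]:
    """Split a strict-DER signature into (r, s, sighash_type); call is_strict_der first."""
    len_r = sig[3]
    r = int.from_bytes(sig[4:4 + len_r], "big")
    len_s = sig[5 + len_r]
    s = int.from_bytes(sig[6 + len_r:6 + len_r + len_s], "big")
    return r, s, sig[-1]


def is_candidate_signature(digest: bytes) -> bool:
    """A digest 'looks like' a signature when it is strict DER and r, s are in [1, n-1]."""
    if len(digest) != DIGEST_LEN or not is_strict_der(digest):
        return False
    r, s, _ = parse_der(digest)
    return 1 <= r < SECP256K1_N and 1 <= s < SECP256K1_N


def search_candidate(prefix: bytes, max_attempts: int) -> Optional[Tuple[int, bytes]]:
    """Hypothetical search loop (not QSB's pinning phase): append a counter to a
    constructed input, hash each attempt, stop at the first digest that parses."""
    for nonce in range(max_attempts):
        digest = ripemd160_or_fallback(prefix + nonce.to_bytes(8, "big"))
        if is_candidate_signature(digest):
            return nonce, digest
    return None


# Constructed 20-byte value that satisfies every rule above (r = 0x010203040506,
# s = 0x0a0b0c0d0e0f10, sighash = SIGHASH_ALL). A random digest hits this shape rarely:
# bytes 0-2 are fixed, lenR must be 1..12, and two more bytes are then forced.
CONSTRUCTED_VALID = bytes.fromhex("3011" "0206" "010203040506" "0207" "0a0b0c0d0e0f10" "01")

if __name__ == "__main__":
    print("constructed value accepted:", is_candidate_signature(CONSTRUCTED_VALID))
    print("search over 10_000 attempts:", search_candidate(b"constructed-pubkey-bytes", 10_000))
```

The search call in the block is expected to return `None` at this scale; the point of the example is the filter, which rejects almost every digest on the first three bytes alone, and the paper’s extra constraints only narrow it further.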

Because the puzzle depends on hash properties rather than elliptic curve hardness, it remains resistant to Shor’s algorithm. A quantum attacker would gain only a quadratic speedup from Grover’s algorithm, leaving meaningful security margins. The paper estimates about 118-bit second pre-image resistance under a Shor threat model.

The construction works within Bitcoin’s existing scripting limits, including a cap of 201 opcodes and a maximum script size of 10,000 bytes. It uses legacy script structures and avoids any need for consensus changes or soft forks, a feature that may appeal to developers wary of protocol fragmentation.

The transaction process unfolds in three stages, the proposal claims.

  • First, a “pinning” phase searches for transaction parameters that produce a valid hash-to-signature output, binding the transaction to a fixed structure.

  • Next, two digest rounds select subsets of embedded signatures to generate additional proofs tied to the transaction hash.

  • Finally, the transaction is assembled with all required preimages and verification data.

The design introduces tradeoffs. QSB transactions exceed standard relay policy limits, which means they would not propagate across the network under default settings. Instead, they would require direct submission to miners through services such as Slipstream. The scripts also consume significant space and computational resources.

Despite these constraints, the cost of generating a valid transaction appears within reach. The paper estimates total compute expenses between $75 and $150 using cloud GPUs, with the workload scaling across parallel hardware. Early testing reports successful puzzle solutions after several hours using multiple GPUs.

The project remains incomplete. While the paper and script generation tools are finished, parts of the pipeline, including full transaction assembly and broadcast, have not been demonstrated on-chain.

Still, the proposal adds to a growing body of research exploring how Bitcoin could adapt to a future with quantum computing. By avoiding protocol changes, QSB presents one path that relies on existing rules rather than consensus upgrades, a direction that may shape further debate on long-term network security.

[ZH: Brain fogged over? QSB makes the hard math puzzle at the heart of Bitcoin... harder...]
