Bitcoin Magazine
Bitcoin Could Be Quantum-Safe Without Protocol Changes, New Proposal Claims
A new research proposal claims it can make Bitcoin transactions resistant to quantum attacks without changing the network’s core rules, a goal that has drawn attention as concerns grow over future cryptographic risks.
In a paper published on April 9, Avihu Levy of StarkWare outlined “Quantum-Safe Bitcoin Transactions Without Softforks,” introducing a scheme called Quantum Safe Bitcoin, or QSB. The design aims to protect transactions from threats posed by quantum computers while remaining compatible with the existing Bitcoin protocol.
The proposal targets a known vulnerability in Bitcoin’s current design. Standard transactions rely on ECDSA signatures over the secp256k1 curve. In theory, a sufficiently powerful quantum computer running Shor’s algorithm could potentially break this system by solving discrete logarithms, which would allow attackers to forge signatures and spend funds.
QSB replaces reliance on elliptic curve security with hash-based assumptions. Instead of trusting ECDSA, the scheme uses it as a verification mechanism while shifting security to hash pre-image resistance. This approach draws from earlier work known as Binohash, which embeds one-time signature schemes into Bitcoin Script.
JUST IN: Bitcoin developer Avihu Levy introduces “Quantum-Safe Bitcoin Transactions Without Softforks” pic.twitter.com/enghEoOq10— Bitcoin Magazine (@BitcoinMagazine) April 9, 2026
At the core of QSB is a “hash-to-signature” puzzle. The system hashes a transaction-derived public key using RIPEMD-160 and treats the output as a candidate ECDSA signature. Only a small fraction of random hashes meet the strict formatting rules required for valid signatures, creating a proof-of-work condition. The paper estimates the probability of success at about one in ~70.4 trillion attempts.
Bitcoin resistant to quantum attacks
Because the puzzle depends on hash properties rather than elliptic curve hardness, it remains resistant to Shor’s algorithm. A quantum attacker would gain only a quadratic speedup from Grover’s algorithm, leaving meaningful security margins. The paper estimates about 118-bit second pre-image resistance under a Shor threat model.
The construction works within Bitcoin’s existing scripting limits, including a cap of 201 opcodes and a maximum script size of 10,000 bytes. It uses legacy script structures and avoids any need for consensus changes or soft forks, a feature that may appeal to developers wary of protocol fragmentation.
The transaction process unfolds in three stages, the proposal claims. First, a “pinning” phase searches for transaction parameters that produce a valid hash-to-signature output, binding the transaction to a fixed structure. Next, two digest rounds select subsets of embedded signatures to generate additional proofs tied to the transaction hash. Finally, the transaction is ass
