April 12, 2026 ChainGPT

StarkWare's Quantum-Safe Bitcoin Uses Lamport Signatures and Off-Chain Puzzles, No Protocol Change

A StarkWare researcher says Bitcoin can be made resistant to future quantum attacks without changing the protocol, by shifting the hard work off-chain and staying inside Bitcoin’s existing scripting rules.

What was proposed
- Avihu Mordechai Levy, a researcher at StarkWare, published a paper describing “Quantum-Safe Bitcoin” (QSB). The scheme replaces today’s elliptic-curve signatures (vulnerable to Shor’s algorithm) with hash-based cryptography and Lamport signatures, a simple, well-known post-quantum signature method.
- Crucially, Levy’s design works within Bitcoin’s current scripting limits and would not require a soft fork or other protocol upgrade. “We present QSB, a Quantum Safe Bitcoin transaction scheme that requires no changes to the Bitcoin protocol and remains secure even in the presence of Shor's algorithm,” he writes.

How it works, simply
- Instead of changing consensus rules, QSB has users solve a cryptographic puzzle before broadcasting a transaction. The transaction includes proof that the puzzle was solved and a Lamport signature over a cryptographic identifier of the transaction.
- Because Lamport signatures are post-quantum secure, an attacker who can run Shor’s algorithm cannot forge the signature; altering the transaction would require solving the puzzle again.
- Levy estimates a valid puzzle solution would require on the order of 70 trillion attempts. That work happens off-chain (before broadcasting) on commodity hardware such as GPUs and would cost on the order of a few hundred dollars per transaction.

Design constraints and techniques
- Bitcoin’s script size and opcode limits (201 opcodes and 10,000 bytes) are extremely restrictive. To fit inside them, QSB combines Lamport signatures with hash-based puzzles in a layered transaction structure and adds a mechanism Levy calls “transaction pinning,” which forces anyone who modifies the transaction to re-solve the puzzle.
- Because Lamport-style schemes tend to produce large, one-time-use signatures, the system is intentionally described as a “last-resort” measure rather than a general, scalable replacement for current signatures.

Trade-offs and practical limits
- QSB avoids Shor-based attacks on elliptic-curve signatures, but it is not a free lunch:
  - Grover’s algorithm still offers a theoretical quadratic speedup for searching hash spaces, so hash-based defenses require parameter tuning to maintain their security margins.
  - The off-chain computational cost and on-chain size make QSB impractical for routine, high-throughput use. Levy frames it as a fallback for high-value or particularly sensitive transactions rather than a day-to-day solution.
  - The transactions are more complex than standard ones and could be considered non-standard under current relay policies, which may limit propagation via the public mempool. Users might need to submit such transactions directly to mining pools.

Bigger picture: an interim tool, not the final answer
- Levy stresses that QSB is a mitigation, not a substitute for a protocol-level, user-friendly, scalable post-quantum migration. “It remains necessary to continue the ongoing effort to research and implement the best possible solution for Bitcoin—one that is maximally efficient, user-friendly, and answers Bitcoin's needs, through protocol-level changes,” he writes.
- His paper joins other Bitcoin post-quantum proposals, including BIP-360 (Pay-to-Merkle-Root), which aims to support quantum-safe signatures at the address/protocol level.
- While the quantum threat to Bitcoin remains theoretical today, major tech companies, including Google and Cloudflare, already plan to migrate to post-quantum cryptography, with transition targets around 2029.

Bottom line
QSB is a clever, pragmatic way to harden individual Bitcoin transactions against a future quantum attacker without changing the network itself.
But it’s costly, bulky, and likely only useful as a niche or emergency tool while the ecosystem develops a more scalable, protocol-level post-quantum path.
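The Lamport signature and puzzle binding described under “How it works”, as an added toy example that is not code from Levy’s paper or from StarkWare: a Lamport one-time signature over a transaction identifier that is bound to an off-chain hash puzzle, so changing the transaction invalidates both. SHA-256, the 8-byte nonce encoding and the tiny difficulty are assumptions; the last function illustrates the “one-time-use” caveat by counting how many secret pairs become fully public once a key signs two different messages.

```python
import hashlib
import secrets

N = 256  # bits in a SHA-256 digest; one secret pair per bit


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(msg: bytes):
    """Bits of H(msg), most significant first."""
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def lamport_keygen():
    # Secret key: 256 pairs of random 32-byte preimages. Public key: their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, msg: bytes):
    # Reveal exactly one preimage per digest bit. The key must be used once only.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(msg)))


def puzzle_ok(tx: bytes, nonce: int, bits: int) -> bool:
    h = int.from_bytes(H(tx + nonce.to_bytes(8, "big")), "big")
    return h >> (N - bits) == 0


def solve_puzzle(tx: bytes, bits: int) -> int:
    # Off-chain work: find a nonce so H(tx || nonce) has `bits` leading zero bits.
    # Difficulty here is constructed for demonstration; the paper estimates ~7e13 attempts.
    nonce = 0
    while not puzzle_ok(tx, nonce, bits):
        nonce += 1
    return nonce


def tx_identifier(tx: bytes, nonce: int) -> bytes:
    # The value that is signed: the transaction bound to its puzzle solution.
    return H(tx + nonce.to_bytes(8, "big"))


def reused_key_exposure(sigs) -> int:
    # Count secret pairs whose two preimages are both public after the given signatures.
    revealed = [set() for _ in range(N)]
    for sig in sigs:
        for i, s in enumerate(sig):
            revealed[i].add(s)
    return sum(len(r) == 2 for r in revealed)
```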