Avihu Levy, a researcher at StarkWare, has published a scheme that would make Bitcoin transactions resistant to quantum attacks without requiring soft forks or consensus changes.
On April 9, 2026, Avihu Levy of StarkWare published a paper titled “Quantum-Safe Bitcoin Transactions Without Softforks”, introducing a scheme called Quantum Safe Bitcoin (QSB). The proposal claims to make Bitcoin transactions resistant to quantum computer attacks while maintaining full compatibility with the existing protocol, without requiring any changes to consensus rules or the introduction of soft forks.
The problem QSB aims to solve is a known vulnerability in Bitcoin’s current architecture. Standard transactions rely on ECDSA signatures on the secp256k1 curve. In theory, a sufficiently powerful quantum computer running Shor’s algorithm could solve the discrete logarithms underlying this system, allowing an attacker to forge signatures and spend other people’s funds. QSB replaces reliance on elliptic curve security with assumptions based on hash functions, using ECDSA as a verification mechanism rather than as a cryptographic foundation. The approach draws inspiration from earlier work known as Binohash, which incorporates single-use signature schemes into Bitcoin scripts.
At the core of the QSB mechanism is a puzzle called “hash-to-signature”. The system applies the RIPEMD-160 function to a public key derived from the transaction and treats the output as an ECDSA signature candidate. Only a small fraction of random hashes satisfy the strict formatting rules required for a valid signature, creating a proof-of-work condition. The paper estimates the probability of success at roughly one in 70.4 trillion attempts. Because the puzzle depends on the properties of hash functions rather than the difficulty of elliptic curves, it remains resistant to Shor’s algorithm. A quantum attacker would only gain a quadratic speedup through Grover’s algorithm, preserving significant security margins. The paper estimates approximately 118 bits of resistance against second pre-image attacks under the Shor threat model.
The scheme operates within Bitcoin’s existing scripting constraints, including a cap of 201 opcodes and a maximum script size of 10,000 bytes, using legacy script structures. The transaction process unfolds in three phases: a “pinning” phase that searches for transaction parameters producing a valid hash-to-signature output; two digest rounds that select subsets of embedded signatures to generate additional proofs tied to the transaction hash; and finally transaction assembly with all required preimages and verification data.
The proposal does come with notable trade-offs. QSB transactions exceed the network’s standard relay policy limits, meaning they would not propagate through the network with default settings. They would instead require direct transmission to miners via services such as Slipstream. The scripts also consume significant space and computational resources. Despite these constraints, the cost of generating a valid transaction remains accessible: the paper estimates total computational expenses of between $75 and $150 using cloud GPUs, with the workload distributable across parallel hardware. Preliminary tests report successful puzzle solutions after several hours using multiple GPUs.
The project remains incomplete: while the paper and script generation tools are finished, parts of the pipeline — including full transaction assembly and on-chain broadcasting — have not yet been demonstrated in production. The proposal nonetheless adds to a growing body of research exploring how Bitcoin might adapt to a future shaped by quantum computing. By avoiding protocol changes, QSB presents a path that relies on existing rules rather than consensus upgrades — an approach that could influence the debate around the long-term security of the network.
