Starkware CPO Unveils Quantum-Safe Bitcoin Transactions with Zero Protocol Changes, Costing $75-$150

Starkware CPO Unveils Quantum-Safe Bitcoin Transactions with Zero Protocol Changes, Costing $75-$150

N
News Editor 01
2026-07-08 14:40:17
Avihu Levy, Chief Product Officer at Starkware, published QSB—a quantum-safe Bitcoin transaction scheme built on existing protocol rules. It achieves ~118-bit pre-image resistance against quantum attacks using RIPEMD-160 hashing, with off-chain GPU costs of $75–$150 per transaction. No softfork or consensus change required.
BitcoinQuantum SecurityStarkwareCryptocurrencyTechnology Breakthrough

On April 9, 2026, Avihu Levy, Chief Product Officer at Starkware and co-author of BIP-360, released a full research paper and open-source implementation of a scheme called Quantum Safe Bitcoin (QSB). The scheme enables Bitcoin transactions to be secure against quantum computing attacks using only the existing legacy Script rules—no softfork, no new opcodes, and no community coordination.

Why Quantum Threat Matters

Bitcoin's current signature scheme, ECDSA over the secp256k1 elliptic curve, is fully breakable by Shor's algorithm on a sufficiently powerful quantum computer. An attacker could recover private keys from any exposed public key, forge signatures, and redirect funds. P2PK outputs, legacy addresses, and Taproot keyspend paths are all at risk once a public key appears onchain. QSB severs this dependency by replacing elliptic curve hardness with the pre-image resistance of RIPEMD-160, a hash function that quantum computers can only attack with Grover's algorithm—providing only a quadratic speedup rather than a total break. A 160-bit hash retains roughly 80 bits of pre-image resistance against a quantum adversary, leaving a comfortable margin.

How QSB Works

Levy's construction builds on an earlier scheme called Binohash by Robin Linus, fixing two critical flaws: a signature-size proof-of-work puzzle that depended on small elliptic curve r-values (easily broken by Shor's algorithm), and an unresolved sighash flag vulnerability that could allow signature reuse. QSB replaces the signature-size puzzle with a hash-to-sig puzzle. The spender iterates over transaction parameters until the RIPEMD-160 hash of a transaction-derived public key produces a valid DER-encoded ECDSA signature—an event with probability roughly 1 in 70 trillion. Because the puzzle uses a hardcoded SIGHASH_ALL flag, the sighash vulnerability is eliminated.

The spender then runs two digest rounds using a HORS-style Lamport signature structure, selecting subsets of dummy signatures that alter the transaction's sighash via a legacy Script mechanism called FindAndDelete. Each subset produces a different hash output. The subset that yields a valid DER-encoded signature becomes the digest for that round. Revealing the corresponding pre-images in the witness completes the quantum-safe spend. The recommended configuration, called Config A, fits within the 201-opcode limit and achieves approximately 118-bit pre-image resistance and 78-bit collision resistance. A quantum attacker running Grover's algorithm faces roughly 2^69 work for a second pre-image attack—Shor's algorithm provides no advantage since no elliptic curve assumptions remain.

Costs and Limitations

Off-chain computation costs between $75 and $150 in cloud GPU time per transaction at current spot pricing. The work is embarrassingly parallel and can be completed in hours across multiple GPUs. The GPU farm only handles public computations (key recovery and hashing); private HORS pre-images never leave the spender's secure device. QSB transactions are consensus-valid but non-standard, exceeding default relay policies. They require direct submission to a mining pool that accepts non-standard transactions, such as via Marathon's Slipstream service. The scheme does not yet cover Lightning Network channels, and full on-chain assembly and broadcast are still pending in the open-source implementation. Levy describes QSB as a last-resort measure, not a general replacement for standard Bitcoin usage.

Community Reaction and Next Steps

Starkware co-founder Eli Ben-Sasson publicly endorsed the work, stating: "THIS IS HUGE. Bitcoin is Quantum-Safe TODAY. Even if a quantum computer appeared that breaks conventional Bitcoin signatures, QSB shows a practical way to create safe Bitcoin transactions WITH NO CHANGE TO BITCOIN PROTOCOL!" Taproot Wizard Eric Wall commented: "Starkware has some of the best hackers on the planet. It is beautiful to see when hackers use their powers for good." The full paper, GPU-accelerated CUDA code, Python pipeline, and complete Bitcoin Scripts are available on Levy's GitHub repository. For everyday Bitcoin holders, no quantum-capable computer exists today, and most researchers estimate the threat window at 3–10 years. However, the clock starts the moment a public key appears onchain—every time a user spends from an address. QSB does not yet ship inside any consumer wallet, but Levy has provided cryptographic proof that quantum-safe transactions are possible using rules already inside Bitcoin, at a cost roughly equivalent to a plane ticket in GPU compute. The remaining work is engineering, adoption, and time.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
300

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.