Starkware Executive Unveils Quantum-Safe Bitcoin Transactions Without Protocol Changes

Starkware Executive Unveils Quantum-Safe Bitcoin Transactions Without Protocol Changes

N
News Editor 01
2026-07-08 14:34:15
Starkware CPO Avihu Levy introduced QSB, a quantum-safe Bitcoin transaction scheme built entirely from existing Bitcoin rules, though the approach still faces relay, cost, and wallet adoption hurdles.
BitcoinQuantum SecurityStarkwareCryptographyProtocol Research

Avihu Levy, chief product officer at Starkware, has published a research paper and open-source implementation for Quantum Safe Bitcoin, or QSB, a scheme designed to make new bitcoin transactions resistant to quantum attacks without changing Bitcoin consensus rules. According to the research, the construction works entirely within Bitcoin’s long-standing legacy Script limits, meaning it does not require a soft fork, new opcodes, or broad protocol coordination to function.

The proposal arrives as concerns continue to build around the long-term impact of quantum computing on Bitcoin’s current cryptographic foundations. While no practical quantum computer exists today that can break Bitcoin signatures at scale, researchers have long warned that a sufficiently capable machine running Shor’s algorithm could undermine ECDSA over secp256k1, exposing private keys once public keys appear onchain. That would create a direct path for forged signatures and unauthorized spending.

A workaround built from existing Bitcoin rules

QSB is notable because it does not attempt to change Bitcoin from the protocol layer upward. Instead, Levy’s design works within rules that have already existed in Bitcoin for years. The system fits into the network’s legacy Script framework, including the familiar constraints of opcode count and script size, and uses those rules to build a transaction flow that no longer depends on elliptic curve hardness for security at the spending stage.

In practical terms, the scheme aims to sever the most dangerous link in a post-quantum threat model: the reliance on public-key cryptography that could be broken outright by Shor’s algorithm. Rather than trust elliptic curve assumptions, QSB leans on the pre-image resistance of RIPEMD-160. That matters because quantum attacks against hash functions are generally associated with Grover’s algorithm, which offers a quadratic speedup, not the full structural break that Shor provides against elliptic curve systems.

Levy’s paper argues that this shift leaves a meaningful security margin. The recommended setup, referred to as Config A, reportedly achieves about 118-bit pre-image resistance and 78-bit collision resistance. In the paper’s framing, that puts second pre-image attacks by a quantum adversary at roughly 2^69 work, while Shor’s algorithm no longer offers a direct advantage because the relevant elliptic curve assumptions have been removed from the spending construction.

How QSB improves on earlier ideas

The work builds on an earlier concept known as Binohash from Robin Linus, but Levy says QSB fixes two key problems that made the earlier approach unsuitable against quantum attackers. One issue involved a signature-size proof-of-work puzzle tied to small elliptic curve r-values, which would not survive a Shor-capable adversary. The second involved a sighash-related vulnerability that could potentially allow a valid puzzle signature to be reused across different transactions.

QSB replaces the earlier signature-size puzzle with what Levy calls a hash-to-sig puzzle. In this setup, the spender repeatedly tweaks transaction parameters until the RIPEMD-160 hash of a transaction-derived public key happens to map to a valid DER-encoded ECDSA signature form. The paper states that this event occurs with odds of roughly 1 in 70 trillion. By hardcoding SIGHASH_ALL, the scheme also addresses the signature reuse concern that affected earlier designs.

From there, the construction uses two digest rounds and a HORS-style Lamport signature structure. It selects subsets of dummy signatures that change the transaction’s sighash through the legacy Script mechanism known as FindAndDelete. Each subset produces a different hash output, and the subset that yields a valid DER-encoded signature is used as the digest for that round. The corresponding pre-images are then revealed in the witness, completing the spend in a way intended to remain secure against the class of quantum attacks that would devastate ordinary ECDSA-based transactions.

Costs are measurable, but deployment is limited

One of the more practical details in the release is cost. Levy estimates that QSB requires about $75 to $150 in cloud GPU compute per transaction at current spot pricing. The workload is highly parallelizable, and early tests reportedly completed the required computation within hours across multiple GPUs. According to the paper, the GPU infrastructure handles public computations such as key recovery and hashing, while private HORS pre-images remain on the spender’s secure device.

That makes QSB more than a theoretical paper exercise, but far from a turnkey retail solution. The biggest immediate limitation is policy rather than consensus. QSB transactions are described as consensus-valid but non-standard, which means they exceed ordinary relay policy and will not propagate through the network in the same way as typical Bitcoin transactions. To get them mined, users would likely need direct access to a mining pool willing to accept non-standard transactions, such as through services like Marathon’s Slipstream, which the report mentions.

Additional limitations remain. The current implementation does not yet support Lightning Network channels, and full onchain assembly and broadcast are still pending in the open-source tooling. Levy himself characterizes QSB as a last-resort measure rather than a broad replacement for everyday Bitcoin transaction flows.

Community response and broader significance

The release drew supportive comments from figures connected to both Starkware and the wider Bitcoin development community. Starkware co-founder Eli Ben-Sasson publicly praised the work and argued that it demonstrates Bitcoin can be made quantum-safe immediately, at least in a practical emergency sense, without altering the underlying protocol. Levy also shared the paper and code repository on X, crediting Robin Linus for foundational work on Binohash and for a correction that helped shape the final cost-security tradeoff.

Public reaction focused less on immediate rollout and more on what the work proves conceptually: that Bitcoin may already contain enough scripting flexibility to create a viable emergency path for quantum-resistant spending if the threat landscape changes faster than expected. That does not eliminate the appeal of more systematic post-quantum upgrades in the future, but it does suggest that the ecosystem may not be entirely dependent on consensus reform to respond to a crisis.

What it means for bitcoin holders today

For everyday BTC holders, the main takeaway is not that they should start using QSB immediately. They generally cannot. No mainstream wallet currently offers a consumer-facing “quantum-safe” toggle based on this scheme. Instead, the significance lies in proof of possibility. Levy has shown a route, built from existing Bitcoin rules, that could be used if quantum risk becomes urgent before new standards are widely deployed.

The article also reinforces a familiar security point: the exposure clock starts once a public key appears onchain. Coins held in addresses that have never spent are less exposed than coins tied to reused or already-spent outputs. If quantum capabilities eventually reach the level needed to threaten Bitcoin’s signature system, those exposed public keys would become the obvious target set.

For now, the practical advice remains conservative. Users should avoid address reuse, monitor wallet providers for post-quantum support, and be prepared to move funds when more accessible tools become available. QSB does not solve the adoption problem, and it does not remove the engineering work still ahead. But it provides a concrete demonstration that Bitcoin’s existing rule set may already support a meaningful line of defense against future quantum threats.

That may prove to be the most important part of the announcement. In a debate often framed as protocol upgrade or nothing, QSB introduces a third possibility: a costly, specialized, but workable emergency method that can be deployed using the Bitcoin network as it exists today.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
100

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.