Bitcoin can go quantum-safe without a fork under new QSB proposal

There’s a Way to Make Bitcoin Quantum-Safe Without a Fork, Researchers Argue

Bitcoin may not need a disruptive network upgrade to survive the coming age of quantum computing, according to a new cryptographic proposal that fits entirely inside the system’s existing rules.

Avihu Mordechai Levy, a researcher at StarkWare, has outlined a transaction design he calls “Quantum-Safe Bitcoin” (QSB). The approach aims to keep Bitcoin secure even if powerful quantum computers one day break the elliptic-curve cryptography that underpins the network today, without touching Bitcoin’s core consensus protocol.

Instead of asking miners and nodes to adopt new opcodes or activate a soft fork, the scheme relies solely on Bitcoin’s current scripting capabilities. In other words, if the proposal is practical, users could start creating quantum-resistant transactions on-chain using tools that already exist.

Levy’s central claim is clear: QSB is a transaction structure that “requires no changes to the Bitcoin protocol and remains secure even in the presence of Shor’s algorithm,” the famous quantum algorithm that threatens elliptic-curve and RSA-based cryptography.

Why Quantum Is a Problem for Bitcoin

Bitcoin’s security model assumes that certain math problems are effectively impossible to solve with classical computers. Public keys are protected by elliptic-curve cryptography (specifically, secp256k1). With current hardware, deriving a private key from a public key by brute force would take longer than the age of the universe.

Quantum computers, at least in theory, could change that. Shor’s algorithm can efficiently solve the mathematical problems behind today’s widely used public-key schemes. Once large, stable quantum machines exist, they could:

– Derive private keys from exposed public keys
– Forge valid signatures
– Seize funds from addresses whose public keys are visible on-chain

Not all Bitcoin is equally vulnerable. For unspent outputs that have never revealed a public key (only a hash of it), the risk is lower. But once coins are spent from a regular address, the public key is broadcast to the network and becomes a potential target for a future quantum adversary who can record blockchain data now and attack later.

This looming threat has pushed researchers to explore “post-quantum” or “quantum-resistant” cryptography: systems designed to remain secure even in the presence of quantum computers.

How QSB Works in Principle

QSB proposes to replace elliptic-curve signatures at the transaction level with primitives believed to be robust against quantum attacks: hash-based cryptography, in particular Lamport signatures.

Lamport signatures are one of the earliest digital signature schemes. They are built entirely from one-way hash functions rather than algebraic structures like elliptic curves. Since quantum algorithms don’t offer dramatic speedups against hashing in the same way they do against elliptic curves, hash-based schemes are considered much more resilient to quantum attacks.

The key ideas behind QSB include:

– Using Bitcoin’s existing scripting language to verify hash-based proofs instead of elliptic-curve signatures
– Designing scripts that lock coins behind Lamport-style signature conditions
– Avoiding any change to consensus rules, so existing nodes can continue to validate blocks as usual

From the network’s perspective, these special scripts are just another form of spending condition. They might be larger and more complex, but they still fit inside the constraints of Bitcoin Script as it exists today.

No Fork Required: Why That Matters

Most large-scale changes to Bitcoin’s security assumptions are expected to require a soft fork at minimum, and in some cases a controversial hard fork. These events are technically and politically challenging. They demand broad agreement among miners, node operators, wallet providers, and users, and they risk network splits if consensus cannot be reached.

A proposal that sidesteps protocol changes altogether has major advantages:

– No consensus drama: Miners and nodes don’t need to upgrade to new rules.
– Backward compatibility: Existing infrastructure continues to function unchanged.
– Gradual opt-in: Users can start adopting quantum-safe scripts on a voluntary basis, at their own pace.
– Lower coordination cost: Wallets and services can implement QSB as a feature instead of lobbying for a network-wide upgrade.

In practice, this means quantum defense could start as a niche option for security-conscious holders and gradually become more widespread, without waiting for a formal activation process.

Why Lamport and Hash-Based Signatures?

Lamport signatures and similar hash-based schemes are attractive in a quantum context for several reasons:

– Security relies on hash functions, which are far harder for quantum computers to break than elliptic-curve systems.
– They are conceptually simple and well-studied.
– They can be implemented using primitives Bitcoin already supports, such as standard hash functions.

However, they come with trade-offs:

– Key and signature sizes are much larger than for elliptic-curve signatures.
– Many hash-based schemes are one-time use or few-time use; reusing keys can break security.
– Managing key material is more complex and storage-intensive.

QSB’s design has to accommodate these realities. Transactions must be crafted so that each Lamport key is used only as intended, while still fitting into Bitcoin’s size limits and fee market.
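To make the description of hash-based signing above concrete, and to put numbers on the size and key-reuse trade-offs just listed, here is a textbook Lamport one-time signature over SHA-256. This is an added illustration written for this article; it is not code from Levy’s QSB paper and does not reproduce QSB’s actual Bitcoin Script construction. The message sizes, the sample messages and the helper names (`keygen`, `sign`, `verify`, `sizes`, `key_exposure`) are assumptions made here for the example.

```python
import hashlib
import os

HASH = hashlib.sha256
N = 256          # bits in the message digest; one key pair per bit
H_BYTES = 32     # size of one secret value and of one hash output

def keygen():
    # Private key: N pairs of random 32-byte secrets, one pair per digest bit.
    # Public key: the hash of every secret. Only hashing is involved, which is
    # why the scheme does not depend on elliptic-curve hardness.
    sk = [(os.urandom(H_BYTES), os.urandom(H_BYTES)) for _ in range(N)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk

def msg_bits(message: bytes):
    # Hash the message first so every message maps to exactly N bits.
    digest = HASH(message).digest()
    return [(digest[i // 8] >> (7 - (i % 8))) & 1 for i in range(N)]

def sign(sk, message: bytes):
    # For each digest bit, reveal the secret from that side of the pair.
    return [sk[i][bit] for i, bit in enumerate(msg_bits(message))]

def verify(pk, message: bytes, sig):
    # Re-hash each revealed secret and compare to the published hash.
    # Conceptually this per-bit "hash, then compare" is the only kind of
    # check a hash-based script needs; it uses no signature algebra at all.
    if len(sig) != N:
        return False
    bits = msg_bits(message)
    return all(HASH(s).digest() == pk[i][bits[i]] for i, s in enumerate(sig))

def sizes():
    # Byte counts for this parameter choice: this is the "bulky" trade-off.
    return {
        "private_key": N * 2 * H_BYTES,   # 16384 bytes
        "public_key": N * 2 * H_BYTES,    # 16384 bytes
        "signature": N * H_BYTES,         # 8192 bytes
    }

def key_exposure(messages):
    # Fraction of the 2*N private secrets that become public once the given
    # messages have all been signed with the SAME key. One signature exposes
    # exactly half; every additional distinct message exposes more, which is
    # why a Lamport key must be used once and then retired. The result depends
    # only on the message digests, not on the particular key.
    revealed = set()
    for m in messages:
        for i, bit in enumerate(msg_bits(m)):
            revealed.add((i, bit))
    return len(revealed) / (2 * N)

if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample message"     # constructed for this example
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("sizes:", sizes())
    print("exposure after 1 signature:", key_exposure([b"tx-A"]))
    print("exposure after 2 signatures:", key_exposure([b"tx-A", b"tx-B"]))
```

Running it shows why the article's caveats matter: a single 256-bit-security Lamport public key is 16 KiB and each signature 8 KiB, against tens of bytes for a secp256k1 signature, and `key_exposure` climbs above one half as soon as a second message is signed under the same key, so a wallet must treat each Lamport key as strictly single-use.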

Practical Challenges and Trade-Offs

While QSB is compelling in theory, applying it at scale raises several practical questions:

1. Transaction size and fees
Hash-based signatures are bulky. Growing signature payloads increases transaction size, which directly impacts fees. On a congested network like Bitcoin, larger transactions are more expensive and compete for limited block space.

2. User experience
If every address needs multiple large keys and one-time signature material, wallet design becomes more complex. Users may need more sophisticated backup, rotation, and key management strategies.

3. Migration path
Not all funds can be easily moved into quantum-safe outputs; lost coins and unresponsive holders are obvious examples. That means some portion of bitcoin will likely remain vulnerable even if new transactions adopt QSB-like protections.

4. Risk of implementation errors
Hash-based schemes are unforgiving. Reusing keys or mismanaging randomness can completely undermine security. Wallets must be carefully engineered and audited to avoid subtle bugs.

Despite these hurdles, the mere fact that a quantum-resistant scheme fits inside today’s rules is a strong signal: Bitcoin’s scripting system is more flexible than its day-to-day use suggests.

How QSB Could Be Deployed

If researchers, developers, and wallet providers found QSB or a similar scheme sufficiently robust, deployment could follow an incremental path:

– Experimental wallets integrate QSB as an “advanced security” option.
– Long-term holders and institutional custodians adopt quantum-safe scripts for cold storage.
– Best practices emerge around key rotation, backups, and recovery for hash-based schemes.
– Over time, a growing share of circulating bitcoin moves into outputs protected by quantum-resistant conditions.

Importantly, this process can happen without waiting for miners to activate a new opcode or for the ecosystem to coordinate around a formal upgrade path. Adoption becomes a matter of market demand and product design, not protocol governance.

What This Means for Bitcoin’s Long-Term Security

QSB does not magically erase quantum risk. Several realities remain:

– Quantum computers capable of breaking elliptic-curve cryptography at scale do not yet exist, but research is advancing.
– Many current outputs have already exposed public keys, especially addresses that have been reused or spent from.
– Some coins can never migrate to safer outputs because their owners are inactive or have lost keys.

However, the proposal reshapes the conversation:

– It shows that Bitcoin has tools today to start defending against a future quantum attacker.
– It reduces dependence on politically difficult protocol changes as the only path to quantum resilience.
– It encourages the ecosystem to think of quantum resistance as a transaction-level design problem, not just a consensus problem.

Instead of asking, “When will Bitcoin fork to become quantum-safe?” the more relevant question becomes, “When will users and services start offering and using quantum-safe transaction types?”

How QSB Compares to Other Quantum-Resistant Approaches

There are many parallel efforts in the broader cryptographic world to develop post-quantum standards. Most of these focus on lattice-based, code-based, or multivariate polynomial schemes rather than purely hash-based designs.

Compared to those:

– Hash-based schemes like Lamport are conservative and simple, but less efficient.
– Lattice-based schemes often have smaller signatures and keys but rely on newer hardness assumptions.
– Integrating non-hash-based post-quantum schemes directly into Bitcoin’s core layer would likely require new opcodes or a soft fork.

QSB essentially chooses the most conservative route that is already within Bitcoin’s reach: use the hash functions the network already trusts, even if it means paying more in bytes and fees.

The Road Ahead for Quantum-Safe Bitcoin

For now, QSB is a research proposal, not a standard or widely adopted practice. To move from paper to production, several steps would be needed:

– Independent cryptographers would need to review and challenge the scheme.
– Prototype implementations in wallets and libraries would be built and tested.
– Performance, fee impact, and usability would be evaluated in real-world conditions.
– The Bitcoin community would debate whether this is the right balance between security and practicality.

Even if QSB itself is not the final answer, it sets an important precedent: truly quantum-safe Bitcoin transactions are possible without rewriting the protocol rulebook.

The emergence of quantum-ready transaction designs suggests that Bitcoin’s long-term survival in a post-quantum world may depend less on a single dramatic fork and more on many small, opt-in choices by users, wallets, and custodians, starting well before powerful quantum computers arrive.