Forkless Quantum Safety for Bitcoin? New Scheme Puts the Burden on Senders

A StarkWare researcher proposes a forkless, quantum-resistant Bitcoin transaction using Lamport signatures and hash puzzles—secure vs Shor, costly per tx, and constrained by script limits.

Because Bitcoin

April 12, 2026

Bitcoin now has a credible forkless path to post-quantum safety—at least on paper. StarkWare researcher Avihu Mordechai Levy outlines a “Quantum-Safe Bitcoin” (QSB) transaction design that operates entirely within today’s scripting rules, aiming to remain intact even if Shor’s algorithm renders elliptic-curve signatures obsolete. No soft fork, no new opcodes—just a different way to compose transactions.

The core idea: replace elliptic-curve assumptions with hash-based primitives and Lamport one-time signatures, then make the sender do expensive work before a transaction ever hits the mempool. Each QSB transaction includes a proof that a cryptographic puzzle was solved off-chain; only then can the network validate it. Levy estimates the puzzle requires roughly 70 trillion attempts to find a valid solution—work that can be pushed through commodity GPUs for a few hundred dollars per transaction.

That cost-shift is the interesting tension. By moving computation off-chain and onto the creator, QSB decouples security from miners and ties it to the sender’s resources and urgency. It is elegant for compatibility and risky for market dynamics:

- Time-to-finality becomes a function of local compute, not just fee rate. Under congestion, users with limited hardware or budgets face real friction.
- Transaction “pinning” (a feature that forces any modifier to re-solve the puzzle) hardens against tampering but also increases complexity around replacements and fee-bumping. Expect edge cases around RBF, CPFP, and MEV-style games if this ever sees production experimentation.
- Relay policies matter. QSB transactions may be deemed non-standard under current rules, restricting propagation. Some users might need to submit directly to mining pools—introducing a private-orderflow dynamic that nudges centralization and creates new gatekeepers.
- Miners could price acceptance of these non-standard transactions in opaque ways, fragmenting the fee market and weakening mempool-based price discovery.

Technically, the design threads a very tight needle. Bitcoin scripts cap at 201 opcodes and 10,000 bytes, and every opcode counts—even in branches that never execute. To stay within those limits, QSB layers Lamport signatures with hash-based puzzles, compressing data and logic while preserving verifiability. Lamport signatures are widely considered post-quantum hard; they protect against Shor-style attacks by authenticating a strong transaction identifier that cannot be swapped without generating a fresh (and unforgeable) signature. Still, Grover’s algorithm may quadratically accelerate brute force over hash space, so parameter choices and safety margins matter.

Levy is clear this is a last-resort workaround, not a scalable end state. The off-chain compute cost and on-chain size overhead do not align with Bitcoin’s target throughput or everyday usability. The transaction-building flow is more involved than standard ECDSA signing, and the policy friction means some wallets and nodes may never relay these constructs without bespoke integrations.

There is also the broader migration path to consider. Alternatives such as BIP-360 (a Pay-to-Merkle-Root address format that can host quantum-safe signatures) aim for a protocol-level pivot that is cleaner for users and wallets. And while the quantum threat to Bitcoin remains theoretical, large web platforms are moving ahead: companies like Google and Cloudflare are targeting 2029 to complete their post-quantum transitions.

My read: QSB is a pragmatic hedge. It keeps Bitcoin’s rules untouched, buys optionality if a credible quantum break arrives earlier than governance can respond, and pressure-tests the economics of “who pays for safety.” But security that scales only for those who can afford hundreds of dollars per send—and perhaps private submission to mining pools—creates uneven protection. If quantum timelines compress, the network will still want a standardized, protocol-level solution that preserves open access, predictable fees, and censorship resistance. QSB is the fire extinguisher in the hallway, not the new sprinkler system.