Key Takeaways:
- Starkware CPO Avihu Levy published QSB on April 9, 2026, enabling quantum-safe bitcoin transactions with zero protocol changes.
- Levy’s scheme costs $75 to $150 in GPU compute per transaction and achieves roughly 118-bit pre-image resistance against quantum attack.
- QSB is the first known scheme to secure live bitcoin transactions against Shor’s algorithm using only Bitcoin’s existing legacy Script rules.
How a Starkware Executive Built Quantum Resistance Into Bitcoin Without Touching the Protocol
Avihu Levy, chief product officer at Starkware and co-author of BIP-360, released a full research paper and open-source implementation on April 9, 2026. The scheme is called Quantum Safe Bitcoin, or QSB. It requires no softfork, no community coordination, and no new opcodes. It runs entirely within Bitcoin’s existing legacy Script constraints of 201 opcodes and 10,000 bytes.
The threat QSB addresses is specific. Bitcoin’s primary signature scheme, ECDSA over the secp256k1 elliptic curve, is fully breakable by Shor’s algorithm on a sufficiently powerful quantum computer. An attacker with that capability could recover private keys from any exposed public key, forge signatures, and redirect funds. P2PK outputs, legacy addresses, and Taproot keyspend paths are all at risk the moment a public key appears onchain.

Levy’s scheme severs that dependency at the transaction level. Instead of relying on elliptic curve hardness, QSB builds security on the pre-image resistance of RIPEMD-160, a hash function that quantum computers can only attack with Grover’s algorithm, which provides a quadratic speedup rather than a total break. A 160-bit hash retains roughly 80 bits of pre-image resistance against a quantum adversary, leaving a comfortable margin.
The construction modifies an earlier scheme called Binohash, developed by Robin Linus, and fixes two problems that made Binohash unsafe against quantum attack. The first was a signature-size proof-of-work (PoW) puzzle that depended on finding small elliptic curve r-values, something Shor’s algorithm trivially breaks. The second was an unresolved sighash flag vulnerability that could allow an attacker to reuse a valid puzzle signature across different transactions.
Replacing the Signature-Size Puzzle
QSB replaces the signature-size puzzle with what Levy calls a hash-to-sig puzzle. The spender iterates over transaction parameters until the RIPEMD-160 hash of a transaction-derived public key produces a valid DER-encoded ECDSA signature. That event occurs with probability roughly 1 in 70 trillion. Because the puzzle uses a hardcoded SIGHASH_ALL flag, the sighash vulnerability is eliminated as a side effect.
The spender then runs two digest rounds using a HORS-style Lamport signature structure, selecting subsets of dummy signatures that alter the transaction’s sighash via a legacy Script mechanism called FindAndDelete. Each subset produces a different hash output. The subset that yields a valid DER-encoded signature becomes the digest for that round. Revealing the corresponding pre-images in the witness completes the quantum-safe spend.
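The event both steps wait for, a 20-byte hash that happens to parse as a DER signature, can be checked and counted exactly. The following is an added example, not code from Levy's paper or repository: it assumes the 20-byte digest is the DER body with a single sighash byte following it, uses the BIP66 strict-DER rules as the validity test, covers encoding only (not whether the signature verifies), and all function names are hypothetical.

```python
import math

def is_strict_der(sig: bytes) -> bool:
    """BIP66 encoding rules; sig = DER body plus one trailing sighash byte."""
    if not 9 <= len(sig) <= 73:
        return False
    if sig[0] != 0x30 or sig[1] != len(sig) - 3:
        return False
    len_r = sig[3]
    if 5 + len_r >= len(sig):
        return False
    len_s = sig[5 + len_r]
    if len_r + len_s + 7 != len(sig):
        return False
    # (offset of first data byte, length) for R and then S
    for start, n in ((4, len_r), (6 + len_r, len_s)):
        if sig[start - 2] != 0x02 or n == 0:
            return False                       # wrong type tag or empty integer
        if sig[start] & 0x80:
            return False                       # would encode a negative integer
        if n > 1 and sig[start] == 0 and not sig[start + 1] & 0x80:
            return False                       # needless leading zero byte
    return True

def count_ints(n: int) -> int:
    """How many n-byte strings are a valid strict-DER integer."""
    if n == 1:
        return 128
    return 127 * 256 ** (n - 1) + 128 * 256 ** (n - 2)

def count_valid_bodies(body_len: int) -> int:
    """How many body_len-byte strings are a valid DER body (0x30 .. S)."""
    payload = body_len - 6          # six bytes go to tags and length fields
    return sum(count_ints(a) * count_ints(payload - a) for a in range(1, payload))

def puzzle_bits(body_len: int = 20) -> float:
    """log2 of the expected number of uniform digests tried per hit."""
    return body_len * 8 - math.log2(count_valid_bodies(body_len))

# Constructed sample digest (not from the paper): 7-byte R and 7-byte S.
SAMPLE_DIGEST = bytes.fromhex("30120207" + "11" * 7 + "0207" + "22" * 7)

if __name__ == "__main__":
    print(is_strict_der(SAMPLE_DIGEST + b"\x01"))
    print(f"about 1 in 2^{puzzle_bits(20):.2f} digests is valid DER")
```

Under these assumptions the count lands just above 2^46 tries per hit, the same order of magnitude as the 1-in-70-trillion figure quoted above.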
The recommended configuration, which Levy calls Config A, fits within the 201-opcode limit and achieves approximately 118-bit pre-image resistance and 78-bit collision resistance. A quantum attacker running Grover’s algorithm against this configuration faces roughly 2 to the 69th power work for a second pre-image attack. Shor’s algorithm provides no advantage at all, since there are no elliptic curve assumptions left to break.
Off-chain computation costs between $75 and $150 in cloud GPU time per transaction at current spot pricing. The work is embarrassingly parallel and completed in hours across multiple GPUs in early tests. The GPU farm only handles public computations, including key recovery and hashing. Private HORS pre-images never leave the spender’s secure device.
There are real limitations. QSB transactions are consensus-valid but non-standard, exceeding default relay policies. They require direct submission to a mining pool that accepts non-standard transactions, such as through Marathon’s Slipstream service. The scheme does not yet cover Lightning Network channels. Full on-chain assembly and broadcast are still pending in the open-source implementation. Levy describes the scheme as a last-resort measure, not a general replacement for standard Bitcoin usage.
Starkware co-founder Eli Ben-Sasson publicly endorsed the work, stating Bitcoin can be quantum-safe immediately. He said:
“THIS IS HUGE. Bitcoin is Quantum-Safe TODAY. Even if a quantum computer appeared, one that breaks the conventional Bitcoin signatures, it shows a practical way to create safe Bitcoin transactions. WITH NO CHANGE TO BITCOIN PROTOCOL!”
Levy shared the paper and repository on X and credited Robin Linus for foundational work on Binohash and for a key correction that shaped the final cost-security tradeoff. The community was quite pleased with the white paper as it was shared widely on social media. Taproot Wizard Eric Wall wrote on X:
“Starkware has some of the best hackers on the planet. It is beautiful to see when hackers use their powers for good.”
The full paper, GPU-accelerated CUDA code, Python pipeline, and complete Bitcoin Scripts are available at Levy’s GitHub repository. The news follows the recent prototype meant to secure bitcoin wallets from quantum risk. That specific prototype was created by Lightning Labs CTO Olaoluwa Osuntokun.
What This Means for Everyday Bitcoin Holders
For everyday bitcoin (BTC) holders, the practical takeaway is straightforward. No quantum computer capable of breaking Bitcoin’s cryptography exists today, and most researchers place that threat at least three years to a decade out. But the clock starts the moment a public key appears onchain, which happens every time a user spends from an address.
Bitcoin sitting in a wallet that has never made an outgoing transaction carries less exposure. Bitcoin parked at a reused or already-spent address is a different story. When quantum computing reaches the threshold, those exposed public keys become targets. Moving funds before that window closes matters more than moving them after.
QSB does not yet ship inside any consumer wallet. Users cannot open a standard wallet today and toggle a quantum-safe setting. What Levy has delivered is the cryptographic proof that the path exists, built from rules already inside Bitcoin, costing roughly the price of a plane ticket in GPU compute.
The remaining work is engineering, adoption, and time. For a person holding BTC, the action item is simple: watch for post-quantum support from your wallet provider, avoid reusing addresses, and move funds to a quantum-safe address when that option becomes available in mainstream software. The tools to protect that bitcoin are being built right now.