Add Decrypt as your preferred source to see more of our stories on Google.
In brief A new proposal outlines a way to create quantum-resistant Bitcoin transactions without changing the network protocol.
The design replaces elliptic-curve assumptions with hash-based puzzles and Lamport signatures.
The approach shifts computational work to transaction creators and is presented as a temporary workaround rather than a permanent fix.
Bitcoin transactions could be made resistant to future quantum attacks without changing the network’s core protocol, according to a proposal from StarkWare researcher Avihu Mordechai Levy.
In a recent paper, Levy describes a “Quantum-Safe Bitcoin” transaction scheme designed to remain secure even if quantum computers break the elliptic-curve cryptography used today. The method works within Bitcoin’s existing scripting rules and would not require a soft fork or other network upgrade.
“We present QSB, a Quantum Safe Bitcoin transaction scheme that requires no changes to the Bitcoin protocol and remains secure even in the presence of Shor’s algorithm,” Levy wrote.
The proposal replaces elliptic-curve signatures with hash-based cryptography and Lamport signatures, an early signature scheme considered resistant to quantum attacks.
“Since Lamport signatures are post-quantum secure, and they sign a cryptographically strong identifier of the transaction, it is not possible to modify the transaction without producing a new Lamport signature—which the attacker cannot forge, even with quantum computing capabilities,” Levy wrote.
At the center of the design is a cryptographic puzzle that must be solved before a transaction is broadcast. The paper estimates that finding a valid solution would require about 70 trillion attempts.
Unlike Bitcoin mining, the computation happens before the transaction reaches the network. Users perform the work off-chain and submit a transaction that already includes proof that the puzzle was solved.
Levy estimates the puzzle could be solved using commodity hardware such as GPUs at a cost of a few hundred dollars per transaction.
The scheme is designed to operate within Bitcoin’s scripting limits of 201 opcodes and 10,000 bytes. The paper notes these limits are extremely restrictive because every opcode counts toward the total, even if it appears in an unused script branch.
To fit within those limits, the system combines Lamport signatures with hash-based puzzles in a layered transaction structure. It also introduces “transaction pinning,” which requires anyone attempting to modify the transaction to solve the puzzle again.
Levy describes the system as a “last-resort” measure rather than a scalable fix. The paper says both the off-chain computational cost and the on-chain transaction size would not scale to Bitcoin’s target throughput or the needs of most users.
Transaction creation is also more complex than standard Bitcoin usage, and may be considered non-standard under current relay policies, meaning they could face propagation issues and may need to be submitted directly to mining pools rather than broadcast through the public mempool.
The proposal also carries security trade-offs. While it avoids attacks based on Shor’s algorithm that threaten elliptic-curve signatures, Grover’s algorithm could still provide a quadratic speedup for quantum attackers.
“To the extent that the quantum threat is believed to be real, it remains necessary to continue the ongoing effort to research and implement the best possible solution for Bitcoin–one that is maximally efficient, user-friendly, and answers Bitcoin’s needs, through protocol-level changes,” Levy wrote.
Levy’s paper joins several proposals that have emerged outlining how Bitcoin could transition to quantum-resistant cryptography, including BIP-360, which introduces a Pay-to-Merkle-Root address format designed to support quantum-safe signatures.
While the quantum threat to Bitcoin remains theoretical, companies including Google and Cloudflare are already preparing for it, setting a 2029 deadline to transition their systems to post-quantum.