
Bitcoin Can Become Quantum-Safe Without a Protocol Upgrade. Here Is What That Actually Means


Quantum computing and Bitcoin have been discussed in the same breath for years, mostly in terms of threat. A sufficiently powerful quantum computer could break the cryptography that secures Bitcoin wallets. What gets less attention is whether Bitcoin can address that threat without going through the politically complicated process of a protocol upgrade. A recent proposal from StarkWare suggests it can, at least partially.

Understanding what the proposal actually does, and what it deliberately leaves unsolved, matters for anyone building on Bitcoin or advising clients about long-term custody.

The quantum threat to Bitcoin, explained

Bitcoin’s security model rests on elliptic curve cryptography, specifically the Elliptic Curve Digital Signature Algorithm (ECDSA). When you sign a transaction, you prove ownership of funds by producing a signature that only your private key could have generated. The math behind this relies on a problem that classical computers cannot solve efficiently: deriving a private key from a public key.

Quantum computers change that equation. Shor’s algorithm, running on a sufficiently large quantum machine, could solve the underlying discrete logarithm problem fast enough to derive private keys from public keys. In practice, this means a powerful enough quantum adversary could steal funds from any wallet whose public key is exposed.

The operative phrase is “sufficiently large.” Current quantum hardware tops out around 1,500 to 2,000 physical qubits. Breaking ECDSA-256, the algorithm Bitcoin uses, requires somewhere in the range of 500,000 error-corrected logical qubits. A March 2026 Google research paper updated the efficiency estimates for Shor’s algorithm, but even under optimistic assumptions the gap between current hardware and what would be needed remains substantial. Most credible timelines put a genuine quantum threat to Bitcoin cryptography at five to ten years out, not months.

That timeline is long enough that the industry is not in immediate danger, but short enough that preparation makes sense.

Why ECDSA is the specific vulnerability

Not all Bitcoin wallets face the same level of exposure. The risk depends on whether a wallet’s public key has been revealed on-chain.

Modern Bitcoin wallets using Pay-to-Public-Key-Hash (P2PKH) or SegWit formats only expose the public key when a transaction spending from the address is signed and broadcast. Until that point, only a hash of the public key is visible (which also means that reusing an address after spending from it gives up that protection). Quantum computers cannot reverse a cryptographic hash the same way they can reverse elliptic curve math, so funds sitting in an address that has never sent a transaction are relatively safer.

The more exposed category is Pay-to-Public-Key (P2PK), an older format that puts the public key directly on-chain from the first transaction. Estimates suggest roughly four million Bitcoin, including coins associated with early mining activity, sit in P2PK addresses. These wallets are permanently exposed in the sense that their public keys are already visible to anyone watching the chain.

This distinction matters for how any quantum-resistance proposal is evaluated.

The QSB proposal: quantum-safe Bitcoin without a fork

Avihu Levy, Chief Product Officer at StarkWare, published a proposal in early 2026 called Quantum-Safe Bitcoin (QSB). The central claim is that Bitcoin can achieve meaningful quantum resistance for future transactions using only the cryptographic primitives already present in Bitcoin Script. No fork required.

The mechanism relies on hash-based signatures rather than ECDSA. Hash preimage resistance, the property that makes it hard to find an input that produces a given hash output, is not broken by Shor’s algorithm. Lamport signatures and similar constructions build signing schemes on top of this property. They are larger and more expensive than ECDSA signatures, but they are considered post-quantum secure under current cryptographic understanding.

Bitcoin Script already supports the hash operations needed to verify these signatures. Levy’s proposal shows how they can be composed within existing script capabilities to produce a valid post-quantum signature scheme, fitting inside current transaction formats without requiring any changes to consensus rules.

The cost of this approach is real. Post-quantum signatures are significantly larger than ECDSA signatures, which increases transaction size and therefore fees. Current estimates put the compute and fee overhead for a QSB-style transaction at roughly 75 to 150 US dollars per transaction at current network conditions. For high-value transactions, that cost is a reasonable premium for quantum resistance. For small payments, it is prohibitive.
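To make the two preceding points concrete, the hash-based signing the proposal builds on and the size cost it carries, here is a textbook Lamport one-time signature over SHA-256. This is an added example written for this article, not Levy's construction, StarkWare code, or Bitcoin Script; it only uses hashing, which is why it is unaffected by Shor's algorithm, and it shows why such signatures are so much larger than ECDSA. The function names and the sample message are assumptions of the example.

```python
import hashlib
import secrets

# One pair of secret preimages per bit of the 256-bit message digest.
N_BITS = 256


def H(data: bytes) -> bytes:
    """SHA-256, the same hash family Bitcoin Script exposes via OP_SHA256."""
    return hashlib.sha256(data).digest()


def keygen():
    """Secret key: 256 pairs of random 32-byte preimages.
    Public key: the SHA-256 hash of every preimage (256 pairs of 32 bytes)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _message_bits(message: bytes):
    """Bits of SHA-256(message), most significant first."""
    digest = int.from_bytes(H(message), "big")
    return [(digest >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def sign(sk, message: bytes):
    """Reveal, for each bit of SHA-256(message), the preimage matching that bit.
    A Lamport key must be used exactly once: a second signature with the same key
    reveals further preimages and weakens the key."""
    return [sk[i][bit] for i, bit in enumerate(_message_bits(message))]


def verify(pk, message: bytes, signature) -> bool:
    """Hash each revealed preimage and compare it with the public-key half selected by
    the corresponding message bit. Verification needs only hashing, no elliptic curves."""
    if len(signature) != N_BITS:
        return False
    return all(
        H(preimage) == pk[i][bit]
        for i, (bit, preimage) in enumerate(zip(_message_bits(message), signature))
    )


def signature_bytes(signature) -> int:
    """Total signature size: 256 preimages of 32 bytes (ECDSA: roughly 64 to 72 bytes)."""
    return sum(len(p) for p in signature)


def pubkey_bytes(pk) -> int:
    """Total public-key size: 512 hashes of 32 bytes (compressed ECDSA key: 33 bytes)."""
    return sum(len(a) + len(b) for a, b in pk)


if __name__ == "__main__":
    sk, pk = keygen()
    # Constructed sample message, not a real transaction.
    msg = b"constructed sample: spend 1 BTC to a fresh quantum-safe output"
    sig = sign(sk, msg)
    print("valid signature:", verify(pk, msg, sig))
    print("tampered message:", verify(pk, msg + b"!", sig))
    print("signature bytes:", signature_bytes(sig))
    print("public key bytes:", pubkey_bytes(pk))
```

Running this shows the trade-off in numbers: verification is just 256 hash comparisons, but the signature is 8,192 bytes and the public key 16,384 bytes, which is the on-chain weight that translates into the fee premium discussed above. Deployed hash-based schemes use variants that shrink these figures; the plain Lamport form is shown here because it is the easiest to read.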

What the proposal does not solve

QSB protects future transactions. It does nothing for wallets that have already exposed their public keys.

The approximately four million Bitcoin in legacy P2PK addresses cannot be retroactively protected by a script-based scheme. Migrating those funds would require the private key holders to sign transactions moving coins to new, quantum-resistant addresses. For lost wallets, including coins from early Bitcoin history that have not moved in over a decade, that migration is not possible. Those funds would remain vulnerable if a cryptographically relevant quantum computer ever exists.

This is not a flaw in Levy’s proposal specifically. Any scheme that does not require a hard fork cannot retroactively change the security properties of funds already on-chain. A migration program that incentivized moving coins to quantum-safe addresses could address part of the problem, but it would require broad ecosystem coordination and would still leave unclaimed wallets exposed.

There is also the question of whether hash-based signatures will remain the right answer as the post-quantum cryptography field continues to develop. NIST finalized its first set of post-quantum cryptographic standards in 2024. Some of those standards may eventually find their way into Bitcoin through future upgrades, providing different tradeoffs on signature size and security assumptions. The script-based approach is a near-term bridge, not necessarily the permanent solution.

What this means for Bitcoin developers and custody providers

For developers building on Bitcoin today, the practical implication is that quantum resistance can be incorporated into wallet and custody architectures without waiting for protocol-level changes. Applications that handle high-value Bitcoin custody have a path to offering quantum-safe transaction signing now, with existing tooling, at a cost that is acceptable for institutional use cases.

For custody providers and institutional holders, the more pressing near-term issue is auditing existing key management infrastructure to identify P2PK exposure and develop migration plans for any vulnerable wallets still under active control. The quantum threat is not imminent, but the lead time for institutional custody changes is long enough that starting that audit now is reasonable.
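The exposure model described earlier (P2PK exposes the key, P2PKH and SegWit expose only a hash until spent) and the audit this paragraph recommends both come down to classifying output scripts. The following is an added example, not code from Boosty Labs, StarkWare or the QSB proposal, that classifies raw scriptPubKey templates and flags UTXOs whose script already contains a public key. It goes a little beyond the article's two categories by also handling P2SH, P2WSH and Taproot (P2TR), whose output script carries the tweaked x-only public key directly. The function names, the `Exposure` type and the sample UTXOs are constructed for the example; the txids are placeholders, not real chain data.

```python
from dataclasses import dataclass

# Script opcodes used by the standard output templates.
OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG = 0xa9, 0xac


@dataclass(frozen=True)
class Exposure:
    kind: str
    key_on_chain: bool  # True when a public key is in the output script itself
    note: str


def classify_script_pubkey(spk: bytes) -> Exposure:
    """Classify a raw scriptPubKey by template and report whether it exposes a public key."""
    n = len(spk)
    # P2PK: <push 33 or 65 bytes> <pubkey> OP_CHECKSIG
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return Exposure("P2PK", True, "public key sits in the output script")
    # P2PKH: OP_DUP OP_HASH160 <20-byte push> <hash> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return Exposure("P2PKH", False, "only HASH160(pubkey) until the first spend")
    # P2SH: OP_HASH160 <20-byte push> <hash> OP_EQUAL
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[22] == OP_EQUAL:
        return Exposure("P2SH", False, "only HASH160(redeem script) until the first spend")
    # P2WPKH: OP_0 <20-byte push> <hash>
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return Exposure("P2WPKH", False, "only HASH160(pubkey) until the first spend")
    # P2WSH: OP_0 <32-byte push> <hash>
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return Exposure("P2WSH", False, "only SHA256(witness script) until the first spend")
    # P2TR: OP_1 <32-byte push> <x-only output key>; the tweaked public key is on-chain
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return Exposure("P2TR", True, "x-only output public key is in the output script")
    return Exposure("unknown", True, "unrecognised template, treat as exposed until reviewed")


def audit_utxos(utxos):
    """Return (txid, vout, kind, sats) for every UTXO whose script already exposes a key.
    This is a script-only view: a complete audit also needs spend history, because a
    P2PKH or P2WPKH address that has been spent from has its public key in the spending
    transaction's input, so reusing that address is as exposed as P2PK."""
    flagged = []
    for txid, vout, spk_hex, sats in utxos:
        ex = classify_script_pubkey(bytes.fromhex(spk_hex))
        if ex.key_on_chain:
            flagged.append((txid, vout, ex.kind, sats))
    return flagged


# Constructed sample outputs (not real chain data): dummy key and hash bytes.
DUMMY_PUBKEY = "02" + "11" * 32   # 33-byte compressed-key placeholder
DUMMY_HASH160 = "22" * 20
DUMMY_XONLY = "33" * 32
SAMPLE_UTXOS = [
    ("txid-placeholder-1", 0, "21" + DUMMY_PUBKEY + "ac", 5_000_000_000),   # P2PK
    ("txid-placeholder-2", 1, "76a914" + DUMMY_HASH160 + "88ac", 100_000),  # P2PKH
    ("txid-placeholder-3", 0, "0014" + DUMMY_HASH160, 250_000),             # P2WPKH
    ("txid-placeholder-4", 0, "5120" + DUMMY_XONLY, 75_000),                # P2TR
]

if __name__ == "__main__":
    for row in audit_utxos(SAMPLE_UTXOS):
        print("exposed:", row)
```

On the constructed set, the P2PK and P2TR outputs are flagged and the P2PKH and P2WPKH outputs are not. A custody audit would feed this the UTXO set of the keys under its control, then join the unflagged rows against spend history to catch reused addresses before deciding which funds to migrate first.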

For protocol developers and researchers, the more interesting question the proposal raises is whether Bitcoin’s existing script capabilities are sufficient for a post-quantum transition, or whether future upgrades like OP_CAT, which is under active discussion, would enable cleaner and more efficient quantum-safe constructions. The answer will shape the upgrade roadmap for the next several years.

The broader picture for post-quantum cryptography in blockchain

Bitcoin is not the only network thinking about this. Ethereum’s roadmap includes post-quantum account abstraction as a longer-term goal. Layer 2 protocols built on zero-knowledge proofs, which Boosty Labs works with extensively, already rely on hash-based constructions that are more naturally post-quantum than ECDSA.

The StarkWare QSB proposal is notable partly because it demonstrates that quantum resistance does not require treating Bitcoin as a static system waiting for protocol updates. The existing script language, constrained as it is, has more flexibility than is often assumed. That is a useful data point regardless of whether QSB itself becomes a standard practice.

The quantum threat to Bitcoin is real, measured in years rather than decades, and specific enough to plan around. The tools to address it for future transactions are available today. The harder problem, protecting already-exposed funds, remains open and is worth taking seriously before the window for action closes.