Bitcoin’s Quantum Problem Is Really a Governance Problem

Earlier this month, StarkWare chief product officer Avihu Levy published a proposal that has been the focus of active debate within the Bitcoin community. His scheme, Quantum Safe Bitcoin (QSB), allows users to transact in a way that remains secure even in the face of a large quantum computer using Shor’s algorithm, and it does so without requiring any change to the Bitcoin protocol itself. The engineering is truly brilliant and deserves the attention it has received.
Levy’s proposal was seen in some quarters as a kind of relief valve for Bitcoin: finally, a way to make the network quantum-safe without the slow, controversial process of protocol development. The urgency around quantum security has intensified over the past year as governments and major technology companies accelerate planning for the post-quantum migration. But the proposal answers a much smaller question than most people think it does.
One type of solution for one type of user
Quantum Safe Bitcoin replaces Bitcoin’s elliptic curve signatures with a hash-based signature puzzle that a quantum computer cannot crack, all within Bitcoin’s existing legacy script framework. The trade-off is the cost: each transaction requires about $75 to $150 of GPU compute, which is why the researchers themselves present the scheme as a last resort for securing large balances rather than a replacement for everyday transactions.
What QSB brings is a way for individual owners to adopt quantum resistance today without waiting for network-wide upgrades. That makes sense, especially for institutions, custodians and managers of large BTC balances looking for emergency options against future quantum threats.
What it does not deliver, and was not designed to deliver, is a means for Bitcoin itself to achieve post-quantum security at the network level. The enthusiasm surrounding the proposal has blurred those two questions together, although they are very different problems. The cryptographic part of Bitcoin’s evolution has, in many ways, been the most difficult part for years.
The National Institute of Standards and Technology (NIST) finalized its first post-quantum standards in August 2024. Governments across the United States, United Kingdom and European Union have since published migration roadmaps that extend to the early 2030s, while proposals for post-quantum address types already exist within Bitcoin’s BIP process. Traditional finance, cloud infrastructure providers and national security systems are already actively planning to migrate to post-quantum cryptography, underscoring just how unsolved Bitcoin’s path remains.
The technical basis for quantum-resistant address types in Bitcoin is widely available. The most difficult problem is the coordination required to deploy them across a single decentralized network.
The actual problems
Take out the cryptography, and you’re left with two problems that Bitcoin still hasn’t solved. First, how does Bitcoin migrate hundreds of millions of addresses, spread across exchanges, custodians, hardware wallets, paper backups, dormant cold storage and lost devices? A migration of that scale to a post-quantum address standard would require at least a soft fork, and possibly a hard fork later, and years of coordination within a decentralized ecosystem that has historically struggled to reach consensus even on limited technical changes. Bitcoin’s years-long battles over SegWit activation and block size limits provide a reminder of how contentious governance changes can be even when there is little risk.
Centralized systems can authorize migration, but Bitcoin has no comparable mechanism.
The second question is even bigger. Approximately 1.7 million BTC are locked up in early pay-to-public-key (P2PK) addresses, where the public key has already been disclosed on-chain. Some are believed to belong to Satoshi Nakamoto, the anonymous creator of Bitcoin. Many others are probably lost forever. Researchers from Google Quantum AI have separately estimated that about 6.9 million BTC across all script types may eventually face some level of quantum exposure, depending on implementation details and how the funds are handled. As soon as a sufficiently powerful quantum computer arrives, these addresses can (and probably will) be exploited immediately.
And the expected timeline is tight. In March, Google’s Quantum AI team published updated estimates suggesting that breaking Bitcoin’s elliptic curve cryptography may require approximately 20 times fewer physical qubits than estimates calculated just one year earlier. A practical attack is still widely believed to be years away, but the trajectory is becoming increasingly difficult for the industry to ignore.
The Bitcoin community has yet to agree on what to do with these vulnerable coins, and every available option carries significant trade-offs. Leave them untouched, and they become a free harvest for whoever achieves quantum mastery first. Freeze them, and Bitcoin’s principle of credible neutrality is in jeopardy. Burn them, and the network crosses a different but equally serious governance line. And beneath all three of these options lies a political question that no one has answered: who will actually make the decision?
Bitcoin Core developers can write code, but they cannot move coins, and any solution affecting dormant balances would require the agreement of miners, traders, custodians, node operators and the wider community of owners.
The prospect of any of those parties deciding what happens to someone else’s BTC is the kind of thing Bitcoin was specifically designed to prevent. That is the part of the problem that QSB doesn’t deal with, and it is also the part that no standalone cryptographic proposal can solve.
Decisions that don’t get a second pass
The default assumption underlying decentralized infrastructure has been that anything can eventually be improved, given enough time and enough consensus. Bitcoin’s quantum problem is the first serious test of that idea against a deadline the network doesn’t control. Unlike previous governance disputes about scale or performance, the pressure is being applied from outside, by advances in physics, computing and cryptography.
If the migration succeeds, it succeeds on the terms the network’s owners set, which means slowly and at great cost. If it fails, it fails because the external technical deadline arrived before Bitcoin’s internal coordination mechanisms did.
Either way, the result is the same: cryptographic decisions made at launch are not meant to last forever, and the idea that a decentralized network can adapt to anything given an adequate runway is one that the revolution will challenge.
The problem under the problem
None of this detracts from what QSB actually accomplishes. It provides transaction-level quantum resistance to individual owners who can afford the associated compute costs, and that’s a useful option to have on the table.
But the problem the network must solve is one that lies beneath cryptography itself: how does a decentralized system with no central authority migrate hundreds of millions of addresses to a new cryptographic standard, and what does it do with coins that will never move on their own?
Whatever solution eventually emerges will depend on governance, coordination and mutual consent. And those processes are much slower, and much harder, than cryptographic progress. Bitcoin’s quantum problem, in other words, may end up revealing less about the limits of cryptography than the limits of decentralized networks under technological pressure.




