
Quantum-Safe Bitcoin Without a Soft Fork at $200 a Transaction

10 min read
Dora Noda
Software Engineer

What if you could quantum-proof your Bitcoin today — no hard fork, no soft fork, no waiting seven years for governance consensus — as long as you were willing to pay about $200 per transaction?

That's the offer on the table from a new StarkWare paper that has quietly become one of the most important Bitcoin research artifacts of 2026. On April 9, StarkWare researcher Avihu Levy published "QSB: Quantum Safe Bitcoin Transactions Without Softforks," and within 24 hours CoinDesk, The Quantum Insider, and Bitcoin Magazine had all framed it as a potential escape hatch for the roughly 4 million BTC — more than $280 billion at April's prices — that already sit in quantum-vulnerable addresses.

The catch is real. So is the relief. Together, they reshape how serious Bitcoin holders should be thinking about Q-Day.

Why Bitcoin Suddenly Has a Quantum Clock

For most of Bitcoin's history, quantum risk was a footnote — an engineering problem dated "sometime after 2035." That timeline has tightened dramatically.

Google's Quantum AI team pulled its own cryptographically relevant quantum computer (CRQC) estimate forward to 2029. A U.S. Federal Reserve working paper on "harvest now, decrypt later" risk now treats post-quantum migration as a near-term policy concern, not a science-fiction one. Project Eleven and other research groups routinely cite that roughly 4 million BTC, about 25% of the circulating supply, sit in addresses with already-exposed public keys: pay-to-public-key (P2PK) outputs from the earliest era, and reused pay-to-public-key-hash (P2PKH) addresses whose public keys were revealed the moment coins were spent.

Those 4 million BTC are the juicy target. A sufficiently powerful quantum computer running Shor's algorithm could derive the private key from the exposed public key, and the coins — including the roughly 1 million BTC attributed to Satoshi — would be drainable.

The "harvest now, decrypt later" thesis is that state-level adversaries are already archiving those public keys today, waiting for the hardware to catch up. That is what turns a distant cryptographic risk into an immediate governance emergency.

The Two Standard Answers — and Why Both Are Slow

Bitcoin's developer community has converged on two structural fixes, neither of which is available to a holder who wants protection this week.

BIP 360 (Pay-to-Merkle-Root) is the leading soft fork proposal, merged into the official BIP repository and co-authored by Ethan Heilman and StarkWare researchers. It introduces a new output type that removes the public key from on-chain scripts and sets up the scaffolding for future post-quantum signatures like ML-DSA (Dilithium) and SLH-DSA (SPHINCS+). It is thoughtful, carefully specified, and — by a BIP 360 co-author's own admission to Cointelegraph — roughly a seven-year journey to full activation once you account for client implementation, testing, soft-fork signaling, and user migration.

BIP 361 extends that by proposing a phased sunset of legacy ECDSA signatures, which critics have flagged as a philosophical departure from Bitcoin's "your keys, your coins forever" ethos because unmigrated UTXOs would eventually become unspendable.

Both proposals are the right long-term engineering. Neither helps a custodian whose compliance team is asking, today, how many of the 12,000 BTC sitting in a corporate treasury are exposed.

What QSB Actually Does

Levy's QSB scheme is clever precisely because it refuses to touch the protocol. It uses only capabilities that Bitcoin script already supports, and it leans on one cryptographic primitive that quantum computers do not meaningfully weaken: the hash function.

The mechanic is a two-step commit/reveal:

  1. Commit: In a first on-chain transaction, the holder publishes a hash commitment that binds a future quantum-resistant public key (or a hash-based, one-time signature) to the UTXO they want to protect.
  2. Reveal: In a later transaction, the holder reveals the quantum-resistant material and spends the UTXO. Because a quantum computer has no practical shortcut for inverting a cryptographic hash (Shor's algorithm does not apply to hash preimages), an adversary who only saw the commitment learns nothing useful in the window between the two steps.

QSB layers hash-based proofs and off-chain GPU work on top of this pattern so that the on-chain footprint stays within what existing Bitcoin nodes will accept. No new opcode. No consensus change. No upgrade coordination.
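To make the commit/reveal mechanic concrete, here is an added, simplified model of the pattern (not code from the QSB paper or StarkWare, and not its actual proof construction): a hash-based one-time Lamport key stands in for the quantum-resistant material, the commitment is a SHA-256 hash binding a UTXO identifier to that key, and the reveal step checks both the commitment and a signature over the spend. The UTXO id, seeds and spend message are constructed sample values.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def lamport_keygen(seed: bytes):
    """One-time Lamport key derived from a seed: 256 pairs of secret
    preimages; the public key is the SHA-256 of each preimage."""
    sk = [[sha256(seed + bytes([b]) + i.to_bytes(2, "big")) for b in (0, 1)]
          for i in range(256)]
    pk = [[sha256(s) for s in pair] for pair in sk]
    return sk, pk

def _bits(msg: bytes):
    d = sha256(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(sk, msg: bytes):
    # Reveal exactly one preimage per message bit; the key must never be reused.
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        sha256(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))

def pk_hash(pk) -> bytes:
    return sha256(b"".join(h for pair in pk for h in pair))

def make_commitment(utxo_id: bytes, pk) -> bytes:
    """Step 1 (commit): the only value published is this hash, which binds the
    UTXO to the hash-based key. Seeing it reveals nothing about pk."""
    return sha256(b"qsb-commit-illustrative" + utxo_id + pk_hash(pk))

def verify_reveal(utxo_id: bytes, commitment: bytes, pk, spend_msg: bytes, sig) -> bool:
    """Step 2 (reveal): anyone can check that the revealed key matches the
    earlier commitment and that the spend is signed with it."""
    return make_commitment(utxo_id, pk) == commitment and lamport_verify(pk, spend_msg, sig)

def demo() -> dict:
    utxo_id = b"constructed-txid:0"            # constructed sample, not a real outpoint
    sk, pk = lamport_keygen(b"constructed-seed-do-not-use")
    commitment = make_commitment(utxo_id, pk)  # tx 1: publish only this hash
    spend = b"spend constructed-txid:0 -> new quantum-safe output"
    sig = lamport_sign(sk, spend)              # tx 2: reveal pk and sig together
    _, other_pk = lamport_keygen(b"constructed-other-seed")
    return {
        "valid": verify_reveal(utxo_id, commitment, pk, spend, sig),
        "wrong_key": verify_reveal(utxo_id, commitment, other_pk, spend, sig),
        "tampered_spend": verify_reveal(utxo_id, commitment, pk, spend + b"!", sig),
    }
```

The Lamport key here is for illustration only; a real deployment would use a standardized scheme such as SLH-DSA and, as the paper does, compress the on-chain footprint.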

The Quantum Resistant Ledger team's public critique of the paper — titled "It's Clever. But Read the Fine Print" — is worth taking seriously: the scheme is expressive enough to transfer value quantum-safely, but it shifts the security budget from on-chain consensus to off-chain compute that the user has to pay for. Which brings us to the bill.

The $200 Per Transaction Problem

Reported cost ranges cluster between $75 and $200 per transaction, depending on GPU prices, parameter choices, and Bitcoin fee conditions. Two forces drive that:

  • Heavy off-chain compute. Hash-based proof generation is cheap per operation but enormous in aggregate. QSB requires serious GPU time per transaction — not something a mobile wallet is going to run locally.
  • Large signatures on-chain. Even with compression tricks, hash-based signatures like SPHINCS+/SLH-DSA land at roughly 8 KB and up, versus ECDSA's 64 bytes. Block space is a real cost.

For a holder moving a single $8,000 UTXO, $200 is a 2.5% haircut — uneconomic. For a custodian consolidating a $5 million cold-storage balance into a quantum-safe commitment, $200 is a rounding error on an insurance premium.

That cost curve quietly determines who QSB is for.

Three Tiers of Quantum Defense Are Now Visible

Zoom out, and a clean tiering is emerging across the industry. Think of it as defense-in-depth with very different unlock timelines:

  1. Retrofit (available now): commit/reveal schemes like QSB. No governance needed. Economically viable for large UTXOs. This is the tier that protects Satoshi-era coins and institutional balances while the rest of the stack catches up.
  2. Protocol upgrade (multi-year): BIP 360 and successors. A native Bitcoin output type that removes exposed public keys and adds a clean slot for post-quantum signatures. Long activation horizon, but the eventual equilibrium state.
  3. Built-from-scratch (live today on other chains): Naoris Protocol, Circle Arc. Naoris launched its mainnet on April 2, 2026 as a natively post-quantum Layer 1 using CRYSTALS-Dilithium (ML-DSA-87) at NIST Security Level 5. Circle has announced that its Arc L1 will ship with quantum-resistant wallet signatures from mainnet and upgrade validator signatures over time. These chains will never have to migrate a legacy address base.

Each tier targets a different audience: QSB for Bitcoin holders who cannot wait, BIP 360 for Bitcoin the protocol, and Naoris/Arc for new capital that wants quantum resistance as a default rather than a retrofit.

The Market That QSB Might Accidentally Create

If you are a custodian — Coinbase Custody, Fidelity Digital Assets, BitGo, Anchorage — the QSB paper is arguably the most interesting Bitcoin research published this year, not because of its cryptographic novelty but because of what it enables commercially.

A plausible product offering is already visible in outline:

  • Quantum Migration Services as a premium tier on top of institutional custody. Clients pay a per-UTXO migration fee (say, $250–$500 batched) to move their holdings into QSB-protected commitments.
  • Batching economics. A custodian holding 50,000 BTC across 8,000 UTXOs can amortize GPU compute across many clients and negotiate block space strategically, turning a $200 retail cost into a $30–$60 wholesale cost.
  • Regulatory tailwind. As "harvest now, decrypt later" enters the vocabulary of the SEC, OCC, and European banking regulators, expect enterprise clients to start asking whether their Bitcoin exposure is quantum-migrated. "Not yet" is about to become an uncomfortable answer at board meetings.

Cardano's Charles Hoskinson, never shy, used an April 16 CoinDesk interview to argue that Bitcoin's quantum fix ultimately needs a hard fork that "can't save Satoshi's coins." QSB is a direct counter-argument: a retrofit that can protect any UTXO whose owner is still alive to move it, without touching consensus at all.

What Holders Should Actually Do

A pragmatic playbook starts to fall out of this:

  • Audit exposure first. If your Bitcoin lives in a freshly generated P2WPKH or Taproot address that has never been spent from, your public key is not on-chain. You are in materially better shape than P2PK/reused P2PKH holders, though still not immune long-term.
  • Prioritize large, long-held cold UTXOs. These are the ones where $200 in fees is negligible and where the "harvest now, decrypt later" archive is most likely to have already captured your public key.
  • Watch BIP 360 like a hawk. When it activates, the economics flip — native quantum-safe outputs will be far cheaper than QSB retrofits.
  • Expect custodian products by Q4 2026. Any custodian serving institutional clients will be under pressure to offer a quantum migration path; the ones that move first will win mandates.
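The first two playbook steps (audit exposure, then prioritize large UTXOs) can be scripted. The following is an added example, not tooling from the article or from any custodian: it classifies a UTXO's scriptPubKey as P2PK, P2PKH or P2WPKH, treats the key as exposed when the output type publishes it (P2PK) or when the address has already been spent from (P2PKH/P2WPKH), and ranks exposed UTXOs by the haircut a fixed per-transaction migration cost would impose. Taproot is not modeled. The UTXOs, spend history and BTC price are constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Utxo:
    txid: str           # constructed sample ids, not real outpoints
    vout: int
    script_pubkey: str  # hex
    value_btc: float

def script_type(spk_hex: str) -> str:
    spk = bytes.fromhex(spk_hex)
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH"                       # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH"                      # OP_0 <20-byte key hash>
    if len(spk) in (35, 67) and spk[0] in (33, 65) and spk[-1] == 0xAC:
        return "P2PK"                        # <pubkey> OP_CHECKSIG, key is in the script itself
    return "other"

def key_exposed(spk_hex: str, address_has_spent: bool) -> bool:
    t = script_type(spk_hex)
    if t == "P2PK":
        return True                          # public key is on-chain from day one
    if t in ("P2PKH", "P2WPKH"):
        return address_has_spent             # key revealed in scriptSig/witness on first spend
    return False                             # other types are not modeled here

def haircut_pct(value_btc: float, btc_usd: float, fee_usd: float) -> float:
    """Share of the UTXO's value consumed by one migration transaction."""
    return fee_usd / (value_btc * btc_usd)

def exposed_by_priority(utxos, spent: set, btc_usd: float, fee_usd: float = 200.0):
    """Exposed UTXOs, largest first, with the haircut a fixed fee would impose."""
    rows = [(u.txid, u.vout, round(haircut_pct(u.value_btc, btc_usd, fee_usd), 4))
            for u in utxos if key_exposed(u.script_pubkey, u.script_pubkey in spent)]
    return sorted(rows, key=lambda r: r[2])

SAMPLE = [  # constructed sample set
    Utxo("tx-p2pk", 0, "21" + "02" + "ef" * 32 + "ac", 50.0),
    Utxo("tx-reused", 1, "76a914" + "ab" * 20 + "88ac", 0.1),
    Utxo("tx-fresh", 0, "0014" + "cd" * 20, 3.0),
]
SPENT_SCRIPTS = {"76a914" + "ab" * 20 + "88ac"}   # this address has spent before
```

Run `exposed_by_priority(SAMPLE, SPENT_SCRIPTS, btc_usd=80000.0)` to see the 50 BTC P2PK output first with a negligible haircut and the reused 0.1 BTC output last at the 2.5% figure from the article.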

The deeper shift QSB represents isn't cryptographic — it's governance. For years, Bitcoin's quantum conversation was trapped in a binary: either we wait for a soft fork that may take most of a decade, or we accept tail risk. A credible retrofit option breaks that binary. Holders with conviction and capital can now buy protection today, at a knowable price, without asking anyone's permission.

That is a very Bitcoin answer to a very Bitcoin problem.

BlockEden.xyz provides enterprise-grade RPC and indexing infrastructure across Bitcoin, Sui, Aptos, Ethereum, and 27+ other chains. If you're building tooling that needs to track UTXO state, monitor mempool activity, or index commit/reveal patterns at scale, explore our API marketplace — infrastructure designed to outlast the next decade of protocol change.