Bitcoin’s quantum problem is really a governance problem


Image caption: Model of quantum computing. As quantum computing advances accelerate, Bitcoin faces a deeper challenge than cryptography: how a decentralized network governs irreversible changes. (Photo: Unsplash+)

Earlier this month, StarkWare Chief Product Officer Avihu Levy published a proposal that has been the focus of active debate within the Bitcoin community. His scheme, Quantum Safe Bitcoin (QSB), allows users to transact in a way that remains secure even against a large-scale quantum computer running Shor’s algorithm, and it does so without requiring any changes to the Bitcoin protocol itself. The engineering is genuinely clever and deserves the attention it has received.

Levy’s proposal was perceived in some circles as a kind of relief valve for Bitcoin: finally, a way to make the network quantum secure without the slow and controversial process of a protocol upgrade. The urgency around quantum resilience has intensified over the past year as governments and major technology firms accelerate post-quantum migration planning. But the proposal answers a much smaller question than many seem to think it does.

One type of solution for one type of user

Quantum Safe Bitcoin replaces Bitcoin’s elliptic curve signatures with a hash-based signature puzzle that a quantum computer cannot efficiently break, all within Bitcoin’s existing legacy script framework. The trade-off is cost: each transaction requires about $75 to $150 in GPU computation, which is why the researchers themselves pitch the scheme as a last-ditch mechanism for securing large balances rather than a scalable replacement for everyday transactions.

What QSB provides is a way for an individual holder to perform a quantum-resistant transaction today without waiting for a network-wide upgrade. This is significant, especially for institutions, custodians and large BTC holders looking for contingency options against future quantum threats.

What it does not provide, and was never designed to provide, is a path for Bitcoin itself to achieve network-level post-quantum security. Much of the enthusiasm surrounding the proposal has blurred these two questions together, even though they are fundamentally different problems. The cryptographic component of Bitcoin’s transition has been, in many ways, the least difficult part for years.

The National Institute of Standards and Technology (NIST) finalized the first post-quantum standards in August 2024. Governments across the United States, the United Kingdom, and the European Union have since published migration roadmaps stretching into the early 2030s, while proposals for post-quantum address types already exist within Bitcoin’s BIP process. Traditional finance, cloud infrastructure providers, and national security systems are already actively planning migrations to post-quantum cryptography, underscoring how uncharted Bitcoin’s path remains.

The technical basis for quantum-resistant addresses in Bitcoin is largely in place. The much more difficult problem is the coordination required to move a decentralized network onto them.

The problems that actually remain

Take away the cryptography and you are left with two problems that Bitcoin has yet to solve. First, how does Bitcoin migrate hundreds of millions of addresses, spread across exchanges, custodians, hardware wallets, paper backups, dormant cold storage, and lost devices? A migration of that scale to a post-quantum addressing standard would require at least a soft fork, and most likely a hard fork later, along with years of coordination in a decentralized ecosystem that has historically struggled to reach consensus on even relatively narrow technical improvements. Bitcoin’s years-long battles over SegWit activation and block size limits provide a reminder of how governance changes can become contentious even when much less is at stake.

Centralized systems can mandate a migration, but Bitcoin has no comparable mechanism.

The second question is even bigger. There are roughly 1.7 million BTC locked in early pay-to-public-key (P2PK) outputs, where the public key is already exposed on the chain. Some are believed to belong to Satoshi Nakamoto, the pseudonymous creator of Bitcoin. Many others are almost certainly lost forever. Researchers from Google Quantum AI have separately estimated that up to 6.9 million BTC across all script types could eventually face some level of quantum exposure, depending on implementation details and wallet behavior. Once a sufficiently capable quantum computer emerges, these outputs can (and probably will) be exploited immediately.
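As an added illustration (not code from the article, from QSB or from its author), here is the kind of inventory check a custodian might run over its own UTXO set: it classifies raw scriptPubKeys and reports which outputs already reveal a public key on-chain, the distinction behind the P2PK figure above, and which only do so once the owner has reused the key. The script patterns are the standard Bitcoin output templates; the sample UTXOs, their values and their key bytes are constructed placeholders.

```python
"""Classify Bitcoin scriptPubKeys by whether their public key is already exposed
on-chain. Constructed example for this article; not code from QSB or the author."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    script_type: str
    key_exposed: bool  # True if the key is readable on-chain before any spend
    note: str

def classify_spk(spk: bytes, address_reused: bool = False) -> Exposure:
    """address_reused marks outputs whose owner already spent from the same key
    (that spend revealed the key), the wallet-behaviour exposure the article mentions."""
    n = len(spk)
    # P2PK: <push33|push65> <pubkey> OP_CHECKSIG: the key sits in the output itself
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return Exposure("P2PK", True, "public key is in the output")
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG: only a hash until spent
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return Exposure("P2PKH", address_reused, "key behind HASH160 unless reused")
    # P2WPKH: OP_0 <20-byte key hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return Exposure("P2WPKH", address_reused, "key behind HASH160 unless reused")
    # P2TR: OP_1 <32-byte x-only output key>: the key-path key is visible on-chain
    if n == 34 and spk[:2] == b"\x51\x20":
        return Exposure("P2TR", True, "tweaked output key is in the output")
    # P2SH: OP_HASH160 <20> OP_EQUAL: redeem script and its keys hidden until spent
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return Exposure("P2SH", address_reused, "redeem script hidden unless reused")
    return Exposure("unknown", False, "unrecognised script; review manually")

def exposed_balance(utxos) -> int:
    """Sum the sats of UTXOs whose key is already exposed; utxo = (spk, sats, reused)."""
    return sum(v for spk, v, r in utxos if classify_spk(spk, r).key_exposed)

# Constructed sample UTXO set with placeholder keys and hashes (not real chain data).
SAMPLE_UTXOS = [
    (b"\x41\x04" + b"\x11" * 64 + b"\xac", 50_00000000, False),  # early P2PK output
    (b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac", 1_00000000, False),  # fresh P2PKH
    (b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac", 2_00000000, True),  # reused P2PKH
    (b"\x00\x14" + b"\x44" * 20, 3_00000000, False),  # fresh P2WPKH
    (b"\x51\x20" + b"\x55" * 32, 4_00000000, False),  # taproot key-path output
]

if __name__ == "__main__":
    for spk, sats, reused in SAMPLE_UTXOS:
        e = classify_spk(spk, reused)
        print(f"{e.script_type:7} exposed={str(e.key_exposed):5} {sats / 1e8:6.2f} BTC  {e.note}")
    print(f"already exposed: {exposed_balance(SAMPLE_UTXOS) / 1e8:.2f} BTC")
```

On the constructed set, the P2PK output, the reused P2PKH output and the taproot output are counted as exposed (56 BTC), while the fresh hash-based outputs are not.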

And the expected timeline is tightening. In March, Google’s Quantum AI team published revised estimates suggesting that breaking Bitcoin’s elliptic curve cryptography could require about 20 times fewer physical qubits than forecasts made only a year earlier. Practical attacks are still widely believed to be years away, but the direction of travel is becoming hard for the industry to ignore.

The Bitcoin community has not reached consensus on what to do with these vulnerable coins, and each available option carries significant trade-offs. Leave them intact and they effectively become a free harvest for whoever achieves quantum capability first. Freeze them and Bitcoin’s principle of trust neutrality is at risk. Burn them and the network crosses a different but equally important governance line. And beneath all three possibilities is a political question that no one has yet answered: who should actually decide?

Bitcoin Core developers can write code, but they can’t move coins, and any solution that affects dormant balances would require agreement from miners, exchanges, custodians, node operators, and the wider community of holders.

The precedent of any of those groups deciding what happens to someone else’s BTC is the kind of thing Bitcoin was specifically designed to prevent. This is the part of the problem that QSB does not engage with, and it is also the part that no independent cryptographic proposal can solve.

Decisions that don’t get a second pass

The default assumption underlying much decentralized infrastructure has been that everything can be improved eventually, given enough time and enough consensus. Bitcoin’s quantum problem is the first serious test of this assumption against a deadline that the network does not control. Unlike previous governance disputes over scalability or throughput, the pressure is imposed externally by advances in physics, computing and cryptography.

If the migration succeeds, it succeeds on terms dictated by the network’s participants, which almost certainly means slowly and at considerable cost. If it fails, it fails because an external technological deadline arrived before Bitcoin’s internal coordination mechanisms did.

Either way, the lesson is the same: cryptographic decisions made at launch were never meant to last forever, and the assumption that a decentralized network can adapt to anything given enough runway is one that this transition will challenge.

The problem under the problem

None of this detracts from what QSB actually accomplishes. It provides transaction-level quantum resistance for individual holders who can afford the associated computational costs, and it’s a useful capability to have on the table.

But the problem the network must solve is one beneath cryptography itself: how does a decentralized system with no central authority migrate hundreds of millions of addresses to a new cryptographic standard, and what does it do with coins that will never move on their own?

Whatever solution ultimately emerges will depend on governance, coordination and collective decision-making. And these processes move much more slowly and much more messily than cryptographic discoveries. Bitcoin’s quantum problem, in other words, may ultimately reveal less about the limits of cryptography than about the limits of decentralized coordination under technical pressure.
