en.Wedoany.com Reported - StarkWare researcher Avihu Mordechai Levy published a technical paper on the Quantum-Secure Bitcoin (QSB) transaction scheme in April 2026, proposing a transaction construction method that can resist quantum computing attacks without changing Bitcoin's network consensus rules. According to Levy's paper, the QSB scheme modifies the existing Binohash construction, replacing the proof-of-work puzzle based on signature size with a hash-to-signature puzzle. It relies solely on the preimage resistance of the RIPEMD-160 hash function, achieving approximately 118-bit second-preimage resistance under the Shor's algorithm threat model and about 59-bit under Grover's algorithm. Levy explicitly wrote in the paper: "Since the puzzle relies only on the preimage resistance of RIPEMD-160 (and not on any elliptic curve assumptions), it is completely unaffected by Shor's algorithm."
In the technical paper, Levy pointed out that Bitcoin's currently used ECDSA and Schnorr signature schemes are vulnerable to attacks from sufficiently powerful quantum computers. A quantum computer running Shor's algorithm could break the elliptic curve discrete logarithm problem, thereby forging signatures and stealing funds. There was previously a quantum-resistant Bitcoin transaction scheme called Binohash, which ensured transaction integrity through a proof-of-work puzzle based on signature length, but quantum computing could also crack this puzzle—attackers could use a quantum computer to calculate the smallest possible r-value (equal to 1), thereby bypassing the signature size check. The QSB scheme eliminates this vulnerability by creating a "hash-to-signature" puzzle based purely on hashing rather than elliptic curve mathematics, requiring the payer to solve a cryptographic puzzle that relies solely on the preimage resistance of a hash function. Levy explained: "We replace the proof-of-work puzzle based on signature size with a hash-to-signature puzzle."
The QSB scheme complies with Bitcoin's old script limits—201 opcodes and 10,000 bytes—and can be deployed via a soft fork without requiring a network-wide upgrade. The paper notes that these limits are extremely stringent; even if an opcode appears in an unused script branch, it still counts towards the total. Its core mechanism involves hashing a transaction-bound public key via RIPEMD-160 and checking if the output is a valid DER signature, an event with a probability of approximately 2^(-46). Based on this, a cryptographically strong identifier for the spending transaction is derived, and a Lamport signature—an early signature scheme considered resistant to quantum attacks—is verified on it. Levy wrote in the paper: "Since Lamport signatures are post-quantum secure, and they sign the cryptographically strong identifier of the transaction, it is impossible to modify the transaction without creating a new Lamport signature—attackers cannot forge this signature even with quantum computing capabilities." The scheme also hardcodes the puzzle's signature to SIGHASH_ALL, eliminating the risk of transaction tampering due to limited sighash flag visibility.
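The DER check at the centre of the puzzle can be sized directly. The following Python sketch is an added example, not code from Levy's paper or from this article: it tests whether a 20-byte digest parses as a strictly encoded DER signature and counts exactly how many 20-byte strings pass. It assumes that the RIPEMD-160 output is checked without the sighash byte and that "valid" means the BIP66 strict-encoding rules; the paper's exact acceptance rule may differ, and all function names are hypothetical.

```python
import math

def _int_ok(b: bytes) -> bool:
    """DER INTEGER body: non-negative and minimally encoded."""
    if b[0] & 0x80:                       # high bit set would mean negative
        return False
    # a leading 0x00 is only allowed when the next byte has its high bit set
    return not (len(b) > 1 and b[0] == 0 and not b[1] & 0x80)

def is_strict_der(sig: bytes) -> bool:
    """BIP66-style check of 0x30 len 0x02 rlen R 0x02 slen S, no sighash byte."""
    n = len(sig)
    if not 8 <= n <= 72 or sig[0] != 0x30 or sig[1] != n - 2 or sig[2] != 0x02:
        return False
    rlen = sig[3]
    if rlen == 0 or 7 + rlen > n:         # S needs tag, length, >= 1 byte
        return False
    if sig[4 + rlen] != 0x02:
        return False
    slen = sig[5 + rlen]
    if slen == 0 or 6 + rlen + slen != n:
        return False
    return _int_ok(sig[4:4 + rlen]) and _int_ok(sig[6 + rlen:])

def encodings(k: int) -> int:
    """Number of k-byte strings accepted by _int_ok."""
    if k == 1:
        return 128                        # 0x00 .. 0x7f
    return 127 * 256 ** (k - 1) + 128 * 256 ** (k - 2)

def valid_count(n: int) -> int:
    """Number of n-byte strings accepted by is_strict_der (6 framing bytes)."""
    body = n - 6
    return sum(encodings(r) * encodings(body - r) for r in range(1, body))

def success_log2(n: int = 20) -> float:
    """log2 of the chance that a uniform n-byte digest is a strict DER signature."""
    return math.log2(valid_count(n)) - 8 * n

if __name__ == "__main__":
    # constructed sample digest, not taken from the paper
    sample = bytes.fromhex("3012" "0207" "01" + "aa" * 6 + "0207" "7f" + "bb" * 6)
    print(is_strict_der(sample), round(success_log2(), 2))
```

Under these assumptions the six framing bytes and the two sign bits account for nearly all of the cost, and the thirteen possible splits between R and S give a little of it back.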
An implementation cost assessment in the paper estimates that finding a valid solution requires approximately 70 trillion attempts. The off-chain cost of solving the puzzle using commercial GPUs is estimated at about $75 to $150, significantly higher than the current average Bitcoin transaction fee of around 33 cents. Levy positions QSB as a "last resort" measure against quantum threats, providing an emergency backup plan while permanent solutions like BIP-360 may still take years to activate. The technical paper also acknowledges current limitations: due to scalability issues and high transaction generation complexity, QSB transactions might be considered non-standard by current relay policies and may require services like Slipstream to be submitted directly to miners; it also does not yet cover some Bitcoin use cases like Lightning Network channels. Levy emphasized: "To the extent that the quantum threat can be considered real, it remains necessary to continue investing in research and implementing the best possible solution for Bitcoin—one that maximizes efficiency and user-friendliness and can respond to Bitcoin's needs through protocol-level changes."