Quantum Computing Is Testing Bitcoin’s Most Important Assumption


Earlier this month, StarkWare’s chief product officer Avihu Levy published a proposal that has been the focus of active debate within the Bitcoin community. His scheme, Quantum Safe Bitcoin (QSB), allows users to transact in a way that remains secure even against a large-scale quantum computer running Shor’s algorithm, and it does so without requiring any change to the Bitcoin protocol itself. The engineering is genuinely clever and does deserve the attention it has received.

Levy’s proposal has been perceived in some quarters as a kind of relief valve for Bitcoin: finally, a way to make the network quantum-safe without the slow, contentious process of a protocol upgrade. The urgency around quantum resilience has intensified over the past year as governments and major technology firms accelerate post-quantum migration planning. But the proposal answers a much smaller question than many people seem to think it does.

One kind of solution for one kind of user

Quantum Safe Bitcoin replaces Bitcoin’s elliptic curve signatures with a hash-based signature puzzle that a quantum computer cannot efficiently shortcut, all within Bitcoin’s existing legacy script framework. The trade-off is cost: each transaction requires an estimated $75 to $150 in GPU compute, which is why the researchers themselves frame the scheme as a last-resort mechanism for securing large balances rather than a scalable replacement for everyday transactions. 

What QSB delivers is a way for an individual holder to make a quantum-resistant transaction today without waiting for a network-wide upgrade. That is meaningful, particularly for institutions, custodians and large BTC holders seeking contingency options against future quantum threats. 

What it does not deliver, and was never designed to deliver, is a path for Bitcoin itself to reach post-quantum security at the network level. Much of the enthusiasm surrounding the proposal has blurred those two questions together, even though they are fundamentally different problems. The cryptographic component of Bitcoin’s transition has, in many ways, been the least difficult part for years.

The National Institute of Standards and Technology (NIST) finalized its first post-quantum standards in August 2024. Governments across the United States, United Kingdom and European Union have since published migration roadmaps extending into the early 2030s, while proposals for post-quantum address types already exist within Bitcoin’s BIP process. Traditional finance, cloud infrastructure providers and national security systems are already actively planning migrations toward post-quantum cryptography, underscoring how comparatively unresolved Bitcoin’s path remains. 

The technical groundwork for a quantum-resistant address type in Bitcoin is largely in place. The much harder problem is the coordination required to move the decentralized network onto one.

The problems that actually are

Strip away the cryptography, and you are left with two problems that Bitcoin still has not solved. First, how does Bitcoin migrate hundreds of millions of addresses, spread across exchanges, custodians, hardware wallets, paper backups, dormant cold storage and lost devices? A migration of that scale to a post-quantum address standard would require at minimum a soft fork, and quite possibly, a hard fork later on, alongside years of coordination across a decentralized ecosystem that has historically struggled to reach consensus even on comparatively narrow technical upgrades. Bitcoin’s years-long battles over SegWit activation and block-size limits offer a reminder of how contentious governance changes can become even when far less is at stake. 

Centralized systems can mandate a migration, but Bitcoin has no comparable mechanism.

The second question is even bigger. There are roughly 1.7 million BTC trapped in early pay-to-public-key (P2PK) addresses, where the public key is already exposed on-chain. Some are believed to belong to Satoshi Nakamoto, the pseudonymous creator of Bitcoin. Many others are almost certainly lost forever. Researchers from Google Quantum AI have separately estimated that as much as 6.9 million BTC across all script types may ultimately face some level of quantum exposure depending on implementation details and wallet behavior. As soon as a capable enough quantum computer comes along, these addresses could be (and probably will be) exploited immediately.
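The distinction the paragraph draws, between outputs that already publish a public key and outputs that only publish a hash until they are spent, is mechanical enough to check per output. The following triage helper is an added example, not code from the article or from QSB; it inspects a scriptPubKey and, for hash-based output types, takes a caller-supplied flag (assumed to come from a block explorer or indexer) saying whether the address has ever been spent from, since a prior spend reveals the key in the scriptSig or witness. The sample scripts are constructed, not real on-chain data.

```python
import enum


class Exposure(enum.Enum):
    EXPOSED = "public key (or taproot output key) is visible on-chain"
    HIDDEN = "only a hash is on-chain; key is revealed when spent"
    UNKNOWN = "unrecognised script type"


def classify_script(spk: bytes) -> tuple[str, Exposure]:
    """Classify a raw scriptPubKey by its standard template."""
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG (0xac); the key itself is the output.
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        compressed_ok = n == 35 and spk[1] in (0x02, 0x03)
        uncompressed_ok = n == 67 and spk[1] == 0x04
        if compressed_ok or uncompressed_ok:
            return "p2pk", Exposure.EXPOSED
    # P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh", Exposure.HIDDEN
    # P2SH: OP_HASH160 <20 bytes> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh", Exposure.HIDDEN
    # P2WPKH / P2WSH: OP_0 <20 bytes> / OP_0 <32 bytes>
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh", Exposure.HIDDEN
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh", Exposure.HIDDEN
    # P2TR: OP_1 <32-byte x-only output key>; the tweaked key is an EC point
    # published in the output, so it falls on the exposed side of the split.
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr", Exposure.EXPOSED
    return "unknown", Exposure.UNKNOWN


def exposure(spk_hex: str, address_has_spent_before: bool) -> tuple[str, Exposure]:
    """Combine script template with reuse history (assumed supplied by an indexer)."""
    kind, exp = classify_script(bytes.fromhex(spk_hex))
    if exp is Exposure.HIDDEN and address_has_spent_before:
        # Address reuse: an earlier spend already published the key or script.
        return kind, Exposure.EXPOSED
    return kind, exp


if __name__ == "__main__":
    # Constructed sample outputs (placeholder key/hash bytes, not real coins).
    samples = [("21" + "02" + "11" * 32 + "ac", False),   # early-style P2PK
               ("76a914" + "aa" * 20 + "88ac", True),     # P2PKH, reused
               ("5120" + "bb" * 32, False)]               # taproot output
    for spk, reused in samples:
        print(spk[:12], "...", exposure(spk, reused))
```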

And the expected timeline is tightening. In March, Google’s Quantum AI team published revised estimates suggesting that breaking Bitcoin’s elliptic curve cryptography may require roughly 20 times fewer physical qubits than projections calculated just one year prior. Practical attacks are still widely believed to be years away, but the direction of travel is becoming difficult for the industry to ignore. 

The Bitcoin community has not reached consensus on what to do with these vulnerable coins, and every available option carries significant tradeoffs. Leave them untouched, and they effectively become a free harvest for whoever reaches quantum capability first. Freeze them, and Bitcoin’s principle of credible neutrality is compromised. Burn them, and the network crosses a different but equally consequential governance line. And underneath all three possibilities is a political question nobody has answered either: who actually gets to decide? 

Bitcoin Core developers can write code, but they cannot move coins, and any solution that touches dormant balances would require agreement from miners, exchanges, custodians, node operators and the broader holder community. 

The precedent of any of those groups deciding what happens to someone else’s BTC is the kind of thing Bitcoin was specifically designed to prevent. That is the part of the problem QSB does not engage with, and it’s also the part that no standalone cryptographic proposal can solve.

The decisions that don’t get a second pass

The default assumption underlying much of decentralized infrastructure has been that anything can be eventually upgraded, given enough time and enough consensus. Bitcoin’s quantum problem is the first serious test of that assumption against a deadline that the network does not control. Unlike previous governance disputes over scaling or throughput, the pressure is being imposed externally by advances in physics, computing and cryptography. 

If the migration succeeds, it succeeds on terms the network’s holders dictate, which almost certainly means slowly and at a significant cost. If it fails, it fails because an external technological timeline arrived before Bitcoin’s internal coordination mechanisms could catch up.

Either way, the result is the same: cryptographic decisions made at launch are not intended to last forever, and the assumption that a decentralized network can adapt to anything given enough runway is one that this transition is going to challenge.

The problem underneath the problem

None of this diminishes what QSB actually accomplishes. It offers transaction-level quantum resistance for individual holders who can afford the associated computation costs, and that is a useful capability to have on the table.

But the problem the network has to solve is the one underneath the cryptography itself: how does a decentralized system with no central authority migrate hundreds of millions of addresses onto a new cryptographic standard, and what does it do about the coins that will never move on their own?

Whatever solution eventually emerges will depend on governance, coordination and collective agreement. And those processes move far more slowly, and far more easily, than cryptographic breakthroughs do. Bitcoin’s quantum problem, in other words, may ultimately reveal less about the limits of cryptography than the limits of decentralized coordination under technical pressure.