Stop #294 - Quantum Readiness

Just a few days after the release of the Google Quantum AI paper on the theoretical threat to Bitcoin cryptography, it turns out that the solution is already within the protocol, with no soft fork to schedule.


In the [previous article](https://www.bitcointrain.it/p/fermata-293-terrorismo-qb-quantum) I told you why the quantum terror that invaded the media after the Google paper is, for now, unjustified.

Less than a week later, someone demonstrated that the solution is already inside Bitcoin. No hard fork needed. No soft fork needed. No changes needed at all.

On April 9, Avihu Mordechai Levy (StarkWare) published on [GitHub](https://github.com/avihu28/Quantum-Safe-Bitcoin-Transactions/) a paper titled "Quantum-Safe Bitcoin Transactions Without Softforks". The thesis is direct: it is possible to sign Bitcoin transactions that are resistant to quantum computers using the already existing consensus rules.

The work - called QSB, Quantum Safe Bitcoin - is based on Binohash by Robin Linus, [mined on-chain](https://bitcoinops.org/en/newsletters/2026/03/13/) as a proof of concept.

The problem with Binohash, however, is that its security mechanism still depends on an assumption about elliptic curves: it presumes that a certain ECDSA value cannot be calculated more efficiently. A quantum computer with Shor's algorithm could do it, making the puzzle vulnerable to exactly the threat it should protect against.

Levy solves the problem by eliminating the dependency on elliptic curves and replacing it with hash functions - mathematical operations whose security is not affected by quantum computers.

The QSB scheme operates in three phases, all within the limits of legacy Bitcoin Script: P2SH transactions, at most 201 opcodes and 10,000 bytes per script.

Phase 1 - Transaction pinning: the locking script contains an ECDSA signature with known values. Whoever wants to spend provides a public key that is bound to the current transaction via `OP_CHECKSIGVERIFY`. So far, standard Bitcoin mechanics. The trick: the script takes that public key, calculates its RIPEMD-160 hash, and tries to interpret the result as a valid DER signature. The probability that a random 20-byte string satisfies the structural constraints of a DER signature is about 1 in 70 trillion. The spender must therefore search for combinations of transaction parameters until finding one that works. A significant computational effort, but feasible with modern GPUs.

Phase 2 - Digest rounds: for the transaction pinned in phase 1, specific subsets are searched among approximately 150 dummy signatures included in the script. Each subset produces a different hash of the transaction, which in turn generates a different public key. The subset whose resulting hash is also a valid DER signature is sought. The indices of the selected signatures form a digest - a collision-resistant fingerprint of the transaction, analogous to a Lamport-type signature.

Phase 3 - Assembly: all derived public keys are recovered, the necessary preimages are extracted, and the final transaction is constructed.
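As an added example (not code from the paper or from this article), the structural DER test that phases 1 and 2 search against can be written out following the BIP66 encoding rules, together with an exact count of how many 20-byte strings pass it. It assumes the last of the 20 bytes plays the role of the sighash byte; under that assumption the pass rate comes out at roughly 2^-46, the same order of magnitude as the figure quoted in phase 1.

```python
from fractions import Fraction
import math

def is_valid_der_sig(sig: bytes) -> bool:
    """Structural BIP66 check: 0x30 len 0x02 lenR R 0x02 lenS S sighash."""
    if not 9 <= len(sig) <= 73:
        return False
    if sig[0] != 0x30 or sig[1] != len(sig) - 3:
        return False
    len_r = sig[3]
    if 5 + len_r >= len(sig):
        return False
    len_s = sig[5 + len_r]
    if len_r + len_s + 7 != len(sig):
        return False
    if sig[2] != 0x02 or len_r == 0 or sig[4] & 0x80:
        return False          # R must be tagged as an integer and non-negative
    if len_r > 1 and sig[4] == 0x00 and not sig[5] & 0x80:
        return False          # R has an unnecessary leading zero byte
    if sig[len_r + 4] != 0x02 or len_s == 0 or sig[len_r + 6] & 0x80:
        return False          # same rules for S
    if len_s > 1 and sig[len_r + 6] == 0x00 and not sig[len_r + 7] & 0x80:
        return False
    return True

def valid_int_encodings(n: int) -> int:
    """Count n-byte strings that are a minimal, non-negative DER integer body."""
    if n == 1:
        return 128                                   # 0x00..0x7f
    # first byte 0x01..0x7f, or 0x00 followed by a byte with the top bit set
    return 127 * 256 ** (n - 1) + 128 * 256 ** (n - 2)

def pass_probability(total_len: int = 20) -> Fraction:
    """Exact fraction of total_len-byte strings that pass is_valid_der_sig."""
    body = total_len - 7          # bytes left for R and S: 6 header bytes + sighash
    count = sum(valid_int_encodings(r) * valid_int_encodings(body - r)
                for r in range(1, body))
    return Fraction(count * 256, 256 ** total_len)   # any sighash byte passes

# Constructed 20-byte sample (not a real signature): lenR = 6, lenS = 7
SAMPLE = bytes.fromhex("30110206" "010203040506" "0207" "01020304050607" "01")

if __name__ == "__main__":
    p = pass_probability()
    print("sample passes:", is_valid_der_sig(SAMPLE))
    print(f"pass rate: 1 in {float(1 / p):.3e} (2^-{-math.log2(p):.2f})")
```

Passing this check only means the bytes parse as a signature; it says nothing about whether the signature verifies against a given key.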

The result: approximately 118 bits of security against Shor's algorithm - up from 0 bits with standard ECDSA - without touching the protocol. Against Grover's algorithm (which offers only a quadratic advantage, not exponential) security stands between 59 and 69 bits.

To try to simplify, imagine that Bitcoin is a building with a safe in the center. Today the safe is protected by a very sophisticated lock, elliptic curve cryptography. A quantum computer would be like a lockpick capable of opening that type of lock.

What Levy discovered is that inside the building the materials already exist to build a completely different lock, one that the lockpick doesn't know how to open. No one needs to renovate the building (hard fork), no one needs to add a new room (soft fork). The bricks are already there, in Bitcoin's original rules. They just need to be assembled the right way.

The right way requires significant computational work. That's why it's not practical to do for every daily transaction. But if one day the lockpick were to actually appear, anyone with something valuable in the safe could protect it immediately, without waiting for someone to redesign the entire building.

This is the takeaway worth bringing home: the Bitcoin protocol, designed in 2008, already contains within itself the ability to defend against a purely theoretical threat. Eli Ben-Sasson, co-founder of StarkWare, wrote on X: "Bitcoin is quantum-safe today. Even if a quantum computer appeared, one capable of breaking conventional signatures, there is already a practical way to create safe transactions. With no change to the Bitcoin protocol."

> THIS IS HUGE. Bitcoin is Quantum-Safe TODAY. Even if a quantum computer appeared, one that breaks the conventional Bitcoin signatures, it shows a practical way to create safe Bitcoin transactions. WITH NO CHANGE TO BITCOIN PROTOCOL!!!
>
> [Eli Ben-Sasson (@EliBenSasson), 6:11 PM · Apr 9, 2026](https://x.com/EliBenSasson/status/2042304531132715035?s=20), quoting Avihu Levy (@avihu28): "Quantum-Safe Bitcoin Transactions Without Softforks" https://t.co/1lx5waX9VV

As mentioned, QSB presents bottlenecks, particularly in terms of costs, time, and user experience.

The cost: between \$75 and \$200 in GPU computing power for each single transaction. Six to eight hours on high-end GPUs. To move your savings in case of a quantum emergency, it's acceptable. To buy a coffee, evidently not.

The user experience, then, is much more complex than a standard Bitcoin transaction. Specialized tools, technical skills, and patience are required.

Distribution: QSB transactions are valid at the consensus level - any Bitcoin node accepts them - but they are non-standard, meaning they exceed the default relay policy limits. To get them to miners, direct channels are needed, such as [Slipstream](https://bitcoinmagazine.com/technical/marathon-launches-slipstream-tech-stack-to-process-non-standard-bitcoin-transactions), Marathon Digital's service that accepts non-standard transactions.

Development status: the GPU pin search works and has produced real results. But the digest search and complete assembly have not yet been tested end-to-end. No QSB transaction has been broadcast on-chain yet.

And it doesn't cover everything: Lightning Network channels, for example, would require separate adaptations.

That said, QSB is not the only development front. On March 20, BTQ Technologies [announced](https://www.prnewswire.com/news-releases/btq-technologies-announces-first-deployment-of-bip-360-on-bitcoin-quantum-testnet-v0-3-0--302718592.html) the first working deployment of BIP-360 on the Bitcoin Quantum Testnet v0.3.0.

BIP-360 is a different approach: it introduces a new transaction type, Pay-to-Merkle-Root (P2MR), with `bc1z` addresses, and it requires a soft fork. The testnet has already surpassed 100,000 mined blocks with over 50 active miners and full wallet support for creating, signing, and spending P2MR transactions.

Levy himself sees BIP-360 as the long-term solution. QSB is plan B - or rather, the plan that already exists in case plan A doesn't arrive in time.

