The Future of Quantum Computing

Quantum Safe Bitcoin Scheme Achieves 118-Bit Security Against Shor’s Algorithm Threat

A new quantum-safe transaction scheme for Bitcoin achieves approximately 118-bit second pre-image resistance against attacks leveraging Shor’s algorithm, despite relying on the pre-image resistance of the RIPEMD-160 hash function. Developed by Avihu Mordechai Levy of StarkWare, the QSB scheme modifies an existing construction, replacing its non-quantum-safe component, a signature-size-based proof-of-work puzzle, with a hash-to-sig puzzle. Remarkably, implementation of this quantum-resistant layer is estimated to cost only a few hundred dollars in off-chain GPU resources. The scheme fits within Bitcoin’s legacy script constraints of 201 opcodes and 10,000 bytes, meaning it can be deployed without requiring a network-altering soft fork. Quantum-Safe Bitcoin: QSB Scheme Introduction A scheme promises to shield Bitcoin transactions from quantum computing threats without requiring a network-altering soft fork. StarkWare’s QSB scheme, detailed by Avihu Mordechai Levy, addresses the vulnerability of Bitcoin’s signature schemes, ECDSA and Schnorr, to attacks from sufficiently powerful quantum computers. This is notable because RIPEMD-160 is considered a relatively weak hash, yet QSB achieves approximately 118-bit second pre-image resistance under the Shor threat model, roughly half under Grover’s algorithm. Levy explains that the scheme fits within Bitcoin’s legacy script constraints of 201 opcodes and 10,000 bytes, avoiding the complexities of a network upgrade. The implementation cost is surprisingly low; estimates suggest an off-chain GPU cost of a few hundred dollars to implement the quantum resistance, a figure that dramatically undercuts expectations for the expense of post-quantum cryptography. QSB derives a cryptographically strong identifier of the spending transaction and verifies a Lamport signature over that identifier. However, the scheme isn’t without limitations. Levy cautions that it should be considered a last-resort measure due to scaling issues and a more