Multiple devs and founders have been talking publicly about concrete post‐quantum paths for Bitcoin. Two different proposals have caught the crypto world’s attention.
Bitcoin’s Net-Watchers Start Building Their Blackwall
The ticking clock marking 2029 as the possible “deadline” for quantum computers to be able to break Bitcoin and Ethereum’s cryptography has made devs roll up their sleaves and get to work.
The recent spike of the Bitcoin quantum-panic or “quantum FUD” (fear, uncertainty and doubt) has moved on from the initial chaos that ensued following Google’s “doomsday” whitepaper to a race against an enemy that doesn’t yet exist. In the past days, two Bitcoin devs landed at different proposals aimed to protect Bitcoin from the future threat of quantum attacks.
One of them consists in a “Taproot kill‐switch + zk‐proof recovery” path for existing UTXOs (Unspent Transaction Outputs). The other is a QSB (Quantum Safe Bitcoin), a transaction‐level construction that makes individual spends quantum‐safe today without any soft fork (rule changes that stay compatible with old software).
Both approaches assume Shor‐style quantum computers (quantum computers based on Shor’s algorithm) will nuke the math behind Bitcoin’s current signatures (ECDSA/Schnorr), but they differ on how much of Bitcoin needs to change: consensus rules vs user‐level tooling.
Let’s examine both proposals closely.
Solution #1
The first solution comes from Olaoluwa Osuntokun, co‐founder and CTO of Lightning Labs (the main company building the Lightning Network implementation) and Tim Ruffing, co‐author and contributor on Schnorr/Taproot, multisignature schemes like MuSig2 and a maintainer of Bitcoin’s core elliptic‐curve library.
On a post made on the social media X on April 8, Osuntokun resurfaced Ruffing’s July 2025 whitepaper on Bitcoin’s post-quantum security in order to propose a solution for one of the problems presented in the paper: “to create a variant of seed-lifting that doesn’t reveal the wallet’s master secret”. He called this “zk-STARK proof”.
in the face of quantum adversary, a commonly discussed emergency soft fork for Bitcoin would be to disable the Taproot keyspend path (https://t.co/Gzx8NVui3N), effectively turning it into something that resembling BIP-360
assuming an existing precautionary soft-fork to add a pq...
— Olaoluwa Osuntokun (@roasbeef) April 8, 2026
In plain language, Osuntokun’s tool creates a special cryptographic proof (the zk‐STARK) that lets you prove you really have the original wallet secret behind a given Taproot address, and that you used the standard wallet rules to get from that secret to this address. They crucial aspect of the zk-STARK proof is that it does this without ever revealing the secret itself, or any private keys, to anyone.
If, in the future, Bitcoin does a quantum‐defense soft fork that disables normal key‐based spends, many BIP‐86 Taproot wallets could be stuck and unable to move coins. With this proof, those users get an extra “escape hatch”: they can prove ownership of their Taproot coins via the seed‐derivation proof and move funds in a new, quantum‐safe way, even though the old key‐spend path is turned off.
He discussed all the technicalities behind this on the Bitcoin dev mailing list.
The solution has found acceptance, and it’s been generally received very well in the crypto community.
Looks like this potentially solves the thorniest issue around quantum proofing Bitcoin: confiscation of coins.
A PQ soft fork like BIP360 effectively “confiscates” coins by permanently disabling spends from certain “vulnerable” wallets where public keys have been revealed.... https://t.co/wV49BIXmx2
— Vijay Selvam (@VijaySelvam) April 9, 2026
Solution #2
The second, and more polemic solution, comes from Avihu Mordechai Levy, a cryptography engineer at StarkWare who works on zero‐knowledge proofs and STARKs. His whitepaper, published yesterday, shows how to make individual Bitcoin transactions quantum‐safe today, using Lamport‐style one‐time signatures plus a “hash‐to‐signature” proof‐of‐work puzzle, with zero changes to Bitcoin’s base protocol.
Quantum-Safe Bitcoin Transactions Without Softforkshttps://t.co/1lx5waX9VV pic.twitter.com/Ni7pA6dEsC
— Avihu Levy ✨🐺 (@avihu28) April 9, 2026
QSB replaces the old signature‐size PoW (which quantum attacks could completely break by finding tiny ECDSA r‐values) with a RIPEMD‐160‐based puzzle that only relies on hash pre‐image resistance, which is merely weakened, not destroyed, by Grover’s algorithm (quantum tech).
Again in plain language, what QSB does is it throws away the old “make the signature tiny” proof‐of‐work trick, because a strong quantum computer could cheat that by exploiting the elliptic‐curve math. Instead, QSB uses a new puzzle built on the RIPEMD‐160 hash function. Breaking a hash like that is extremely hard, even with a quantum computer.
QSB fits in legacy script limits and gives around 118‐bit post‐quantum pre‐image security. However, it costs hundreds of dollars in off‐chain GPU work per transaction and requires non‐standard bare scripts mined via private relay services. This is why many are calling QSB a “last resort” or even a “whale-grade band-aid”.
I’m not claiming this isn’t grossly inefficient, nor that it wouldn’t make sense to eventually improve the protocol layer if a cleaner solution emerges.
My point is simply that it’s false to say this kind of whale-grade band-aid doesn’t already exist at the current protocol...
— Coinjoined Chris ⚡ (@coinjoined) April 10, 2026
A Philosophical Split
The community is no longer arguing if quantum breaks ECDSA/Schnorr, but how to stage an orderly migration. Let’s remember that the creator of Bitcoin, Satoshi Nakamoto himself, assured in 2010 that a gradual transition to post-quantum, stronger technology, was possible for Bitcoin.
A post from Satoshi Nakamoto regarding the quantum threat for Bitcoin. Source: Bitcoin Magazine on X.
Taproot‐based recovery tries to protect the entire UTXO set with minimal value destruction, whereas some prominent voices still argue non‐migrated coins should simply expire rather than be “rescue” in weird ways, to preserve Bitcoin’s monetary story.
At the moment of writing, BTC trades for the high $71ks on the daily chart. Source: BTCUSD on Tradingview.
Cover image from Perplexity. BTCUSD chart from Tradingview.
