Bitcoin faces a quantum computing problem, and the fix might be bigger than anyone expected
Post-quantum signatures could bloat Bitcoin transactions by up to 70x, forcing a choice between massive block size increases and cutting-edge STARK proof compression.
Bitcoin’s cryptographic backbone has an expiration date. Nobody knows exactly when quantum computers will be powerful enough to crack the elliptic curve digital signature algorithm (ECDSA) that secures every Bitcoin transaction, but the crypto industry is already wrestling with what comes next. The answer, it turns out, involves some uncomfortable trade-offs.
The core issue is deceptively simple. Bitcoin currently relies on ECDSA signatures that clock in at roughly 65 bytes each. The post-quantum alternatives blessed by NIST, specifically ML-DSA (formerly known as Dilithium) and SLH-DSA (formerly SPHINCS+), produce signatures that are 10 to 70 times larger. In English: swapping to quantum-safe signatures would be like replacing every compact car on a highway with a semi-truck and expecting traffic to flow the same way.
The block size dilemma returns
ML-DSA signatures alone can reach 2.4 to 4.6 KB per signature, compared to ECDSA’s trim 65 bytes. Multiply that across every transaction in a block, and Bitcoin’s current capacity gets obliterated.
Some experimental proposals have floated increasing Bitcoin’s block size limit to 32 or even 64 MiB to accommodate quantum-safe transaction variants. For context, Bitcoin’s current block size limit sits at around 4 MB with SegWit. A jump to 64 MiB would represent a roughly 16x increase.
BTQ Technologies demonstrated a quantum-safe implementation of Bitcoin using NIST’s ML-DSA standard in October 2025, operating with that 64 MiB block limit.
STARK proofs offer a compression alternative
Instead of simply making blocks bigger to fit bloated signatures, developers are exploring a more elegant solution: using STARK proofs to compress multiple post-quantum signatures into a single compact proof.
STARKs, or Scalable Transparent Arguments of Knowledge, are zero-knowledge proof systems that rely on hash functions rather than elliptic curves, which means STARKs themselves are quantum-resistant.
In April 2025, a proposal emerged suggesting that miners could use recursive STARKs to aggregate all the signatures in a block into one proof. The blockchain only needs to store and verify the compact proof, not every individual signature.
StarkWare, the company behind the StarkNet layer-2 ecosystem, is actively involved in this effort. The firm co-authored BIP 360, a Bitcoin Improvement Proposal proposed in February 2026 by co-author Isabel Foxen Duke, that introduces Pay-to-Merkle-Root (P2MR) outputs designed to create quantum-hardening opportunities while maintaining compatibility with existing features like Taproot.
BIP 360 takes a pragmatic approach. Rather than immediately overhauling Bitcoin’s signature scheme, it focuses on building the infrastructure that would allow quantum-resistant upgrades to happen smoothly when the time comes.
Why this matters for Bitcoin investors
The quantum threat to Bitcoin isn’t theoretical hand-wraving. Shor’s algorithm, running on a sufficiently powerful quantum computer, could derive private keys from public keys that are exposed on-chain. Every time a Bitcoin address sends a transaction, its public key becomes visible. Reused addresses are particularly vulnerable.
For investors, the path Bitcoin chooses here carries real portfolio implications. A block size increase could affect mining profitability and transaction fee dynamics. STARK proof integration would add computational overhead for miners generating proofs, potentially favoring larger mining operations with more processing power.
The Bitcoin Optech newsletters throughout 2025 and into 2026 have extensively covered SLH-DSA optimizations and STARK aggregation techniques, signaling that serious engineering work is already underway. BIP 360’s progress and any consensus around STARK-based signature aggregation are the specific developments worth tracking.