Bitcoinâs quantum dilemma: Bigger blocks or STARK proofs?
Ben-Sasson has been in the news this week for his controversial suggestion on X to increase Bitcoin inflation to 4% annually. Grokâs analysis of the replies found âzero clear support for the proposal.â
But as the co-inventor of STARKs â quantum-secure, hash-based zero-knowledge proofs â heâs on much firmer ground, with some leading Bitcoin researchers supporting the concept.
Ben-Sassonâs own project Starknet last week announced its own three phase project to become quantum secure.
Adding zero-knowledge proofs to Bitcoin does not make the blockchain quantum secure by itself. ZK proofs are a way to deal with the problems caused by adding much larger post-quantum (PQ) signature schemes to Bitcoin.
The current crop of PQ signatures approved by the National Institute of Standards and Technology (NIST) is 10 to 100 times larger than Bitcoinâs existing ECDSA and Schnorr signature schemes.
Some argue this could slow the blockchain to fewer than 1 transaction per second. But all of the large transaction signatures for a block could be compressed into a tiny ZK STARK proof. Because the proof would be much smaller than even including the existing signatures, the blockchain may end up running faster.
âIf they don't allow for ZK STARK aggregation, then definitely it will be a very unfortunate move because it won't really solve the problem ... where the problem is âcan everyone actually use Bitcoin?ââ Ben-Sasson said.
âSo for that you need massive scale. And for that, you need things like signature aggregation and just increasing the block size isn't enough.â
Related: StarkWare CEO suggests 4% annual Bitcoin inflation to replace 21M cap
Marin Ivezic, author of PostQuantum.com and founder of Applied Quantum, told Cointelegraph that Bitcoinâs SegWit scheme reduced the impact of large signatures by up to 75%. But his modeling of NISTâs ML-DSA-44 scheme, which has 2,420 bytes per signature, âputs block capacity at roughly 500 to 700 transactions, down from 2,500 to 3,000 today. That is where the block-size debate comes in.â
Increasing Bitcoinâs block size is a genuine alternative, but the community split over a proposal to double the block size back in 2017. Many of the arguments against remain relevant, as itâs a blunt fix that requires every node to carry, store and verify much more data. Thatâs more expensive and requires more equipment, which critics argue pushes the network toward centralization.
Blockstream Research has been experimenting in recent months with compressing the size of hash-based post-quantum signature schemes for use with Bitcoin. It has come up with the promising SHRINCS and SHRIMPS schemes, which have everyday signatures around five times larger than Bitcoinâs current ones, but up to 40 times larger if you lose your wallet and need to resurrect it.
While SHRINCS has been used to sign real transactions on the Liquid sidechain, its development is at an early stage and there are drawbacks in terms of complexity and usability. The much larger signatures would also slow the blockchain down, unless the block size was increased.
âRaising capacity natively is the simple engineering answer and the hardest governance answer,â said Marin Ivezic, author of PostQuantum.com and founder of Applied Quantum, about a block size increase. âWe just donât have time for those debates.â
ncrease, but it would arguably be much better at preserving decentralization while also making Bitcoin more efficient.
At their simplest, ZK proofs are a way to mathematically prove that something exists without needing to include all the details. For example, a ZK proof could demonstrate that you know the combination to a safe, without telling the other person what the combination is.
Generating a ZK proof for a single block technically only needs to be done once (although itâs safer to generate additional backups for redundancy), and the equipment required to do so looks like it would be much less expensive than a commercial mining setup.
Lean Ethereumâs specs are for proving equipment that costs under $100,000 (and can be run from an ordinary home). Verifying a ZK proof, meanwhile, can be done on almost any equipment, including a Raspberry Pi.
Ben-Sasson said that early Bitcoin devs like Greg Maxwell and Mike Hearn were âvery bullish about ZK STARKs, which are post-quantum secure and have no trusted setup,â and that he believes Bitcoin Core developer Luke Dashjr and Blockstream founder Adam Back are coming around to the idea.
âI heard this myself from them. They are bullish on things related to and using ZK STARKs. I think each of them has spoken well, definitely privately but also publicly, in favor. Adam Back and Luke Dashjr don't exactly see everything eye to eye, but on this I think they actually agree that it's a great technology that, under the right terms, could find its way to Bitcoin.â
Cointelegraph contacted Back for comment, but did not receive a response.
Ethereum researcher Justin Drake has spoken publicly about his desire for Bitcoin to adopt Lean Ethereumâs ZK proof aggregation technology so that it becomes standard across the industry. This may be unfeasible for political reasons.
Ethereum aims to be post quantum by 2029. Source: Ethereum Foundation
Given Bitcoinâs conservative culture, the most politically pragmatic way to add ZK to Bitcoin would likely be to re-enable OP_CAT, which is nine lines of code written by Satoshi.
â[He] even introduced and then he removed it,â said Ben-Sasson said. âAnd if you add that, you can get things like STARK proofs and then aggregation and post-quantum security.â
âI think it's the best and safest solution that will really, really just jump-start again this journey that Satoshi really started and wanted.â
But despite a flurry of interest in OP_CAT about 12 to 24 months ago, it seems to have lost momentum more recently (although Bitcoin governance moves in mysterious ways).
There are also more speculative proposals, including OP_STARK_VERIFY, that would add opcodes specifically designed to more efficiently verify STARKs on Bitcoin. And BIP-360 co-author Ethan Heilman proposed aggregating Bitcoinâs signatures and public keys into a single STARK proof under the name BitZip.
Heilman told Cointelegraph earlier this year there are two main ways to achieve the desired result:
âEither add a bunch of general purpose opcodes to Bitcoin and then build something like a ZKRollup in Bitcoin or support STARKs at the consensus layer of Bitcoin. Alternatively, other less powerful aggregation schemes, such as CISA [Cross Input Signature Aggregation] might help here as well.â
Ivezic says Bitcoin governance, rather than technological capability, is the sticking point.
âEli's cryptography is rock solid: pure hash assumptions, no trusted setup, thousands of signatures compressed into one small proof. The problem is everything around the cryptography,â he says.
âBitcoin Script cannot verify a STARK today, and a production verifier is a massive consensus surface compared with a narrow hash-signature opcode. Given that a tiny opcode like OP_CAT has spent years in debate, a base-layer STARK verifier is realistically a 2030s conversation.â
Meanwhile, Ethereum is targeting 2029 for its transition to post-quantum, and Solana has also been experimenting with adding post-quantum signatures. StarkNetâs three-phase transition will benefit from account abstraction, which enables the underlying cryptography to be upgraded without making every user manually transfer to new accounts.
As a result, Ben-Sasson said that Solana and Ethereumâs post-quantum roadmap will be âextremely hard.â
âOn Starknet, we have this big advantage that we have already native account abstraction and smart wallets, which means that nothing is enshrined so its very easy to upgrade the wallets and the infrastructure to be post quantum.â
Features: The biggest blockchain upgrades still to come in 2026
More on the subject
How it works
Once you click Generate, Ollama reads this article and crafts 5 comprehension questions. Your answers are graded against the article content â general knowledge won't be enough. Score 70+ to count toward your certificate.
Questions are cached â you'll always get the same 5 for this article.