ZK STARKs vs block-size: Paths to quantum-safe Bitcoin
Eli Ben-Sasson urges using ZK STARKs to compress larger post-quantum signatures for Bitcoin and reports support from Adam Back and Luke Dashjr.
Eli Ben-Sasson, co-founder of StarkWare and co-inventor of ZK STARKs, argued that zero-knowledge STARK proofs can compress many large post-quantum signatures into a single compact proof for each Bitcoin block. He has said Adam Back and Luke Dashjr back the idea.
The National Institute of Standards and Technology’s approved post-quantum signature schemes produce signatures that are 10 to 100 times larger than today’s ECDSA and Schnorr signatures. Modeling of one NIST-approved scheme, ML-DSA-44, which yields about 2,420-byte signatures, suggests Bitcoin block capacity could fall from roughly 2,500–3,000 transactions to about 500–700 transactions per block.
One option is to increase Bitcoin’s block size, but that would require every node to store and verify more data and could raise costs and centralization concerns. Researchers at Blockstream have tested compressed hash-based signature schemes called SHRINCS and SHRIMPS. Typical SHRINCS signatures are about five times larger than current Bitcoin signatures and can grow as much as 40 times larger in wallet-recovery scenarios. SHRINCS has been used on a sidechain but remains under development.
Ben-Sasson described STARK aggregation as an alternative: instead of including thousands of larger signatures on-chain, a single small STARK proof would attest to all signatures for a block. He wrote on social media that without STARK aggregation the network risks becoming harder for many users to use, arguing aggregation and larger scale are needed.
StarkNet has set out a three-phase plan to become quantum secure, using account abstraction to let wallets and smart contracts upgrade cryptography without mass manual migration. Generating a STARK proof requires computation, but advocates point to lower hardware and running costs than commercial mining rigs. Specifications from projects testing this approach suggest proving equipment could cost under $100,000 and run from a home, while verification can be performed on minimal hardware such as a Raspberry Pi.
Technical proposals to add STARK support on Bitcoin include re-enabling the long-disabled OP_CAT opcode to enable proof verification, adding specific opcodes like OP_STARK_VERIFY, or building aggregation at the consensus layer. BIP-360 co-author Ethan Heilman has proposed aggregating signatures and keys into a single proof under the name BitZip and identified alternatives such as Cross Input Signature Aggregation (CISA).
Developers and researchers identify governance and consensus risk as the main barriers to on-chain STARK verification. Marin Ivezic, who models post-quantum impacts, said Bitcoin Script cannot verify a STARK today and called a production verifier a large consensus surface; he estimated a base-layer STARK verifier is likely a discussion for the 2030s. By comparison, other networks have set earlier timetables for post-quantum transitions. The debate among Bitcoin stakeholders now centers on whether to accept script or consensus changes to deploy STARK aggregation or pursue block-size increases or other aggregation methods to address post-quantum signature growth.
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.








