BITCOIN

Roastbeef demo proves Bitcoin can survive quantum break

Friday, May 8, 2026 · from 1 podcast

Roastbeef’s ZK-Stark tool recovers Bitcoin without relying on broken elliptic curve math.
Binary fuse filters could speed up mobile wallets by 45x.
Slow-block demos on Cygnet prove legacy flaws still threaten consensus.

Quantum computing could break Bitcoin’s cryptography tomorrow - but Roastbeef just showed it might not matter.

On Bitcoin Optech, the developer demonstrated a recovery system using ZK-Starks on RISC Zero. Users prove ownership of a BIP-32 seed without exposing private keys, bypassing SECP256k1 entirely. Initial proofs were bulky, but recursive verification cut them to 200KB - small enough for on-chain use in an emergency.

"The idea is to prove you derived a key correctly from a seed, without revealing the seed or the key."
- Roastbeef, Bitcoin Optech

This isn’t a protocol upgrade. It’s a break-glass mechanism. If quantum computers crack ECDSA, users could reclaim funds via cryptographic proof, not signature. The tool shifts the threat model: Bitcoin’s security no longer hinges solely on unbroken math.

Meanwhile, Antoine Poinsot used Cygnet to stress-test old attack vectors. Blocks exploiting quadratic hashing took over a minute to validate - a DoS risk if centralized pools weaponize them. BIP-347 would close these loopholes, including time-warp exploits.

"We’re not proposing changes to how Bitcoin works today. We’re preparing for the day it doesn’t."
- Antoine Poinsot, Bitcoin Optech

Light client performance is advancing too. Chaba Pursky’s benchmarks show binary fuse filters speed up mobile wallet syncing by up to 45x compared to GCS. The trade-off? Slightly more false positives and bandwidth. But the shift could reduce reliance on centralized block explorers like mempool.

Protocol Privacy

Bitcoin mempool

Source Intelligence

- Deep dive into what was said in the episodes

Bitcoin Optech

Bitcoin Optech: Newsletter #403 Recap • May 6

Lalo implemented a zero-knowledge proof system using RISC-Zero to allow recovery of Bitcoin if SECP256K1 is broken. It proves a user holds the BIP32 seed corresponding to a spent public key.
Lalo's initial proof was 1.6-1.8 MB, but optimizations reduced it to 600 KB and then to 200 KB using succinct receipts. Verification takes milliseconds.
The proof system could enable batch aggregation for blockchain use, creating a single succinct proof for many claims, similar to a UTXO commitment.
Chava Pursky proposed binary fuse filters as a faster alternative to BIP-158's GCS filters. Benchmarks show a 6-45x speed-up on ARM and 9-80x on desktop with a 0-3% bandwidth increase.
Binary fuse filters have a higher false positive rate of ~1 in 65,000 compared to GCS's ~1 in 200,000. A key concern is ensuring deterministic filter construction.
Brandon Black and Lalo noted hierarchical filters spanning multiple blocks could be a better research direction to reduce total bandwidth for mobile clients using compact block filters.
A Conduition proposal describes post-quantum HD wallets that combine SECP256K1 and SPHINCS keys. SPHINCS keys don't change after the last hardened level, but this is acceptable for sweeping a wallet after a quantum break.
Brandon Black argues a pure post-quantum output type like BIP 360 is preferable to a Taproot V2 that disables key spends, as no user needs both a cheap key spend today and a disabled key spend later.
Daniel Buckner proposed defining specific post-quantum key type prefixes for use with Taproot's unknown key types, allowing scripts to commit to future PQ schemes today.
A demonstration on Signet showed BIP54 is needed. Attack blocks exploiting old script bugs took over a minute to validate, highlighting risks in a centralized mining environment.
Bitcoin Core #33671 adds a 'non-mempool' field to `getbalances` RPC, exposing balances from transactions not in mempool or blockchain, fixing accounting for stuck or non-standard transactions.
Bitcoin Core #34911 removes deprecated RBF fields from mempool RPCs as full RBF is now default. The fields can be restored with the deprecated RPC config option.
BIP 391 for binary output descriptors was closed after BIP 393 was proposed as a superior method for wallet descriptor annotations and recovery hints.
BDK #2188 fixes a security issue where the library would accept any transaction from an Electrum server without verifying it matched the requested transaction ID.

Protocol Mining Privacy

Source Intelligence

- Deep dive into what was said in the episodes

Bitcoin Optech

Bitcoin Optech: Newsletter #403 Recap • May 6

Lalo implemented a zero-knowledge proof system using RISC-Zero to allow recovery of Bitcoin if SECP256K1 is broken. It proves a user holds the BIP32 seed corresponding to a spent public key.
Lalo's initial proof was 1.6-1.8 MB, but optimizations reduced it to 600 KB and then to 200 KB using succinct receipts. Verification takes milliseconds.
The proof system could enable batch aggregation for blockchain use, creating a single succinct proof for many claims, similar to a UTXO commitment.
Chava Pursky proposed binary fuse filters as a faster alternative to BIP-158's GCS filters. Benchmarks show a 6-45x speed-up on ARM and 9-80x on desktop with a 0-3% bandwidth increase.
Binary fuse filters have a higher false positive rate of ~1 in 65,000 compared to GCS's ~1 in 200,000. A key concern is ensuring deterministic filter construction.
Brandon Black and Lalo noted hierarchical filters spanning multiple blocks could be a better research direction to reduce total bandwidth for mobile clients using compact block filters.
A Conduition proposal describes post-quantum HD wallets that combine SECP256K1 and SPHINCS keys. SPHINCS keys don't change after the last hardened level, but this is acceptable for sweeping a wallet after a quantum break.
Brandon Black argues a pure post-quantum output type like BIP 360 is preferable to a Taproot V2 that disables key spends, as no user needs both a cheap key spend today and a disabled key spend later.
Daniel Buckner proposed defining specific post-quantum key type prefixes for use with Taproot's unknown key types, allowing scripts to commit to future PQ schemes today.
A demonstration on Signet showed BIP54 is needed. Attack blocks exploiting old script bugs took over a minute to validate, highlighting risks in a centralized mining environment.
Bitcoin Core #33671 adds a 'non-mempool' field to `getbalances` RPC, exposing balances from transactions not in mempool or blockchain, fixing accounting for stuck or non-standard transactions.
Bitcoin Core #34911 removes deprecated RBF fields from mempool RPCs as full RBF is now default. The fields can be restored with the deprecated RPC config option.
BIP 391 for binary output descriptors was closed after BIP 393 was proposed as a superior method for wallet descriptor annotations and recovery hints.
BDK #2188 fixes a security issue where the library would accept any transaction from an Electrum server without verifying it matched the requested transaction ID.

Protocol Mining Privacy

Roastbeef demo proves Bitcoin can survive quantum break

Source Intelligence

Related Stories

Roastbeef demo proves Bitcoin can survive quantum break

Source Intelligence

Related Stories