
I was just about to post about this.

I spent WAY too much time trying to understand Binohash (#1442276), but luckily people smarter than me were thinking about it too.

QSB (Quantum Safe Bitcoin) builds on Binohash (Linus, 2026), which uses a HORS-like one-time signature scheme embedded in Bitcoin Script. Binohash achieves transaction integrity through a proof-of-work puzzle based on signature sizes (OP_SIZE). However, this puzzle relies on the assumption that the smallest known ECDSA r-value cannot be improved — a quantum adversary running Shor's algorithm could compute the discrete logarithm of r = 1, breaking the puzzle entirely.

From what I understood of Binohash, it relies on a quirk of how legacy script works in Bitcoin where a signature gets included in a script, but must be stripped out in order to validate the script (I probably have this a little wrong, but it's something like this). The result is that you can use this functionality to trick Bitcoin script into introspection. I'm still fuzzy on this and I doubt I could actually explain it well.

Anyhow, this new idea, Quantum Safe Bitcoin, uses some of the technique in Binohash to do something different:

QSB replaces this with a hash-to-signature puzzle: the script hashes a transaction-bound public key via OP_RIPEMD160 and interprets the 20-byte output as a DER-encoded ECDSA signature. A random 20-byte string satisfies the DER structural constraints with probability ~2^-46 — providing the proof-of-work target. Since this puzzle depends only on the pre-image resistance of RIPEMD-160 (not on any elliptic curve assumption), it is fully resistant to Shor's algorithm.

So my grug brained explanation is that this lets you treat a hash as a valid Bitcoin signature.

Of course, supertestnet has a pretty good response too:

source
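As an added example (not code from the post or from the QSB authors): a Python port of Bitcoin's BIP66 strict-DER signature encoding check, plus an exact count of how many random 20-byte strings pass it, assuming the "DER structural constraints" quoted above are the BIP66 rules and that the last byte is the sighash-type byte BIP66 counts but does not constrain. Under those assumptions the hit rate comes out at about 2^-46.4, which is where the ~2^-46 proof-of-work target comes from.

```python
# Added example: BIP66 strict-DER structure check and the exact probability
# that a uniformly random 20-byte string (e.g. a RIPEMD-160 output) passes it.
# Assumption: QSB's structural constraints are exactly the BIP66 rules; the
# trailing byte is the sighash-type byte, counted in the length but unconstrained.
from fractions import Fraction
import math
import os

def is_valid_der(sig: bytes) -> bool:
    """Port of BIP66 IsValidSignatureEncoding (structure only, no ECDSA math)."""
    n = len(sig)
    if n < 9 or n > 73:
        return False
    if sig[0] != 0x30 or sig[1] != n - 3:
        return False
    len_r = sig[3]
    if 5 + len_r >= n:
        return False
    len_s = sig[5 + len_r]
    if len_r + len_s + 7 != n:
        return False
    if sig[2] != 0x02 or len_r == 0 or sig[4] & 0x80:
        return False
    if len_r > 1 and sig[4] == 0x00 and not (sig[5] & 0x80):
        return False  # unnecessary leading zero in R
    if sig[len_r + 4] != 0x02 or len_s == 0 or sig[len_r + 6] & 0x80:
        return False
    if len_s > 1 and sig[len_r + 6] == 0x00 and not (sig[len_r + 7] & 0x80):
        return False  # unnecessary leading zero in S
    return True

def count_valid_integers(n: int) -> int:
    """Number of n-byte big-endian integers BIP66 accepts as R or S."""
    if n == 1:
        return 128  # 0x00..0x7f
    # top bit clear, minus "0x00 followed by a byte < 0x80"
    return 128 * 256 ** (n - 1) - 128 * 256 ** (n - 2)

def der_hit_probability(total_len: int = 20) -> Fraction:
    """Exact P(random total_len-byte string passes is_valid_der)."""
    body = total_len - 7  # bytes shared between R and S
    valid = sum(count_valid_integers(r) * count_valid_integers(body - r) * 256
                for r in range(1, body))  # *256: free sighash byte
    return Fraction(valid, 256 ** total_len)

def log2_hit_probability(total_len: int = 20) -> float:
    p = der_hit_probability(total_len)
    return math.log2(p.numerator) - math.log2(p.denominator)

if __name__ == "__main__":
    print(f"log2 P(20-byte hit) = {log2_hit_probability():.2f}")  # about -46.4
    hits = sum(is_valid_der(os.urandom(20)) for _ in range(100_000))
    print("random 20-byte hits in 100k draws:", hits)  # expect 0
```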

I honestly don't understand the technicals either. I've been spending way more time lately learning more about how lightning works than base layer.