From: "'ArmchairCryptologist' via Bitcoin Development Mailing List"
To: Bitcoin Foundation, Bitcoin Development Mailing List
Date: Wed, 20 Aug 2025 20:15:18 +0000
Subject: Re: [bitcoindev] Re: [Draft BIP] Quantum-Resistant Transition Framework for Bitcoin

When it comes to the NIST recommendation for the deprecation timeline, there is now a (very) recent paper available, released on August 19th 2025 (i.e. yesterday as of this writing), which suggests the timeline should be moved up somewhat. This paper targets ECDLP and ECC in general, and secp256k1 as used in Bitcoin specifically. You can find this here:

https://arxiv.org/abs/2508.14011

Some key takeaways:

"When algorithmic curves and vendor trajectories are overlaid on this common ruler, the earliest intersections appear in the late 2020s; more conservative crossings cluster in the early 2030s. We therefore indicate a first plausible window for cryptanalytically relevant quantum computers (CRQCs) around 2027–2033. The endpoints move mainly with three levers: reliable magic-state supply at scale (distillation or cultivation), code distance sufficient for multi-hour jobs, and classical-control latency that keeps pace with fast error-correction cycles. If any lever stalls, the window shifts to the right; if several improve together, it shifts to the left."

"The classical record remains consistent with Θ(2^(b/2)) scaling for generic prime-field curves (Section 3); constant-factor engineering wins have not changed the asymptotics. In parallel, logical-to-physical translations suggest that credible ECC-256 attacks via Shor’s algorithm require mid-10^5 to low-10^6 noisy qubits under surface code assumptions, with cat-qubit architectures offering alternative overhead tradeoffs (Section 4; [37, 39, 46]) by trading fewer physical qubits for an increased complexity of their architecture. Overlaying algorithmic cost with public roadmaps yields a first plausible window for cryptanalytically relevant quantum computers in roughly 2027–2033, albeit with wide error bars."

The lower bound of the window seems highly optimistic to me when compared to the actual roadmaps for physical qubits provided by Google and IonQ (the most optimistic of the bunch) which are summarized on page 15, but targeting 2030 as an actual deadline for having quantum-resistant addresses ready for use is starting to look necessary. Even if the surface code assumptions that are relied upon to combine physical qubits into logical ones turn out to not hold water, and this ultimately means that the current approach to quantum computers is unworkable, if nothing else, it would to counter the inevitable FUD.

--
Best,
ArmchairCryptologist

On Monday, August 18th, 2025 at 7:12 PM, 'Bitcoin Foundation' via Bitcoin Development Mailing List <bitcoindev@googlegroups.com> wrote:

> Dear ArmchairCryptologist,
>
> We appreciate your engagement with our quantum resistance proposal.
> Let us address your points with additional technical context:
>
> NIST Reference Documentation
> The referenced blog post includes a link to NIST Internal Report 8547 (Initial Public Draft) [0], which offers critical guidance regarding the migration to post-quantum cryptographic standards. We strongly recommend thorough review of this document by all stakeholders evaluating quantum-resistant solutions.
>
> Pre-Quantum UTXO Sunset Policy
> Regarding the migration of pre-quantum UTXOs:
>
> - Our current draft proposes freezing these outputs around 2033
> - This timeline appears in the "Migration Path: Phased Implementation" section (https://quantum-resistant-bitcoin.bitcoin.foundation)
> - We explicitly designed this as an adjustable parameter
> - Based on community feedback, we're prepared to extend this sunset period beyond 2035
>
> The proposed recovery mechanism provides optional pathways for legacy UTXOs while maintaining network security.
>
> We remain open to community input regarding the sunset period for pre-quantum UTXOs. The current 2033 (block 1,327,121) proposal aligns conservatively with NIST's recommendation to deprecate ECDSA by 2035 [0], though we acknowledge reasonable arguments exist for adjusting this timeline.
>
> [0]: https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf
>
> On Tuesday, August 12, 2025 at 11:04:32 AM UTC+2 ArmchairCryptologist wrote:
>
>>> An astute observation. To clarify the quantum computing landscape: Google's current quantum processors do not possess 50 logical qubits, and even if they did, this would be insufficient to compromise ECDSA - let alone RSA-2048, which would require approximately 20 million noisy physical qubits for successful cryptanalysis [0].
>>
>> That paper is pretty old. There is a recent paper from a couple of months ago by the same author (Craig Gidney from Google Quantum AI) claiming that you could break RSA-2048 with around a million noisy qubits in about a week.
>>
>> Paper: https://arxiv.org/pdf/2505.15917
>>
>> Blog post: https://security.googleblog.com/2025/05/tracking-cost-of-quantum-factori.html
>>
>> I can't say for sure whether this approach can be applied to ECDSA; I have seen claims before that it has less quantum resistance than RSA-2048, but I'm unsure if this is still considered to be the case. And while these papers are of course largely theoretical in nature since nothing close to the required amount of qubits exists at this point, I haven't seen anyone refute these claims at this point. There is still no hard evidence I'm aware of that a quantum computer capable of breaking ECDSA is inevitable, but given the rate of development, there could be some cause of concern.
>>
>> Getting post-quantum addresses designed, implemented and activated by 2030 in accordance with the recommendations in this paper seems prudent to me, if this is at all possible. Deactivating inactive pre-quantum UTXOs with exposed public keys by 2035 should certainly be considered. But I still don't feel like deactivating pre-quantum UTXOs without exposed public keys in general is warranted, at least until a quantum computer capable of breaking public keys in the short time between they are broadcast and included in a block is known to exist - and even then, only if some scheme could be devised that still allows spending them using some additional cryptographic proof of ownership, ZKP or otherwise.
>>
>> --
>> Best,
>> ArmchairCryptologist