From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Mon, 14 Jul 2025 07:09:14 -0700 Received: from mail-yw1-f184.google.com ([209.85.128.184]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1ubJrk-0007Bs-F9 for bitcoindev@gnusha.org; Mon, 14 Jul 2025 07:09:14 -0700 Received: by mail-yw1-f184.google.com with SMTP id 00721157ae682-7152520f9f9sf50844777b3.2 for ; Mon, 14 Jul 2025 07:09:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1752502146; x=1753106946; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-sender:mime-version :subject:references:in-reply-to:message-id:to:from:date:sender:from :to:cc:subject:date:message-id:reply-to; bh=PNUtav0beH1Q7UTv+pZVk0nnXdLS6cbvOIWdM7UH0n4=; b=hnltwIm+K7uDtqB5HKo+MIBh182WzW1UfTA46qsSGdZ8HauH19+o6sjpmi6gp7NZ4D 3C13Dm8N8N8BEKdWcWb6+/cBJbAwvwyiAJMKSlMSC21vHhivx5+Gkm3aNICIxUhfniql CjNLWGZyer3y43PNAbYzGlou8WpA8PA9dfi6uEg9qcRs4nuV8X8DXstLS22C4ulTM4VA 4Ro1+ilJ/6CfvKYF9yOIb87/ycpXyAtYHAx31Ctj9DOYx6or3wjF78yQuEmyELUtxpWf eTgYAQs1wXjoMjKUoYXMlvaHjqLxfBv5QleXzpsZ5D1x+2gYccvErBKv6vXI72erhn6k eOnw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1752502146; x=1753106946; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-sender:mime-version :subject:references:in-reply-to:message-id:to:from:date:from:to:cc :subject:date:message-id:reply-to; bh=PNUtav0beH1Q7UTv+pZVk0nnXdLS6cbvOIWdM7UH0n4=; b=BzNpQM3ZKaQXwYNFLZBr21hgd7dyebOv1xI5dm7YKQDGmX+4zVJ/n62qduPom8NgR9 7NmbPliR9QXq7CfZB2qbsnEv3pGUmWFxDqnjqd68j0VeWl7sTjrboSjzAwYCZYiRX5pK oiNY9IhoYvogQ0PaoB1fGfZ6kqXFV2vnDCz+vwYUW0R6A5YgRtbngvqLpeI7xRRnlS7l zliBQJCM9I/88CZHumB9wZKnhdKv2zeezXlmH34j3eGs2FtRxEBNld6c0wswFzngs7lj XyxNH8aHeautItAYXCIYcdkqtz0x617YeRN34K+J/8VbPzDyi7Q/PFyPBCRf/qiECGDi x5aQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752502146; x=1753106946; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-sender:mime-version :subject:references:in-reply-to:message-id:to:from:date:x-beenthere :x-gm-message-state:sender:from:to:cc:subject:date:message-id :reply-to; bh=PNUtav0beH1Q7UTv+pZVk0nnXdLS6cbvOIWdM7UH0n4=; b=TCTAiHJfcOQDTHmu0tstT+J+81I+7P9HgdqpKmgR5ZDer/QWRG2o/kOYiPklXF6GUG iMHCJ1xt9KwTetovPTk97uY+BCKrUbDD1m+EFFDqA7L9OvoOQkLy9wWjtuyEhmvpuRUB MdvICwdc5C6/exJj7pVdqQN2/IWY6yfn44GCCQObzHPp8U8rjILYbqWjygA8DPV4x9wY Aq/st4WRYeeuBOLuqB6GUDZdFxqEyXX/g2KDaYXTzTWDgNeF/j8Izwlsyp5RFPnr1Luy JlA7JeU//jEDZxUNVbyV8hM4xmxs6Lq3ey6+m6XWJEAdOtosp3D2XOCR7S/zMEZKVsZd 0GSA== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=1; AJvYcCWkF80FOlmACJ+5i9cOxFPBsN7e/nI8sbmVzQF2mzAoRylJiutYkT7UUeutN8YvuroK6Gqc0YMg4Nu1@gnusha.org X-Gm-Message-State: AOJu0YyFKorxt5sckpJkhMXYmndAQSyy2nK3YZ0cTImyQJ0QV+BM1mib cGzxKkhCLdPRtwJDPsIh2rzNuMDqN0ASrXZMA/rOc3lUlrH6YRuDlExx X-Google-Smtp-Source: AGHT+IFt3sCwFFoZZwASFFr83QFMuZMpadcBXCmJMc2VU7v/Q5+RY7GEBCBPkJniZ5u+Qw26jXsVWw== X-Received: by 2002:a05:690c:f14:b0:6ef:5097:5daa with SMTP id 00721157ae682-717d5e2c359mr208126597b3.34.1752502145700; Mon, 14 Jul 2025 07:09:05 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com; h=AZMbMZcK9KCjoZ6RB/9NV19Qkyw8kDMiih5ZAFpXgg8wASDEFg== Received: by 2002:a25:e0c9:0:b0:e87:bdd0:75fc with SMTP id 3f1490d57ef6-e8b77958404ls4297231276.2.-pod-prod-03-us; Mon, 14 Jul 2025 07:09:00 -0700 (PDT) X-Received: by 2002:a05:690c:9c08:b0:70e:404:85e5 with SMTP id 00721157ae682-717d5d7e0b7mr227052197b3.11.1752502140243; Mon, 14 Jul 2025 07:09:00 -0700 (PDT) Received: by 2002:a81:c805:0:b0:710:fccf:6901 with SMTP id 00721157ae682-71801526bd3ms7b3; Sun, 13 Jul 2025 19:07:42 -0700 (PDT) X-Received: by 2002:a05:690c:6083:b0:712:cc11:af8 with SMTP id 00721157ae682-717d5ede770mr188521897b3.27.1752458861290; Sun, 13 Jul 2025 19:07:41 -0700 (PDT) Date: Sun, 13 Jul 2025 19:07:40 -0700 (PDT) From: Antoine Riard To: Bitcoin Development Mailing List Message-Id: <4d9ce13e-466d-478b-ab4d-00404c80d620n@googlegroups.com> In-Reply-To: <37ed2e5d-34cd-4391-84b8-5bcc6d42c617n@googlegroups.com> References: <37ed2e5d-34cd-4391-84b8-5bcc6d42c617n@googlegroups.com> Subject: [bitcoindev] Re: A Post Quantum Migration Proposal MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_Part_411050_1470926048.1752458860757" X-Original-Sender: antoine.riard@gmail.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.5 (/) ------=_Part_411050_1470926048.1752458860757 Content-Type: multipart/alternative; boundary="----=_Part_411051_711094452.1752458860757" ------=_Part_411051_711094452.1752458860757 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Jameson, Thanks for your thoughts on this complex subject. First and foremost, I think your following statement: "Never before has=20 Bitcoin faced an existential threat to its cryptographic primitives" is very myopic,=20 given that cryptanalysts and number theorists are making progress every year in their= =20 works, and each bitcoin cryptographic primitive has been and is constantly analyzed to= =20 uncover potential weaknesses. So in my view the quantum threat is a bit less specific that the image=20 you're painting of it. Even if go all to upgrade to lattices-based schemes, we have no=20 certainty that novels flaws won't be found, one can just go to see the modifications of=20 the NIST-approved schemes in between their rounds of selection that we'll never reach=20 something like "self-sovereign peace of mind"...Unless we start to forbid people of=20 practicing the art of mathematics, practice which has been ongoing since Euclide and=20 Pythagore... I do concede that quantum is a bit different, as after all new physics=20 paradigm do not happen often (Heisenberg published in the 20s iirc), though that's= =20 in my view the flaw of your reasoning as you're assuming some "post-quantum"=20 upgraded state where bitcoin, as a community and a network, would be definitely safe= =20 from advances in applied science. At minima, in my understanding, you're arguing= =20 this time is different to justify extra-ordinary technical measures never seen= =20 before, namely the freezing of "vulnerable" coins. I'm worried this is opening a Pandora box, where we would introduce a=20 precedent that it is legitimate as a community to technicaly confiscate some coins of= =20 users,=20 without their _consents_, for extra-ordinary reasons. That's opening a=20 worms of shenanigans in the future...There is no guarantee that this precedent won't be leveraged in the future by any group of entities to justify future=20 upgrades eroding one of the "fundamental property" you're yourself deeming as=20 valuable. This is especially worrying as if I'm understanding you correctly you're=20 justifying this position as that somehow we should protect the price of the currency= =20 as an end in itself (i.e "Beyond its impact on price, ..."). It's unclear the price= =20 of bitcoin versus what fiat or hard asset (e.g oil) you have in mind. And in anyway,= =20 as far as I know, none of the bitcoin devs is seating on the board of the FED, the= =20 ECB or the BoJ... To put it simply, even if a quantum attacker can tomorrow starts to steal vulnerable coins, 1 BTC will be always equal to 1 BTC. Full stop. In my=20 humble opinion, let's not introduce the idea that, we, as a community of=20 stakeholders and developers we have a positive "fiduciary" duty to act to maintain the= =20 price of bitcoin in some "monetary snake" with another class of assets... That's also the problem with game theory, all the matrices of analysis are based on some scale of utilitarism. See Von Neuman's Theory of Games, the section on "The Notion of Utility". My subjective appreciation of the value of my coins might not be your subjective appreication of the value of your coins. Now I do understand the perspective of the institutional holders, the=20 exchanges, the custodians or any other industry providers, who might be in the full=20 uncertainty about their business responsibilities in case of a quantum threat affecting= =20 their custodied coins. But, first legally speaking there is something call "force= =20 majeure" and in view of the quantum threat, which is a risk discussed far beyond the= =20 bitcoin industry, they should be able to shield themselves behind that. Secondly,= =20 if there is any futute upgrade "opt-in" only path a la BIP360, you can move your=20 funds or the ones under custody under a PQC scheme like Dilthium or Falcon and be= =20 good without caring about what the others users are doing. Thirdly, if you're an= =20 actor in the industry like Coinbase and you're deeply concerned about how=20 extended maelstrom on the price might affect the viability of your operations, it is unclear= =20 to me why you don't call MunichRe or any other company like that tomorrow to craft=20 and be covered by specific insurance on quantum threats... To be frank, all those considerations on how "I cannot see how the currency= =20 can maintain any value at all in such a setting", is a strong red flag of low= =20 time preferences. It's not like we're used to strong volatility in bitcoin with= =20 the almost 2 decades of operations of the network. In my view, it's more a hint= =20 of very high-exposition by some to a single class of asset, i.e bitcoin,=20 rather than wise diversification... And a push to sacrify a "fundamental property" i.e=20 "conservatism" in view of short-term concerns (i.e the stability of the currency price=20 along a period of few years). Do not get me wrong, I'm certainly not of the school "let's reward quantum attackers". Leveraging techical superiority and employing CRQRC to steal vulnerable coins would be clearly a theft. But ethically, the best we can= =20 do is to have an opt-in upgrade path and be pro-active, by education and outreach= , to have the maximum of coin owners upgrading to non-vulnerable addresses=20 types. Then show the level of "fortitude" or "endurance" as a community in face of= =20 price fluctuations for a while, while seeing regularly old P2PK coins hacked.=20 Marcus Aurelius can be bought for few bucks in most of decent libraries... I'm definitely on the "no old coins confiscation" position you're=20 underlighting: "I don't see why old coins should be confiscated. The better option is to= =20 let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the=20 inflation is transitory. Those with low time preference should support returning lost coins to circulation". Notwhitstanding that I disagree with your position, one can only appreciate the breadth and depth with which you're gathering and articulating all the elements on this complex problem. Best, Antoine OTS hash: c064b43047bf3036faf098b5ac8e74930df63d25629f590a4195222979402826 Le lundi 14 juillet 2025 =C3=A0 00:53:34 UTC+1, Tadge Dryja a =C3=A9crit : > Hi =20 > > While I generally agree that "freeze" beats "steal", and that a lot of=20 > lead time is good, I don't think this plan is viable. > To me the biggest problem is that it ties activation of a PQ output type= =20 > to *de*activation of EC output types. That would mean that someone who= =20 > wants to keep using all the great stuff in libsecp256k1 should try to=20 > prevent BIP360 from being activated. > > Sure, there can be risks from CRQCs. But this proposal would go the othe= r=20 > direction, disabling important functionality and even destroying coins=20 > preemptively, in anticipation of something that may never happen. > > Also, how do you define "quantum-vulnerable UTXO"? Would any P2PKH, or= =20 > P2WPKH output count? Or only P2PKH / P2WPKH outputs where the public key= =20 > is already known? I can understand disabling spends from known-pubkey=20 > outputs, but for addresses where the public key has never been revealed,= =20 > commit/reveal schemes (like the one I posted about & am working on a=20 > follow-up post for) should safely let people spend from those outputs=20 > indefinitely. > > With no evidence of a QRQC, I can see how there would be people who'd say= =20 > "We might never really know if a CRQC exists, so we need to disable EC=20 > spends out of caution" and others who'd say "Don't disable EC spends, sin= ce=20 > that's destroying coins", and that could be a persistent disagreement. B= ut=20 > I hope if we did in fact have a proof that a CRQC has broken secp256k1,= =20 > there would be significant agreement on freezing known-pubkey EC outputs. > > -Tadge > On Saturday, July 12, 2025 at 8:46:09=E2=80=AFPM UTC-4 Jameson Lopp wrote= : > >> Building upon my earlier essay against allowing quantum recovery of=20 >> bitcoin=20 >> I= =20 >> wish to formalize a proposal after several months of discussions. >> >> This proposal does not delve into the multitude of issues regarding post= =20 >> quantum cryptography and trade-offs of different schemes, but rather is= =20 >> meant to specifically address the issues of incentivizing adoption and= =20 >> migration of funds *after* consensus is established that it is prudent= =20 >> to do so. >> >> As such, this proposal requires P2QRH as described in BIP-360 or=20 >> potential future proposals. >> Abstract >> >> This proposal follows the implementation of post-quantum (PQ) output typ= e=20 >> (P2QRH) and introduces a pre-announced sunset of legacy ECDSA/Schnorr=20 >> signatures. It turns quantum security into a private incentive: fail to= =20 >> upgrade and you will certainly lose access to your funds, creating a=20 >> certainty where none previously existed.=20 >> >> -=20 >> =20 >> Phase A: Disallows sending of any funds to quantum-vulnerable=20 >> addresses, hastening the adoption of P2QRH address types. >> -=20 >> =20 >> Phase B: Renders ECDSA/Schnorr spends invalid, preventing all=20 >> spending of funds in quantum-vulnerable UTXOs. This is triggered by a= =20 >> well-publicized flag-day roughly five years after activation. >> -=20 >> =20 >> Phase C (optional): Pending further research and demand, a separate= =20 >> BIP proposing a fork to allow recovery of legacy UTXOs through ZK pro= of of=20 >> possession of BIP-39 seed phrase. =20 >> =20 >> Motivation >> >> We seek to secure the value of the UTXO set and minimize incentives for= =20 >> quantum attacks. This proposal is radically different from any in Bitcoi= n=E2=80=99s=20 >> history just as the threat posed by quantum computing is radically=20 >> different from any other threat in Bitcoin=E2=80=99s history. Never bef= ore has=20 >> Bitcoin faced an existential threat to its cryptographic primitives. A= =20 >> successful quantum attack on Bitcoin would result in significant economi= c=20 >> disruption and damage across the entire ecosystem. Beyond its impact on= =20 >> price, the ability of miners to provide network security may be=20 >> significantly impacted. =20 >> >> -=20 >> =20 >> Accelerating quantum progress.=20 >> -=20 >> =20 >> NIST ratified three production-grade PQ signature schemes in 2024;= =20 >> academic road-maps now estimate a cryptographically-relevant quant= um=20 >> computer as early as 2027-2030. [McKinsey=20 >> >> ] >> -=20 >> =20 >> Quantum algorithms are rapidly improving >> -=20 >> =20 >> The safety envelope is shrinking by dramatic increases in=20 >> algorithms even if the pace of hardware improvements is slower. Al= gorithms=20 >> are improving up to 20X=20 >> ,=20 >> lowering the theoretical hardware requirements for breaking classi= cal=20 >> encryption. >> -=20 >> =20 >> Bitcoin=E2=80=99s exposed public keys.=20 >> -=20 >> =20 >> Roughly 25% of all bitcoin have revealed a public key on-chain;=20 >> those UTXOs could be stolen with sufficient quantum power. =20 >> -=20 >> =20 >> We may not know the attack is underway.=20 >> -=20 >> =20 >> Quantum attackers could compute the private key for known public= =20 >> keys then transfer all funds weeks or months later, in a covert bl= eed to=20 >> not alert chain watchers. Q-Day may be only known much later if th= e attack=20 >> withholds broadcasting transactions in order to postpone revealing= their=20 >> capabilities. >> -=20 >> =20 >> Private keys become public.=20 >> -=20 >> =20 >> Assuming that quantum computers are able to maintain their current= =20 >> trajectories and overcome existing engineering obstacles, there is= a near=20 >> certain chance that all P2PK (and other outputs with exposed pubke= ys)=20 >> private keys will be found and used to steal the funds. >> -=20 >> =20 >> Impossible to know motivations.=20 >> -=20 >> =20 >> Prior to a quantum attack, it is impossible to know the=20 >> motivations of the attacker. An economically motivated attacker w= ill try=20 >> to remain undetected for as long as possible, while a malicious at= tacker=20 >> will attempt to destroy as much value as possible. =20 >> -=20 >> =20 >> Upgrade inertia.=20 >> -=20 >> =20 >> Coordinating wallets, exchanges, miners and custodians=20 >> historically takes years. >> -=20 >> =20 >> The longer we postpone migration, the harder it becomes to=20 >> coordinate wallets, exchanges, miners, and custodians. A clear, ti= me-boxed=20 >> pathway is the only credible defense. >> -=20 >> =20 >> Coordinating distributed groups is more prone to delay, even if=20 >> everyone has similar motivations. Historically, Bitcoin has been s= low to=20 >> adopt code changes, often taking multiple years to be approved. >> =20 >> Benefits at a Glance >> =20 >> -=20 >> =20 >> Resilience: Bitcoin protocol remains secure for the foreseeable=20 >> future without waiting for a last-minute emergency. >> -=20 >> =20 >> Certainty: Bitcoin users and stakeholders gain certainty that a plan= =20 >> is both in place and being implemented to effectively deal with the t= hreat=20 >> of quantum theft of bitcoin. =20 >> -=20 >> =20 >> Clarity: A single, publicized timeline aligns the entire ecosystem=20 >> (wallets, exchanges, hardware vendors). >> -=20 >> =20 >> Supply Discipline: Abandoned keys that never migrate become=20 >> unspendable, reducing supply, as Satoshi described=20 >> . =20 >> =20 >> Specification >> >> Phase >> >> What Happens >> >> Who Must Act >> >> Time Horizon >> >> Phase A - Disallow spends to legacy script types >> >> Permitted sends are from legacy scripts to P2QRH scripts >> >> Everyone holding or accepting BTC. >> >> 3 years after BIP-360 implementation >> >> Phase B =E2=80=93 Disallow spends from quantum vulnerable outputs >> >> At a preset block-height, nodes reject transactions that rely on=20 >> ECDSA/Schnorr keys.=20 >> >> Everyone holding or accepting BTC. >> >> 2 years after Phase A activation. >> >> Phase C =E2=80=93 Re-enable spends from quantum vulnerable outputs via Z= K Proof >> >> Users with frozen quantum vulnerable funds and a HD wallet seed phrase= =20 >> can construct a quantum safe ZK proof to recover funds. >> >> Users who failed to migrate funds before Phase B. >> >> TBD pending research, demand, and consensus. >> Rationale >> =20 >> -=20 >> =20 >> Even if Bitcoin is not a primary initial target of a=20 >> cryptographically relevant quantum computer, widespread knowledge tha= t such=20 >> a computer exists and is capable of breaking Bitcoin=E2=80=99s crypto= graphy will=20 >> damage faith in the network .=20 >> -=20 >> =20 >> An attack on Bitcoin may not be economically motivated - an attacker= =20 >> may be politically or maliciously motivated and may attempt to destro= y=20 >> value and trust in Bitcoin rather than extract value. There is no wa= y to=20 >> know in advance how, when, or why an attack may occur. A defensive= =20 >> position must be taken well in advance of any attack. =20 >> -=20 >> =20 >> Bitcoin=E2=80=99s current signatures (ECDSA/Schnorr) will be a tantal= izing=20 >> target: any UTXO that has ever exposed its public key on-chain (rough= ly 25=20 >> % of all bitcoin) could be stolen by a cryptographically relevant qua= ntum=20 >> computer. >> -=20 >> =20 >> Existing Proposals are Insufficient. =20 >> 1.=20 >> =20 >> Any proposal that allows for the quantum theft of =E2=80=9Clost=E2= =80=9D bitcoin=20 >> is creating a redistribution dilemma. There are 3 types of proposa= ls: >> 1.=20 >> =20 >> Allow anyone to steal vulnerable coins, benefitting those who= =20 >> reach quantum capability earliest. >> 2.=20 >> =20 >> Allow throttled theft of coins, which leads to RBF battles and= =20 >> ultimately miners subsidizing their revenue from lost coins. >> 3.=20 >> =20 >> Allow no one to steal vulnerable coins. >> -=20 >> =20 >> Minimizes attack surface >> 1.=20 >> =20 >> By disallowing new spends to quantum vulnerable script types, we= =20 >> minimize the attack surface with each new UTXO. =20 >> 2.=20 >> =20 >> Upgrades to Bitcoin have historically taken many years; this will= =20 >> hasten and speed up the adoption of new quantum resistant script t= ypes.=20 >> 3.=20 >> =20 >> With a clear deadline, industry stakeholders will more readily=20 >> upgrade existing infrastructure to ensure continuity of services. = =20 >> -=20 >> =20 >> Minimizes loss of access to funds=20 >> 1.=20 >> =20 >> If there is sufficient demand and research proves possible,=20 >> submitting a ZK proof of knowledge of a BIP-39 seed phrase corresp= onding to=20 >> a public key hash or script hash would provide a trustless means f= or legacy=20 >> outputs to be spent in a quantum resistant manner, even after the = sunset. =20 >> =20 >> >> Stakeholder >> >> Incentive to Upgrade >> >> Miners >> >> =E2=80=A2 Larger size PQ signatures along with incentive for users to mi= grate=20 >> will create more demand for block space and thus higher fees collected b= y=20 >> miners. >> >> =E2=80=A2 Post-Phase B, non-upgraded miners produce invalid blocks. >> >> =E2=80=A2 A quantum attack on Bitcoin will significantly devalue both th= eir=20 >> hardware and Bitcoin as a whole.=20 >> >> Institutional Holders >> >> =E2=80=A2 Fiduciary duty: failing to act to prevent a quantum attack on = Bitcoin=20 >> would violate the fiduciary duty to shareholders. =20 >> >> =E2=80=A2 Demonstrating Bitcoin=E2=80=99s ability to effectively mitigat= e emerging=20 >> threats will prove Bitcoin to be an investment grade asset. >> >> Exchanges & Custodians >> >> =E2=80=A2 Concentrated risk: a quantum hack could bankrupt them overnigh= t. >> >> =E2=80=A2 Early migration is cheap relative to potential losses, potenti= al=20 >> lawsuits over improper custody and reputational damage. >> >> Everyday Users >> >> =E2=80=A2 Self-sovereign peace of mind. >> >> =E2=80=A2 Sunset date creates a clear deadline and incentive to improve = their=20 >> security rather than an open-ended =E2=80=9Csome day=E2=80=9D that invit= es procrastination. >> >> Attackers >> >> =E2=80=A2 Economic incentive diminishes as sunset nears, stolen coins ca= nnot be=20 >> spent after Q-day. >> >> Key Insight: As mentioned earlier, the proposal turns quantum security= =20 >> into a private incentive to upgrade. =20 >> >> This is not an offensive attack, rather, it is defensive: our thesis is= =20 >> that the Bitcoin ecosystem wishes to defend itself and its interests=20 >> against those who would prefer to do nothing and allow a malicious actor= to=20 >> destroy both value and trust. =20 >> >> >> "Lost coins only make everyone else's coins worth slightly more. Think o= f=20 >>> it as a donation to everyone." - Satoshi Nakamoto >> >> >> If true, the corollary is: >> >> >> "Quantum recovered coins only make everyone else's coins worth less.=20 >>> Think of it as a theft from everyone." >> >> >> The timelines that we are proposing are meant to find the best balance= =20 >> between giving ample ability for account owners to migrate while=20 >> maintaining the integrity of the overall ecosystem to avoid catastrophic= =20 >> attacks. =20 >> >> Backward Compatibility >> >> As a series of soft forks, older nodes will continue to operate without= =20 >> modification. Non-upgraded nodes, however, will consider all post-quantu= m=20 >> witness programs as anyone-can-spend scripts. They are strongly encourag= ed=20 >> to upgrade in order to fully validate the new programs. >> >> Non-upgraded wallets can receive and send bitcoin from non-upgraded and= =20 >> upgraded wallets until Phase A. After Phase A, they can no longer receiv= e=20 >> from any other wallets and can only send to upgraded wallets. After Pha= se=20 >> B, both senders and receivers will require upgraded wallets. Phase C wou= ld=20 >> likely require a loosening of consensus rules (a hard fork) to allow=20 >> vulnerable funds recovery via ZK proofs. >> > --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= 4d9ce13e-466d-478b-ab4d-00404c80d620n%40googlegroups.com. ------=_Part_411051_711094452.1752458860757 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Jameson,

Thanks for your thoughts on this complex subject.
First and foremost, I think your following statement: "Never befor= e has Bitcoin faced
an existential threat to its cryptographic primiti= ves" is very myopic, given that
cryptanalysts and number theorists are= making progress every year in their works, and
each bitcoin cryptogra= phic primitive has been and is constantly analyzed to uncover
potentia= l weaknesses.

So in my view the quantum threat is a bit less spe= cific that the image you're painting
of it. Even if go all to upgrade = to lattices-based schemes, we have no certainty that
novels flaws won'= t be found, one can just go to see the modifications of the NIST-approvedschemes in between their rounds of selection that we'll never reach som= ething like
"self-sovereign peace of mind"...Unless we start to forbid= people of practicing the
art of mathematics, practice which has been = ongoing since Euclide and Pythagore...

I do concede that quantum= is a bit different, as after all new physics paradigm
do not happen o= ften (Heisenberg published in the 20s iirc), though that's in my
view = the flaw of your reasoning as you're assuming some "post-quantum" upgraded<= br />state where bitcoin, as a community and a network, would be definitely= safe from
advances in applied science. At minima, in my understanding= , you're arguing this
time is different to justify extra-ordinary tech= nical measures never seen before,
namely the freezing of "vulnerable" = coins.

I'm worried this is opening a Pandora box, where we would= introduce a precedent
that it is legitimate as a community to technic= aly confiscate some coins of users,
without their _consents_, for ext= ra-ordinary reasons. That's opening a worms of
shenanigans in the futu= re...There is no guarantee that this precedent won't
be leveraged in t= he future by any group of entities to justify future upgrades
eroding = one of the "fundamental property" you're yourself deeming as valuable.

This is especially worrying as if I'm understanding you correctly yo= u're justifying
this position as that somehow we should protect the pr= ice of the currency as an end
in itself (i.e "Beyond its impact on pri= ce, ..."). It's unclear the price of bitcoin
versus what fiat or hard = asset (e.g oil) you have in mind. And in anyway, as far
as I know, non= e of the bitcoin devs is seating on the board of the FED, the ECB
or t= he BoJ...

To put it simply, even if a quantum attacker can tomor= row starts to steal
vulnerable coins, 1 BTC will be always equal to 1 = BTC. Full stop. In my humble
opinion, let's not introduce the idea tha= t, we, as a community of stakeholders
and developers we have a positiv= e "fiduciary" duty to act to maintain the price
of bitcoin in some "mo= netary snake" with another class of assets...

That's also the pr= oblem with game theory, all the matrices of analysis are
based on some= scale of utilitarism. See Von Neuman's Theory of Games, the
section o= n "The Notion of Utility". My subjective appreciation of the value
of = my coins might not be your subjective appreication of the value of your
coins.

Now I do understand the perspective of the institutiona= l holders, the exchanges,
the custodians or any other industry provide= rs, who might be in the full uncertainty
about their business responsi= bilities in case of a quantum threat affecting their
custodied coins. = But, first legally speaking there is something call "force majeure"
an= d in view of the quantum threat, which is a risk discussed far beyond the b= itcoin
industry, they should be able to shield themselves behind that.= Secondly, if there
is any futute upgrade "opt-in" only path a la BIP3= 60, you can move your funds or
the ones under custody =C2=A0under a PQ= C scheme like Dilthium or Falcon and be good
without caring about what= the others users are doing. Thirdly, if you're an actor
in the indust= ry like Coinbase and you're deeply concerned about how extended maelstromon the price might affect the viability of your operations, it is uncle= ar to me why
you don't call MunichRe or any other company like that to= morrow to craft and be
covered by specific insurance on quantum threat= s...

To be frank, all those considerations on how "I cannot see = how the currency can
maintain any value at all in such a setting", is = a strong red flag of low time
preferences. It's not like we're used to= strong volatility in bitcoin with the
almost 2 decades of operations = of the network. In my view, it's more a hint of
very high-exposition b= y some to a single class of asset, i.e bitcoin, rather than wise
diver= sification... And a push to sacrify a "fundamental property" i.e "conservat= ism"
in view of short-term concerns (i.e the stability of the currency= price along
a period of few years).

Do not get me wrong, I= 'm certainly not of the school "let's reward quantum
attackers". Lever= aging techical superiority and employing CRQRC to steal
vulnerable coi= ns would be clearly a theft. But ethically, the best we can do is
to h= ave an opt-in upgrade path and be pro-active, by education and outreach,to have the maximum of coin owners upgrading to non-vulnerable addresses= types.
Then show the level of "fortitude" or "endurance" as a communi= ty in face of price
fluctuations for a while, while seeing regularly o= ld P2PK coins hacked. Marcus
Aurelius can be bought for few bucks in m= ost of decent libraries...

I'm definitely on the "no old coins c= onfiscation" position you're underlighting:

"I don't see why old= coins should be confiscated. The better option is to let
those with q= uantum computers free up old coins. While this might have an
inflation= ary impact on bitcoin's price, to use a turn of phrase, the inflation
= is transitory. Those with low time preference should support returning lost=
coins to circulation".

Notwhitstanding that I disagree wit= h your position, one can only appreciate
the breadth and depth with wh= ich you're gathering and articulating all the
elements on this complex= problem.

Best,
Antoine
OTS hash: c064b43047bf3036faf0= 98b5ac8e74930df63d25629f590a4195222979402826
Le lundi 14 juillet 2025 =C3=A0 00= :53:34 UTC+1, Tadge Dryja a =C3=A9crit=C2=A0:
Hi =C2=A0

While I generally agre= e that "freeze" beats "steal", and that a lot of lead t= ime is good, I don't think this plan is viable.
To me the biggest pr= oblem is that it ties activation of a PQ output type to *de*activation of E= C output types. =C2=A0That would mean that someone who wants to keep using = all the great stuff in libsecp256k1 should try to prevent BIP360 from being= activated.

Sure, there can be risks from CRQCs. =C2=A0But this prop= osal would go the other direction, disabling important functionality and ev= en destroying coins preemptively, in anticipation of something that may nev= er happen.

Also, how do you define "quantum-vulnerable UTXO&quo= t;? =C2=A0Would any P2PKH, or P2WPKH output count? =C2=A0Or only P2PKH / P2= WPKH outputs where the public key is already known? =C2=A0I can understand = disabling spends from known-pubkey outputs, but for addresses where the pub= lic key has never been revealed, commit/reveal schemes (like the one I post= ed about & am working on a follow-up post for) should safely let people= spend from those outputs indefinitely.

With no evidence of a QRQC, = I can see how there would be people who'd say "We might never real= ly know if a CRQC exists, so we need to disable EC spends out of caution&qu= ot; and others who'd say "Don't disable EC spends, since that&= #39;s destroying coins", and that could be a persistent disagreement. = =C2=A0But I hope if we did in fact have a proof that a CRQC has broken secp= 256k1, there would be significant agreement on freezing known-pubkey EC out= puts.

-Tadge
On Saturday, July 12, 2025 at 8:46:09=E2=80= =AFPM UTC-4 Jameson Lopp wrote:

Building upon my earlier essay against allowing quantum recovery of bitcoin I wish to formalize a proposal after several months of d= iscussions.

This proposal does not delve into the multitude of i= ssues regarding post quantum cryptography and trade-offs of different schem= es, but rather is meant to specifically address the issues of incentivizing= adoption and migration of funds after consensus is established that it is prudent to do so.

=

As such, this proposal= requires P2QRH as described in BIP-360 or potential future proposals.

Abstract

This proposal follows= the implementation of post-quantum (PQ) output type (P2QRH) and introduces= a pre-announced sunset of legacy ECDSA/Schnorr signatures. It turns quantu= m security into a private incentive: fail to upgrade and you will certainly lose access to you= r funds, creating a certainty where none previously existed.=C2=A0

  • Phase A: Disallows sendi= ng of any funds to quantum-vulnerable addresses, hastening the adoption of = P2QRH address types.

  • Phase B: Renders ECDSA/Schnorr spends= invalid, preventing all spending of funds in quantum-vulnerable UTXOs. Thi= s is triggered by a well-publicized flag-day roughly five years after activ= ation.

  • Phase C= (optional): Pending further research and de= mand, a separate BIP proposing a fork to allow recovery of legacy UTXOs thr= ough ZK proof of possession of BIP-39 seed phrase.=C2=A0=C2=A0

Motivation

We seek to secure the value of the UTXO set and minimize incentives for qua= ntum attacks. This proposal is radically different from any in Bitcoin=E2= =80=99s history just as the threat posed by quantum computing is radically = different from any other threat in Bitcoin=E2=80=99s history.=C2=A0 Never b= efore has Bitcoin faced an existential threat to its cryptographic primitiv= es. A successful quantum attack on Bitcoin would result in significant econ= omic disruption and damage across the entire ecosystem. Beyond its impact o= n price, the ability of miners to provide network security may be significa= ntly impacted.=C2=A0=C2=A0

  • Accelerating quan= tum progress.=C2=A0

    • NIST = ratified three production-grade PQ signature schemes in 2024; academic road= -maps now estimate a cryptographically-relevant quantum computer as early a= s 2027-2030. [McKinsey]

    =
  • =

    Quantum al= gorithms are rapidly improving

    • The sa= fety envelope is shrinking by dramatic increases in algorithms even if the = pace of hardware improvements is slower. Algorithms are improving up to 20X, lowering the= theoretical hardware requirements for breaking classical encryption.

  • <= p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt" r= ole=3D"presentation">Bitcoin=E2=80= =99s exposed public keys.=C2=A0

    • Roughly 25% of all bitcoin have revealed a public key on-chain; thos= e UTXOs could be stolen with sufficient quantum power.=C2=A0=C2=A0

  • We may not know the attack is underway.=C2=A0

    • Quantum attackers could compute the private key for known publ= ic keys then transfer all funds weeks or months later, in a covert bleed to= not alert chain watchers. Q-Day may be only known much later if the attack= withholds broadcasting transactions in order to postpone revealing their c= apabilities.

  • Private keys become public.=C2=A0

    • Assuming that quantum computers are able to maintain their cu= rrent trajectories and overcome existing engineering obstacles, there is a = near certain chance that all P2PK (and other outputs with exposed pubkeys) = private keys will be found and used to steal the funds.

    • Impossible to know motivatio= ns.=C2=A0

        • <= p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt" r= ole=3D"presentation">Prior to a qua= ntum attack, it is impossible to know the motivations of the attacker.=C2= =A0 An economically motivated attacker will try to remain undetected for as= long as possible, while a malicious attacker will attempt to destroy as mu= ch value as possible.=C2=A0=C2=A0

    • Upgrade inertia.=C2= =A0

      • Coordinating wallets, exchanges, miners and custo= dians historically takes years.

      • <= span style=3D"font-size:11pt;background-color:transparent;font-variant-nume= ric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;ve= rtical-align:baseline">The longer we postpone migration, the harder it beco= mes to coordinate wallets, exchanges, miners, and custodians. A clear, time= -boxed pathway is the only credible defense.

      • Coordinating distributed groups is mor= e prone to delay, even if everyone has similar motivations. Historically, B= itcoin has been slow to adopt code changes, often taking multiple years to = be approved.

    Bene= fits at a Glance

      =

    • Resilience: Bitcoin protocol remains secure for the f= oreseeable future without waiting for a last-minute emergency.

    • Certainty: Bitcoin users and stakeholders gain cert= ainty that a plan is both in place and being implemented to effectively dea= l with the threat of quantum theft of bitcoin.=C2=A0=C2=A0

      • <= li dir=3D"ltr" style=3D"list-style-type:disc;font-size:11pt;font-family:Ari= al,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-nu= meric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;= vertical-align:baseline;white-space:pre">

      Clarity: A single, publicized timeline aligns the entir= e ecosystem (wallets, exchanges, hardware vendors).

    • Supply Discipline: Abandoned keys that never migrate become = unspendable, reducing supply, as Satoshi describe= d.=C2=A0=C2=A0

    Specification

    <= col width=3D"224"><= tr style=3D"height:0pt">

    Phase

    What Happens

    Who Must Act

    Time Horizon

    Phase A - Disallow spends to legacy script types=

    Permi= tted sends are from legacy scripts to P2QRH scripts

    Ever= yone holding or accepting BTC.

    3 years after BIP-360 i= mplementation

    Phase B =E2=80=93= Disallow spends from quantum vulnerable outputs<= /p>

    At a p= reset block-height, nodes reject transactions that rely on ECDSA/Schnorr ke= ys.=C2=A0

    		<= p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt"><= span style=3D"font-size:10pt;font-family:"Courier New",monospace;= color:rgb(0,0,0);background-color:transparent;font-style:italic;font-varian= t-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:nor= mal;vertical-align:baseline">Everyone holding or accepti= ng BTC.

    2 years after Phase A activation.

    Phase C =E2=80=93 Re-enable spends from quan= tum vulnerable outputs via ZK Proof

    Users with frozen quantum vulnerable f= unds and a HD wallet seed phrase can construct a quantum safe ZK proof to r= ecover funds.

    Users who failed to migrate funds before Phase B.

    =

    TBD pend= ing research, demand, and consensus.

    Rationale

    • Even if Bitcoin is not a primary initial target of a cryptographically = relevant quantum computer, widespread knowledge that such a computer exists= and is capable of breaking Bitcoin=E2=80=99s cryptography will damage fait= h in the network .=C2=A0

    • An attack on Bitcoin may not be economically motivated - an a= ttacker may be politically or maliciously motivated and may attempt to dest= roy value and trust in Bitcoin rather than extract value.=C2=A0 There is no= way to know in advance how, when, or why an attack may occur.=C2=A0 A defe= nsive position must be taken well in advance of any attack.=C2=A0=C2=A0

    • Bitcoin=E2=80= =99s current signatures (ECDSA/Schnorr) will be a tantalizing target: any U= TXO that has ever exposed its public key on-chain (roughly 25 % of all bitc= oin) could be stolen by a cryptographically relevant quantum computer.

    • Existing Proposals are Insufficient.= =C2= =A0=C2=A0

        • Any proposal that allo= ws for the quantum theft of =E2=80=9Clost=E2=80=9D bitcoin is creating a re= distribution dilemma. There are 3 types of proposals:

        1. Allow anyone to steal vulnerable coins, benefitting t= hose who reach quantum capability earliest.

        2. Allow throttled theft of coins, w= hich leads to RBF battles and ultimately miners subsidizing their revenue f= rom lost coins.

        3. Allow no one to steal vulnerable coins.

      1. Minimiz= es attack surface

        1. By disallowing= new spends to quantum vulnerable script types, we minimize the attack surf= ace with each new UTXO.=C2=A0=C2=A0

        2. Upgrades to Bitcoin have historically taken= many years; this will hasten and speed up the adoption of new quantum resi= stant script types.=C2=A0

        3. With a clear deadline, industry stakeholders will mor= e readily upgrade existing infrastructure to ensure continuity of services.= =C2=A0=C2=A0

      2. <= span style=3D"font-size:11pt;background-color:transparent;font-variant-nume= ric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;ve= rtical-align:baseline">Minimizes loss of access to funds=C2=A0

        1. If there is sufficient demand and research = proves possible, submitting a ZK proof of knowledge of a BIP-39 seed phrase= corresponding to a public key hash or script hash would provide a trustle= ss means for legacy outputs to be spent in a quantum resistant manner, even= after the sunset.=C2=A0=C2=A0


    Stakeholder

    Incent= ive to Upgrade

    Miners<= /span>

    = =E2=80=A2 Larger size PQ signatures along with incentive for users to migra= te will create more demand for block space and thus higher fees collected b= y miners.

    =E2=80=A2 Post-Phase B, non-upgraded miners= produce invalid blocks.

    =E2=80=A2 A quantum attack o= n Bitcoin will significantly devalue both their hardware and Bitcoin as a w= hole.=C2=A0

    Institutional H= olders

    =E2=80=A2 Fiduciary duty: failing to act to prevent a quantum attack = on Bitcoin would violate the fiduciary duty to shareholders.=C2=A0=C2=A0

    =E2=80=A2 Demonstrating Bitcoin=E2=80=99s ability to ef= fectively mitigate emerging threats will prove Bitcoin to be an investment = grade asset.

    Exchanges &= ; Custodians

    		<= p dir=3D"ltr" style=3D"line-height:1.38;margin-top:0pt;margin-bottom:0pt"><= span style=3D"font-size:11pt;font-family:"Courier New",monospace;= color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;f= ont-variant-east-asian:normal;font-variant-alternates:normal;vertical-align= :baseline">=E2=80=A2 Concentrated risk: a quantum hack could bankrupt them = overnight.

    =E2=80=A2 Early migration is cheap relativ= e to potential losses, potential lawsuits over improper custody and reputat= ional damage.

    Everyday User= s

    =E2=80=A2 Self-sovereign peace of mind.

    =E2=80=A2 Su= nset date creates a clear deadline and incentive to improve their security = rather than an open-ended =E2=80=9Csome day=E2=80=9D that invites procrasti= nation.

    Attackers

    =E2=80= =A2 Economic incentive diminishes as sunset nears, stolen coins cannot be s= pent after Q-day.

    Key Insight: As mentio= ned earlier, the proposal turns quantum security into a private incentive to upgrade.=C2=A0= =C2=A0

    This is not an offensive attack, rather, it is= defensive: our thesis is that the Bitcoin ecosystem wishes to defend itsel= f and its interests against those who would prefer to do nothing and allow = a malicious actor to destroy both value and trust.=C2=A0=C2=A0


    =

    "Lost coins only make eve= ryone else's coins worth slightly more. Think of it as a donation to ev= eryone." - Satoshi Nakamoto

    If true= , the corollary is:


    The timelines that we are proposing are meant to find the best bal= ance between giving ample ability for account owners to migrate while maint= aining the integrity of the overall ecosystem to avoid catastrophic attacks= .=C2=A0=C2=A0


    Backward Compatibility

    As a series of soft forks, older nodes will continue to operat= e without modification. Non-upgraded nodes, however, will consider all post= -quantum witness programs as anyone-can-spend scripts. They are strongly en= couraged to upgrade in order to fully validate the new programs.

    =

    Non-upgraded wallets can receive and send bitcoin from non-= upgraded and upgraded wallets until Phase A. After Phase A, they can no lon= ger receive from any other wallets and can only send to upgraded wallets.= =C2=A0 After Phase B, both senders and receivers will require upgraded wall= ets.=C2=A0Phase C would likely require a loosening of consensus rules (a ha= rd fork) to allow vulnerable funds recovery via ZK proofs.

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoind= ev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoind= ev/4d9ce13e-466d-478b-ab4d-00404c80d620n%40googlegroups.com.
------=_Part_411051_711094452.1752458860757-- ------=_Part_411050_1470926048.1752458860757--