From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Tue, 15 Jul 2025 04:37:31 -0700 Received: from mail-yw1-f187.google.com ([209.85.128.187]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1ubdyS-0002nb-Se for bitcoindev@gnusha.org; Tue, 15 Jul 2025 04:37:31 -0700 Received: by mail-yw1-f187.google.com with SMTP id 00721157ae682-710e75f9229sf79358667b3.2 for ; Tue, 15 Jul 2025 04:37:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1752579443; x=1753184243; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-sender:mime-version :subject:references:in-reply-to:message-id:to:from:date:sender:from :to:cc:subject:date:message-id:reply-to; bh=QALUM2hGhrjUykFQ9sPzWH4a0227F6OARHdOi4H3xHY=; b=lNcT91tny4JdnJC/FMGMxsHznr1B/u39GHbNIb0qGI+R8hDcmgZHuJCCDAQxTiWTJs De4JqoA1DGrLyKY9CLAdNeKDX9pFMV0sd4DB7x4lgp44ZcWTP2IM7h9eHRJrmduT4BsD DDUyN9SMhLfUI6WNM72t37oPYS2nHFB5UlUTD7ytnsNB35FFHffBSMsAa5N1ZIvyrQBW Bxd2gbOmZD98vbW8MwDt7IwEGWPk7Oh8kWHVPvkHBLsXpFv+GXQ3l/YGj5uwtBjJqT0P FC/bvlODTJd0TiK60P5BkfZYX7hDi5GTQetNHSnx3Db2dKhC3tkB8739WKNnzpMh2Zj/ hRxw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1752579443; x=1753184243; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-sender:mime-version :subject:references:in-reply-to:message-id:to:from:date:from:to:cc :subject:date:message-id:reply-to; bh=QALUM2hGhrjUykFQ9sPzWH4a0227F6OARHdOi4H3xHY=; b=TmsxjfVBpguB4xxUdEvHG4BVbnpp6v91nRSCobX0X8WWXr9BwOXT1aFk0YeKw7YnRz UMIHzAdOrQOhjWj2qHMRmeiDa5EZcFh6831DyWTqPGdq5s9i9u4BTafe77+YcAProt5s Kvil7HdGjTkUyFlUJGL8aC4FxShcSeVEqY4wF3FUmFZpLbdTFAfmvnPvokElxXbhHyCD td7H24CdhpSyhGb+FOt2PN1F+TWsR0JqbI79GPLhM3qTJsbsLD3V0FYR8jsNDN0Hzlpj hp6CJfg9idrnKtLe+pRWtDvk76Uj6SsfzTFXv0oZpPiPJhwhy4q0sz58lJ9P5NIrSkjD ZoSg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752579443; x=1753184243; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-sender:mime-version :subject:references:in-reply-to:message-id:to:from:date:x-beenthere :x-gm-message-state:sender:from:to:cc:subject:date:message-id :reply-to; bh=QALUM2hGhrjUykFQ9sPzWH4a0227F6OARHdOi4H3xHY=; b=mMf8+03JI+eC3xqqzuJ47k1G3s7R5xKcWmZDIn9ooiERMkRyKnPpQPUg61mh/gZBwi qWi6b7JfISlEKM2psbEpY02xsrFBTW1nWLaa7/I7uG0Rx4T6wkAXKOotN+ZQAx6NNoje 0wVztDDDFBWLWy0Ji+Eq9x78gT9jywGmbTaz2yrR1nzKRvXHV3nf4JPbRLlJ4vyIEHgV +JgEi8GWY454rLjR6YFk3WeOxGU9gSG823Boxz5611hp7A0GbC3yz8cABVX0ksRF4KBv J6yAj7GskaEM+jbwVlIU/r0tdTjHIhdhCR8v6XGPuoa5id3coZgyclGnGFh3jcRCke1A vIVw== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=1; AJvYcCXvD3t7+ZzuKIQQ9BkVbtVWgwu5ABxyKTSFqKDko5MNdav/mYaQW3gQbmkMyE44Gb7l0R+mbz9hi7pm@gnusha.org X-Gm-Message-State: AOJu0YzlAxyPKJBCHr6R77d6YM7w1xzf/F345rZhnZ16g2FME0K1hiM1 +ZSbdCU9htyxwEDlk5d5E9PqicXsz9kYmJuDnsY+Ju3RsruMB7Ths9kR X-Google-Smtp-Source: AGHT+IFFus2HR4dXMVVujuYoy2RBgkueAiM24AKWsu/JrIHJ1mgKPKGWLChRDQdtKa2kBLy93JFa0Q== X-Received: by 2002:a05:6902:6d01:b0:e8b:62dd:e8b0 with SMTP id 3f1490d57ef6-e8b85c35307mr12407594276.35.1752579442541; Tue, 15 Jul 2025 04:37:22 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com; h=AZMbMZdICQ9tN6P+nRE/uKx/Lj9NWyzS86FdR/RJOJkSroZ38w== Received: by 2002:a25:c1c5:0:b0:e82:307f:5561 with SMTP id 3f1490d57ef6-e8b7795f27bls5533143276.2.-pod-prod-06-us; Tue, 15 Jul 2025 04:37:18 -0700 (PDT) X-Received: by 2002:a05:690c:7092:b0:6ef:6d61:c254 with SMTP id 00721157ae682-717d5e39b00mr225114787b3.38.1752579438278; Tue, 15 Jul 2025 04:37:18 -0700 (PDT) Received: by 2002:a05:690c:2f05:b0:710:f35d:a3b2 with SMTP id 00721157ae682-71801389965ms7b3; Mon, 14 Jul 2025 19:50:57 -0700 (PDT) X-Received: by 2002:a05:690c:380b:b0:70f:8883:ce60 with SMTP id 00721157ae682-717d5df1253mr245746307b3.26.1752547856055; Mon, 14 Jul 2025 19:50:56 -0700 (PDT) Date: Mon, 14 Jul 2025 19:50:55 -0700 (PDT) From: Boris Nagaev To: Bitcoin Development Mailing List Message-Id: <6bb6953c-7784-4bd9-b271-ba5dc88b84b1n@googlegroups.com> In-Reply-To: References: <37ed2e5d-34cd-4391-84b8-5bcc6d42c617n@googlegroups.com> <4d9ce13e-466d-478b-ab4d-00404c80d620n@googlegroups.com> Subject: Re: [bitcoindev] Re: A Post Quantum Migration Proposal MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_Part_255736_1315472411.1752547855637" X-Original-Sender: bnagaev@gmail.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.5 (/) ------=_Part_255736_1315472411.1752547855637 Content-Type: multipart/alternative; boundary="----=_Part_255737_1954571789.1752547855637" ------=_Part_255737_1954571789.1752547855637 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Monday, July 14, 2025 at 4:06:17=E2=80=AFPM UTC-3 Ethan Heilman wrote: I want to clarify two points: > Even if go all to upgrade to lattices-based schemes, we have no certainty= =20 that novels flaws won't be found, one can just go to see the modifications= =20 of the NIST-approved schemes in between their rounds of selection that=20 we'll never reach something like "self-sovereign peace of mind"... The informational proposal for post-quantum signatures in BIP-360 has one= =20 lattice-based scheme and one hash-based scheme (SLH-DSA SPHINCS+). The=20 intention of including a hash-based scheme is to ensure that there will=20 always be at least one signature scheme in Bitcoin that is secure.=20 Cryptographic hashes are considered one of the safest assumptions possible= =20 and are used throughout Bitcoin (merkle tree, PoW, TXID, etc...). Using P2QRH + SLH_DSA, you can have: - a tapleaf for SLH-DSA=20 - and a tapleaf for a more efficient signature scheme (ML-DSA, Schnorr,=20 whatever) Then no matter what happens to any of the other signature schemes, you can= =20 use that SLH-DSA tapleaf to spend safely. This strategy isn't just about=20 quantum resistance but protecting against unexpected cryptanalytic=20 breakthroughs. If I wanted to store Bitcoins in cold storage for 100 years,= =20 this is how I would do it. > This is especially worrying as if I'm understanding you correctly you're= =20 justifying this position as that somehow we should protect the price of the= =20 currency as an end in itself (i.e "Beyond its impact on price, ..."). It's= =20 unclear the price of bitcoin versus what fiat or hard asset (e.g oil) you= =20 have in mind. [...] To put it simply, even if a quantum attacker can=20 tomorrow starts to steal vulnerable coins, 1 BTC will be always equal to 1= =20 BTC. Full stop. I can't speak for Jameson, but let me put forward my own concern. If miners= =20 can buy much less electricity for 1-BTC this is a major problem for=20 Bitcoin. If the price of electricity denominated in Bitcoin goes way up,=20 miners will have to mine at a massive loss. Many will stop mining, then the= =20 block rate will go down and Bitcoin will appear to be less valuable (high= =20 fees, slow confirmation, panic), which makes mining even more of a loss,=20 and so on. This also invites miners who have nothing left to lose to engage= =20 in mining attacks. One reason I believe a soft fork to freeze quantum vulnerable coins is=20 likely, is that miners will be incentivized to mine on such a soft fork.=20 The non-frozen chain will simply not be affordable to mine on and will be= =20 abandoned. In the moment of crisis, all someone has to do is create a=20 client that does a soft fork freeze of quantum vulnerable coins and=20 the miner will have no choice but to adopt it or stop mining. The worst=20 time to do a soft fork like this would be in a moment of crisis. The original chain, where P2PK coins are not frozen, could actually=20 generate significant fees for miners -- especially if multiple parties with= =20 quantum computers are competing to claim the same outputs. While the price= =20 of 1 BTC on that chain might be lower, miners' profits (measured in dollars= =20 or in electricity) could still be higher. As a result, miners may be=20 incentivized to switch to that chain in order to collect a cut of P2PK=20 coins. However, the more important factor is where holders choose to go. There=20 will be a market to trade coins between the original chain and the fork=20 that implements freezing. Everyone who held satoshis prior to the fork will= =20 have an equal number of satoshis on both chains, and each individual will= =20 decide which to keep and which to convert on the market. The market will=20 ultimately answer the question: what matters more -- preventing private=20 theft via quantum computers, or preventing organized confiscation through= =20 consensus rules? =20 Note that such a death spiral and the incentives for a soft fork are=20 possible prior to quantum attacks on Bitcoin. Merely the threat of quantum= =20 attacks and the widespread belief that Bitcoin will not freeze unspendable= =20 coins and thereby inflate the supply of spendable bitcoin. Eventually, facts, not fears, are what matter. If quantum attacks do not=20 materialize, someone could buy discounted bitcoins and profit later when,= =20 after several years, the attacks still haven't occurred. =20 On Mon, Jul 14, 2025 at 10:09=E2=80=AFAM Antoine Riard wrote: Hi Jameson, Thanks for your thoughts on this complex subject. First and foremost, I think your following statement: "Never before has=20 Bitcoin faced an existential threat to its cryptographic primitives" is very myopic,=20 given that cryptanalysts and number theorists are making progress every year in their= =20 works, and each bitcoin cryptographic primitive has been and is constantly analyzed to= =20 uncover potential weaknesses. So in my view the quantum threat is a bit less specific that the image=20 you're painting of it. Even if go all to upgrade to lattices-based schemes, we have no=20 certainty that novels flaws won't be found, one can just go to see the modifications of=20 the NIST-approved schemes in between their rounds of selection that we'll never reach=20 something like "self-sovereign peace of mind"...Unless we start to forbid people of=20 practicing the art of mathematics, practice which has been ongoing since Euclide and=20 Pythagore... I do concede that quantum is a bit different, as after all new physics=20 paradigm do not happen often (Heisenberg published in the 20s iirc), though that's= =20 in my view the flaw of your reasoning as you're assuming some "post-quantum"=20 upgraded state where bitcoin, as a community and a network, would be definitely safe= =20 from advances in applied science. At minima, in my understanding, you're arguing= =20 this time is different to justify extra-ordinary technical measures never seen= =20 before, namely the freezing of "vulnerable" coins. I'm worried this is opening a Pandora box, where we would introduce a=20 precedent that it is legitimate as a community to technicaly confiscate some coins of= =20 users,=20 without their _consents_, for extra-ordinary reasons. That's opening a=20 worms of shenanigans in the future...There is no guarantee that this precedent won't be leveraged in the future by any group of entities to justify future=20 upgrades eroding one of the "fundamental property" you're yourself deeming as=20 valuable. This is especially worrying as if I'm understanding you correctly you're=20 justifying this position as that somehow we should protect the price of the currency= =20 as an end in itself (i.e "Beyond its impact on price, ..."). It's unclear the price= =20 of bitcoin versus what fiat or hard asset (e.g oil) you have in mind. And in anyway,= =20 as far as I know, none of the bitcoin devs is seating on the board of the FED, the= =20 ECB or the BoJ... To put it simply, even if a quantum attacker can tomorrow starts to steal vulnerable coins, 1 BTC will be always equal to 1 BTC. Full stop. In my=20 humble opinion, let's not introduce the idea that, we, as a community of=20 stakeholders and developers we have a positive "fiduciary" duty to act to maintain the= =20 price of bitcoin in some "monetary snake" with another class of assets... That's also the problem with game theory, all the matrices of analysis are based on some scale of utilitarism. See Von Neuman's Theory of Games, the section on "The Notion of Utility". My subjective appreciation of the value of my coins might not be your subjective appreication of the value of your coins. Now I do understand the perspective of the institutional holders, the=20 exchanges, the custodians or any other industry providers, who might be in the full=20 uncertainty about their business responsibilities in case of a quantum threat affecting= =20 their custodied coins. But, first legally speaking there is something call "force= =20 majeure" and in view of the quantum threat, which is a risk discussed far beyond the= =20 bitcoin industry, they should be able to shield themselves behind that. Secondly,= =20 if there is any futute upgrade "opt-in" only path a la BIP360, you can move your=20 funds or the ones under custody under a PQC scheme like Dilthium or Falcon and be= =20 good without caring about what the others users are doing. Thirdly, if you're an= =20 actor in the industry like Coinbase and you're deeply concerned about how=20 extended maelstrom on the price might affect the viability of your operations, it is unclear= =20 to me why you don't call MunichRe or any other company like that tomorrow to craft=20 and be covered by specific insurance on quantum threats... To be frank, all those considerations on how "I cannot see how the currency= =20 can maintain any value at all in such a setting", is a strong red flag of low= =20 time preferences. It's not like we're used to strong volatility in bitcoin with= =20 the almost 2 decades of operations of the network. In my view, it's more a hint= =20 of very high-exposition by some to a single class of asset, i.e bitcoin,=20 rather than wise diversification... And a push to sacrify a "fundamental property" i.e=20 "conservatism" in view of short-term concerns (i.e the stability of the currency price=20 along a period of few years). Do not get me wrong, I'm certainly not of the school "let's reward quantum attackers". Leveraging techical superiority and employing CRQRC to steal vulnerable coins would be clearly a theft. But ethically, the best we can= =20 do is to have an opt-in upgrade path and be pro-active, by education and outreach= , to have the maximum of coin owners upgrading to non-vulnerable addresses=20 types. Then show the level of "fortitude" or "endurance" as a community in face of= =20 price fluctuations for a while, while seeing regularly old P2PK coins hacked.=20 Marcus Aurelius can be bought for few bucks in most of decent libraries... I'm definitely on the "no old coins confiscation" position you're=20 underlighting: "I don't see why old coins should be confiscated. The better option is to= =20 let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the=20 inflation is transitory. Those with low time preference should support returning lost coins to circulation". Notwhitstanding that I disagree with your position, one can only appreciate the breadth and depth with which you're gathering and articulating all the elements on this complex problem. Best, Antoine OTS hash: c064b43047bf3036faf098b5ac8e74930df63d25629f590a4195222979402826 Le lundi 14 juillet 2025 =C3=A0 00:53:34 UTC+1, Tadge Dryja a =C3=A9crit : Hi =20 While I generally agree that "freeze" beats "steal", and that a lot of lead= =20 time is good, I don't think this plan is viable. To me the biggest problem is that it ties activation of a PQ output type to= =20 *de*activation of EC output types. That would mean that someone who wants= =20 to keep using all the great stuff in libsecp256k1 should try to prevent=20 BIP360 from being activated. Sure, there can be risks from CRQCs. But this proposal would go the other= =20 direction, disabling important functionality and even destroying coins=20 preemptively, in anticipation of something that may never happen. Also, how do you define "quantum-vulnerable UTXO"? Would any P2PKH, or=20 P2WPKH output count? Or only P2PKH / P2WPKH outputs where the public key= =20 is already known? I can understand disabling spends from known-pubkey=20 outputs, but for addresses where the public key has never been revealed,=20 commit/reveal schemes (like the one I posted about & am working on a=20 follow-up post for) should safely let people spend from those outputs=20 indefinitely. With no evidence of a QRQC, I can see how there would be people who'd say= =20 "We might never really know if a CRQC exists, so we need to disable EC=20 spends out of caution" and others who'd say "Don't disable EC spends, since= =20 that's destroying coins", and that could be a persistent disagreement. But= =20 I hope if we did in fact have a proof that a CRQC has broken secp256k1,=20 there would be significant agreement on freezing known-pubkey EC outputs. -Tadge On Saturday, July 12, 2025 at 8:46:09=E2=80=AFPM UTC-4 Jameson Lopp wrote: Building upon my earlier essay against allowing quantum recovery of bitcoin= =20 I=20 wish to formalize a proposal after several months of discussions. This proposal does not delve into the multitude of issues regarding post=20 quantum cryptography and trade-offs of different schemes, but rather is=20 meant to specifically address the issues of incentivizing adoption and=20 migration of funds *after* consensus is established that it is prudent to= =20 do so. As such, this proposal requires P2QRH as described in BIP-360 or potential= =20 future proposals. Abstract This proposal follows the implementation of post-quantum (PQ) output type= =20 (P2QRH) and introduces a pre-announced sunset of legacy ECDSA/Schnorr=20 signatures. It turns quantum security into a private incentive: fail to=20 upgrade and you will certainly lose access to your funds, creating a=20 certainty where none previously existed.=20 -=20 =20 Phase A: Disallows sending of any funds to quantum-vulnerable addresses,= =20 hastening the adoption of P2QRH address types. -=20 =20 Phase B: Renders ECDSA/Schnorr spends invalid, preventing all spending= =20 of funds in quantum-vulnerable UTXOs. This is triggered by a=20 well-publicized flag-day roughly five years after activation. -=20 =20 Phase C (optional): Pending further research and demand, a separate BIP= =20 proposing a fork to allow recovery of legacy UTXOs through ZK proof of= =20 possession of BIP-39 seed phrase. =20 =20 Motivation We seek to secure the value of the UTXO set and minimize incentives for=20 quantum attacks. This proposal is radically different from any in Bitcoin= =E2=80=99s=20 history just as the threat posed by quantum computing is radically=20 different from any other threat in Bitcoin=E2=80=99s history. Never before= has=20 Bitcoin faced an existential threat to its cryptographic primitives. A=20 successful quantum attack on Bitcoin would result in significant economic= =20 disruption and damage across the entire ecosystem. Beyond its impact on=20 price, the ability of miners to provide network security may be=20 significantly impacted. =20 -=20 =20 Accelerating quantum progress.=20 -=20 =20 NIST ratified three production-grade PQ signature schemes in 2024;=20 academic road-maps now estimate a cryptographically-relevant quantum= =20 computer as early as 2027-2030. [McKinsey=20 ] -=20 =20 Quantum algorithms are rapidly improving -=20 =20 The safety envelope is shrinking by dramatic increases in algorithms= =20 even if the pace of hardware improvements is slower. Algorithms are i= mproving=20 up to 20X=20 ,=20 lowering the theoretical hardware requirements for breaking classical= =20 encryption. -=20 =20 Bitcoin=E2=80=99s exposed public keys.=20 -=20 =20 Roughly 25% of all bitcoin have revealed a public key on-chain; those= =20 UTXOs could be stolen with sufficient quantum power. =20 -=20 =20 We may not know the attack is underway.=20 -=20 =20 Quantum attackers could compute the private key for known public keys= =20 then transfer all funds weeks or months later, in a covert bleed to n= ot=20 alert chain watchers. Q-Day may be only known much later if the attac= k=20 withholds broadcasting transactions in order to postpone revealing th= eir=20 capabilities. -=20 =20 Private keys become public.=20 -=20 =20 Assuming that quantum computers are able to maintain their current=20 trajectories and overcome existing engineering obstacles, there is a = near=20 certain chance that all P2PK (and other outputs with exposed pubkeys)= =20 private keys will be found and used to steal the funds. -=20 =20 Impossible to know motivations.=20 -=20 =20 Prior to a quantum attack, it is impossible to know the motivations= =20 of the attacker. An economically motivated attacker will try to rema= in=20 undetected for as long as possible, while a malicious attacker will a= ttempt=20 to destroy as much value as possible. =20 -=20 =20 Upgrade inertia.=20 -=20 =20 Coordinating wallets, exchanges, miners and custodians historically= =20 takes years. -=20 =20 The longer we postpone migration, the harder it becomes to coordinate= =20 wallets, exchanges, miners, and custodians. A clear, time-boxed pathw= ay is=20 the only credible defense. -=20 =20 Coordinating distributed groups is more prone to delay, even if=20 everyone has similar motivations. Historically, Bitcoin has been slow= to=20 adopt code changes, often taking multiple years to be approved. =20 Benefits at a Glance =20 -=20 =20 Resilience: Bitcoin protocol remains secure for the foreseeable future= =20 without waiting for a last-minute emergency. -=20 =20 Certainty: Bitcoin users and stakeholders gain certainty that a plan is= =20 both in place and being implemented to effectively deal with the threat = of=20 quantum theft of bitcoin. =20 -=20 =20 Clarity: A single, publicized timeline aligns the entire ecosystem=20 (wallets, exchanges, hardware vendors). -=20 =20 Supply Discipline: Abandoned keys that never migrate become unspendable,= =20 reducing supply, as Satoshi described=20 . =20 =20 Specification Phase What Happens Who Must Act Time Horizon Phase A - Disallow spends to legacy script types Permitted sends are from legacy scripts to P2QRH scripts Everyone holding or accepting BTC. 3 years after BIP-360 implementation Phase B =E2=80=93 Disallow spends from quantum vulnerable outputs At a preset block-height, nodes reject transactions that rely on=20 ECDSA/Schnorr keys.=20 Everyone holding or accepting BTC. 2 years after Phase A activation. Phase C =E2=80=93 Re-enable spends from quantum vulnerable outputs via ZK P= roof Users with frozen quantum vulnerable funds and a HD wallet seed phrase can= =20 construct a quantum safe ZK proof to recover funds. Users who failed to migrate funds before Phase B. TBD pending research, demand, and consensus. Rationale =20 -=20 =20 Even if Bitcoin is not a primary initial target of a cryptographically= =20 relevant quantum computer, widespread knowledge that such a computer exi= sts=20 and is capable of breaking Bitcoin=E2=80=99s cryptography will damage fa= ith in the=20 network .=20 -=20 =20 An attack on Bitcoin may not be economically motivated - an attacker may= =20 be politically or maliciously motivated and may attempt to destroy value= =20 and trust in Bitcoin rather than extract value. There is no way to know= in=20 advance how, when, or why an attack may occur. A defensive position mus= t=20 be taken well in advance of any attack. =20 -=20 =20 Bitcoin=E2=80=99s current signatures (ECDSA/Schnorr) will be a tantalizi= ng=20 target: any UTXO that has ever exposed its public key on-chain (roughly = 25=20 % of all bitcoin) could be stolen by a cryptographically relevant quantu= m=20 computer. -=20 =20 Existing Proposals are Insufficient. =20 1.=20 =20 Any proposal that allows for the quantum theft of =E2=80=9Clost=E2=80= =9D bitcoin is=20 creating a redistribution dilemma. There are 3 types of proposals: 1.=20 =20 Allow anyone to steal vulnerable coins, benefitting those who=20 reach quantum capability earliest. 2.=20 =20 Allow throttled theft of coins, which leads to RBF battles and=20 ultimately miners subsidizing their revenue from lost coins. 3.=20 =20 Allow no one to steal vulnerable coins. -=20 =20 Minimizes attack surface 1.=20 =20 By disallowing new spends to quantum vulnerable script types, we=20 minimize the attack surface with each new UTXO. =20 2.=20 =20 Upgrades to Bitcoin have historically taken many years; this will=20 hasten and speed up the adoption of new quantum resistant script type= s.=20 3.=20 =20 With a clear deadline, industry stakeholders will more readily=20 upgrade existing infrastructure to ensure continuity of services. =20 -=20 =20 Minimizes loss of access to funds=20 1.=20 =20 If there is sufficient demand and research proves possible,=20 submitting a ZK proof of knowledge of a BIP-39 seed phrase correspond= ing to=20 a public key hash or script hash would provide a trustless means for = legacy=20 outputs to be spent in a quantum resistant manner, even after the sun= set. =20 =20 Stakeholder Incentive to Upgrade Miners =E2=80=A2 Larger size PQ signatures along with incentive for users to migra= te will=20 create more demand for block space and thus higher fees collected by miners= . =E2=80=A2 Post-Phase B, non-upgraded miners produce invalid blocks. =E2=80=A2 A quantum attack on Bitcoin will significantly devalue both their= =20 hardware and Bitcoin as a whole.=20 Institutional Holders =E2=80=A2 Fiduciary duty: failing to act to prevent a quantum attack on Bit= coin=20 would violate the fiduciary duty to shareholders. =20 =E2=80=A2 Demonstrating Bitcoin=E2=80=99s ability to effectively mitigate e= merging threats=20 will prove Bitcoin to be an investment grade asset. Exchanges & Custodians =E2=80=A2 Concentrated risk: a quantum hack could bankrupt them overnight. =E2=80=A2 Early migration is cheap relative to potential losses, potential = lawsuits=20 over improper custody and reputational damage. Everyday Users =E2=80=A2 Self-sovereign peace of mind. =E2=80=A2 Sunset date creates a clear deadline and incentive to improve the= ir=20 security rather than an open-ended =E2=80=9Csome day=E2=80=9D that invites = procrastination. Attackers =E2=80=A2 Economic incentive diminishes as sunset nears, stolen coins canno= t be=20 spent after Q-day. Key Insight: As mentioned earlier, the proposal turns quantum security into= =20 a private incentive to upgrade. =20 This is not an offensive attack, rather, it is defensive: our thesis is=20 that the Bitcoin ecosystem wishes to defend itself and its interests=20 against those who would prefer to do nothing and allow a malicious actor to= =20 destroy both value and trust. =20 "Lost coins only make everyone else's coins worth slightly more. Think of= =20 it as a donation to everyone." - Satoshi Nakamoto If true, the corollary is: "Quantum recovered coins only make everyone else's coins worth less. Think= =20 of it as a theft from everyone." The timelines that we are proposing are meant to find the best balance=20 between giving ample ability for account owners to migrate while=20 maintaining the integrity of the overall ecosystem to avoid catastrophic=20 attacks. =20 Backward Compatibility As a series of soft forks, older nodes will continue to operate without=20 modification. Non-upgraded nodes, however, will consider all post-quantum= =20 witness programs as anyone-can-spend scripts. They are strongly encouraged= =20 to upgrade in order to fully validate the new programs. Non-upgraded wallets can receive and send bitcoin from non-upgraded and=20 upgraded wallets until Phase A. After Phase A, they can no longer receive= =20 from any other wallets and can only send to upgraded wallets. After Phase= =20 B, both senders and receivers will require upgraded wallets. Phase C would= =20 likely require a loosening of consensus rules (a hard fork) to allow=20 vulnerable funds recovery via ZK proofs. --=20 You received this message because you are subscribed to the Google Groups= =20 "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an= =20 email to bitcoindev+...@googlegroups.com. To view this discussion visit=20 https://groups.google.com/d/msgid/bitcoindev/4d9ce13e-466d-478b-ab4d-00404c= 80d620n%40googlegroups.com=20 . --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= 6bb6953c-7784-4bd9-b271-ba5dc88b84b1n%40googlegroups.com. ------=_Part_255737_1954571789.1752547855637 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Monday, July 14, 2025 at 4:06:17=E2=80=AFPM UTC-3= Ethan Heilman wrote:
I want to clarify two points:


= > Even if go all to upgrade to lattices-based schemes, we have no certainty t= hat novels flaws won't be found, one can just go to see the modifications o= f the NIST-approved schemes in between their rounds of selection that we'll= never reach something like "self-sovereign peace of mind"...

The=C2=A0informational proposal for post-quantum signa= tures in BIP-360 has one lattice-based scheme and one hash-based scheme (SL= H-DSA SPHINCS+). The intention of including a hash-based scheme is to ensur= e that there will always be at least one signature scheme in Bitcoin that i= s secure. Cryptographic hashes are considered one of the safest assumptions= possible and are used throughout Bitcoin (merkle tree, PoW, TXID, etc...).=

Using P2QRH + SLH_DSA, you can have:
- a tapleaf for SLH-D= SA
- and a tapleaf for a more efficient signature scheme (ML-DSA, Sch= norr, whatever)

Then no matter what happens to any of the other = signature schemes, you can use that SLH-DSA tapleaf to spend safely. This s= trategy isn't just about quantum resistance but protecting against unexpect= ed cryptanalytic breakthroughs. If I wanted to store Bitcoins in cold stora= ge for 100 years, this is how I would do it.

>=C2=A0 This is especially worrying as if I'm understanding you correctly you're ju= stifying this position as that somehow we should protect the price of the c= urrency as an end in itself (i.e "Beyond its impact on price, ..."). It's u= nclear the price of bitcoin versus what fiat or hard asset (e.g oil) you ha= ve in mind. [...] To put it simply, even if a quantum attacker can tomorrow= starts to steal vulnerable coins, 1 BTC will be always equal to 1 BTC. Ful= l stop.

I can't speak for Jameson, but let me put forward my own= concern. If miners can buy much less electricity=C2=A0for 1-BTC this is a = major problem for Bitcoin. If the price of electricity denominated in Bitco= in goes way up, miners will have to mine at a massive loss. Many=C2=A0will = stop mining, then the block rate will go down and Bitcoin will appear to be= less valuable (high fees, slow confirmation, panic), which makes mining ev= en more of a loss, and so on. This also invites miners who have nothing lef= t to lose to engage in mining attacks.

One reason I believe a so= ft fork to freeze quantum vulnerable coins is likely, is that miners will b= e incentivized to mine on such a soft fork. The non-frozen chain will simpl= y not be affordable to mine on and will be abandoned. In the moment of cris= is, all someone has to do is create a client that does a soft fork freeze o= f quantum vulnerable coins and the=C2=A0miner will have no choice but to ad= opt it or stop mining. The worst time to do a soft fork like this would be = in a moment of crisis.

The or= iginal chain, where P2PK coins are not frozen, could actually generate sign= ificant fees for miners -- especially if multiple parties with quantum comp= uters are competing to claim the same outputs. While the price of 1 BTC on = that chain might be lower, miners' profits (measured in dollars or in elect= ricity) could still be higher. As a result, miners may be incentivized to s= witch to that chain=C2=A0in order to collect a cut of P2PK coins.

However, the more important factor is where holders choos= e to go. There will be a market to trade coins between the original chain a= nd the fork that implements freezing. Everyone who held satoshis prior to t= he fork will have an equal number of satoshis on both chains, and each indi= vidual will decide which to keep and which to convert on the market. The ma= rket will ultimately answer the question: what matters more -- preventing p= rivate theft via quantum computers, or preventing organized confiscation th= rough consensus rules?
=C2=A0
Note that such a death spiral and the i= ncentives for a soft fork are possible prior to quantum attacks on=C2=A0Bit= coin. Merely the threat of quantum attacks and the widespread belief that B= itcoin will not freeze unspendable coins and thereby inflate the supply of = spendable bitcoin.

Eventually= , facts, not fears, are what matter. If quantum attacks do not materialize,= someone could buy discounted bitcoins and profit later when, after several= years, the attacks still haven't occurred.
=C2=A0
On Mon, Jul 14,= 2025 at 10:09=E2=80=AFAM Antoine Riard <a= ntoin...@gmail.com> wrote:
Hi Jameson,

Thanks for your thoughts on this = complex subject.

First and foremost, I think your following stat= ement: "Never before has Bitcoin faced
an existential threat to its cr= yptographic primitives" is very myopic, given that
cryptanalysts and n= umber theorists are making progress every year in their works, and
eac= h bitcoin cryptographic primitive has been and is constantly analyzed to un= cover
potential weaknesses.

So in my view the quantum threa= t is a bit less specific that the image you're painting
of it. Even if= go all to upgrade to lattices-based schemes, we have no certainty that
novels flaws won't be found, one can just go to see the modifications of = the NIST-approved
schemes in between their rounds of selection that we= 'll never reach something like
"self-sovereign peace of mind"...Unless= we start to forbid people of practicing the
art of mathematics, pract= ice which has been ongoing since Euclide and Pythagore...

I do c= oncede that quantum is a bit different, as after all new physics paradigmdo not happen often (Heisenberg published in the 20s iirc), though that= 's in my
view the flaw of your reasoning as you're assuming some "post= -quantum" upgraded
state where bitcoin, as a community and a network, = would be definitely safe from
advances in applied science. At minima, = in my understanding, you're arguing this
time is different to justify = extra-ordinary technical measures never seen before,
namely the freezi= ng of "vulnerable" coins.

I'm worried this is opening a Pandora = box, where we would introduce a precedent
that it is legitimate as a c= ommunity to technicaly confiscate some coins of users,
without their = _consents_, for extra-ordinary reasons. That's opening a worms of
shen= anigans in the future...There is no guarantee that this precedent won't
be leveraged in the future by any group of entities to justify future upg= rades
eroding one of the "fundamental property" you're yourself deemin= g as valuable.

This is especially worrying as if I'm understandi= ng you correctly you're justifying
this position as that somehow we sh= ould protect the price of the currency as an end
in itself (i.e "Beyon= d its impact on price, ..."). It's unclear the price of bitcoin
versus= what fiat or hard asset (e.g oil) you have in mind. And in anyway, as far<= br />as I know, none of the bitcoin devs is seating on the board of the FED= , the ECB
or the BoJ...

To put it simply, even if a quantum= attacker can tomorrow starts to steal
vulnerable coins, 1 BTC will be= always equal to 1 BTC. Full stop. In my humble
opinion, let's not int= roduce the idea that, we, as a community of stakeholders
and developer= s we have a positive "fiduciary" duty to act to maintain the price
of = bitcoin in some "monetary snake" with another class of assets...

That's also the problem with game theory, all the matrices of analysis are=
based on some scale of utilitarism. See Von Neuman's Theory of Games,= the
section on "The Notion of Utility". My subjective appreciation of= the value
of my coins might not be your subjective appreication of th= e value of your
coins.

Now I do understand the perspective = of the institutional holders, the exchanges,
the custodians or any oth= er industry providers, who might be in the full uncertainty
about thei= r business responsibilities in case of a quantum threat affecting their
custodied coins. But, first legally speaking there is something call "for= ce majeure"
and in view of the quantum threat, which is a risk discuss= ed far beyond the bitcoin
industry, they should be able to shield them= selves behind that. Secondly, if there
is any futute upgrade "opt-in" = only path a la BIP360, you can move your funds or
the ones under custo= dy =C2=A0under a PQC scheme like Dilthium or Falcon and be good
withou= t caring about what the others users are doing. Thirdly, if you're an actor=
in the industry like Coinbase and you're deeply concerned about how e= xtended maelstrom
on the price might affect the viability of your oper= ations, it is unclear to me why
you don't call MunichRe or any other c= ompany like that tomorrow to craft and be
covered by specific insuranc= e on quantum threats...

To be frank, all those considerations on= how "I cannot see how the currency can
maintain any value at all in s= uch a setting", is a strong red flag of low time
preferences. It's not= like we're used to strong volatility in bitcoin with the
almost 2 dec= ades of operations of the network. In my view, it's more a hint of
ver= y high-exposition by some to a single class of asset, i.e bitcoin, rather t= han wise
diversification... And a push to sacrify a "fundamental prope= rty" i.e "conservatism"
in view of short-term concerns (i.e the stabil= ity of the currency price along
a period of few years).

Do = not get me wrong, I'm certainly not of the school "let's reward quantum
attackers". Leveraging techical superiority and employing CRQRC to steal<= br />vulnerable coins would be clearly a theft. But ethically, the best we = can do is
to have an opt-in upgrade path and be pro-active, by educati= on and outreach,
to have the maximum of coin owners upgrading to non-v= ulnerable addresses types.
Then show the level of "fortitude" or "endu= rance" as a community in face of price
fluctuations for a while, while= seeing regularly old P2PK coins hacked. Marcus
Aurelius can be bought= for few bucks in most of decent libraries...

I'm definitely on = the "no old coins confiscation" position you're underlighting:

"= I don't see why old coins should be confiscated. The better option is to le= t
those with quantum computers free up old coins. While this might hav= e an
inflationary impact on bitcoin's price, to use a turn of phrase, = the inflation
is transitory. Those with low time preference should sup= port returning lost
coins to circulation".

Notwhitstanding = that I disagree with your position, one can only appreciate
the breadt= h and depth with which you're gathering and articulating all the
eleme= nts on this complex problem.

Best,
Antoine
OTS hash: c= 064b43047bf3036faf098b5ac8e74930df63d25629f590a4195222979402826
<= div dir=3D"auto">Le lundi 14 juillet 2025 =C3=A0 00:53:34 UTC+1, Tadge Dryj= a a =C3=A9crit=C2=A0:
Hi =C2= =A0

While I generally agree that "freeze" beats "steal", and th= at a lot of lead time is good, I don't think this plan is viable.
To m= e the biggest problem is that it ties activation of a PQ output type to *de= *activation of EC output types.=C2=A0 That would mean that someone who want= s to keep using all the great stuff in libsecp256k1 should try to prevent B= IP360 from being activated.

Sure, there can be risks from CRQCs.= =C2=A0 But this proposal would go the other direction, disabling important = functionality and even destroying coins preemptively, in anticipation of so= mething that may never happen.

Also, how do you define "quantum-= vulnerable UTXO"?=C2=A0 Would any P2PKH, or P2WPKH output count?=C2=A0 Or o= nly P2PKH / P2WPKH outputs where the public key is already known?=C2=A0 I c= an understand disabling spends from known-pubkey outputs, but for addresses= where the public key has never been revealed, commit/reveal schemes (like = the one I posted about & am working on a follow-up post for) should saf= ely let people spend from those outputs indefinitely.

With no ev= idence of a QRQC, I can see how there would be people who'd say "We might n= ever really know if a CRQC exists, so we need to disable EC spends out of c= aution" and others who'd say "Don't disable EC spends, since that's destroy= ing coins", and that could be a persistent disagreement.=C2=A0 But I hope i= f we did in fact have a proof that a CRQC has broken secp256k1, there would= be significant agreement on freezing known-pubkey EC outputs.
-Tadge
On Saturday, July 12, 202= 5 at 8:46:09=E2=80=AFPM UTC-4 Jameson Lopp wrote:

Building upon my earlier essay against allowing quantum recovery of bitcoin I wish to formalize a proposal a= fter several months of discussions.

This proposal does not delve into the multitude of issues regarding = post quantum cryptography and trade-offs of different schemes, but rather i= s meant to specifically address the issues of incentivizing adoption and mi= gration of funds after consensus is established that it is pr= udent to do so.

As such, this proposal requires P2QRH = as described in BIP-360 or potential future proposals.

Abstract

This proposal follows the implementation of post-quantu= m (PQ) output type (P2QRH) and introduces a pre-announced sunset of legacy = ECDSA/Schnorr signatures. It turns quantum security into a private incentive: fail to upgrade and you will certainly lose access = to your funds, creating a certainty where none previously existed.=C2=A0

  • Phase A: Disallows sending of= any funds to quantum-vulnerable addresses, hastening the adoption of P2QRH= address types.

  • Phase B: Renders ECDSA/Schnorr spends invalid, preventing= all spending of funds in quantum-vulnerable UTXOs. This is triggered by a = well-publicized flag-day roughly five years after activation.

  • Phase C (optional): Pending further research and demand, a separate BIP proposing a fo= rk to allow recovery of legacy UTXOs through ZK proof of possession of BIP-= 39 seed phrase.=C2=A0=C2=A0

Motivation

We seek to secure the value of = the UTXO set and minimize incentives for quantum attacks= . This proposal is radically different from any in Bitcoin=E2=80=99s histor= y just as the threat posed by quantum computing is radically different from= any other threat in Bitcoin=E2=80=99s history.=C2=A0 Never before has Bitc= oin faced an existential threat to its cryptographic primitives. A successf= ul quantum attack on Bitcoin would result in significant economic disruptio= n and damage across the entire ecosystem. Beyond its impact on price, the a= bility of miners to provide network security may be significantly impacted.= =C2=A0=C2=A0

    <= li dir=3D"ltr" style=3D"list-style-type: disc; font-size: 11pt; font-family= : "Courier New", monospace; color: rgb(0, 0, 0); background-color= : transparent; font-variant-numeric: normal; font-variant-east-asian: norma= l; font-variant-alternates: normal; vertical-align: baseline; white-space: = pre-wrap;">

    Accelerating quantum progress.=C2=A0

    • NIST ratified three production-grade PQ signature schemes in 2= 024; academic road-maps now estimate a cryptographically-relevant quantum c= omputer as early as 2027-2030. [McKinsey]

  • Quantum algorithms are rapidly improving

    • The safety envelope = is shrinking by dramatic increases in algorithms even if the pace of hardwa= re improvements is slower. Algorithms are improving up to 20X, lowering the theoretical hardware= requirements for breaking classical encryption.

    • <= li dir=3D"ltr" style=3D"list-style-type: disc; font-size: 11pt; font-family= : "Courier New", monospace; color: rgb(0, 0, 0); background-color= : transparent; font-variant-numeric: normal; font-variant-east-asian: norma= l; font-variant-alternates: normal; vertical-align: baseline; white-space: = pre-wrap;">

    Bitcoin=E2=80=99s exposed public keys.=C2=A0

    • Roughly 25% of all bitcoin have revealed a public key = on-chain; those UTXOs could be stolen with sufficient quantum power.=C2=A0= =C2=A0

  • We = may not know the attack is underway.=C2=A0

    • Quantum attackers cou= ld compute the private key for known public keys then transfer all funds we= eks or months later, in a covert bleed to not alert chain watchers. Q-Day m= ay be only known much later if the attack withholds broadcasting transactio= ns in order to postpone revealing their capabilities.

    <= /li>

  • Private keys become public.=C2=A0

    • Assuming that quantum computers are able to maintain their current= trajectories and overcome existing engineering obstacles, there is a near = certain chance that all P2PK (and other outputs with exposed pubkeys) priva= te keys will be found and used to steal the funds.

  • Impossible to know motivations.=C2=A0

    • Prior to a quantum attack, it is impossible to know the motivations= of the attacker.=C2=A0 An economically motivated attacker will try to rema= in undetected for as long as possible, while a malicious attacker will atte= mpt to destroy as much value as possible.=C2=A0=C2=A0

    <= /li>

  • Upgrade inertia.=C2=A0

      =

    • Coordinating wallets, exchanges, miners and custodians historically take= s years.

    • The longer we postpone migr= ation, the harder it becomes to coordinate wallets, exchanges, miners, and = custodians. A clear, time-boxed pathway is the only credible defense.

    • <= span style=3D"font-size: 11pt; background-color: transparent; font-variant-= numeric: normal; font-variant-east-asian: normal; font-variant-alternates: = normal; vertical-align: baseline;">Coordinating distributed groups is more = prone to delay, even if everyone has similar motivations. Historically, Bit= coin has been slow to adopt code changes, often taking multiple years to be= approved.

Benefits at a Glance

  • Resilience: Bitcoin pr= otocol remains secure for the foreseeable future without waiting for a last= -minute emergency.

  • Certainty: Bitcoin users an= d stakeholders gain certainty that a plan is both in place and being implem= ented to effectively deal with the threat of quantum theft of bitcoin.=C2= =A0=C2=A0

  • Clarity: A single, publicized timeli= ne aligns the entire ecosystem (wallets, exchanges, hardware vendors).

  • Supply Discipline: Abandoned keys that never migr= ate become unspendable, reducing supply, = as Satoshi described.=C2=A0=C2=A0

= Specificatio= n

Phase

What Happens=

Wh= o Must Act

Time Horizon

= Phase A - Disallow spends to legacy script types

= Permitted sends are from legacy scripts to P= 2QRH scripts

holding or accepting BTC.<= /span>

3 years after BIP-360 implement= ation

Phase B =E2=80=93 Disallow spends from quantum vulnerable outputs

At a preset block-height, nodes reject transactions= that rely on ECDSA/Schnorr keys.=C2=A0

Everyone= holding or accepting BTC.

2 ye= ars after Phase A activation.

Phase C =E2=80=93 = Re-enable spends from quantum vulnerable out= puts via ZK Proof

Users with fr= ozen quantum vulnerable funds and a HD wallet seed phrase can construct a q= uantum safe ZK proof to recover funds.

Users who failed to migrate funds before Phase B.

=

TBD pending research, demand, and consensus.

Rationale

  • Even if Bitcoin is no= t a primary initial target of a cryptographically relevant quantum computer= , widespread knowledge that such a computer exists and is capable of breaki= ng Bitcoin=E2=80=99s cryptography will damage faith in the network .=C2=A0<= /span>

  • An attack on Bitcoin may not be econom= ically motivated - an attacker may be politically or maliciously motivated = and may attempt to destroy value and trust in Bitcoin rather than extract v= alue.=C2=A0 There is no way to know in advance how, when, or why an attack = may occur.=C2=A0 A defensive position must be taken well in advance of any = attack.=C2=A0=C2=A0

  • Bitcoin=E2=80=99s = current signatures (ECDSA/Schnorr) will be a tantalizing target: any UTXO t= hat has ever exposed its public key on-chain (roughly 25 % of all bitcoin) = could be stolen by a cryptographically relevant quantum computer.

  • Existing Proposals are Insufficient.=C2=A0=C2=A0=

    1. <= p dir=3D"ltr" style=3D"line-height: 1.38; text-align: justify; margin-top: = 0pt; margin-bottom: 0pt;" role=3D"presentation">Any proposal that allows for the quantum theft of =E2=80=9Clost=E2= =80=9D bitcoin is creating a redistribution dilemma. There are 3 types of p= roposals:

      1. Allow anyone to steal vulnerable coins, benefittin= g those who reach quantum capability earliest.

      2. Allow throttled theft of coins, which leads to RBF battles = and ultimately miners subsidizing their revenue from lost coins.

        =

      3. Allow no one to steal vulnerable coins.

  • M= inimizes attack surface

    1. By disallowing new spends to quantum= vulnerable script types, we minimize the attack surface with each new UTXO= .=C2=A0=C2=A0

    2. Upgrades to Bitco= in have historically taken many years; this will hasten and speed up the ad= option of new quantum resistant script types.=C2=A0

    3. With a clear deadline, industry stakeholders will mor= e readily upgrade existing infrastructure to ensure continuity of services.= =C2=A0=C2=A0

  • Minimizes loss of access to funds=C2=A0

    1. If there is suf= ficient demand and research proves possible, submitting a ZK proof of knowl= edge of a BIP-39 seed phrase corresponding to a public key hash or script = hash would provide a trustless means for legacy outputs to be spent in a qu= antum resistant manner, even after the sunset.=C2=A0=C2=A0

      2. <= /ol>

Stakehold= er

Incentive to = Upgrade

Miners

=E2=80=A2 Larger size PQ signatures along with incentive for u= sers to migrate will create more demand for block space and thus higher fee= s collected by miners.

=E2= =80=A2 Post-Phase B, non-upgraded miners produce invalid blocks.

=

=E2=80=A2 A quantum attack on Bitcoin = will significantly devalue both their hardware and Bitcoin as a whole.=C2= =A0

Institutional Holders

=E2=80=A2 Fiduciary duty: failing to act to prevent a quan= tum attack on Bitcoin would violate the fiduciary duty to shareholders.=C2= =A0=C2=A0

=E2=80=A2 Demonstr= ating Bitcoin=E2=80=99s ability to effectively mitigate emerging threats wi= ll prove Bitcoin to be an investment grade asset.

<= span style=3D"height: 52pt;">

E= xchanges & Custodians

=E2=80= =A2 Concentrated risk: a quantum hack could bankrupt them overnight.=

=E2=80=A2 Early migration is cheap= relative to potential losses, potential lawsuits over improper custody and= reputational damage.

Everyday Users

=E2=80=A2 Self-sovereign peace of mind.

=E2=80=A2 Sunset date creates a clea= r deadline and incentive to improve their security rather than an open-ende= d =E2=80=9Csome day=E2=80=9D that invites procrastination.

Attackers

=E2=80=A2 E= conomic incentive diminishes as sunset nears, stolen coins cannot be spent = after Q-day.

Key Insight: As mentioned earlier, the proposal turn= s quantum security into a private incentive to upgrade= .=C2=A0=C2=A0

This is not an= offensive attack, rather, it is defensive: our thesis is that the Bitcoin = ecosystem wishes to defend itself and its interests against those who would= prefer to do nothing and allow a malicious actor to destroy both value and= trust.=C2=A0=C2=A0


"Lost coins only make everyone else's coins worth sl= ightly more. Think of it as a donation to everyone." - Satoshi Nakamoto

If true, the cor= ollary is:


"Quantum recovered coins only make everyone else's coins worth= less. Think of it as a theft from everyone."

The timelines that we are proposing are me= ant to find the best balance between giving ample ability for account owner= s to migrate while maintaining the integrity of the overall ecosystem to av= oid catastrophic attacks.=C2=A0=C2=A0


Backward Compatibility

As a series of soft forks, older nodes will continue to= operate without modification. Non-upgraded nodes, however, will consider a= ll post-quantum witness programs as anyone-can-spend scripts. They are stro= ngly encouraged to upgrade in order to fully validate the new programs.


Non-upgraded wallets can = receive and send bitcoin from non-upgraded and upgraded wallets until Phase= A. After Phase A, they can no longer receive from any other wallets and ca= n only send to upgraded wallets.=C2=A0 After Phase B, both senders and rece= ivers will require upgraded wallets.=C2=A0Phase C would likely require a lo= osening of consensus rules (a hard fork) to allow vulnerable funds recovery= via ZK proofs.

--
You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+...@googlegroups.com.<= br /> To view this discussion visit htt= ps://groups.google.com/d/msgid/bitcoindev/4d9ce13e-466d-478b-ab4d-00404c80d= 620n%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoind= ev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoind= ev/6bb6953c-7784-4bd9-b271-ba5dc88b84b1n%40googlegroups.com.
------=_Part_255737_1954571789.1752547855637-- ------=_Part_255736_1315472411.1752547855637--