From: waxwing/ AdamISZ <ekaggata@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Date: Sat, 7 Jun 2025 06:28:33 -0700 (PDT)
Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin
Message-Id: <893891ea-34ec-4d60-9941-9f636be0d747n@googlegroups.com>

> I'm not a lawyer, but if developers make a conscious decision to make a code change that confiscates funds, even with a reasonable heads-up, I feel like some lawyers might be tempted to make an argument that those developers should be held responsible for any losses. As everyone knows, Bitcoin has been under legal attacks before, and I'm not sure that anyone would (or should) be willing to sign off on a change that might potentially open them up to several billion dollars worth of personal responsibility - especially if the "bonded courier" actually shows up and reveals a private key that would have unlocked funds under the pre-QC scheme.

Coincidentally, Peter Todd has just made the same point in another (apparently unrelated) thread, here: https://groups.google.com/g/bitcoindev/c/bmV1QwYEN4k/m/kkHQZd_BAwAJ

For me it's very clear that it's not an accident that such "unexpected" side effects exist.
It's a feature that I'd whimsically call "ethical=20 impedance-mismatch" (the term impedance mismatch has been used in=20 computing/programming, which itself borrowed it from the real meaning, in= =20 physics). People have a moral/ethical desire to make bitcoin function as=20 well as possible, and see a failure mode in those using it for other=20 purposes, but that line of thought clashes with the essential, basic=20 principle of censorship-resistance. So we see technical borked-ness like failure to get accurate fee rates and= =20 the like, from doing something (attempting to filter at p2p level) that it= =20 is intrinsically counter to the foundational ethical, functional purpose of= =20 the system: censorship-resistance. And then we see "cascading failures" of= =20 the type discussed here: if the devs are working to break bitcoin's ethical= =20 promise of censorship-resistance, then thugs^H^H politicians and lawyers,= =20 will seek to take control of that "break" for their own purposes. That's why I'm not against "quantum recovery" as per the title of this=20 thread. Recovery, independent of outside control, *is* bitcoin's function.= =20 If half a million btc get spent by someone who has "recovered" in an=20 unexpected way, tough titties. If the entire system collapses because we=20 can't get our act together before 2085 (OK I know some think it's 2035, I= =20 don't, but whatever), then it is what it is. That is a huge unknown. But=20 Bitcoin will 100% fail if confiscation of *any* type becomes a thing. Cheers, AdamISZ/waxwing On Wednesday, June 4, 2025 at 4:56:53=E2=80=AFAM UTC-3 ArmchairCryptologist= wrote: > Hi, > > With the longer grace period and selective deactivation, this seems more= =20 > sensible, but there is one elephant in the room that I haven't seen=20 > mentioned here - namely, the legal aspect. 
(If it was, sorry I missed it.= ) > > I'm not a lawyer, but if developers make a conscious decision to make a= =20 > code change that confiscates funds, even with a reasonable heads-up, I fe= el=20 > like some lawyers might be tempted to make an argument that those=20 > developers should be held responsible for any losses. As everyone knows,= =20 > Bitcoin has been under legal attacks before, and I'm not sure that anyone= =20 > would (or should) be willing to sign off on a change that might potential= ly=20 > open them up to several billion dollars worth of personal responsibility = -=20 > especially if the "bonded courier" actually shows up and reveals a privat= e=20 > key that would have unlocked funds under the pre-QC scheme. > > The only safe-ish way I can see to do this is to have it only affect fund= s=20 > that are very likely to be lost in the first place. So at the very least,= =20 > it could not affect UTXOs that could potentially be encumbered with a=20 > timelock (i.e. P2SH/P2WSH), and it could only affect UTXOs that have not= =20 > moved for a very long time (say 15-20 years).=20 > > If quantum computers capable of practical attacks against Bitcoin are eve= r=20 > known to actually exist, *sending*=E2=80=8B to non-PQC addresses should o= f course=20 > be disabled immediately. But I feel that the nature of a permissionless= =20 > system implies a large degree of self-responsibility, so if someone choos= es=20 > to keep using non-PQC addresses even after PQC addresses have become=20 > available and practical quantum attacks are suspected to be an imminent= =20 > danger, it's not necessarily up to the developers to tell them they can't= ,=20 > only that they really shouldn't. 
> > -- > Regards, > ArmchairCryptologist > > Sent with Proton Mail secure email.=20 > > On Monday, May 26th, 2025 at 2:48 AM, Agustin Cruz = =20 > wrote: > > Hi everyone, > > QRAMP proposal aims to manage the quantum transition responsibly without= =20 > disrupting Bitcoin=E2=80=99s core principles. > > QRAMP has three phases: > > 1. Allow wallets to optionally include PQC keys in Taproot outputs. This= =20 > enables early adoption without forcing anyone. > > 2. Announce a soft fork to disable vulnerable scripts, with a long=20 > (~4-year) grace period. This gives ample time to migrate and avoids sudde= n=20 > shocks. > > 3. Gradually deactivate vulnerable outputs based on age or inactivity.=20 > This avoids a harsh cutoff and gives time for adaptation. > > We can also allow exceptions via proof-of-possession, and delay=20 > restrictions on timelocked outputs to avoid harming future spenders. > > QRAMP is not about confiscation or control. It=E2=80=99s about aligning= =20 > incentives, maintaining security, and offering a clear, non-coercive=20 > upgrade path. > > Best, > Agustin Cruz > > > > El dom, 25 de may de 2025, 7:03=E2=80=AFp.m., Dustin Ray =20 > escribi=C3=B3: > >> The difference between the ETH/ETC split though was that no one had=20 >> anything confiscated except the DAO hacker, everyone retained an identic= al=20 >> number of tokens on each chain. The proposal for BTC is very different i= n=20 >> that some holders will lose access to their coins during the PQ migratio= n=20 >> under the confiscation approach. Just wanted to point that out. >> >> On Sun, May 25, 2025 at 3:06=E2=80=AFPM 'conduition' via Bitcoin Develop= ment=20 >> Mailing List wrote: >> >>> Hey Saulo, >>> >>> You're right about the possibility of an ugly split. Laggards who don't= =20 >>> move coins to PQ address schemes will be incentivized to follow any cha= in=20 >>> where they keep their coins. 
But those who do migrate will be incentivi= zed=20 >>> to follow the chain where unmigrated pre-quantum coins are frozen.=20 >>> >>> While you're comparing this event to the ETH/ETC split, we should=20 >>> remember that ETH remained the dominant chain despite their heavy-hande= d=20 >>> rollback. Just goes to show, confusion and face-loss is a lesser evil t= han=20 >>> allowing an adversary to pwn the network.=20 >>> >>> This is the free-market way to solve problems without imposing rules on= =20 >>> everyone. >>> >>> >>> It'd still be a free market even if quantum-vulnerable coins are frozen= .=20 >>> The only way to test the relative value of quantum-safe vs=20 >>> quantum-vulnerable coins is to split the chain and see how the market= =20 >>> reacts.=20 >>> >>> IMO, the "free market way" is to give people options and let their mone= y=20 >>> flow to where it works best. That means people should be able to choose= =20 >>> whether they want their money to be part of a system that allows quantu= m=20 >>> attack, or part of one which does not. I know which I would choose, but= =20 >>> neither you nor I can make that choice for everyone. >>> >>> regards, >>> conduition >>> On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz < >>> agusti...@gmail.com> wrote: >>> >>> I=E2=80=99m against letting quantum computers scoop up funds from addre= sses that=20 >>> don=E2=80=99t upgrade to quantum-resistant.=20 >>> Saulo=E2=80=99s idea of a free-market approach, leaving old coins up fo= r grabs=20 >>> if people don=E2=80=99t move them, sounds fair at first. Let luck decid= e, right?=20 >>> But I worry it=E2=80=99d turn into a mess. If quantum machines start cr= acking keys=20 >>> and snagging coins, it=E2=80=99s not just lost Satoshi-era stuff at ris= k. Plenty of=20 >>> active wallets, like those on the rich list Jameson mentioned, could ge= t=20 >>> hit too. Imagine millions of BTC flooding the market. 
Prices tank, trus= t in=20 >>> Bitcoin takes a dive, and we all feel the pain. Freezing those vulnerab= le=20 >>> funds keeps that chaos in check. >>> Plus, =E2=80=9Cyour keys, your coins=E2=80=9D is Bitcoin=E2=80=99s hear= t. If quantum tech can=20 >>> steal from you just because you didn=E2=80=99t upgrade fast enough, tha= t promise=20 >>> feels shaky. Freezing funds after a heads-up period (say, four years)= =20 >>> protects that idea better than letting tech giants or rogue states play= =20 >>> vampire with our network. It also nudges people to get their act togeth= er=20 >>> and move to safer addresses, which strengthens Bitcoin long-term. >>> Saulo=E2=80=99s right that freezing coins could confuse folks or spark = a split=20 >>> like Ethereum Classic. But I=E2=80=99d argue quantum theft would look w= orse.=20 >>> Bitcoin would seem broken, not just strict. A clear plan and enough tim= e to=20 >>> migrate could smooth things over. History=E2=80=99s on our side too. Bi= tcoin=E2=80=99s=20 >>> fixed bugs before, like SegWit. This feels like that, not a bailout. >>> So yeah, I=E2=80=99d rather see vulnerable coins locked than handed to = whoever=20 >>> builds the first quantum rig. It=E2=80=99s less about coddling people a= nd more=20 >>> about keeping Bitcoin solid for everyone. What do you all think? >>> Cheers, >>> Agust=C3=ADn >>> >>> >>> On Sun, Mar 23, 2025 at 10:29=E2=80=AFPM AstroTown = wrote: >>> >>>> I believe that having some entity announce the decision to freeze old= =20 >>>> UTXOs would be more damaging to Bitcoin=E2=80=99s image (and its value= ) than having=20 >>>> them gathered by QC. This would create another version of Bitcoin, sim= ilar=20 >>>> to Ethereum Classic, causing confusion in the market. >>>> >>>> It would be better to simply implement the possibility of moving funds= =20 >>>> to a PQC address without a deadline, allowing those who fail to do so = to=20 >>>> rely on luck to avoid having their coins stolen. 
Most coins would be= =20 >>>> migrated to PQC anyway, and in most cases, only the lost ones would re= main=20 >>>> vulnerable. This is the free-market way to solve problems without impo= sing=20 >>>> rules on everyone. >>>> >>>> Saulo Fonseca >>>> >>>> >>>> On 16. Mar 2025, at 15:15, Jameson Lopp wrote: >>>> >>>> The quantum computing debate is heating up. There are many=20 >>>> controversial aspects to this debate, including whether or not quantum= =20 >>>> computers will ever actually become a practical threat. >>>> >>>> I won't tread into the unanswerable question of how worried we should= =20 >>>> be about quantum computers. I think it's far from a crisis, but given = the=20 >>>> difficulty in changing Bitcoin it's worth starting to seriously discus= s.=20 >>>> Today I wish to focus on a philosophical quandary related to one of th= e=20 >>>> decisions that would need to be made if and when we implement a quantu= m=20 >>>> safe signature scheme. >>>> >>>> Several Scenarios >>>> Because this essay will reference game theory a fair amount, and there= =20 >>>> are many variables at play that could change the nature of the game, I= =20 >>>> think it's important to clarify the possible scenarios up front. >>>> >>>> 1. Quantum computing never materializes, never becomes a threat, and= =20 >>>> thus everything discussed in this essay is moot. >>>> 2. A quantum computing threat materializes suddenly and Bitcoin does= =20 >>>> not have quantum safe signatures as part of the protocol. In this scen= ario=20 >>>> it would likely make the points below moot because Bitcoin would be=20 >>>> fundamentally broken and it would take far too long to upgrade the=20 >>>> protocol, wallet software, and migrate user funds in order to restore= =20 >>>> confidence in the network. >>>> 3. Quantum computing advances slowly enough that we come to consensus= =20 >>>> about how to upgrade Bitcoin and post quantum security has been minima= lly=20 >>>> adopted by the time an attacker appears. 
>>>> 4. Quantum computing advances slowly enough that we come to consensus= =20 >>>> about how to upgrade Bitcoin and post quantum security has been highly= =20 >>>> adopted by the time an attacker appears. >>>> >>>> For the purposes of this post, I'm envisioning being in situation 3 or= =20 >>>> 4. >>>> >>>> To Freeze or not to Freeze? >>>> I've started seeing more people weighing in on what is likely the most= =20 >>>> contentious aspect of how a quantum resistance upgrade should be handl= ed in=20 >>>> terms of migrating user funds. Should quantum vulnerable funds be left= open=20 >>>> to be swept by anyone with a sufficiently powerful quantum computer OR= =20 >>>> should they be permanently locked? >>>> >>>> "I don't see why old coins should be confiscated. The better option is= =20 >>>>> to let those with quantum computers free up old coins. While this mig= ht=20 >>>>> have an inflationary impact on bitcoin's price, to use a turn of phra= se,=20 >>>>> the inflation is transitory. Those with low time preference should su= pport=20 >>>>> returning lost coins to circulation."=20 >>>> >>>> - Hunter Beast >>>> >>>> >>>> On the other hand: >>>> >>>> "Of course they have to be confiscated. If and when (and that's a big= =20 >>>>> if) the existence of a cryptography-breaking QC becomes a credible th= reat,=20 >>>>> the Bitcoin ecosystem has no other option than softforking out the ab= ility=20 >>>>> to spend from signature schemes (including ECDSA and BIP340) that are= =20 >>>>> vulnerable to QCs. The alternative is that millions of BTC become=20 >>>>> vulnerable to theft; I cannot see how the currency can maintain any v= alue=20 >>>>> at all in such a setting. And this affects everyone; even those which= =20 >>>>> diligently moved their coins to PQC-protected schemes." >>>>> - Pieter Wuille >>>> >>>> >>>> I don't think "confiscation" is the most precise term to use, as the= =20 >>>> funds are not being seized and reassigned. 
Rather, what we're really= =20 >>>> discussing would be better described as "burning" - placing the funds = *out=20 >>>> of reach of everyone*. >>>> >>>> Not freezing user funds is one of Bitcoin's inviolable properties.=20 >>>> However, if quantum computing becomes a threat to Bitcoin's elliptic c= urve=20 >>>> cryptography, *an inviolable property of Bitcoin will be violated one= =20 >>>> way or another*. >>>> >>>> Fundamental Properties at Risk >>>> 5 years ago I attempted to comprehensively categorize all of Bitcoin's= =20 >>>> fundamental properties that give it value.=20 >>>> https://nakamoto.com/what-are-the-key-properties-of-bitcoin/ >>>> >>>> The particular properties in play with regard to this issue seem to be= : >>>> >>>> *Censorship Resistance* - No one should have the power to prevent=20 >>>> others from using their bitcoin or interacting with the network. >>>> >>>> *Forward Compatibility* - changing the rules such that certain valid= =20 >>>> transactions become invalid could undermine confidence in the protocol= . >>>> >>>> *Conservatism* - Users should not be expected to be highly responsive= =20 >>>> to system issues. >>>> >>>> As a result of the above principles, we have developed a strong meme= =20 >>>> (kudos to Andreas Antonopoulos) that goes as follows: >>>> >>>> Not your keys, not your coins. >>>> >>>> >>>> I posit that the corollary to this principle is: >>>> >>>> Your keys, only your coins. >>>> >>>> >>>> A quantum capable entity breaks the corollary of this foundational=20 >>>> principle. We secure our bitcoin with the mathematical probabilities= =20 >>>> related to extremely large random numbers. Your funds are only secure= =20 >>>> because truly random large numbers should not be guessable or discover= able=20 >>>> by anyone else in the world. >>>> >>>> This is the principle behind the motto *vires in numeris* - strength= =20 >>>> in numbers. 
In a world with quantum enabled adversaries, this principl= e is=20 >>>> null and void for many types of cryptography, including the elliptic c= urve=20 >>>> digital signatures used in Bitcoin. >>>> >>>> Who is at Risk? >>>> There has long been a narrative that Satoshi's coins and others from= =20 >>>> the Satoshi era of P2PK locking scripts that exposed the public key=20 >>>> directly on the blockchain will be those that get scooped up by a quan= tum=20 >>>> "miner." But unfortunately it's not that simple. If I had a powerful= =20 >>>> quantum computer, which coins would I target? I'd go to the Bitcoin ri= ch=20 >>>> list and find the wallets that have exposed their public keys due to= =20 >>>> re-using addresses that have previously been spent from. You can easil= y=20 >>>> find them at=20 >>>> https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html >>>> >>>> Note that a few of these wallets, like Bitfinex / Kraken / Tether,=20 >>>> would be slightly harder to crack because they are multisig wallets. S= o a=20 >>>> quantum attacker would need to reverse engineer 2 keys for Kraken or 3= for=20 >>>> Bitfinex / Tether in order to spend funds. But many are single signatu= re. >>>> >>>> Point being, it's not only the really old lost BTC that are at risk to= =20 >>>> a quantum enabled adversary, at least at time of writing. If we add a= =20 >>>> quantum safe signature scheme, we should expect those wallets to be so= me of=20 >>>> the first to upgrade given their incentives. >>>> >>>> The Ethical Dilemma: Quantifying Harm >>>> Which decision results in the most harm? >>>> >>>> By making quantum vulnerable funds unspendable we potentially harm som= e=20 >>>> Bitcoin users who were not paying attention and neglected to migrate t= heir=20 >>>> funds to a quantum safe locking script. This violates the "conservativ= ism"=20 >>>> principle stated earlier. 
On the flip side, we prevent those funds plu= s far=20 >>>> more lost funds from falling into the hands of the few privileged folk= s who=20 >>>> gain early access to quantum computers. >>>> >>>> By leaving quantum vulnerable funds available to spend, the same set o= f=20 >>>> users who would otherwise have funds frozen are likely to see them sto= len.=20 >>>> And many early adopters who lost their keys will eventually see their= =20 >>>> unreachable funds scooped up by a quantum enabled adversary. >>>> >>>> Imagine, for example, being James Howells, who accidentally threw away= =20 >>>> a hard drive with 8,000 BTC on it, currently worth over $600M USD. He = has=20 >>>> spent a decade trying to retrieve it from the landfill where he knows = it's=20 >>>> buried, but can't get permission to excavate. I suspect that, given th= e=20 >>>> choice, he'd prefer those funds be permanently frozen rather than fall= into=20 >>>> someone else's possession - I know I would. >>>> >>>> Allowing a quantum computer to access lost funds doesn't make those=20 >>>> users any worse off than they were before, however it *would*have a=20 >>>> negative impact upon everyone who is currently holding bitcoin. >>>> >>>> It's prudent to expect significant economic disruption if large amount= s=20 >>>> of coins fall into new hands. Since a quantum computer is going to hav= e a=20 >>>> massive up front cost, expect those behind it to desire to recoup thei= r=20 >>>> investment. We also know from experience that when someone suddenly fi= nds=20 >>>> themselves in possession of 9+ figures worth of highly liquid assets, = they=20 >>>> tend to diversify into other things by selling. >>>> >>>> Allowing quantum recovery of bitcoin is *tantamount to wealth=20 >>>> redistribution*. What we'd be allowing is for bitcoin to be=20 >>>> redistributed from those who are ignorant of quantum computers to thos= e who=20 >>>> have won the technological race to acquire quantum computers. 
It's har= d to=20 >>>> see a bright side to that scenario. >>>> >>>> Is Quantum Recovery Good for Anyone? >>>> >>>> Does quantum recovery HELP anyone? I've yet to come across an argument= =20 >>>> that it's a net positive in any way. It certainly doesn't add any secu= rity=20 >>>> to the network. If anything, it greatly decreases the security of the= =20 >>>> network by allowing funds to be claimed by those who did not earn them= . >>>> >>>> But wait, you may be thinking, wouldn't quantum "miners" have earned= =20 >>>> their coins by all the work and resources invested in building a quant= um=20 >>>> computer? I suppose, in the same sense that a burglar earns their spoi= ls by=20 >>>> the resources they invest into surveilling targets and learning the sk= ills=20 >>>> needed to break into buildings. What I say "earned" I mean through=20 >>>> productive mutual trade. >>>> >>>> For example: >>>> >>>> * Investors earn BTC by trading for other currencies. >>>> * Merchants earn BTC by trading for goods and services. >>>> * Miners earn BTC by trading thermodynamic security. >>>> * Quantum miners don't trade anything, they are vampires feeding upon= =20 >>>> the system. >>>> >>>> There's no reason to believe that allowing quantum adversaries to=20 >>>> recover vulnerable bitcoin will be of benefit to anyone other than the= =20 >>>> select few organizations that win the technological arms race to build= the=20 >>>> first such computers. Probably nation states and/or the top few larges= t=20 >>>> tech companies. >>>> >>>> One could certainly hope that an organization with quantum supremacy i= s=20 >>>> benevolent and acts in a "white hat" manner to return lost coins to th= eir=20 >>>> owners, but that's incredibly optimistic and foolish to rely upon. Suc= h a=20 >>>> situation creates an insurmountable ethical dilemma of only recovering= lost=20 >>>> bitcoin rather than currently owned bitcoin. 
There's no way to precise= ly=20 >>>> differentiate between the two; anyone can claim to have lost their bit= coin=20 >>>> but if they have lost their keys then proving they ever had the keys= =20 >>>> becomes rather difficult. I imagine that any such white hat recovery= =20 >>>> efforts would have to rely upon attestations from trusted third partie= s=20 >>>> like exchanges. >>>> >>>> Even if the first actor with quantum supremacy is benevolent, we must= =20 >>>> assume the technology could fall into adversarial hands and thus think= =20 >>>> adversarially about the potential worst case outcomes. Imagine, for=20 >>>> example, that North Korea continues scooping up billions of dollars fr= om=20 >>>> hacking crypto exchanges and decides to invest some of those proceeds = into=20 >>>> building a quantum computer for the biggest payday ever... >>>> >>>> Downsides to Allowing Quantum Recovery >>>> Let's think through an exhaustive list of pros and cons for allowing o= r=20 >>>> preventing the seizure of funds by a quantum adversary. >>>> >>>> Historical Precedent >>>> Previous protocol vulnerabilities weren=E2=80=99t celebrated as "fair = game" but=20 >>>> rather were treated as failures to be remediated. Treating quantum the= ft=20 >>>> differently risks rewriting Bitcoin=E2=80=99s history as a free-for-al= l rather than=20 >>>> a system that seeks to protect its users. >>>> >>>> Violation of Property Rights >>>> Allowing a quantum adversary to take control of funds undermines the= =20 >>>> fundamental principle of cryptocurrency - if you keep your keys in you= r=20 >>>> possession, only you should be able to access your money. Bitcoin is b= uilt=20 >>>> on the idea that private keys secure an individual=E2=80=99s assets, a= nd=20 >>>> unauthorized access (even via advanced tech) is theft, not a legitimat= e=20 >>>> transfer. 
>>>> >>>> Erosion of Trust in Bitcoin >>>> If quantum attackers can exploit vulnerable addresses, confidence in= =20 >>>> Bitcoin as a secure store of value would collapse. Users and investors= rely=20 >>>> on cryptographic integrity, and widespread theft could drive adoption = away=20 >>>> from Bitcoin, destabilizing its ecosystem. >>>> >>>> This is essentially the counterpoint to claiming the burning of=20 >>>> vulnerable funds is a violation of property rights. While some will=20 >>>> certainly see it as such, others will find the apathy toward stopping= =20 >>>> quantum theft to be similarly concerning. >>>> >>>> Unfair Advantage >>>> Quantum attackers, likely equipped with rare and expensive technology,= =20 >>>> would have an unjust edge over regular users who lack access to such t= ools.=20 >>>> This creates an inequitable system where only the technologically elit= e can=20 >>>> exploit others, contradicting Bitcoin=E2=80=99s ethos of decentralized= power. >>>> >>>> Bitcoin is designed to create an asymmetric advantage for DEFENDING=20 >>>> one's wealth. It's supposed to be impractically expensive for attacker= s to=20 >>>> crack the entropy and cryptography protecting one's coins. But now we = find=20 >>>> ourselves discussing a situation where this asymmetric advantage is=20 >>>> compromised in favor of a specific class of attackers. >>>> >>>> Economic Disruption >>>> Large-scale theft from vulnerable addresses could crash Bitcoin=E2=80= =99s price=20 >>>> as quantum recovered funds are dumped on exchanges. This would harm al= l=20 >>>> holders, not just those directly targeted, leading to broader financia= l=20 >>>> chaos in the markets. >>>> >>>> Moral Responsibility >>>> Permitting theft via quantum computing sets a precedent that=20 >>>> technological superiority justifies unethical behavior. 
This is essent= ially=20 >>>> taking a "code is law" stance in which we refuse to admit that both co= de=20 >>>> and laws can be modified to adapt to previously unforeseen situations. >>>> >>>> Burning of coins can certainly be considered a form of theft, thus I= =20 >>>> think it's worth differentiating the two different thefts being discus= sed: >>>> >>>> 1. self-enriching & likely malicious >>>> 2. harm prevention & not necessarily malicious >>>> >>>> Both options lack the consent of the party whose coins are being burnt= =20 >>>> or transferred, thus I think the simple argument that theft is immoral= =20 >>>> becomes a wash and it's important to drill down into the details of ea= ch. >>>> >>>> Incentives Drive Security >>>> I can tell you from a decade of working in Bitcoin security - the=20 >>>> average user is lazy and is a procrastinator. If Bitcoiners are given = a=20 >>>> "drop dead date" after which they know vulnerable funds will be burned= ,=20 >>>> this pressure accelerates the adoption of post-quantum cryptography an= d=20 >>>> strengthens Bitcoin long-term. Allowing vulnerable users to delay upgr= ading=20 >>>> indefinitely will result in more laggards, leaving the network more ex= posed=20 >>>> when quantum tech becomes available. >>>> >>>> Steel Manning >>>> Clearly this is a complex and controversial topic, thus it's worth=20 >>>> thinking through the opposing arguments. >>>> >>>> Protecting Property Rights >>>> Allowing quantum computers to take vulnerable bitcoin could potentiall= y=20 >>>> be spun as a hard money narrative - we care so greatly about not viola= ting=20 >>>> someone's access to their coins that we allow them to be stolen! >>>> >>>> But I think the flip side to the property rights narrative is that=20 >>>> burning vulnerable coins prevents said property from falling into=20 >>>> undeserving hands. 
>>>> If the entire Bitcoin ecosystem just stands around and allows quantum adversaries to claim funds that rightfully belong to other users, is that really a "win" in the "protecting property rights" category? It feels more like apathy to me.
>>>>
>>>> As such, I think the "protecting property rights" argument is a wash.
>>>>
>>>> Quantum Computers Won't Attack Bitcoin
>>>> There is a great deal of skepticism that sufficiently powerful quantum computers will ever exist, so we shouldn't bother preparing for a non-existent threat. Others have argued that even if such a computer was built, a quantum attacker would not go after bitcoin because they wouldn't want to reveal their hand by doing so, and would instead attack other infrastructure.
>>>>
>>>> It's quite difficult to quantify exactly how valuable attacking other infrastructure would be. It also really depends upon when an entity gains quantum supremacy and thus if by that time most of the world's systems have already been upgraded. While I think you could argue that certain entities gaining quantum capability might not attack Bitcoin, it would only delay the inevitable - eventually somebody will achieve the capability who decides to use it for such an attack.
>>>>
>>>> Quantum Attackers Would Only Steal Small Amounts
>>>> Some have argued that even if a quantum attacker targeted bitcoin, they'd only go after old, likely lost P2PK outputs so as to not arouse suspicion and cause a market panic.
>>>>
>>>> I'm not so sure about that; why go after 50 BTC at a time when you could take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero day exploit" game theory in which an attacker knows they have a limited amount of time before someone else discovers the exploit and either benefits from it or patches it.
>>>> Take, for example, the recent ByBit attack - the highest value crypto hack of all time. Lazarus Group had compromised the Safe wallet front end JavaScript app and they could have simply had it reassign ownership of everyone's Safe wallets as they were interacting with their wallet. But instead they chose to only specifically target ByBit's wallet with $1.5 billion in it because they wanted to maximize their extractable value. If Lazarus had started stealing from every wallet, they would have been discovered quickly and the Safe web app would likely have been patched well before any billion dollar wallets executed the malicious code.
>>>>
>>>> I think the "only stealing small amounts" argument is strongest for Situation #2 described earlier, where a quantum attacker arrives before quantum safe cryptography has been deployed across the Bitcoin ecosystem. Because if it became clear that Bitcoin's cryptography was broken AND there was nowhere safe for vulnerable users to migrate, the only logical option would be for everyone to liquidate their bitcoin as quickly as possible. As such, I don't think it applies as strongly for situations in which we have a migration path available.
>>>>
>>>> The 21 Million Coin Supply Should be in Circulation
>>>> Some folks are arguing that it's important for the "circulating / spendable" supply to be as close to 21M as possible and that having a significant portion of the supply out of circulation is somehow undesirable.
>>>>
>>>> While the "21M BTC" attribute is a strong memetic narrative, I don't think anyone has ever expected that it would all be in circulation. It has always been understood that many coins will be lost, and that's actually part of the game theory of owning bitcoin!
>>>>
>>>> And remember, the 21M number in and of itself is not a particularly important detail - it's not even mentioned in the whitepaper. What's important is that the supply is well known and not subject to change.
>>>>
>>>> Self-Sovereignty and Personal Responsibility
>>>> Bitcoin's design empowers individuals to control their own wealth, free from centralized intervention. This freedom comes with the burden of securing one's private keys. If quantum computing can break obsolete cryptography, the fault lies with users who didn't move their funds to quantum safe locking scripts. Expecting the network to shield users from their own negligence undermines the principle that you, and not a third party, are accountable for your assets.
>>>>
>>>> I think this is generally a fair point that "the community" doesn't owe you anything in terms of helping you. I think that we do, however, need to consider the incentives and game theory in play with regard to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.
>>>>
>>>> Code is Law
>>>> Bitcoin operates on transparent, immutable rules embedded in its protocol. If a quantum attacker uses superior technology to derive private keys from public keys, they're not "hacking" the system - they're simply following what's mathematically permissible within the current code. Altering the protocol to stop this introduces subjective human intervention, which clashes with the objective, deterministic nature of blockchain.
>>>>
>>>> While I tend to agree that code is law, one of the entire points of laws is that they can be amended to improve their efficacy in reducing harm.
>>>> Leaning on this point seems more like a pro-ossification stance that it's better to do nothing and allow harm to occur rather than take action to stop an attack that was foreseen far in advance.
>>>>
>>>> Technological Evolution as a Feature, Not a Bug
>>>> It's well known that cryptography tends to weaken over time and eventually break. Quantum computing is just the next step in this progression. Users who fail to adapt (e.g., by adopting quantum-resistant wallets when available) are akin to those who ignored technological advancements like multisig or hardware wallets. Allowing quantum theft incentivizes innovation and keeps Bitcoin's ecosystem dynamic, punishing complacency while rewarding vigilance.
>>>>
>>>> Market Signals Drive Security
>>>> If quantum attackers start stealing funds, it sends a clear signal to the market: upgrade your security or lose everything. This pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Coddling vulnerable users delays this necessary evolution, potentially leaving the network more exposed when quantum tech becomes widely accessible. Theft is a brutal but effective teacher.
>>>>
>>>> Centralized Blacklisting Power
>>>> Burning vulnerable funds requires centralized decision-making - a soft fork to invalidate certain transactions. This sets a dangerous precedent for future interventions, eroding Bitcoin's decentralization. If quantum theft is blocked, what's next - reversing exchange hacks? The system must remain neutral, even if it means some lose out.
>>>>
>>>> I think this could be a potential slippery slope if the proposal was to only burn specific addresses.
>>>> Rather, I'd expect a neutral proposal to burn all funds in locking script types that are known to be quantum vulnerable. Thus, we could eliminate any subjectivity from the code.
>>>>
>>>> Fairness in Competition
>>>> Quantum attackers aren't cheating; they're using publicly available physics and math. Anyone with the resources and foresight can build or access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU. Early adopters took risks and reaped rewards; quantum innovators are doing the same. Calling it "unfair" ignores that Bitcoin has never promised equality of outcome - only equality of opportunity within its rules.
>>>>
>>>> I find this argument to be a mischaracterization because we're not talking about CPUs. This is more akin to talking about ASICs, except each ASIC costs millions if not billions of dollars. This is out of reach from all but the wealthiest organizations.
>>>>
>>>> Economic Resilience
>>>> Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and emerged stronger. The market can absorb quantum losses, with unaffected users continuing to hold and new entrants buying in at lower prices. Fear of economic collapse overestimates the impact - the network's antifragility thrives on such challenges.
>>>>
>>>> This is a big grey area because we don't know when a quantum computer will come online and we don't know how quickly said computers would be able to steal bitcoin. If, for example, the first generation of sufficiently powerful quantum computers were stealing less volume than the current block reward then of course it will have minimal economic impact.
>>>> But if they're taking thousands of BTC per day and bringing them back into circulation, there will likely be a noticeable market impact as it absorbs the new supply.
>>>>
>>>> This is where the circumstances will really matter. If a quantum attacker appears AFTER the Bitcoin protocol has been upgraded to support quantum resistant cryptography then we should expect the most valuable active wallets will have upgraded and the juiciest target would be the 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant since 2010. In general I'd expect that the amount of BTC re-entering the circulating supply would look somewhat similar to the mining emission curve: volume would start off very high as the most valuable addresses are drained and then it would fall off as quantum computers went down the list targeting addresses with less and less BTC.
>>>>
>>>> Why is economic impact a factor worth considering? Miners and businesses in general. More coins being liquidated will push down the price, which will negatively impact miner revenue. Similarly, I can attest from working in the industry for a decade, that lower prices result in less demand from businesses across the entire industry. As such, burning quantum vulnerable bitcoin is good for the entire industry.
>>>>
>>>> Practicality & Neutrality of Non-Intervention
>>>> There's no reliable way to distinguish "theft" from legitimate "white hat" key recovery. If someone loses their private key and a quantum computer recovers it, is that stealing or reclaiming? Policing quantum actions requires invasive assumptions about intent, which Bitcoin's trustless design can't accommodate. Letting the chips fall where they may avoids this mess.
>>>>
>>>> Philosophical Purity
>>>> Bitcoin rejects bailouts. It's a cold, hard system where outcomes reflect preparation and skill, not sentimentality. If quantum computing upends the game, that's the point - Bitcoin isn't meant to be safe or fair in a nanny-state sense; it's meant to be free. Users who lose funds to quantum attacks are casualties of liberty and their own ignorance, not victims of injustice.
>>>>
>>>> Bitcoin's DAO Moment
>>>> This situation has some similarities to The DAO hack of an Ethereum smart contract in 2016, which resulted in a fork to stop the attacker and return funds to their original owners. The game theory is similar because it's a situation where a threat is known but there's some period of time before the attacker can actually execute the theft. As such, there's time to mitigate the attack by changing the protocol.
>>>>
>>>> It also created a schism in the community around the true meaning of "code is law," resulting in Ethereum Classic, which decided to allow the attacker to retain control of the stolen funds.
>>>>
>>>> A soft fork to burn vulnerable bitcoin could certainly result in a hard fork if there are enough miners who reject the soft fork and continue including transactions.
>>>>
>>>> Incentives Matter
>>>> We can wax philosophical until the cows come home, but what are the actual incentives for existing Bitcoin holders regarding this decision?
>>>>
>>>>> "Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone." - Satoshi Nakamoto
>>>>
>>>> If true, the corollary is:
>>>>
>>>>> "Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone."
>>>>> - Jameson Lopp
>>>>
>>>> Thus, assuming we get to a point where quantum resistant signatures are supported within the Bitcoin protocol, what's the incentive to let vulnerable coins remain spendable?
>>>>
>>>> * It's not good for the actual owners of those coins. It disincentivizes owners from upgrading until perhaps it's too late.
>>>> * It's not good for the more attentive / responsible owners of coins who have quantum secured their stash. Allowing the circulating supply to balloon will assuredly reduce the purchasing power of all bitcoin holders.
>>>>
>>>> Forking Game Theory
>>>> From a game theory point of view, I see this as incentivizing users to upgrade their wallets. If you disagree with the burning of vulnerable coins, all you have to do is move your funds to a quantum safe signature scheme. Point being, I don't see there being an economic majority (or even more than a tiny minority) of users who would fight such a soft fork. Why expend significant resources fighting a fork when you can just move your coins to a new address?
>>>>
>>>> Remember that blocking spending of certain classes of locking scripts is a tightening of the rules - a soft fork. As such, it can be meaningfully enacted and enforced by a mere majority of hashpower. If miners generally agree that it's in their best interest to burn vulnerable coins, are other users going to care enough to put in the effort to run new node software that resists the soft fork? Seems unlikely to me.
>>>>
>>>> How to Execute Burning
>>>> In order to be as objective as possible, the goal would be to announce to the world that after a specific block height / timestamp, Bitcoin nodes will no longer accept transactions (or blocks containing such transactions) that spend funds from any scripts other than the newly instituted quantum safe schemes.
>>>>
>>>> It could take a staggered approach to first freeze funds that are susceptible to long-range attacks such as those in P2PK scripts or those that exposed their public keys due to previously re-using addresses, but I expect the additional complexity would drive further controversy.
>>>>
>>>> How long should the grace period be in order to give the ecosystem time to upgrade? I'd say a minimum of 1 year for software wallets to upgrade. We can only hope that hardware wallet manufacturers are able to implement post quantum cryptography on their existing hardware with only a firmware update.
>>>>
>>>> Beyond that, it will take at least 6 months worth of block space for all users to migrate their funds, even in a best case scenario. Though if you exclude dust UTXOs you could probably get 95% of BTC value migrated in 1 month. Of course this is a highly optimistic situation where everyone is completely focused on migrations - in reality it will take far longer.
>>>>
>>>> Regardless, I'd think that in order to reasonably uphold Bitcoin's conservatism it would be preferable to allow a 4 year migration window. In the meantime, mining pools could coordinate emergency soft forking logic such that if quantum attackers materialized, they could accelerate the countdown to the quantum vulnerable funds burn.
>>>>
>>>> Random Tangential Benefits
>>>> On the plus side, burning all quantum vulnerable bitcoin would allow us to prune all of those UTXOs out of the UTXO set, which would also clean up a lot of dust. Dust UTXOs are a bit of an annoyance and there has even been a recent proposal for how to incentivize cleaning them up.
>>>>
>>>> We should also expect that incentivizing migration of the entire UTXO set will create substantial demand for block space that will sustain a fee market for a fairly lengthy amount of time.
>>>>
>>>> In Summary
>>>> While the moral quandary of violating any of Bitcoin's inviolable properties can make this a very complex issue to discuss, the game theory and incentives between burning vulnerable coins versus allowing them to be claimed by entities with quantum supremacy appears to be a much simpler issue.
>>>>
>>>> I, for one, am not interested in rewarding quantum capable entities by inflating the circulating money supply just because some people lost their keys long ago and some laggards are not upgrading their bitcoin wallet's security.
>>>>
>>>> We can hope that this scenario never comes to pass, but hope is not a strategy.
>>>>
>>>> I welcome your feedback upon any of the above points, and contribution of any arguments I failed to consider.
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
>>>> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/893891ea-34ec-4d60-9941-9f636be0d747n%40googlegroups.com.
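A worked model of the freeze rule sketched in the quoted "How to Execute Burning" section (long-range-exposed outputs first, every ECDSA/Schnorr output after the grace period), with the two narrowings ArmchairCryptologist asks for later in the thread (skip P2SH/P2WSH, touch only long-dormant coins) as switchable parameters. This is an added illustration, not code from the thread or from any Bitcoin implementation; the script templates are the standard ones, while the heights, dormancy threshold, UTXO labels and key bytes are constructed.

```python
"""Model of the freeze rule debated in this thread, keyed on public-key exposure.

Added illustration, not code from the thread or any Bitcoin implementation.
Phase 1 freezes outputs whose key is already on chain; phase 2 freezes every
ECDSA/Schnorr output once the grace period ends. Two optional narrowings model
ArmchairCryptologist's objections. Heights, labels and key bytes are constructed.
"""
from dataclasses import dataclass

OP_0, OP_1, OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x00, 0x51, 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG = 0xA9, 0xAC
# Every standard template is spent with ECDSA or BIP340 Schnorr; a hypothetical
# post-quantum output type would simply fall outside this set.
VULNERABLE_TYPES = {"p2pk", "p2pkh", "p2sh", "p2wpkh", "p2wsh", "p2tr"}


def classify_script(spk: bytes) -> str:
    """Return the standard output type of a scriptPubKey, or 'nonstandard'."""
    n = len(spk)
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh"
    if n == 23 and spk[:2] == bytes([OP_HASH160, 20]) and spk[22] == OP_EQUAL:
        return "p2sh"
    if n == 22 and spk[:2] == bytes([OP_0, 20]):
        return "p2wpkh"
    if n == 34 and spk[:2] == bytes([OP_0, 32]):
        return "p2wsh"
    if n == 34 and spk[:2] == bytes([OP_1, 32]):
        return "p2tr"
    # P2PK pushes the key itself: 33 bytes (02/03 prefix) or 65 bytes (04).
    if n == 35 and spk[0] == 33 and spk[1] in (2, 3) and spk[-1] == OP_CHECKSIG:
        return "p2pk"
    if n == 67 and spk[0] == 65 and spk[1] == 4 and spk[-1] == OP_CHECKSIG:
        return "p2pk"
    return "nonstandard"


def key_exposure(script_type: str, reused: bool) -> str:
    """long-range: the key is already on chain and can be worked on at leisure;
    short-range: only a hash is on chain, the key appears at spend time;
    unknown: an unspent script hash may hide anything, including a timelock."""
    if script_type in ("p2pk", "p2tr") or reused:
        return "long-range"
    if script_type in ("p2pkh", "p2wpkh"):
        return "short-range"
    return "unknown"


@dataclass(frozen=True)
class Utxo:
    label: str              # constructed name, not a real outpoint
    script_pubkey: bytes
    created_height: int     # height at which the coins last moved
    reused: bool            # this address/script already signed a spend on chain


@dataclass(frozen=True)
class FreezePolicy:
    phase1_height: int          # long-range-exposed outputs frozen from here
    phase2_height: int          # every vulnerable output frozen from here
    min_dormant_blocks: int     # only outputs idle at least this long are touched
    exempt_script_hashes: bool  # leave P2SH/P2WSH alone (possible timelocks)


def spend_allowed(utxo: Utxo, policy: FreezePolicy, tip: int) -> tuple:
    """(allowed, reason) for a spend of utxo when the chain tip is at height tip."""
    stype = classify_script(utxo.script_pubkey)
    if stype not in VULNERABLE_TYPES:
        return True, f"{stype}: not an ECDSA/Schnorr output"
    if policy.exempt_script_hashes and stype in ("p2sh", "p2wsh"):
        return True, f"{stype}: script hash may encumber a timelock"
    if tip - utxo.created_height < policy.min_dormant_blocks:
        return True, f"{stype}: moved too recently to be treated as lost"
    if tip >= policy.phase2_height:
        return False, f"{stype}: grace period over, frozen in phase 2"
    exposure = key_exposure(stype, utxo.reused)
    if tip >= policy.phase1_height and exposure == "long-range":
        return False, f"{stype}: key already on chain, frozen in phase 1"
    return True, f"{stype}: {exposure} exposure, still spendable"


def freeze_report(utxos, policy, tip):
    """Map each UTXO label to its (allowed, reason) verdict under policy."""
    return {u.label: spend_allowed(u, policy, tip) for u in utxos}


# Constructed sample set: filler bytes stand in for real keys and hashes.
SAMPLE_UTXOS = [
    Utxo("old-p2pk", bytes([65, 4]) + b"\x11" * 64 + bytes([OP_CHECKSIG]), 50_000, False),
    Utxo("fresh-p2pkh", bytes([OP_DUP, OP_HASH160, 20]) + b"\x22" * 20
         + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 890_000, False),
    Utxo("reused-p2wpkh", bytes([OP_0, 20]) + b"\x33" * 20, 600_000, True),
    Utxo("dormant-p2wsh", bytes([OP_0, 32]) + b"\x44" * 32, 400_000, False),
    Utxo("taproot", bytes([OP_1, 32]) + b"\x55" * 32, 700_000, False),
]
BLOCKS_PER_YEAR = 52_560  # ~10-minute blocks; the essay's 4-year window
LOPP_POLICY = FreezePolicy(900_000, 900_000 + 4 * BLOCKS_PER_YEAR, 0, False)
NARROW_POLICY = FreezePolicy(900_000, 900_000 + 4 * BLOCKS_PER_YEAR,
                             15 * BLOCKS_PER_YEAR, True)
```

Under LOPP_POLICY at height 950,000 the P2PK, reused P2WPKH and Taproot outputs are already frozen while the hash-only outputs still spend; under NARROW_POLICY only the 15-year-dormant P2PK output is ever touched.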
> I'm not a lawyer, but if developers make a conscious decision to make a code change that confiscates funds, even with a reasonable heads-up, I feel like some lawyers might be tempted to make an argument that those developers should be held responsible for any losses. As everyone knows, Bitcoin has been under legal attacks before, and I'm not sure that anyone would (or should) be willing to sign off on a change that might potentially open them up to several billion dollars worth of personal responsibility - especially if the "bonded courier" actually shows up and reveals a private key that would have unlocked funds under the pre-QC scheme.

Coincidentally, Peter Todd has just made the same point in another (apparently unrelated) thread, here: https://groups.google.com/g/bitcoindev/c/bmV1QwYEN4k/m/kkHQZd_BAwAJ
For me it's very clear, that it's not an accident that such "unexpected" side effects exist. It's a feature that I'd whimsically call "ethical impedance-mismatch" (the term impedance mismatch has been used in computing/programming, which itself borrowed it from the real meaning, in physics). People have a moral/ethical desire to make bitcoin function as well as possible, and see a failure mode in those using it for other purposes, but that line of thought clashes with the essential, basic principle of censorship-resistance.

So we see technical borked-ness like failure to get accurate fee rates and the like, from doing something (attempting to filter at p2p level) that is intrinsically counter to the foundational ethical, functional purpose of the system: censorship-resistance. And then we see "cascading failures" of the type discussed here: if the devs are working to break bitcoin's ethical promise of censorship-resistance, then thugs^H^H politicians and lawyers will seek to take control of that "break" for their own purposes.

That's why I'm not against "quantum recovery" as per the title of this thread. Recovery, independent of outside control, *is* bitcoin's function. If half a million btc get spent by someone who has "recovered" in an unexpected way, tough titties. If the entire system collapses because we can't get our act together before 2085 (OK I know some think it's 2035, I don't, but whatever), then it is what it is. That is a huge unknown. But Bitcoin will 100% fail if confiscation of *any* type becomes a thing.

Cheers,
AdamISZ/waxwing
On Wednesday, June 4, 2025 at 4:56:53 AM UTC-3 ArmchairCryptologist wrote:
Hi,

With the longer grace period and selective deactivation, this seems more sensible, but there is one elephant in the room that I haven't seen mentioned here - namely, the legal aspect. (If it was, sorry I missed it.)

I'm not a lawyer, but if developers make a conscious decision to make a code change that confiscates funds, even with a reasonable heads-up, I feel like some lawyers might be tempted to make an argument that those developers should be held responsible for any losses. As everyone knows, Bitcoin has been under legal attacks before, and I'm not sure that anyone would (or should) be willing to sign off on a change that might potentially open them up to several billion dollars worth of personal responsibility - especially if the "bonded courier" actually shows up and reveals a private key that would have unlocked funds under the pre-QC scheme.

The only safe-ish way I can see to do this is to have it only affect funds that are very likely to be lost in the first place. So at the very least, it could not affect UTXOs that could potentially be encumbered with a timelock (i.e. P2SH/P2WSH), and it could only affect UTXOs that have not moved for a very long time (say 15-20 years).

If quantum computers capable of practical attacks against Bitcoin are ever known to actually exist, sending to non-PQC addresses should of course be disabled immediately. But I feel that the nature of a permissionless system implies a large degree of self-responsibility, so if someone chooses to keep using non-PQC addresses even after PQC addresses have become available and practical quantum attacks are suspected to be an imminent danger, it's not necessarily up to the developers to tell them they can't, only that they really shouldn't.

--
Regards,
ArmchairCryptologist

Sent with Proton Mail secure email.

On Monday, May 26th, 2025 at 2:48 AM, Agustin Cruz <agusti...@gmail.com> wrote:
Hi everyone,

The QRAMP proposal aims to manage the quantum transition responsibly without disrupting Bitcoin's core principles.

QRAMP has three phases:

1. Allow wallets to optionally include PQC keys in Taproot outputs. This enables early adoption without forcing anyone.

2. Announce a soft fork to disable vulnerable scripts, with a long (~4-year) grace period. This gives ample time to migrate and avoids sudden shocks.

3. Gradually deactivate vulnerable outputs based on age or inactivity. This avoids a harsh cutoff and gives time for adaptation.

We can also allow exceptions via proof-of-possession, and delay restrictions on timelocked outputs to avoid harming future spenders.

QRAMP is not about confiscation or control. It's about aligning incentives, maintaining security, and offering a clear, non-coercive upgrade path.
Best,
Agustin Cruz



On Sun, May 25, 2025, 7:03 p.m., Dustin Ray <dustinvo...@gmail.com> wrote:
The difference between the ETH/ETC split though was that no one had anything confiscated except the DAO hacker, everyone retained an identical number of tokens on each chain. The proposal for BTC is very different in that some holders will lose access to their coins during the PQ migration under the confiscation approach. Just wanted to point that out.

On Sun, May 25, 2025 at 3:06 PM 'conduition' via Bitcoin Development Mailing List <bitco...@googlegroups.com> wrote:
Hey Saulo,

You're right about the possibility of an ugly split. Laggards who don't move coins to PQ address schemes will be incentivized to follow any chain where they keep their coins. But those who do migrate will be incentivized to follow the chain where unmigrated pre-quantum coins are frozen.

While you're comparing this event to the ETH/ETC split, we should remember that ETH remained the dominant chain despite their heavy-handed rollback. Just goes to show, confusion and face-loss is a lesser evil than allowing an adversary to pwn the network.

> This is the free-market way to solve problems without imposing rules on everyone.

It'd still be a free market even if quantum-vulnerable coins are frozen. The only way to test the relative value of quantum-safe vs quantum-vulnerable coins is to split the chain and see how the market reacts.

IMO, the "free market way" is to give people options and let their money flow to where it works best. That means people should be able to choose whether they want their money to be part of a system that allows quantum attack, or part of one which does not. I know which I would choose, but neither you nor I can make that choice for everyone.

regards,
conduition
On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz <agusti...@gmail.com> wrote:
I'm against letting quantum computers scoop up funds from addresses that don't upgrade to quantum-resistant.
Saulo's idea of a free-market approach, leaving old coins up for grabs if people don't move them, sounds fair at first. Let luck decide, right? But I worry it'd turn into a mess. If quantum machines start cracking keys and snagging coins, it's not just lost Satoshi-era stuff at risk. Plenty of active wallets, like those on the rich list Jameson mentioned, could get hit too. Imagine millions of BTC flooding the market. Prices tank, trust in Bitcoin takes a dive, and we all feel the pain. Freezing those vulnerable funds keeps that chaos in check.
Plus, "your keys, your coins" is Bitcoin's heart. If quantum tech can steal from you just because you didn't upgrade fast enough, that promise feels shaky. Freezing funds after a heads-up period (say, four years) protects that idea better than letting tech giants or rogue states play vampire with our network. It also nudges people to get their act together and move to safer addresses, which strengthens Bitcoin long-term.
Saulo's right that freezing coins could confuse folks or spark a split like Ethereum Classic. But I'd argue quantum theft would look worse. Bitcoin would seem broken, not just strict. A clear plan and enough time to migrate could smooth things over. History's on our side too. Bitcoin's fixed bugs before, like SegWit. This feels like that, not a bailout.
So yeah, I'd rather see vulnerable coins locked than handed to whoever builds the first quantum rig. It's less about coddling people and more about keeping Bitcoin solid for everyone. What do you all think?
Cheers,
Agustín


I believe that having some entity announce the decision to freeze old UTXOs would be more damaging to Bitcoin's image (and its value) than having them gathered by QC. This would create another version of Bitcoin, similar to Ethereum Classic, causing confusion in the market.

It would be better to simply implement the possibility of moving funds to a PQC address without a deadline, allowing those who fail to do so to rely on luck to avoid having their coins stolen. Most coins would be migrated to PQC anyway, and in most cases, only the lost ones would remain vulnerable. This is the free-market way to solve problems without imposing rules on everyone.

Saulo Fonseca


On 16. Mar 2025, at 15:15, Jameson Lopp <jameso...@gmail.com> wrote:

The quantum computing debate is heating up. There are many controversial aspects to this debate, including whether or not quantum computers will ever actually become a practical threat.

I won't tread into the unanswerable question of how worried we should be about quantum computers. I think it's far from a crisis, but given the difficulty in changing Bitcoin it's worth starting to seriously discuss. Today I wish to focus on a philosophical quandary related to one of the decisions that would need to be made if and when we implement a quantum safe signature scheme.

Several Scenarios
Because this essay will reference game theory a fair amount, and there are many variables at play that could change the nature of the game, I think it's important to clarify the possible scenarios up front.

1. Quantum computing never materializes, never becomes a threat, and thus everything discussed in this essay is moot.
2. A quantum computing threat materializes suddenly and Bitcoin does not have quantum safe signatures as part of the protocol. In this scenario it would likely make the points below moot because Bitcoin would be fundamentally broken and it would take far too long to upgrade the protocol, wallet software, and migrate user funds in order to restore confidence in the network.
3. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been minimally adopted by the time an attacker appears.
4. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been highly adopted by the time an attacker appears.

For the purposes of this post, I'm envisioning = being in situation 3 or 4.

To Freeze or not to Freeze?
I've started seeing more people weighing in on what is likely the most contentious aspect of how a quantum resistance upgrade should be handled in terms of migrating user funds. Should quantum vulnerable funds be left open to be swept by anyone with a sufficiently powerful quantum computer OR should they be permanently locked?

"I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation."
- Hunter Beast

On the other hand:
"Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone; even those which diligently moved their coins to PQC-protected schemes."
- Pieter Wuille

I don't think "confiscation" is the most precise term to use, as the funds are not being seized and reassigned. Rather, what we're really discussing would be better described as "burning" - placing the funds out of reach of everyone.

Not freezing user funds is one of Bitcoin's inviolable properties. However, if quantum computing becomes a threat to Bitcoin's elliptic curve cryptography, an inviolable property of Bitcoin will be violated one way or another.

Fundamental Properties at Risk
5 years ago I attempted to comprehensively categorize all of Bitcoin's fundamental properties that give it value. https://nakamoto.com/what-are-the-key-properties-of-bitcoin/
The particular properties in play with regard to this issue seem to be:
Censorship Resistance - No one should have the power to prevent others from using their bitcoin or interacting with the network.

Forward Compatibility - changing the rules such that certain valid transactions become invalid could undermine confidence in the protocol.

Conservatism - Users should not be expected to be highly responsive to system issues.

As a result of the above principles, we have developed a strong meme (kudos to Andreas Antonopoulos) that goes as follows:
Not your keys, not your coins.

I posit that the corollary to this principle is:
Your keys, only your coins.

A quantum capable entity breaks the corollary of this foundational principle. We secure our bitcoin with the mathematical probabilities related to extremely large random numbers. Your funds are only secure because truly random large numbers should not be guessable or discoverable by anyone else in the world.

This is the principle behind the motto vires in numeris - strength in numbers. In a world with quantum enabled adversaries, this principle is null and void for many types of cryptography, including the elliptic curve digital signatures used in Bitcoin.

Who is at Risk?
There has long been a narrative that Satoshi's coins and others from the Satoshi era of P2PK locking scripts that exposed the public key directly on the blockchain will be those that get scooped up by a quantum "miner." But unfortunately it's not that simple. If I had a powerful quantum computer, which coins would I target? I'd go to the Bitcoin rich list and find the wallets that have exposed their public keys due to re-using addresses that have previously been spent from. You can easily find them at https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html

Note that a few of these wallets, like Bitfinex / Kraken / Tether, would be slightly harder to crack because they are multisig wallets. So a quantum attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfinex / Tether in order to spend funds. But many are single signature.

Point being, it's not only the really old lost BTC that are at risk to a quantum enabled adversary, at least at time of writing. If we add a quantum safe signature scheme, we should expect those wallets to be some of the first to upgrade given their incentives.

The Ethical Dilemma: Quantifying Harm
Which decision results in the most harm?

By making quantum vulnerable funds unspendable we potentially harm some Bitcoin users who were not paying attention and neglected to migrate their funds to a quantum safe locking script. This violates the "conservatism" principle stated earlier. On the flip side, we prevent those funds plus far more lost funds from falling into the hands of the few privileged folks who gain early access to quantum computers.

By leaving quantum vulnerable funds available to spend, the same set of users who would otherwise have funds frozen are likely to see them stolen. And many early adopters who lost their keys will eventually see their unreachable funds scooped up by a quantum enabled adversary.

Imagine, for example, being James Howells, who accidentally threw away a hard drive with 8,000 BTC on it, currently worth over $600M USD. He has spent a decade trying to retrieve it from the landfill where he knows it's buried, but can't get permission to excavate. I suspect that, given the choice, he'd prefer those funds be permanently frozen rather than fall into someone else's possession - I know I would.

Allowing a quantum computer to access lost funds doesn't make those users any worse off than they were before, however it would have a negative impact upon everyone who is currently holding bitcoin.

It's prudent to expect significant economic disruption if large amounts of coins fall into new hands. Since a quantum computer is going to have a massive up front cost, expect those behind it to desire to recoup their investment. We also know from experience that when someone suddenly finds themselves in possession of 9+ figures worth of highly liquid assets, they tend to diversify into other things by selling.

Allowing quantum recovery of bitcoin is tantamount to wealth redistribution. What we'd be allowing is for bitcoin to be redistributed from those who are ignorant of quantum computers to those who have won the technological race to acquire quantum computers. It's hard to see a bright side to that scenario.

Is Quantum Recovery Good for Anyone?

Does quantum recovery HELP anyone? I've yet to come across an argument that it's a net positive in any way. It certainly doesn't add any security to the network. If anything, it greatly decreases the security of the network by allowing funds to be claimed by those who did not earn them.

But wait, you may be thinking, wouldn't quantum "miners" have earned their coins by all the work and resources invested in building a quantum computer? I suppose, in the same sense that a burglar earns their spoils by the resources they invest into surveilling targets and learning the skills needed to break into buildings. When I say "earned" I mean through productive mutual trade.

For example:

* Investors earn BTC by trading for other currencies.
* Merchants earn BTC by trading for goods and services.
* Miners earn BTC by trading thermodynamic security.
* Quantum miners don't trade anything, they are vampires feeding upon the system.

There's no reason to believe that allowing quantum adversaries to recover vulnerable bitcoin will be of benefit to anyone other than the select few organizations that win the technological arms race to build the first such computers. Probably nation states and/or the top few largest tech companies.

One could certainly hope that an organization with quantum supremacy is benevolent and acts in a "white hat" manner to return lost coins to their owners, but that's incredibly optimistic and foolish to rely upon. Such a situation creates an insurmountable ethical dilemma of only recovering lost bitcoin rather than currently owned bitcoin. There's no way to precisely differentiate between the two; anyone can claim to have lost their bitcoin but if they have lost their keys then proving they ever had the keys becomes rather difficult. I imagine that any such white hat recovery efforts would have to rely upon attestations from trusted third parties like exchanges.

Even if the first actor with quantum supremacy is benevolent, we must assume the technology could fall into adversarial hands and thus think adversarially about the potential worst case outcomes. Imagine, for example, that North Korea continues scooping up billions of dollars from hacking crypto exchanges and decides to invest some of those proceeds into building a quantum computer for the biggest payday ever...

Downsides to Allowing Quantum Recovery
Let's think through an exhaustive list of pros and cons for allowing or preventing the seizure of funds by a quantum adversary.

Historical Precedent
Previous protocol vulnerabilities weren't celebrated as "fair game" but rather were treated as failures to be remediated. Treating quantum theft differently risks rewriting Bitcoin's history as a free-for-all rather than a system that seeks to protect its users.

Violation of Property Rights
Allowing a quantum adversary to take control of funds undermines the fundamental principle of cryptocurrency - if you keep your keys in your possession, only you should be able to access your money. Bitcoin is built on the idea that private keys secure an individual's assets, and unauthorized access (even via advanced tech) is theft, not a legitimate transfer.

Erosion of Trust in Bitcoin
If quantum attackers can exploit vulnerable addresses, confidence in Bitcoin as a secure store of value would collapse. Users and investors rely on cryptographic integrity, and widespread theft could drive adoption away from Bitcoin, destabilizing its ecosystem.

This is essentially the counterpoint to claiming the burning of vulnerable funds is a violation of property rights. While some will certainly see it as such, others will find the apathy toward stopping quantum theft to be similarly concerning.

Unfair Advantage
Quantum attackers, likely equipped with rare and expensive technology, would have an unjust edge over regular users who lack access to such tools. This creates an inequitable system where only the technologically elite can exploit others, contradicting Bitcoin's ethos of decentralized power.

Bitcoin is designed to create an asymmetric advantage for DEFENDING one's wealth. It's supposed to be impractically expensive for attackers to crack the entropy and cryptography protecting one's coins. But now we find ourselves discussing a situation where this asymmetric advantage is compromised in favor of a specific class of attackers.

Economic Disruption
Large-scale theft from vulnerable addresses could crash Bitcoin's price as quantum recovered funds are dumped on exchanges. This would harm all holders, not just those directly targeted, leading to broader financial chaos in the markets.

Moral Responsibility
Permitting theft via quantum computing sets a precedent that technological superiority justifies unethical behavior. This is essentially taking a "code is law" stance in which we refuse to admit that both code and laws can be modified to adapt to previously unforeseen situations.

Burning of coins can certainly be considered a form of theft, thus I think it's worth differentiating the two different thefts being discussed:

1. self-enriching & likely malicious
2. harm prevention & not necessarily malicious

Both options lack the consent of the party whose coins are being burnt or transferred, thus I think the simple argument that theft is immoral becomes a wash and it's important to drill down into the details of each.

Incentives Drive Security
I can tell you from a decade of working in Bitcoin security - the average user is lazy and is a procrastinator. If Bitcoiners are given a "drop dead date" after which they know vulnerable funds will be burned, this pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Allowing vulnerable users to delay upgrading indefinitely will result in more laggards, leaving the network more exposed when quantum tech becomes available.

Steel Manning
Clearly this is a complex and controversial topic, thus it's worth thinking through the opposing arguments.

Protecting Property Rights
Allowing quantum computers to take vulnerable bitcoin could potentially be spun as a hard money narrative - we care so greatly about not violating someone's access to their coins that we allow them to be stolen!

But I think the flip side to the property rights narrative is that burning vulnerable coins prevents said property from falling into undeserving hands. If the entire Bitcoin ecosystem just stands around and allows quantum adversaries to claim funds that rightfully belong to other users, is that really a "win" in the "protecting property rights" category? It feels more like apathy to me.

As such, I think the "protecting property rights" argument is a wash.

Quantum Computers Won't Attack Bitcoin
There is a great deal of skepticism that sufficiently powerful quantum computers will ever exist, so we shouldn't bother preparing for a non-existent threat. Others have argued that even if such a computer was built, a quantum attacker would not go after bitcoin because they wouldn't want to reveal their hand by doing so, and would instead attack other infrastructure.

It's quite difficult to quantify exactly how valuable attacking other infrastructure would be. It also really depends upon when an entity gains quantum supremacy and thus if by that time most of the world's systems have already been upgraded. While I think you could argue that certain entities gaining quantum capability might not attack Bitcoin, it would only delay the inevitable - eventually somebody will achieve the capability who decides to use it for such an attack.

Quantum Attackers Would Only Steal Small Amounts
Some have argued that even if a quantum attacker targeted bitcoin, they'd only go after old, likely lost P2PK outputs so as to not arouse suspicion and cause a market panic.

I'm not so sure about that; why go after 50 BTC at a time when you could take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero day exploit" game theory in which an attacker knows they have a limited amount of time before someone else discovers the exploit and either benefits from it or patches it. Take, for example, the recent ByBit attack - the highest value crypto hack of all time. Lazarus Group had compromised the Safe wallet front end JavaScript app and they could have simply had it reassign ownership of everyone's Safe wallets as they were interacting with their wallet. But instead they chose to only specifically target ByBit's wallet with $1.5 billion in it because they wanted to maximize their extractable value. If Lazarus had started stealing from every wallet, they would have been discovered quickly and the Safe web app would likely have been patched well before any billion dollar wallets executed the malicious code.

I think the "only stealing small amounts" argument is strongest for Situation #2 described earlier, where a quantum attacker arrives before quantum safe cryptography has been deployed across the Bitcoin ecosystem. Because if it became clear that Bitcoin's cryptography was broken AND there was nowhere safe for vulnerable users to migrate, the only logical option would be for everyone to liquidate their bitcoin as quickly as possible. As such, I don't think it applies as strongly for situations in which we have a migration path available.

The 21 Million Coin Supply Should be in Circulation
Some folks are arguing that it's important for the "circulating / spendable" supply to be as close to 21M as possible and that having a significant portion of the supply out of circulation is somehow undesirable.

While the "21M BTC" attribute is a strong memetic narrative, I don't think anyone has ever expected that it would all be in circulation. It has always been understood that many coins will be lost, and that's actually part of the game theory of owning bitcoin!

And remember, the 21M number in and of itself is not a particularly important detail - it's not even mentioned in the whitepaper. What's important is that the supply is well known and not subject to change.

Self-Sovereignty and Personal Responsibility
Bitcoin's design empowers individuals to control their own wealth, free from centralized intervention. This freedom comes with the burden of securing one's private keys. If quantum computing can break obsolete cryptography, the fault lies with users who didn't move their funds to quantum safe locking scripts. Expecting the network to shield users from their own negligence undermines the principle that you, and not a third party, are accountable for your assets.

I think this is generally a fair point that "the community" doesn't owe you anything in terms of helping you. I think that we do, however, need to consider the incentives and game theory in play with regard to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.

Code is Law
Bitcoin operates on transparent, immutable rules embedded in its protocol. If a quantum attacker uses superior technology to derive private keys from public keys, they're not "hacking" the system - they're simply following what's mathematically permissible within the current code. Altering the protocol to stop this introduces subjective human intervention, which clashes with the objective, deterministic nature of blockchain.

While I tend to agree that code is law, one of the entire points of laws is that they can be amended to improve their efficacy in reducing harm. Leaning on this point seems more like a pro-ossification stance that it's better to do nothing and allow harm to occur rather than take action to stop an attack that was foreseen far in advance.

Technological Evolution as a Feature, Not a Bug
It's well known that cryptography tends to weaken over time and eventually break. Quantum computing is just the next step in this progression. Users who fail to adapt (e.g., by adopting quantum-resistant wallets when available) are akin to those who ignored technological advancements like multisig or hardware wallets. Allowing quantum theft incentivizes innovation and keeps Bitcoin's ecosystem dynamic, punishing complacency while rewarding vigilance.

Market Signals Drive Security
If quantum attackers start stealing funds, it sends a clear signal to the market: upgrade your security or lose everything. This pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Coddling vulnerable users delays this necessary evolution, potentially leaving the network more exposed when quantum tech becomes widely accessible. Theft is a brutal but effective teacher.

Centralized Blacklisting Power
Burning vulnerable funds requires centralized decision-making - a soft fork to invalidate certain transactions. This sets a dangerous precedent for future interventions, eroding Bitcoin's decentralization. If quantum theft is blocked, what's next - reversing exchange hacks? The system must remain neutral, even if it means some lose out.

I think this could be a potential slippery slope if the proposal was to only burn specific addresses. Rather, I'd expect a neutral proposal to burn all funds in locking script types that are known to be quantum vulnerable. Thus, we could eliminate any subjectivity from the code.

Fairness in Competition
Quantum attackers aren't cheating; they're using publicly available physics and math. Anyone with the resources and foresight can build or access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU. Early adopters took risks and reaped rewards; quantum innovators are doing the same. Calling it "unfair" ignores that Bitcoin has never promised equality of outcome - only equality of opportunity within its rules.

I find this argument to be a mischaracterization because we're not talking about CPUs. This is more akin to talking about ASICs, except each ASIC costs millions if not billions of dollars. This is out of reach from all but the wealthiest organizations.

Economic Resilience
Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and emerged stronger. The market can absorb quantum losses, with unaffected users continuing to hold and new entrants buying in at lower prices. Fear of economic collapse overestimates the impact - the network's antifragility thrives on such challenges.

This is a big grey area because we don't know when a quantum computer will come online and we don't know how quickly said computers would be able to steal bitcoin. If, for example, the first generation of sufficiently powerful quantum computers were stealing less volume than the current block reward then of course it will have minimal economic impact. But if they're taking thousands of BTC per day and bringing them back into circulation, there will likely be a noticeable market impact as it absorbs the new supply.

This is where the circumstances will really matter. If a quantum attacker appears AFTER the Bitcoin protocol has been upgraded to support quantum resistant cryptography then we should expect the most valuable active wallets will have upgraded and the juiciest target would be the 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant since 2010. In general I'd expect that the amount of BTC re-entering the circulating supply would look somewhat similar to the mining emission curve: volume would start off very high as the most valuable addresses are drained and then it would fall off as quantum computers went down the list targeting addresses with less and less BTC.

Why is economic impact a factor worth considering? Miners and businesses in general. More coins being liquidated will push down the price, which will negatively impact miner revenue. Similarly, I can attest from working in the industry for a decade, that lower prices result in less demand from businesses across the entire industry. As such, burning quantum vulnerable bitcoin is good for the entire industry.

Practicality & Neutrality of Non-Intervention
There's no reliable way to distinguish "theft" from legitimate "white hat" key recovery. If someone loses their private key and a quantum computer recovers it, is that stealing or reclaiming? Policing quantum actions requires invasive assumptions about intent, which Bitcoin's trustless design can't accommodate. Letting the chips fall where they may avoids this mess.

Philosophical Purity
Bitcoin rejects bailouts. It's a cold, hard system where outcomes reflect preparation and skill, not sentimentality. If quantum computing upends the game, that's the point - Bitcoin isn't meant to be safe or fair in a nanny-state sense; it's meant to be free. Users who lose funds to quantum attacks are casualties of liberty and their own ignorance, not victims of injustice.

Bitcoin's DAO Moment
This situation has some similarities to The DAO hack of an Ethereum smart contract in 2016, which resulted in a fork to stop the attacker and return funds to their original owners. The game theory is similar because it's a situation where a threat is known but there's some period of time before the attacker can actually execute the theft. As such, there's time to mitigate the attack by changing the protocol.

It also created a schism in the community around the true meaning of "code is law," resulting in Ethereum Classic, which decided to allow the attacker to retain control of the stolen funds.

A soft fork to burn vulnerable bitcoin could certainly result in a hard fork if there are enough miners who reject the soft fork and continue including transactions.

Incentives Matter
We can wax philosophical until the cows come home, but what are the actual incentives for existing Bitcoin holders regarding this decision?

"Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone." - Satoshi Nakamoto

If true, the corollary is:

"Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone." - Jameson Lopp

Thus, assuming we get to a point where quantum resistant signatures are supported within the Bitcoin protocol, what's the incentive to let vulnerable coins remain spendable?

* It's not good for the actual owners of those coins. It disincentivizes owners from upgrading until perhaps it's too late.
* It's not good for the more attentive / responsible owners of coins who have quantum secured their stash. Allowing the circulating supply to balloon will assuredly reduce the purchasing power of all bitcoin holders.

Forking Game Theory
From a game theory point of view, I see this as incentivizing users to upgrade their wallets. If you disagree with the burning of vulnerable coins, all you have to do is move your funds to a quantum safe signature scheme. Point being, I don't see there being an economic majority (or even more than a tiny minority) of users who would fight such a soft fork. Why expend significant resources fighting a fork when you can just move your coins to a new address?

Remember that blocking spending of certain classes of locking scripts is a tightening of the rules - a soft fork. As such, it can be meaningfully enacted and enforced by a mere majority of hashpower. If miners generally agree that it's in their best interest to burn vulnerable coins, are other users going to care enough to put in the effort to run new node software that resists the soft fork? Seems unlikely to me.

How to Execute Burning
In order to be as objective as possible, the goal would be to announce to the world that after a specific block height / timestamp, Bitcoin nodes will no longer accept transactions (or blocks containing such transactions) that spend funds from any scripts other than the newly instituted quantum safe schemes.

It could take a staggered approach to first freeze funds that are susceptible to long-range attacks such as those in P2PK scripts or those that exposed their public keys due to previously re-using addresses, but I expect the additional complexity would drive further controversy.

How long should the grace period be in order to give the ecosystem time to upgrade? I'd say a minimum of 1 year for software wallets to upgrade. We can only hope that hardware wallet manufacturers are able to implement post quantum cryptography on their existing hardware with only a firmware update.

Beyond that, it will take at least 6 months worth of block space for all users to migrate their funds, even in a best case scenario. Though if you exclude dust UTXOs you could probably get 95% of BTC value migrated in 1 month. Of course this is a highly optimistic situation where everyone is completely focused on migrations - in reality it will take far longer.

Regardless, I'd think that in order to reasonably uphold Bitcoin's conservatism it would be preferable to allow a 4 year migration window. In the meantime, mining pools could coordinate emergency soft forking logic such that if quantum attackers materialized, they could accelerate the countdown to the quantum vulnerable funds burn.

Random Tangential Benefits
On the plus side, burning all quantum vulnerable bitcoin would allow us to prune all of those UTXOs out of the UTXO set, which would also clean up a lot of dust. Dust UTXOs are a bit of an annoyance and there has even been a recent proposal for how to incentivize cleaning them up.

We should also expect that incentivizing migration of the entire UTXO set will create substantial demand for block space that will sustain a fee market for a fairly lengthy amount of time.

In Summary
While the moral quandary of violating any of Bitcoin's inviolable properties can make this a very complex issue to discuss, the game theory and incentives between burning vulnerable coins versus allowing them to be claimed by entities with quantum supremacy appears to be a much simpler issue.

I, for one, am not interested in rewarding quantum capable entities by inflating the circulating money supply just because some people lost their keys long ago and some laggards are not upgrading their bitcoin wallet's security.

We can hope that this scenario never comes to pass, but hope is not a strategy.

I welcome your feedback upon any of the above points, and contribution of any arguments I failed to consider.

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com.
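As an added illustration, not code from Jameson's post, from Bitcoin Core or from any BIP, here is a Python sketch of the consensus rule described under "How to Execute Burning" above: after an announced block height, spends from every EC-based locking script type are rejected, with the staggered first stage that freezes outputs whose public key is already on chain (P2PK, taproot, and addresses that were previously spent from) as discussed under "Who is at Risk?". The standard scriptPubKey templates are real; the post-quantum output marker, the activation heights, the sample UTXOs and every key or hash byte are constructed placeholders.

```python
"""
Constructed model of a "freeze quantum-vulnerable scripts after height H"
soft-fork rule. Not Bitcoin Core code; the PQ output type does not exist.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical marker for a future post-quantum output type. No such script
# exists today; 0xFF is OP_INVALIDOPCODE, so it cannot match a real template.
PQ_PLACEHOLDER_PREFIX = b"\xffPQ"

# Script types whose spend authorisation rests on secp256k1 (ECDSA or BIP340).
EC_BASED = {"P2PK", "P2PKH", "P2SH", "P2WPKH", "P2WSH", "P2TR"}
# Types where the public key itself (not a hash of it) sits in the output.
KEY_IN_OUTPUT = {"P2PK", "P2TR"}


def classify_script(spk: bytes) -> str:
    """Return the locking-script type of a scriptPubKey (standard templates)."""
    if spk.startswith(PQ_PLACEHOLDER_PREFIX):
        return "PQ_PLACEHOLDER"
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK"        # <push 33|65> <pubkey> OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH"       # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH"        # OP_HASH160 <20> OP_EQUAL
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH"      # OP_0 <20-byte key hash>
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH"       # OP_0 <32-byte script hash>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR"        # OP_1 <32-byte x-only key>
    return "UNKNOWN"


@dataclass(frozen=True)
class Utxo:
    label: str
    spk: bytes
    value_sat: int
    # True when the owning key was already revealed by an earlier spend from
    # the same address (the "reused address" case from the post).
    key_reused: bool = False


@dataclass(frozen=True)
class FreezePolicy:
    exposed_key_height: int   # stage 1: outputs whose key is already public
    all_ec_height: int        # stage 2: every EC-based (or unknown) script


def key_exposed(u: Utxo) -> bool:
    """Is the public key of this output already recoverable from the chain?"""
    return classify_script(u.spk) in KEY_IN_OUTPUT or u.key_reused


def check_spend(u: Utxo, height: int, policy: FreezePolicy) -> Tuple[bool, str]:
    """Consensus-style check: may this UTXO be spent in a block at `height`?"""
    kind = classify_script(u.spk)
    if kind == "PQ_PLACEHOLDER":
        return True, f"{u.label}: quantum-safe script, always spendable"
    # Stage 2 is deliberately type-based, not address-based, so there is no
    # per-address judgement call; anything that is not the PQ type is frozen.
    if height >= policy.all_ec_height:
        return False, f"{u.label}: {kind} frozen, all EC scripts locked from {policy.all_ec_height}"
    if height >= policy.exposed_key_height and key_exposed(u):
        return False, f"{u.label}: {kind} frozen, key already on chain"
    return True, f"{u.label}: {kind} still spendable, migrate before {policy.all_ec_height}"


def prune_frozen(utxos: List[Utxo], height: int, policy: FreezePolicy) -> Tuple[List[Utxo], int]:
    """Drop frozen outputs from the UTXO set; return survivors and burned sats."""
    keep, burned = [], 0
    for u in utxos:
        ok, _ = check_spend(u, height, policy)
        if ok:
            keep.append(u)
        else:
            burned += u.value_sat
    return keep, burned


# Constructed sample data: none of these bytes are real keys or hashes.
FAKE_PUBKEY = b"\x02" + bytes(range(32))
FAKE_HASH20 = bytes(range(20))
FAKE_HASH32 = bytes(range(32))
SAT = 100_000_000

SAMPLE_UTXOS = [
    Utxo("satoshi-era-p2pk", b"\x21" + FAKE_PUBKEY + b"\xac", 50 * SAT),
    Utxo("reused-p2pkh", b"\x76\xa9\x14" + FAKE_HASH20 + b"\x88\xac", 31_000 * SAT, key_reused=True),
    Utxo("fresh-p2wpkh", b"\x00\x14" + FAKE_HASH20, 1 * SAT),
    Utxo("taproot", b"\x51\x20" + FAKE_HASH32, 2 * SAT),
    Utxo("migrated-pq", PQ_PLACEHOLDER_PREFIX + FAKE_HASH32, 5 * SAT),
]
# Constructed activation heights: stage 1, then stage 2 after a grace period.
POLICY = FreezePolicy(exposed_key_height=1_000_000, all_ec_height=1_200_000)

if __name__ == "__main__":
    for h in (999_999, 1_000_000, 1_200_000):
        keep, burned = prune_frozen(SAMPLE_UTXOS, h, POLICY)
        print(f"height {h}: {len(keep)} spendable, {burned // SAT} BTC burned")
        for u in SAMPLE_UTXOS:
            print("  ", check_spend(u, h, POLICY)[1])
```

Two design points follow the post's own reasoning: the rule keys off script type rather than address, which is what keeps it neutral and free of per-address judgement calls, and the staged variant needs the `key_reused` flag because a reused P2PKH address is just as exposed as a P2PK output even though its scriptPubKey only holds a hash.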

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/E8269A1A-1899-46D2-A7CD-4D9D2B732364%40astrotown.de.

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br6mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg%40mail.gmail.com.

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvfXniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXLmiCJOY%3D%40proton.me.


To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/893891ea-34ec-4d60-9941-9f636be0d747n%40googlegroups.com.