From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Sun, 16 Mar 2025 16:37:03 -0700 Received: from mail-oo1-f59.google.com ([209.85.161.59]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1ttxXP-0005Mh-Kf for bitcoindev@gnusha.org; Sun, 16 Mar 2025 16:37:03 -0700 Received: by mail-oo1-f59.google.com with SMTP id 006d021491bc7-601e778b584sf1727004eaf.3 for ; Sun, 16 Mar 2025 16:36:59 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1742168214; cv=pass; d=google.com; s=arc-20240605; b=CLh201YcHYeem0AEvFyr7muPWjY76XUfJxQX8J068rQo8kIk9lF+QFsPwutak0es+P 0AivN9gMPr7OlrtUBporoTDwlb+ZgZMj0vPoiQ4WrmDJ3VgtB3puDA6dyEIbiljzKl7f 41h9D7wdLvXKFvBEeE6qZGWu0E7DB1iiSnH3Urx8U14sBuunrJS9TWmuC4eCNf9OlTqE WXV6iDyKpRS06K7BB0PMxzCZp18ZGjWCPlt1A9LpBKthbcG1RAbs4FFukRBdVDWVbIkP W5y1Qch72payuZB6fAyP5F4zFrlH/wf4tkX5XjMbF73HIBr/9x5rDPTB04QCBXiE6g4G KfDQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:sender:dkim-signature :dkim-signature; bh=iDgmpQMqORyNnfvA/BlN9XtJKgS0rUWxPdUBR9eOQXk=; fh=iduiNEKqEVfreq91k6BsTYhBZc+nWV5Y9YnDP+X3L5I=; b=VHExJB/q6bVO97NWxMabwpYG6NtyaARls45XEm2po8UMfhuct7LKaFO2TjtMVIx5+d kjCcI58wY9L4kZ2hl8hJHn60/nFikgutH+92b8U6ipxTJhTogdWtGolBnxqd2OYuhciC /vsxYSocvwKfeLLN8yqa/CFMwCmxQwi6yhNCrQv1Mr6c9t1kNqdoUplrlZMnLhbxHDpC O40Z7rDl8NrZ3kbeK8/FWNmq3CRGX+u3fhFrwwjMRriNJNzoeCqBo5E2Udwk4JXwwl2G Z9SWhQDIrAOHPtib1qMjQr0htIrwHSc+GBqitkfWCSpTtcufQjPJW3SUB1cQFsLU0oy1 cBZA==; darn=gnusha.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=cOTDgDJv; spf=pass (google.com: domain of jameson.lopp@gmail.com designates 2a00:1450:4864:20::132 as permitted sender) smtp.mailfrom=jameson.lopp@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1742168213; x=1742773013; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:sender:from:to:cc:subject:date:message-id :reply-to; bh=iDgmpQMqORyNnfvA/BlN9XtJKgS0rUWxPdUBR9eOQXk=; b=ZVwz4F7DnAGDyN4whpJxJELtvFJl6FCiDRaUUBP1mdCweEAPd1Yz5m7HC/I3k14wdv RP0mmQLzQS23/ON0Dzi0cCEL6URXv82MskRnn1rcECOJJ55yajCceR3hjfRNYOqSq11e p5kfIZ4z2N2wdc4kW8jLIOIBFyKJqX1lNXn4VW1jCBq6kGJfc0W9aoNf7xDQdBgJNgeb UQ0Q5pml+h+0GkGOvl2VSXEOSEv+xrR4FOwPKeFLlUyo2CVU86uANXvELbWG/BKjdxTl ncv5mInOydy6B2MtyWXEzWj0pjtbwnCeEH5LU0QxWSDnuKw9QaNd04qoMdW4jriUaXma x7tw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1742168213; x=1742773013; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:from:to:cc:subject:date:message-id:reply-to; bh=iDgmpQMqORyNnfvA/BlN9XtJKgS0rUWxPdUBR9eOQXk=; b=nQTChR7BOdERasHzYGxnoqB2Tybv1AmJtTMBjnYbLiC8w98DTwWk67dQLq1dkzxD7q 3ykz72KcnfrEKFiwEVgnXJS8iUqmiFPZ2ao/6lsQhJkzvO7WUqY7iR5YgiJ/O5No246I C1kBHNgCCfsdof8wJ+qoaUFd4t9DJu2s7nT3cJ3JTTIpXyReS8bvIioz+OxzX7EASNGW OEQdDSTVvQe2VQ0UosPl5z3TR8mpHfIwRISVi/4rlN2RAFCw2FvidbwwCV/h8qEEo45o 2CLxmnc39V2+140rgSbsdaFkjyBQ0dycyh/KhjWRFgJetnJz354y64DYzyroXtHnlh0F 5v1A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1742168213; x=1742773013; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:x-beenthere:x-gm-message-state:sender:from :to:cc:subject:date:message-id:reply-to; bh=iDgmpQMqORyNnfvA/BlN9XtJKgS0rUWxPdUBR9eOQXk=; b=g06RCQibhHUUf8mIlVSyyeC7uPBmIotrWbf6FxyEEDgrL5yT4wUKMNMzvBBqTirtP1 51BBKFK0/jw7nZsOvjZXwvjIE5fBBWNuUoRxRif8Bif+I8vnatjXq9c/gHaBXl0W9pua UlCR2F64QIzKxRtKtbYerZYy1yXAE+nPPYrtGSNgVObi0/MT5SrKzJb7j91/ArtqwXDC rosNKsPE1NLN5TfQ1/HKHr49SruLiQkZEMVPcEo2SgkMqf+fOxwXc2C+b+QKOG4lNqDj 2NCY+Szvk9XBiv4pLhwBEqdtUaCw5RMCdvVXui9CSYi5gIPF0zL5O0Jug7RqVIEaEupp cVNg== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=2; AJvYcCWygO4IviFBNgppLxkim7+MaENBp/Rt7Buq3wQFqPpgPjoRXd9ZgbZxCxvr31HZDQV1jUcBgKo0h8Ve@gnusha.org X-Gm-Message-State: AOJu0Yw9DW+d2rNwvB2c7/NwKRjVBiGl9Dzylt2+Fm/FborqiCKhSOrT FQvvu4P04/DA6zQseCez+Rcm8JmMBOFqcTLpqLJUKdMNm1e9/DZf X-Google-Smtp-Source: AGHT+IGLvHTL5RZ3rEOjGk92do4hFWIGdbPAd7ja9v6BcifEHbiWq8x9U6wuTh7mRadv66ZEi6JGpQ== X-Received: by 2002:a05:6820:98b:b0:600:22bc:c1fa with SMTP id 006d021491bc7-601e45ee601mr5977704eaf.7.1742168213481; Sun, 16 Mar 2025 16:36:53 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com; h=ARLLPALIt2nZEv/76Dal1TNMvf8rjgS32oZgvzhmT87CH9VpRQ== Received: by 2002:a4a:db6f:0:b0:601:7ee2:67b2 with SMTP id 006d021491bc7-601d89ac51als901790eaf.2.-pod-prod-08-us; Sun, 16 Mar 2025 16:36:50 -0700 (PDT) X-Received: by 2002:a05:6808:1902:b0:3fa:d723:5af9 with SMTP id 5614622812f47-3fdf0363fe2mr6318368b6e.26.1742168210806; Sun, 16 Mar 2025 16:36:50 -0700 (PDT) Received: by 2002:ab3:115:0:b0:293:32b4:31b9 with SMTP id a1c4a302cd1d6-2935200f1a9msc7a; Sun, 16 Mar 2025 14:25:28 -0700 (PDT) X-Received: by 2002:a05:6512:3ba7:b0:549:8f4a:6ba7 with SMTP id 2adb3069b0e04-549c396ef32mr4714820e87.36.1742160325538; Sun, 16 Mar 2025 14:25:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1742160325; cv=none; d=google.com; s=arc-20240605; b=cKC3w9JXe/XcqDJo3oXhG5N15GhBv1yuky8h9Frty2H6LscxafyuqqiKvLHiDoFTHx tEEi0GScK4NWA6IejZM44YCkgV7GORHYHtFllTUZYYCWzYyhlGCUDmIN89VPH9hNgrYj vfr3Tv+pMTGfdDK5nWvzspqGY7rSQJdJV8TSmePjdXkNCH6bYafrvK5/FDLu6tZonr7d XtHyuvQCPoy1dBPa+QecUw6APBuFaUYhnWwtYJAP9R85xcO6VAVg2aCvg3Qq0GLkT1Dz oWNBdIp67YRR45TxcZxUdpRavEPeyDd+Q9WHwDSpcAiXFXtFflEvThi1NRDo0ILGjJoK P6Yg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=HbuMDhfRb0Ja6NRGj66OVbPst85WbeDK+dGH4ooxdcg=; fh=HPA68ncp94B6BejhD2JPlI/1BWvELD7xBdD10WX68Vw=; b=ZmJTu437kh72pVj904WqKh+GTW8EYFBB1qvzCJLrl/cG7sVBz6lRktTN9gBof/GQEs pYMDj8M8On/4s7l7b058kVCE8pp6+pE0NvVtNjVcS3yoB+R/vUHZOrAzcxBCrA1sB/n4 kYli7g6dJbkg+6QNn8rVTt/t1RBCPhZ/821F9UBop7ULTva98Qz6fzj3yNuPEaFhrP3r V9cWjCDs0HmNSspOKxAlzxEwdrFdZjBWULhcaeJMT8PKQ6mhYQbkni0aA1jOF7c4I53R 1Q2uG+dL29Ycno1Lm0L+Qt1NC+Ic8LcSXUfHsZk6m0Jkw0qWTcb4JAosZP+rshmBhqJQ SfOg==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=cOTDgDJv; spf=pass (google.com: domain of jameson.lopp@gmail.com designates 2a00:1450:4864:20::132 as permitted sender) smtp.mailfrom=jameson.lopp@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com. [2a00:1450:4864:20::132]) by gmr-mx.google.com with ESMTPS id 2adb3069b0e04-549ba722ce4si223907e87.1.2025.03.16.14.25.25 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 16 Mar 2025 14:25:25 -0700 (PDT) Received-SPF: pass (google.com: domain of jameson.lopp@gmail.com designates 2a00:1450:4864:20::132 as permitted sender) client-ip=2a00:1450:4864:20::132; Received: by mail-lf1-x132.google.com with SMTP id 2adb3069b0e04-5499c5d9691so4072923e87.2 for ; Sun, 16 Mar 2025 14:25:25 -0700 (PDT) X-Gm-Gg: ASbGncvJyciZ34zla+59r80ooHOHahtMIgdx5ZmnLTehhdSsuh21oveBQcipJVHNNEe B6aZ3Qwf1MypbhhlnYJwLU0Uw+dO97BeZyFyF1md4OXXMjRagYcSxbTfznZzcjSuZQ1VAPV1eez trfqLCoiBBkbIkJHveUXShKXxoSQ== X-Received: by 2002:a05:6512:31d2:b0:545:76e:31a with SMTP id 2adb3069b0e04-549c38d3ac3mr4652910e87.11.1742160324599; Sun, 16 Mar 2025 14:25:24 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Jameson Lopp Date: Sun, 16 Mar 2025 17:25:11 -0400 X-Gm-Features: AQ5f1JrXfkta95PBUMtnCO_HDA-3aAPtQbDnJKQnTdSbSuk8AdlKZ9kB0lW7q5I Message-ID: Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin To: Nagaev Boris Cc: Bitcoin Development Mailing List Content-Type: multipart/alternative; boundary="0000000000004a292b06307c4fa0" X-Original-Sender: jameson.lopp@gmail.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=cOTDgDJv; spf=pass (google.com: domain of jameson.lopp@gmail.com designates 2a00:1450:4864:20::132 as permitted sender) smtp.mailfrom=jameson.lopp@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: 0.0 (/) --0000000000004a292b06307c4fa0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable It's certainly an edge case worth considering. If timelocked coins are being spent that haven't previously exposed their public keys, it could be considered safe to allow them to be spent. Quantum computers would have to become extremely powerful in order to reverse engineer a key and RBF a transaction just during the time it's in the mempool. I think this does bring up an often overlooked aspect of extremely long time locks: preventing yourself from spending funds does expose you to edge case protocol weaknesses that require migration of funds. Personally I'd get a bit nervous locking funds for more than a year or two. Another downside to long timelocks is that you could potentially miss out on the ability to economically "vote with your feet" in the case of a controversial chain fork. On Sun, Mar 16, 2025 at 3:45=E2=80=AFPM Nagaev Boris wr= ote: > Hi! > > What is your perspective on time-locked coins that become spendable > only after a set deadline? Unlike regular holders who can migrate > their funds in advance, owners of time-locked coins, such as those set > to unlock through an inheritance or a smart contract, have no way to > react before the deadline. Imagine you received an inheritance set to > unlock in 2030, only to find that the deadline for migration is set > for 2029. Would such cases be considered an acceptable loss, or is > there a way to account for them without violating Bitcoin=E2=80=99s > principles? > > Boris > > On Sun, Mar 16, 2025 at 12:22=E2=80=AFPM Jameson Lopp > wrote: > > > > The quantum computing debate is heating up. There are many controversia= l > aspects to this debate, including whether or not quantum computers will > ever actually become a practical threat. > > > > I won't tread into the unanswerable question of how worried we should b= e > about quantum computers. I think it's far from a crisis, but given the > difficulty in changing Bitcoin it's worth starting to seriously discuss. > Today I wish to focus on a philosophical quandary related to one of the > decisions that would need to be made if and when we implement a quantum > safe signature scheme. > > > > Several Scenarios > > Because this essay will reference game theory a fair amount, and there > are many variables at play that could change the nature of the game, I > think it's important to clarify the possible scenarios up front. > > > > 1. Quantum computing never materializes, never becomes a threat, and > thus everything discussed in this essay is moot. > > 2. A quantum computing threat materializes suddenly and Bitcoin does no= t > have quantum safe signatures as part of the protocol. In this scenario it > would likely make the points below moot because Bitcoin would be > fundamentally broken and it would take far too long to upgrade the > protocol, wallet software, and migrate user funds in order to restore > confidence in the network. > > 3. Quantum computing advances slowly enough that we come to consensus > about how to upgrade Bitcoin and post quantum security has been minimally > adopted by the time an attacker appears. > > 4. Quantum computing advances slowly enough that we come to consensus > about how to upgrade Bitcoin and post quantum security has been highly > adopted by the time an attacker appears. > > > > For the purposes of this post, I'm envisioning being in situation 3 or = 4. > > > > To Freeze or not to Freeze? > > I've started seeing more people weighing in on what is likely the most > contentious aspect of how a quantum resistance upgrade should be handled = in > terms of migrating user funds. Should quantum vulnerable funds be left op= en > to be swept by anyone with a sufficiently powerful quantum computer OR > should they be permanently locked? > > > >> "I don't see why old coins should be confiscated. The better option is > to let those with quantum computers free up old coins. While this might > have an inflationary impact on bitcoin's price, to use a turn of phrase, > the inflation is transitory. Those with low time preference should suppor= t > returning lost coins to circulation." > >> > >> - Hunter Beast > > > > > > On the other hand: > > > >> "Of course they have to be confiscated. If and when (and that's a big > if) the existence of a cryptography-breaking QC becomes a credible threat= , > the Bitcoin ecosystem has no other option than softforking out the abilit= y > to spend from signature schemes (including ECDSA and BIP340) that are > vulnerable to QCs. The alternative is that millions of BTC become > vulnerable to theft; I cannot see how the currency can maintain any value > at all in such a setting. And this affects everyone; even those which > diligently moved their coins to PQC-protected schemes." > >> - Pieter Wuille > > > > > > I don't think "confiscation" is the most precise term to use, as the > funds are not being seized and reassigned. Rather, what we're really > discussing would be better described as "burning" - placing the funds out > of reach of everyone. > > > > Not freezing user funds is one of Bitcoin's inviolable properties. > However, if quantum computing becomes a threat to Bitcoin's elliptic curv= e > cryptography, an inviolable property of Bitcoin will be violated one way = or > another. > > > > Fundamental Properties at Risk > > 5 years ago I attempted to comprehensively categorize all of Bitcoin's > fundamental properties that give it value. > https://nakamoto.com/what-are-the-key-properties-of-bitcoin/ > > > > The particular properties in play with regard to this issue seem to be: > > > > Censorship Resistance - No one should have the power to prevent others > from using their bitcoin or interacting with the network. > > > > Forward Compatibility - changing the rules such that certain valid > transactions become invalid could undermine confidence in the protocol. > > > > Conservatism - Users should not be expected to be highly responsive to > system issues. > > > > As a result of the above principles, we have developed a strong meme > (kudos to Andreas Antonopoulos) that goes as follows: > > > >> Not your keys, not your coins. > > > > > > I posit that the corollary to this principle is: > > > >> Your keys, only your coins. > > > > > > A quantum capable entity breaks the corollary of this foundational > principle. We secure our bitcoin with the mathematical probabilities > related to extremely large random numbers. Your funds are only secure > because truly random large numbers should not be guessable or discoverabl= e > by anyone else in the world. > > > > This is the principle behind the motto vires in numeris - strength in > numbers. In a world with quantum enabled adversaries, this principle is > null and void for many types of cryptography, including the elliptic curv= e > digital signatures used in Bitcoin. > > > > Who is at Risk? > > There has long been a narrative that Satoshi's coins and others from th= e > Satoshi era of P2PK locking scripts that exposed the public key directly = on > the blockchain will be those that get scooped up by a quantum "miner." Bu= t > unfortunately it's not that simple. If I had a powerful quantum computer, > which coins would I target? I'd go to the Bitcoin rich list and find the > wallets that have exposed their public keys due to re-using addresses tha= t > have previously been spent from. You can easily find them at > https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html > > > > Note that a few of these wallets, like Bitfinex / Kraken / Tether, woul= d > be slightly harder to crack because they are multisig wallets. So a quant= um > attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfin= ex > / Tether in order to spend funds. But many are single signature. > > > > Point being, it's not only the really old lost BTC that are at risk to = a > quantum enabled adversary, at least at time of writing. If we add a quant= um > safe signature scheme, we should expect those wallets to be some of the > first to upgrade given their incentives. > > > > The Ethical Dilemma: Quantifying Harm > > Which decision results in the most harm? > > > > By making quantum vulnerable funds unspendable we potentially harm some > Bitcoin users who were not paying attention and neglected to migrate thei= r > funds to a quantum safe locking script. This violates the "conservativism= " > principle stated earlier. On the flip side, we prevent those funds plus f= ar > more lost funds from falling into the hands of the few privileged folks w= ho > gain early access to quantum computers. > > > > By leaving quantum vulnerable funds available to spend, the same set of > users who would otherwise have funds frozen are likely to see them stolen= . > And many early adopters who lost their keys will eventually see their > unreachable funds scooped up by a quantum enabled adversary. > > > > Imagine, for example, being James Howells, who accidentally threw away = a > hard drive with 8,000 BTC on it, currently worth over $600M USD. He has > spent a decade trying to retrieve it from the landfill where he knows it'= s > buried, but can't get permission to excavate. I suspect that, given the > choice, he'd prefer those funds be permanently frozen rather than fall in= to > someone else's possession - I know I would. > > > > Allowing a quantum computer to access lost funds doesn't make those > users any worse off than they were before, however it would have a negati= ve > impact upon everyone who is currently holding bitcoin. > > > > It's prudent to expect significant economic disruption if large amounts > of coins fall into new hands. Since a quantum computer is going to have a > massive up front cost, expect those behind it to desire to recoup their > investment. We also know from experience that when someone suddenly finds > themselves in possession of 9+ figures worth of highly liquid assets, the= y > tend to diversify into other things by selling. > > > > Allowing quantum recovery of bitcoin is tantamount to wealth > redistribution. What we'd be allowing is for bitcoin to be redistributed > from those who are ignorant of quantum computers to those who have won th= e > technological race to acquire quantum computers. It's hard to see a brigh= t > side to that scenario. > > > > Is Quantum Recovery Good for Anyone? > > > > Does quantum recovery HELP anyone? I've yet to come across an argument > that it's a net positive in any way. It certainly doesn't add any securit= y > to the network. If anything, it greatly decreases the security of the > network by allowing funds to be claimed by those who did not earn them. > > > > But wait, you may be thinking, wouldn't quantum "miners" have earned > their coins by all the work and resources invested in building a quantum > computer? I suppose, in the same sense that a burglar earns their spoils = by > the resources they invest into surveilling targets and learning the skill= s > needed to break into buildings. What I say "earned" I mean through > productive mutual trade. > > > > For example: > > > > * Investors earn BTC by trading for other currencies. > > * Merchants earn BTC by trading for goods and services. > > * Miners earn BTC by trading thermodynamic security. > > * Quantum miners don't trade anything, they are vampires feeding upon > the system. > > > > There's no reason to believe that allowing quantum adversaries to > recover vulnerable bitcoin will be of benefit to anyone other than the > select few organizations that win the technological arms race to build th= e > first such computers. Probably nation states and/or the top few largest > tech companies. > > > > One could certainly hope that an organization with quantum supremacy is > benevolent and acts in a "white hat" manner to return lost coins to their > owners, but that's incredibly optimistic and foolish to rely upon. Such a > situation creates an insurmountable ethical dilemma of only recovering lo= st > bitcoin rather than currently owned bitcoin. There's no way to precisely > differentiate between the two; anyone can claim to have lost their bitcoi= n > but if they have lost their keys then proving they ever had the keys > becomes rather difficult. I imagine that any such white hat recovery > efforts would have to rely upon attestations from trusted third parties > like exchanges. > > > > Even if the first actor with quantum supremacy is benevolent, we must > assume the technology could fall into adversarial hands and thus think > adversarially about the potential worst case outcomes. Imagine, for > example, that North Korea continues scooping up billions of dollars from > hacking crypto exchanges and decides to invest some of those proceeds int= o > building a quantum computer for the biggest payday ever... > > > > Downsides to Allowing Quantum Recovery > > Let's think through an exhaustive list of pros and cons for allowing or > preventing the seizure of funds by a quantum adversary. > > > > Historical Precedent > > Previous protocol vulnerabilities weren=E2=80=99t celebrated as "fair g= ame" but > rather were treated as failures to be remediated. Treating quantum theft > differently risks rewriting Bitcoin=E2=80=99s history as a free-for-all r= ather than > a system that seeks to protect its users. > > > > Violation of Property Rights > > Allowing a quantum adversary to take control of funds undermines the > fundamental principle of cryptocurrency - if you keep your keys in your > possession, only you should be able to access your money. Bitcoin is buil= t > on the idea that private keys secure an individual=E2=80=99s assets, and > unauthorized access (even via advanced tech) is theft, not a legitimate > transfer. > > > > Erosion of Trust in Bitcoin > > If quantum attackers can exploit vulnerable addresses, confidence in > Bitcoin as a secure store of value would collapse. Users and investors re= ly > on cryptographic integrity, and widespread theft could drive adoption awa= y > from Bitcoin, destabilizing its ecosystem. > > > > This is essentially the counterpoint to claiming the burning of > vulnerable funds is a violation of property rights. While some will > certainly see it as such, others will find the apathy toward stopping > quantum theft to be similarly concerning. > > > > Unfair Advantage > > Quantum attackers, likely equipped with rare and expensive technology, > would have an unjust edge over regular users who lack access to such tool= s. > This creates an inequitable system where only the technologically elite c= an > exploit others, contradicting Bitcoin=E2=80=99s ethos of decentralized po= wer. > > > > Bitcoin is designed to create an asymmetric advantage for DEFENDING > one's wealth. It's supposed to be impractically expensive for attackers t= o > crack the entropy and cryptography protecting one's coins. But now we fin= d > ourselves discussing a situation where this asymmetric advantage is > compromised in favor of a specific class of attackers. > > > > Economic Disruption > > Large-scale theft from vulnerable addresses could crash Bitcoin=E2=80= =99s price > as quantum recovered funds are dumped on exchanges. This would harm all > holders, not just those directly targeted, leading to broader financial > chaos in the markets. > > > > Moral Responsibility > > Permitting theft via quantum computing sets a precedent that > technological superiority justifies unethical behavior. This is essential= ly > taking a "code is law" stance in which we refuse to admit that both code > and laws can be modified to adapt to previously unforeseen situations. > > > > Burning of coins can certainly be considered a form of theft, thus I > think it's worth differentiating the two different thefts being discussed= : > > > > 1. self-enriching & likely malicious > > 2. harm prevention & not necessarily malicious > > > > Both options lack the consent of the party whose coins are being burnt > or transferred, thus I think the simple argument that theft is immoral > becomes a wash and it's important to drill down into the details of each. > > > > Incentives Drive Security > > I can tell you from a decade of working in Bitcoin security - the > average user is lazy and is a procrastinator. If Bitcoiners are given a > "drop dead date" after which they know vulnerable funds will be burned, > this pressure accelerates the adoption of post-quantum cryptography and > strengthens Bitcoin long-term. Allowing vulnerable users to delay upgradi= ng > indefinitely will result in more laggards, leaving the network more expos= ed > when quantum tech becomes available. > > > > Steel Manning > > Clearly this is a complex and controversial topic, thus it's worth > thinking through the opposing arguments. > > > > Protecting Property Rights > > Allowing quantum computers to take vulnerable bitcoin could potentially > be spun as a hard money narrative - we care so greatly about not violatin= g > someone's access to their coins that we allow them to be stolen! > > > > But I think the flip side to the property rights narrative is that > burning vulnerable coins prevents said property from falling into > undeserving hands. If the entire Bitcoin ecosystem just stands around and > allows quantum adversaries to claim funds that rightfully belong to other > users, is that really a "win" in the "protecting property rights" categor= y? > It feels more like apathy to me. > > > > As such, I think the "protecting property rights" argument is a wash. > > > > Quantum Computers Won't Attack Bitcoin > > There is a great deal of skepticism that sufficiently powerful quantum > computers will ever exist, so we shouldn't bother preparing for a > non-existent threat. Others have argued that even if such a computer was > built, a quantum attacker would not go after bitcoin because they wouldn'= t > want to reveal their hand by doing so, and would instead attack other > infrastructure. > > > > It's quite difficult to quantify exactly how valuable attacking other > infrastructure would be. It also really depends upon when an entity gains > quantum supremacy and thus if by that time most of the world's systems ha= ve > already been upgraded. While I think you could argue that certain entitie= s > gaining quantum capability might not attack Bitcoin, it would only delay > the inevitable - eventually somebody will achieve the capability who > decides to use it for such an attack. > > > > Quantum Attackers Would Only Steal Small Amounts > > Some have argued that even if a quantum attacker targeted bitcoin, > they'd only go after old, likely lost P2PK outputs so as to not arouse > suspicion and cause a market panic. > > > > I'm not so sure about that; why go after 50 BTC at a time when you coul= d > take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero > day exploit" game theory in which an attacker knows they have a limited > amount of time before someone else discovers the exploit and either > benefits from it or patches it. Take, for example, the recent ByBit attac= k > - the highest value crypto hack of all time. Lazarus Group had compromise= d > the Safe wallet front end JavaScript app and they could have simply had i= t > reassign ownership of everyone's Safe wallets as they were interacting wi= th > their wallet. But instead they chose to only specifically target ByBit's > wallet with $1.5 billion in it because they wanted to maximize their > extractable value. If Lazarus had started stealing from every wallet, the= y > would have been discovered quickly and the Safe web app would likely have > been patched well before any billion dollar wallets executed the maliciou= s > code. > > > > I think the "only stealing small amounts" argument is strongest for > Situation #2 described earlier, where a quantum attacker arrives before > quantum safe cryptography has been deployed across the Bitcoin ecosystem. > Because if it became clear that Bitcoin's cryptography was broken AND the= re > was nowhere safe for vulnerable users to migrate, the only logical option > would be for everyone to liquidate their bitcoin as quickly as possible. = As > such, I don't think it applies as strongly for situations in which we hav= e > a migration path available. > > > > The 21 Million Coin Supply Should be in Circulation > > Some folks are arguing that it's important for the "circulating / > spendable" supply to be as close to 21M as possible and that having a > significant portion of the supply out of circulation is somehow undesirab= le. > > > > While the "21M BTC" attribute is a strong memetic narrative, I don't > think anyone has ever expected that it would all be in circulation. It ha= s > always been understood that many coins will be lost, and that's actually > part of the game theory of owning bitcoin! > > > > And remember, the 21M number in and of itself is not a particularly > important detail - it's not even mentioned in the whitepaper. What's > important is that the supply is well known and not subject to change. > > > > Self-Sovereignty and Personal Responsibility > > Bitcoin=E2=80=99s design empowers individuals to control their own weal= th, free > from centralized intervention. This freedom comes with the burden of > securing one's private keys. If quantum computing can break obsolete > cryptography, the fault lies with users who didn't move their funds to > quantum safe locking scripts. Expecting the network to shield users from > their own negligence undermines the principle that you, and not a third > party, are accountable for your assets. > > > > I think this is generally a fair point that "the community" doesn't owe > you anything in terms of helping you. I think that we do, however, need t= o > consider the incentives and game theory in play with regard to quantum sa= fe > Bitcoiners vs quantum vulnerable Bitcoiners. More on that later. > > > > Code is Law > > Bitcoin operates on transparent, immutable rules embedded in its > protocol. If a quantum attacker uses superior technology to derive privat= e > keys from public keys, they=E2=80=99re not "hacking" the system - they're= simply > following what's mathematically permissible within the current code. > Altering the protocol to stop this introduces subjective human > intervention, which clashes with the objective, deterministic nature of > blockchain. > > > > While I tend to agree that code is law, one of the entire points of law= s > is that they can be amended to improve their efficacy in reducing harm. > Leaning on this point seems more like a pro-ossification stance that it's > better to do nothing and allow harm to occur rather than take action to > stop an attack that was foreseen far in advance. > > > > Technological Evolution as a Feature, Not a Bug > > It's well known that cryptography tends to weaken over time and > eventually break. Quantum computing is just the next step in this > progression. Users who fail to adapt (e.g., by adopting quantum-resistant > wallets when available) are akin to those who ignored technological > advancements like multisig or hardware wallets. Allowing quantum theft > incentivizes innovation and keeps Bitcoin=E2=80=99s ecosystem dynamic, pu= nishing > complacency while rewarding vigilance. > > > > Market Signals Drive Security > > If quantum attackers start stealing funds, it sends a clear signal to > the market: upgrade your security or lose everything. This pressure > accelerates the adoption of post-quantum cryptography and strengthens > Bitcoin long-term. Coddling vulnerable users delays this necessary > evolution, potentially leaving the network more exposed when quantum tech > becomes widely accessible. Theft is a brutal but effective teacher. > > > > Centralized Blacklisting Power > > Burning vulnerable funds requires centralized decision-making - a soft > fork to invalidate certain transactions. This sets a dangerous precedent > for future interventions, eroding Bitcoin=E2=80=99s decentralization. If = quantum > theft is blocked, what=E2=80=99s next - reversing exchange hacks? The sys= tem must > remain neutral, even if it means some lose out. > > > > I think this could be a potential slippery slope if the proposal was to > only burn specific addresses. Rather, I'd expect a neutral proposal to bu= rn > all funds in locking script types that are known to be quantum vulnerable= . > Thus, we could eliminate any subjectivity from the code. > > > > Fairness in Competition > > Quantum attackers aren't cheating; they're using publicly available > physics and math. Anyone with the resources and foresight can build or > access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU= . > Early adopters took risks and reaped rewards; quantum innovators are doin= g > the same. Calling it =E2=80=9Cunfair=E2=80=9D ignores that Bitcoin has ne= ver promised > equality of outcome - only equality of opportunity within its rules. > > > > I find this argument to be a mischaracterization because we're not > talking about CPUs. This is more akin to talking about ASICs, except each > ASIC costs millions if not billions of dollars. This is out of reach from > all but the wealthiest organizations. > > > > Economic Resilience > > Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and > emerged stronger. The market can absorb quantum losses, with unaffected > users continuing to hold and new entrants buying in at lower prices. Fear > of economic collapse overestimates the impact - the network=E2=80=99s ant= ifragility > thrives on such challenges. > > > > This is a big grey area because we don't know when a quantum computer > will come online and we don't know how quickly said computers would be ab= le > to steal bitcoin. If, for example, the first generation of sufficiently > powerful quantum computers were stealing less volume than the current blo= ck > reward then of course it will have minimal economic impact. But if they'r= e > taking thousands of BTC per day and bringing them back into circulation, > there will likely be a noticeable market impact as it absorbs the new > supply. > > > > This is where the circumstances will really matter. If a quantum > attacker appears AFTER the Bitcoin protocol has been upgraded to support > quantum resistant cryptography then we should expect the most valuable > active wallets will have upgraded and the juiciest target would be the > 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has be= en > dormant since 2010. In general I'd expect that the amount of BTC > re-entering the circulating supply would look somewhat similar to the > mining emission curve: volume would start off very high as the most > valuable addresses are drained and then it would fall off as quantum > computers went down the list targeting addresses with less and less BTC. > > > > Why is economic impact a factor worth considering? Miners and businesse= s > in general. More coins being liquidated will push down the price, which > will negatively impact miner revenue. Similarly, I can attest from workin= g > in the industry for a decade, that lower prices result in less demand fro= m > businesses across the entire industry. As such, burning quantum vulnerabl= e > bitcoin is good for the entire industry. > > > > Practicality & Neutrality of Non-Intervention > > There=E2=80=99s no reliable way to distinguish =E2=80=9Ctheft=E2=80=9D = from legitimate "white > hat" key recovery. If someone loses their private key and a quantum > computer recovers it, is that stealing or reclaiming? Policing quantum > actions requires invasive assumptions about intent, which Bitcoin=E2=80= =99s > trustless design can=E2=80=99t accommodate. Letting the chips fall where = they may > avoids this mess. > > > > Philosophical Purity > > Bitcoin rejects bailouts. It=E2=80=99s a cold, hard system where outcom= es > reflect preparation and skill, not sentimentality. If quantum computing > upends the game, that=E2=80=99s the point - Bitcoin isn=E2=80=99t meant t= o be safe or fair > in a nanny-state sense; it=E2=80=99s meant to be free. Users who lose fun= ds to > quantum attacks are casualties of liberty and their own ignorance, not > victims of injustice. > > > > Bitcoin's DAO Moment > > This situation has some similarities to The DAO hack of an Ethereum > smart contract in 2016, which resulted in a fork to stop the attacker and > return funds to their original owners. The game theory is similar because > it's a situation where a threat is known but there's some period of time > before the attacker can actually execute the theft. As such, there's time > to mitigate the attack by changing the protocol. > > > > It also created a schism in the community around the true meaning of > "code is law," resulting in Ethereum Classic, which decided to allow the > attacker to retain control of the stolen funds. > > > > A soft fork to burn vulnerable bitcoin could certainly result in a hard > fork if there are enough miners who reject the soft fork and continue > including transactions. > > > > Incentives Matter > > We can wax philosophical until the cows come home, but what are the > actual incentives for existing Bitcoin holders regarding this decision? > > > >> "Lost coins only make everyone else's coins worth slightly more. Think > of it as a donation to everyone." - Satoshi Nakamoto > > > > > > If true, the corollary is: > > > >> "Quantum recovered coins only make everyone else's coins worth less. > Think of it as a theft from everyone." - Jameson Lopp > > > > > > Thus, assuming we get to a point where quantum resistant signatures are > supported within the Bitcoin protocol, what's the incentive to let > vulnerable coins remain spendable? > > > > * It's not good for the actual owners of those coins. It disincentivize= s > owners from upgrading until perhaps it's too late. > > * It's not good for the more attentive / responsible owners of coins wh= o > have quantum secured their stash. Allowing the circulating supply to > balloon will assuredly reduce the purchasing power of all bitcoin holders= . > > > > Forking Game Theory > > From a game theory point of view, I see this as incentivizing users to > upgrade their wallets. If you disagree with the burning of vulnerable > coins, all you have to do is move your funds to a quantum safe signature > scheme. Point being, I don't see there being an economic majority (or eve= n > more than a tiny minority) of users who would fight such a soft fork. Why > expend significant resources fighting a fork when you can just move your > coins to a new address? > > > > Remember that blocking spending of certain classes of locking scripts i= s > a tightening of the rules - a soft fork. As such, it can be meaningfully > enacted and enforced by a mere majority of hashpower. If miners generally > agree that it's in their best interest to burn vulnerable coins, are othe= r > users going to care enough to put in the effort to run new node software > that resists the soft fork? Seems unlikely to me. > > > > How to Execute Burning > > In order to be as objective as possible, the goal would be to announce > to the world that after a specific block height / timestamp, Bitcoin node= s > will no longer accept transactions (or blocks containing such transaction= s) > that spend funds from any scripts other than the newly instituted quantum > safe schemes. > > > > It could take a staggered approach to first freeze funds that are > susceptible to long-range attacks such as those in P2PK scripts or those > that exposed their public keys due to previously re-using addresses, but = I > expect the additional complexity would drive further controversy. > > > > How long should the grace period be in order to give the ecosystem time > to upgrade? I'd say a minimum of 1 year for software wallets to upgrade. = We > can only hope that hardware wallet manufacturers are able to implement po= st > quantum cryptography on their existing hardware with only a firmware upda= te. > > > > Beyond that, it will take at least 6 months worth of block space for al= l > users to migrate their funds, even in a best case scenario. Though if you > exclude dust UTXOs you could probably get 95% of BTC value migrated in 1 > month. Of course this is a highly optimistic situation where everyone is > completely focused on migrations - in reality it will take far longer. > > > > Regardless, I'd think that in order to reasonably uphold Bitcoin's > conservatism it would be preferable to allow a 4 year migration window. I= n > the meantime, mining pools could coordinate emergency soft forking logic > such that if quantum attackers materialized, they could accelerate the > countdown to the quantum vulnerable funds burn. > > > > Random Tangential Benefits > > On the plus side, burning all quantum vulnerable bitcoin would allow us > to prune all of those UTXOs out of the UTXO set, which would also clean u= p > a lot of dust. Dust UTXOs are a bit of an annoyance and there has even be= en > a recent proposal for how to incentivize cleaning them up. > > > > We should also expect that incentivizing migration of the entire UTXO > set will create substantial demand for block space that will sustain a fe= e > market for a fairly lengthy amount of time. > > > > In Summary > > While the moral quandary of violating any of Bitcoin's inviolable > properties can make this a very complex issue to discuss, the game theory > and incentives between burning vulnerable coins versus allowing them to b= e > claimed by entities with quantum supremacy appears to be a much simpler > issue. > > > > I, for one, am not interested in rewarding quantum capable entities by > inflating the circulating money supply just because some people lost thei= r > keys long ago and some laggards are not upgrading their bitcoin wallet's > security. > > > > We can hope that this scenario never comes to pass, but hope is not a > strategy. > > > > I welcome your feedback upon any of the above points, and contribution > of any arguments I failed to consider. > > > > -- > > You received this message because you are subscribed to the Google > Groups "Bitcoin Development Mailing List" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to bitcoindev+unsubscribe@googlegroups.com. > > To view this discussion visit > https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA= _4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com > . > > > > -- > Best regards, > Boris Nagaev > --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= CADL_X_f267CaqbvtU2rLWoW7hLCv2NAHLnk59eS2Oz0GjL1HeA%40mail.gmail.com. --0000000000004a292b06307c4fa0 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
It's certainly an edge case worth considering. If time= locked coins are being spent that haven't previously exposed their publ= ic keys, it could be considered safe to allow them to be spent. Quantum com= puters would have to become=C2=A0extremely powerful in order to reverse eng= ineer a key and RBF a transaction just during the time it's in the memp= ool.

I think this does bring up an often overlooked aspe= ct of extremely long time locks: preventing yourself from spending funds do= es expose you to edge case protocol weaknesses that require migration of fu= nds. Personally I'd get a bit nervous locking funds for more than a yea= r or two.

Another downside to long timelocks is th= at you could potentially miss out on the ability to economically=C2=A0"= ;vote with your feet" in the case of a controversial chain fork.
=

On Sun, Mar 16, 2025 at 3:45=E2=80=AFPM Nagaev Boris = <bnagaev@gmail.com> wrote:
Hi!

What is your perspective on time-locked coins that become spendable
only after a set deadline? Unlike regular holders who can migrate
their funds in advance, owners of time-locked coins, such as those set
to unlock through an inheritance or a smart contract, have no way to
react before the deadline. Imagine you received an inheritance set to
unlock in 2030, only to find that the deadline for migration is set
for 2029. Would such cases be considered an acceptable loss, or is
there a way to account for them without violating Bitcoin=E2=80=99s
principles?

Boris

On Sun, Mar 16, 2025 at 12:22=E2=80=AFPM Jameson Lopp <jameson.lopp@gmail.com> w= rote:
>
> The quantum computing debate is heating up. There are many controversi= al aspects to this debate, including whether or not quantum computers will = ever actually become a practical threat.
>
> I won't tread into the unanswerable question of how worried we sho= uld be about quantum computers. I think it's far from a crisis, but giv= en the difficulty in changing Bitcoin it's worth starting to seriously = discuss. Today I wish to focus on a philosophical quandary related to one o= f the decisions that would need to be made if and when we implement a quant= um safe signature scheme.
>
> Several Scenarios
> Because this essay will reference game theory a fair amount, and there= are many variables at play that could change the nature of the game, I thi= nk it's important to clarify the possible scenarios up front.
>
> 1. Quantum computing never materializes, never becomes a threat, and t= hus everything discussed in this essay is moot.
> 2. A quantum computing threat materializes suddenly and Bitcoin does n= ot have quantum safe signatures as part of the protocol. In this scenario i= t would likely make the points below moot because Bitcoin would be fundamen= tally broken and it would take far too long to upgrade the protocol, wallet= software, and migrate user funds in order to restore confidence in the net= work.
> 3. Quantum computing advances slowly enough that we come to consensus = about how to upgrade Bitcoin and post quantum security has been minimally a= dopted by the time an attacker appears.
> 4. Quantum computing advances slowly enough that we come to consensus = about how to upgrade Bitcoin and post quantum security has been highly adop= ted by the time an attacker appears.
>
> For the purposes of this post, I'm envisioning being in situation = 3 or 4.
>
> To Freeze or not to Freeze?
> I've started seeing more people weighing in on what is likely the = most contentious aspect of how a quantum resistance upgrade should be handl= ed in terms of migrating user funds. Should quantum vulnerable funds be lef= t open to be swept by anyone with a sufficiently powerful quantum computer = OR should they be permanently locked?
>
>> "I don't see why old coins should be confiscated. The bet= ter option is to let those with quantum computers free up old coins. While = this might have an inflationary impact on bitcoin's price, to use a tur= n of phrase, the inflation is transitory. Those with low time preference sh= ould support returning lost coins to circulation."
>>
>> - Hunter Beast
>
>
> On the other hand:
>
>> "Of course they have to be confiscated. If and when (and that= 's a big if) the existence of a cryptography-breaking QC becomes a cred= ible threat, the Bitcoin ecosystem has no other option than softforking out= the ability to spend from signature schemes (including ECDSA and BIP340) t= hat are vulnerable to QCs. The alternative is that millions of BTC become v= ulnerable to theft; I cannot see how the currency can maintain any value at= all in such a setting. And this affects everyone; even those which diligen= tly moved their coins to PQC-protected schemes."
>> - Pieter Wuille
>
>
> I don't think "confiscation" is the most precise term to= use, as the funds are not being seized and reassigned. Rather, what we'= ;re really discussing would be better described as "burning" - pl= acing the funds out of reach of everyone.
>
> Not freezing user funds is one of Bitcoin's inviolable properties.= However, if quantum computing becomes a threat to Bitcoin's elliptic c= urve cryptography, an inviolable property of Bitcoin will be violated one w= ay or another.
>
> Fundamental Properties at Risk
> 5 years ago I attempted to comprehensively categorize all of Bitcoin&#= 39;s fundamental properties that give it value. https://nakamoto.com/what-are-the-key-properties-of-bitcoin/ >
> The particular properties in play with regard to this issue seem to be= :
>
> Censorship Resistance - No one should have the power to prevent others= from using their bitcoin or interacting with the network.
>
> Forward Compatibility - changing the rules such that certain valid tra= nsactions become invalid could undermine confidence in the protocol.
>
> Conservatism - Users should not be expected to be highly responsive to= system issues.
>
> As a result of the above principles, we have developed a strong meme (= kudos to Andreas Antonopoulos) that goes as follows:
>
>> Not your keys, not your coins.
>
>
> I posit that the corollary to this principle is:
>
>> Your keys, only your coins.
>
>
> A quantum capable entity breaks the corollary of this foundational pri= nciple. We secure our bitcoin with the mathematical probabilities related t= o extremely large random numbers. Your funds are only secure because truly = random large numbers should not be guessable or discoverable by anyone else= in the world.
>
> This is the principle behind the motto vires in numeris - strength in = numbers. In a world with quantum enabled adversaries, this principle is nul= l and void for many types of cryptography, including the elliptic curve dig= ital signatures used in Bitcoin.
>
> Who is at Risk?
> There has long been a narrative that Satoshi's coins and others fr= om the Satoshi era of P2PK locking scripts that exposed the public key dire= ctly on the blockchain will be those that get scooped up by a quantum "= ;miner." But unfortunately it's not that simple. If I had a powerf= ul quantum computer, which coins would I target? I'd go to the Bitcoin = rich list and find the wallets that have exposed their public keys due to r= e-using addresses that have previously been spent from. You can easily find= them at https://bitinfocharts.com/t= op-100-richest-bitcoin-addresses.html
>
> Note that a few of these wallets, like Bitfinex / Kraken / Tether, wou= ld be slightly harder to crack because they are multisig wallets. So a quan= tum attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitf= inex / Tether in order to spend funds. But many are single signature.
>
> Point being, it's not only the really old lost BTC that are at ris= k to a quantum enabled adversary, at least at time of writing. If we add a = quantum safe signature scheme, we should expect those wallets to be some of= the first to upgrade given their incentives.
>
> The Ethical Dilemma: Quantifying Harm
> Which decision results in the most harm?
>
> By making quantum vulnerable funds unspendable we potentially harm som= e Bitcoin users who were not paying attention and neglected to migrate thei= r funds to a quantum safe locking script. This violates the "conservat= ivism" principle stated earlier. On the flip side, we prevent those fu= nds plus far more lost funds from falling into the hands of the few privile= ged folks who gain early access to quantum computers.
>
> By leaving quantum vulnerable funds available to spend, the same set o= f users who would otherwise have funds frozen are likely to see them stolen= . And many early adopters who lost their keys will eventually see their unr= eachable funds scooped up by a quantum enabled adversary.
>
> Imagine, for example, being James Howells, who accidentally threw away= a hard drive with 8,000 BTC on it, currently worth over $600M USD. He has = spent a decade trying to retrieve it from the landfill where he knows it= 9;s buried, but can't get permission to excavate. I suspect that, given= the choice, he'd prefer those funds be permanently frozen rather than = fall into someone else's possession - I know I would.
>
> Allowing a quantum computer to access lost funds doesn't make thos= e users any worse off than they were before, however it would have a negati= ve impact upon everyone who is currently holding bitcoin.
>
> It's prudent to expect significant economic disruption if large am= ounts of coins fall into new hands. Since a quantum computer is going to ha= ve a massive up front cost, expect those behind it to desire to recoup thei= r investment. We also know from experience that when someone suddenly finds= themselves in possession of 9+ figures worth of highly liquid assets, they= tend to diversify into other things by selling.
>
> Allowing quantum recovery of bitcoin is tantamount to wealth redistrib= ution. What we'd be allowing is for bitcoin to be redistributed from th= ose who are ignorant of quantum computers to those who have won the technol= ogical race to acquire quantum computers. It's hard to see a bright sid= e to that scenario.
>
> Is Quantum Recovery Good for Anyone?
>
> Does quantum recovery HELP anyone? I've yet to come across an argu= ment that it's a net positive in any way. It certainly doesn't add = any security to the network. If anything, it greatly decreases the security= of the network by allowing funds to be claimed by those who did not earn t= hem.
>
> But wait, you may be thinking, wouldn't quantum "miners"= have earned their coins by all the work and resources invested in building= a quantum computer? I suppose, in the same sense that a burglar earns thei= r spoils by the resources they invest into surveilling targets and learning= the skills needed to break into buildings. What I say "earned" I= mean through productive mutual trade.
>
> For example:
>
> * Investors earn BTC by trading for other currencies.
> * Merchants earn BTC by trading for goods and services.
> * Miners earn BTC by trading thermodynamic security.
> * Quantum miners don't trade anything, they are vampires feeding u= pon the system.
>
> There's no reason to believe that allowing quantum adversaries to = recover vulnerable bitcoin will be of benefit to anyone other than the sele= ct few organizations that win the technological arms race to build the firs= t such computers. Probably nation states and/or the top few largest tech co= mpanies.
>
> One could certainly hope that an organization with quantum supremacy i= s benevolent and acts in a "white hat" manner to return lost coin= s to their owners, but that's incredibly optimistic and foolish to rely= upon. Such a situation creates an insurmountable ethical dilemma of only r= ecovering lost bitcoin rather than currently owned bitcoin. There's no = way to precisely differentiate between the two; anyone can claim to have lo= st their bitcoin but if they have lost their keys then proving they ever ha= d the keys becomes rather difficult. I imagine that any such white hat reco= very efforts would have to rely upon attestations from trusted third partie= s like exchanges.
>
> Even if the first actor with quantum supremacy is benevolent, we must = assume the technology could fall into adversarial hands and thus think adve= rsarially about the potential worst case outcomes. Imagine, for example, th= at North Korea continues scooping up billions of dollars from hacking crypt= o exchanges and decides to invest some of those proceeds into building a qu= antum computer for the biggest payday ever...
>
> Downsides to Allowing Quantum Recovery
> Let's think through an exhaustive list of pros and cons for allowi= ng or preventing the seizure of funds by a quantum adversary.
>
> Historical Precedent
> Previous protocol vulnerabilities weren=E2=80=99t celebrated as "= fair game" but rather were treated as failures to be remediated. Treat= ing quantum theft differently risks rewriting Bitcoin=E2=80=99s history as = a free-for-all rather than a system that seeks to protect its users.
>
> Violation of Property Rights
> Allowing a quantum adversary to take control of funds undermines the f= undamental principle of cryptocurrency - if you keep your keys in your poss= ession, only you should be able to access your money. Bitcoin is built on t= he idea that private keys secure an individual=E2=80=99s assets, and unauth= orized access (even via advanced tech) is theft, not a legitimate transfer.=
>
> Erosion of Trust in Bitcoin
> If quantum attackers can exploit vulnerable addresses, confidence in B= itcoin as a secure store of value would collapse. Users and investors rely = on cryptographic integrity, and widespread theft could drive adoption away = from Bitcoin, destabilizing its ecosystem.
>
> This is essentially the counterpoint to claiming the burning of vulner= able funds is a violation of property rights. While some will certainly see= it as such, others will find the apathy toward stopping quantum theft to b= e similarly concerning.
>
> Unfair Advantage
> Quantum attackers, likely equipped with rare and expensive technology,= would have an unjust edge over regular users who lack access to such tools= . This creates an inequitable system where only the technologically elite c= an exploit others, contradicting Bitcoin=E2=80=99s ethos of decentralized p= ower.
>
> Bitcoin is designed to create an asymmetric advantage for DEFENDING on= e's wealth. It's supposed to be impractically expensive for attacke= rs to crack the entropy and cryptography protecting one's coins. But no= w we find ourselves discussing a situation where this asymmetric advantage = is compromised in favor of a specific class of attackers.
>
> Economic Disruption
> Large-scale theft from vulnerable addresses could crash Bitcoin=E2=80= =99s price as quantum recovered funds are dumped on exchanges. This would h= arm all holders, not just those directly targeted, leading to broader finan= cial chaos in the markets.
>
> Moral Responsibility
> Permitting theft via quantum computing sets a precedent that technolog= ical superiority justifies unethical behavior. This is essentially taking a= "code is law" stance in which we refuse to admit that both code = and laws can be modified to adapt to previously unforeseen situations.
>
> Burning of coins can certainly be considered a form of theft, thus I t= hink it's worth differentiating the two different thefts being discusse= d:
>
> 1. self-enriching & likely malicious
> 2. harm prevention & not necessarily malicious
>
> Both options lack the consent of the party whose coins are being burnt= or transferred, thus I think the simple argument that theft is immoral bec= omes a wash and it's important to drill down into the details of each.<= br> >
> Incentives Drive Security
> I can tell you from a decade of working in Bitcoin security - the aver= age user is lazy and is a procrastinator. If Bitcoiners are given a "d= rop dead date" after which they know vulnerable funds will be burned, = this pressure accelerates the adoption of post-quantum cryptography and str= engthens Bitcoin long-term. Allowing vulnerable users to delay upgrading in= definitely will result in more laggards, leaving the network more exposed w= hen quantum tech becomes available.
>
> Steel Manning
> Clearly this is a complex and controversial topic, thus it's worth= thinking through the opposing arguments.
>
> Protecting Property Rights
> Allowing quantum computers to take vulnerable bitcoin could potentiall= y be spun as a hard money narrative - we care so greatly about not violatin= g someone's access to their coins that we allow them to be stolen!
>
> But I think the flip side to the property rights narrative is that bur= ning vulnerable coins prevents said property from falling into undeserving = hands. If the entire Bitcoin ecosystem just stands around and allows quantu= m adversaries to claim funds that rightfully belong to other users, is that= really a "win" in the "protecting property rights" cat= egory? It feels more like apathy to me.
>
> As such, I think the "protecting property rights" argument i= s a wash.
>
> Quantum Computers Won't Attack Bitcoin
> There is a great deal of skepticism that sufficiently powerful quantum= computers will ever exist, so we shouldn't bother preparing for a non-= existent threat. Others have argued that even if such a computer was built,= a quantum attacker would not go after bitcoin because they wouldn't wa= nt to reveal their hand by doing so, and would instead attack other infrast= ructure.
>
> It's quite difficult to quantify exactly how valuable attacking ot= her infrastructure would be. It also really depends upon when an entity gai= ns quantum supremacy and thus if by that time most of the world's syste= ms have already been upgraded. While I think you could argue that certain e= ntities gaining quantum capability might not attack Bitcoin, it would only = delay the inevitable - eventually somebody will achieve the capability who = decides to use it for such an attack.
>
> Quantum Attackers Would Only Steal Small Amounts
> Some have argued that even if a quantum attacker targeted bitcoin, the= y'd only go after old, likely lost P2PK outputs so as to not arouse sus= picion and cause a market panic.
>
> I'm not so sure about that; why go after 50 BTC at a time when you= could take 250,000 BTC with the same effort as 50 BTC? This is a classic &= quot;zero day exploit" game theory in which an attacker knows they hav= e a limited amount of time before someone else discovers the exploit and ei= ther benefits from it or patches it. Take, for example, the recent ByBit at= tack - the highest value crypto hack of all time. Lazarus Group had comprom= ised the Safe wallet front end JavaScript app and they could have simply ha= d it reassign ownership of everyone's Safe wallets as they were interac= ting with their wallet. But instead they chose to only specifically target = ByBit's wallet with $1.5 billion in it because they wanted to maximize = their extractable value. If Lazarus had started stealing from every wallet,= they would have been discovered quickly and the Safe web app would likely = have been patched well before any billion dollar wallets executed the malic= ious code.
>
> I think the "only stealing small amounts" argument is strong= est for Situation #2 described earlier, where a quantum attacker arrives be= fore quantum safe cryptography has been deployed across the Bitcoin ecosyst= em. Because if it became clear that Bitcoin's cryptography was broken A= ND there was nowhere safe for vulnerable users to migrate, the only logical= option would be for everyone to liquidate their bitcoin as quickly as poss= ible. As such, I don't think it applies as strongly for situations in w= hich we have a migration path available.
>
> The 21 Million Coin Supply Should be in Circulation
> Some folks are arguing that it's important for the "circulati= ng / spendable" supply to be as close to 21M as possible and that havi= ng a significant portion of the supply out of circulation is somehow undesi= rable.
>
> While the "21M BTC" attribute is a strong memetic narrative,= I don't think anyone has ever expected that it would all be in circula= tion. It has always been understood that many coins will be lost, and that&= #39;s actually part of the game theory of owning bitcoin!
>
> And remember, the 21M number in and of itself is not a particularly im= portant detail - it's not even mentioned in the whitepaper. What's = important is that the supply is well known and not subject to change.
>
> Self-Sovereignty and Personal Responsibility
> Bitcoin=E2=80=99s design empowers individuals to control their own wea= lth, free from centralized intervention. This freedom comes with the burden= of securing one's private keys. If quantum computing can break obsolet= e cryptography, the fault lies with users who didn't move their funds t= o quantum safe locking scripts. Expecting the network to shield users from = their own negligence undermines the principle that you, and not a third par= ty, are accountable for your assets.
>
> I think this is generally a fair point that "the community" = doesn't owe you anything in terms of helping you. I think that we do, h= owever, need to consider the incentives and game theory in play with regard= to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners. More on that = later.
>
> Code is Law
> Bitcoin operates on transparent, immutable rules embedded in its proto= col. If a quantum attacker uses superior technology to derive private keys = from public keys, they=E2=80=99re not "hacking" the system - they= 're simply following what's mathematically permissible within the c= urrent code. Altering the protocol to stop this introduces subjective human= intervention, which clashes with the objective, deterministic nature of bl= ockchain.
>
> While I tend to agree that code is law, one of the entire points of la= ws is that they can be amended to improve their efficacy in reducing harm. = Leaning on this point seems more like a pro-ossification stance that it'= ;s better to do nothing and allow harm to occur rather than take action to = stop an attack that was foreseen far in advance.
>
> Technological Evolution as a Feature, Not a Bug
> It's well known that cryptography tends to weaken over time and ev= entually break. Quantum computing is just the next step in this progression= . Users who fail to adapt (e.g., by adopting quantum-resistant wallets when= available) are akin to those who ignored technological advancements like m= ultisig or hardware wallets. Allowing quantum theft incentivizes innovation= and keeps Bitcoin=E2=80=99s ecosystem dynamic, punishing complacency while= rewarding vigilance.
>
> Market Signals Drive Security
> If quantum attackers start stealing funds, it sends a clear signal to = the market: upgrade your security or lose everything. This pressure acceler= ates the adoption of post-quantum cryptography and strengthens Bitcoin long= -term. Coddling vulnerable users delays this necessary evolution, potential= ly leaving the network more exposed when quantum tech becomes widely access= ible. Theft is a brutal but effective teacher.
>
> Centralized Blacklisting Power
> Burning vulnerable funds requires centralized decision-making - a soft= fork to invalidate certain transactions. This sets a dangerous precedent f= or future interventions, eroding Bitcoin=E2=80=99s decentralization. If qua= ntum theft is blocked, what=E2=80=99s next - reversing exchange hacks? The = system must remain neutral, even if it means some lose out.
>
> I think this could be a potential slippery slope if the proposal was t= o only burn specific addresses. Rather, I'd expect a neutral proposal t= o burn all funds in locking script types that are known to be quantum vulne= rable. Thus, we could eliminate any subjectivity from the code.
>
> Fairness in Competition
> Quantum attackers aren't cheating; they're using publicly avai= lable physics and math. Anyone with the resources and foresight can build o= r access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU= . Early adopters took risks and reaped rewards; quantum innovators are doin= g the same. Calling it =E2=80=9Cunfair=E2=80=9D ignores that Bitcoin has ne= ver promised equality of outcome - only equality of opportunity within its = rules.
>
> I find this argument to be a mischaracterization because we're not= talking about CPUs. This is more akin to talking about ASICs, except each = ASIC costs millions if not billions of dollars. This is out of reach from a= ll but the wealthiest organizations.
>
> Economic Resilience
> Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and em= erged stronger. The market can absorb quantum losses, with unaffected users= continuing to hold and new entrants buying in at lower prices. Fear of eco= nomic collapse overestimates the impact - the network=E2=80=99s antifragili= ty thrives on such challenges.
>
> This is a big grey area because we don't know when a quantum compu= ter will come online and we don't know how quickly said computers would= be able to steal bitcoin. If, for example, the first generation of suffici= ently powerful quantum computers were stealing less volume than the current= block reward then of course it will have minimal economic impact. But if t= hey're taking thousands of BTC per day and bringing them back into circ= ulation, there will likely be a noticeable market impact as it absorbs the = new supply.
>
> This is where the circumstances will really matter. If a quantum attac= ker appears AFTER the Bitcoin protocol has been upgraded to support quantum= resistant cryptography then we should expect the most valuable active wall= ets will have upgraded and the juiciest target would be the 31,000 BTC in t= he address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant since = 2010. In general I'd expect that the amount of BTC re-entering the circ= ulating supply would look somewhat similar to the mining emission curve: vo= lume would start off very high as the most valuable addresses are drained a= nd then it would fall off as quantum computers went down the list targeting= addresses with less and less BTC.
>
> Why is economic impact a factor worth considering? Miners and business= es in general. More coins being liquidated will push down the price, which = will negatively impact miner revenue. Similarly, I can attest from working = in the industry for a decade, that lower prices result in less demand from = businesses across the entire industry. As such, burning quantum vulnerable = bitcoin is good for the entire industry.
>
> Practicality & Neutrality of Non-Intervention
> There=E2=80=99s no reliable way to distinguish =E2=80=9Ctheft=E2=80=9D= from legitimate "white hat" key recovery. If someone loses their= private key and a quantum computer recovers it, is that stealing or reclai= ming? Policing quantum actions requires invasive assumptions about intent, = which Bitcoin=E2=80=99s trustless design can=E2=80=99t accommodate. Letting= the chips fall where they may avoids this mess.
>
> Philosophical Purity
> Bitcoin rejects bailouts. It=E2=80=99s a cold, hard system where outco= mes reflect preparation and skill, not sentimentality. If quantum computing= upends the game, that=E2=80=99s the point - Bitcoin isn=E2=80=99t meant to= be safe or fair in a nanny-state sense; it=E2=80=99s meant to be free. Use= rs who lose funds to quantum attacks are casualties of liberty and their ow= n ignorance, not victims of injustice.
>
> Bitcoin's DAO Moment
> This situation has some similarities to The DAO hack of an Ethereum sm= art contract in 2016, which resulted in a fork to stop the attacker and ret= urn funds to their original owners. The game theory is similar because it&#= 39;s a situation where a threat is known but there's some period of tim= e before the attacker can actually execute the theft. As such, there's = time to mitigate the attack by changing the protocol.
>
> It also created a schism in the community around the true meaning of &= quot;code is law," resulting in Ethereum Classic, which decided to all= ow the attacker to retain control of the stolen funds.
>
> A soft fork to burn vulnerable bitcoin could certainly result in a har= d fork if there are enough miners who reject the soft fork and continue inc= luding transactions.
>
> Incentives Matter
> We can wax philosophical until the cows come home, but what are the ac= tual incentives for existing Bitcoin holders regarding this decision?
>
>> "Lost coins only make everyone else's coins worth slightl= y more. Think of it as a donation to everyone." - Satoshi Nakamoto
>
>
> If true, the corollary is:
>
>> "Quantum recovered coins only make everyone else's coins = worth less. Think of it as a theft from everyone." - Jameson Lopp
>
>
> Thus, assuming we get to a point where quantum resistant signatures ar= e supported within the Bitcoin protocol, what's the incentive to let vu= lnerable coins remain spendable?
>
> * It's not good for the actual owners of those coins. It disincent= ivizes owners from upgrading until perhaps it's too late.
> * It's not good for the more attentive / responsible owners of coi= ns who have quantum secured their stash. Allowing the circulating supply to= balloon will assuredly reduce the purchasing power of all bitcoin holders.=
>
> Forking Game Theory
> From a game theory point of view, I see this as incentivizing users to= upgrade their wallets. If you disagree with the burning of vulnerable coin= s, all you have to do is move your funds to a quantum safe signature scheme= . Point being, I don't see there being an economic majority (or even mo= re than a tiny minority) of users who would fight such a soft fork. Why exp= end significant resources fighting a fork when you can just move your coins= to a new address?
>
> Remember that blocking spending of certain classes of locking scripts = is a tightening of the rules - a soft fork. As such, it can be meaningfully= enacted and enforced by a mere majority of hashpower. If miners generally = agree that it's in their best interest to burn vulnerable coins, are ot= her users going to care enough to put in the effort to run new node softwar= e that resists the soft fork? Seems unlikely to me.
>
> How to Execute Burning
> In order to be as objective as possible, the goal would be to announce= to the world that after a specific block height / timestamp, Bitcoin nodes= will no longer accept transactions (or blocks containing such transactions= ) that spend funds from any scripts other than the newly instituted quantum= safe schemes.
>
> It could take a staggered approach to first freeze funds that are susc= eptible to long-range attacks such as those in P2PK scripts or those that e= xposed their public keys due to previously re-using addresses, but I expect= the additional complexity would drive further controversy.
>
> How long should the grace period be in order to give the ecosystem tim= e to upgrade? I'd say a minimum of 1 year for software wallets to upgra= de. We can only hope that hardware wallet manufacturers are able to impleme= nt post quantum cryptography on their existing hardware with only a firmwar= e update.
>
> Beyond that, it will take at least 6 months worth of block space for a= ll users to migrate their funds, even in a best case scenario. Though if yo= u exclude dust UTXOs you could probably get 95% of BTC value migrated in 1 = month. Of course this is a highly optimistic situation where everyone is co= mpletely focused on migrations - in reality it will take far longer.
>
> Regardless, I'd think that in order to reasonably uphold Bitcoin&#= 39;s conservatism it would be preferable to allow a 4 year migration window= . In the meantime, mining pools could coordinate emergency soft forking log= ic such that if quantum attackers materialized, they could accelerate the c= ountdown to the quantum vulnerable funds burn.
>
> Random Tangential Benefits
> On the plus side, burning all quantum vulnerable bitcoin would allow u= s to prune all of those UTXOs out of the UTXO set, which would also clean u= p a lot of dust. Dust UTXOs are a bit of an annoyance and there has even be= en a recent proposal for how to incentivize cleaning them up.
>
> We should also expect that incentivizing migration of the entire UTXO = set will create substantial demand for block space that will sustain a fee = market for a fairly lengthy amount of time.
>
> In Summary
> While the moral quandary of violating any of Bitcoin's inviolable = properties can make this a very complex issue to discuss, the game theory a= nd incentives between burning vulnerable coins versus allowing them to be c= laimed by entities with quantum supremacy appears to be a much simpler issu= e.
>
> I, for one, am not interested in rewarding quantum capable entities by= inflating the circulating money supply just because some people lost their= keys long ago and some laggards are not upgrading their bitcoin wallet'= ;s security.
>
> We can hope that this scenario never comes to pass, but hope is not a = strategy.
>
> I welcome your feedback upon any of the above points, and contribution= of any arguments I failed to consider.
>
> --
> You received this message because you are subscribed to the Google Gro= ups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send= an email to bitcoindev+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.goog= le.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B= 0GYN97P6hQ%40mail.gmail.com.



--
Best regards,
Boris Nagaev

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoind= ev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/ms= gid/bitcoindev/CADL_X_f267CaqbvtU2rLWoW7hLCv2NAHLnk59eS2Oz0GjL1HeA%40mail.g= mail.com.
--0000000000004a292b06307c4fa0--