From: Agustin Cruz
Date: Sun, 25 May 2025 20:32:04 -0400
Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin
To: Dustin Ray
Cc: conduition, AstroTown, Bitcoin Development Mailing List
List-Archive: , List-Unsubscribe: , X-Spam-Score: 0.0 (/) --00000000000072273e0635ff143b Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi everyone, QRAMP proposal aims to manage the quantum transition responsibly without disrupting Bitcoin=E2=80=99s core principles. QRAMP has three phases: 1. Allow wallets to optionally include PQC keys in Taproot outputs. This enables early adoption without forcing anyone. 2. Announce a soft fork to disable vulnerable scripts, with a long (~4-year) grace period. This gives ample time to migrate and avoids sudden shocks. 3. Gradually deactivate vulnerable outputs based on age or inactivity. This avoids a harsh cutoff and gives time for adaptation. We can also allow exceptions via proof-of-possession, and delay restrictions on timelocked outputs to avoid harming future spenders. QRAMP is not about confiscation or control. It=E2=80=99s about aligning inc= entives, maintaining security, and offering a clear, non-coercive upgrade path. Best, Agustin Cruz El dom, 25 de may de 2025, 7:03=E2=80=AFp.m., Dustin Ray < dustinvonsandwich@gmail.com> escribi=C3=B3: > The difference between the ETH/ETC split though was that no one had > anything confiscated except the DAO hacker, everyone retained an identica= l > number of tokens on each chain. The proposal for BTC is very different in > that some holders will lose access to their coins during the PQ migration > under the confiscation approach. Just wanted to point that out. > > On Sun, May 25, 2025 at 3:06=E2=80=AFPM 'conduition' via Bitcoin Developm= ent > Mailing List wrote: > >> Hey Saulo, >> >> You're right about the possibility of an ugly split. Laggards who don't >> move coins to PQ address schemes will be incentivized to follow any chai= n >> where they keep their coins. But those who do migrate will be incentiviz= ed >> to follow the chain where unmigrated pre-quantum coins are frozen. 
>> >> While you're comparing this event to the ETH/ETC split, we should >> remember that ETH remained the dominant chain despite their heavy-handed >> rollback. Just goes to show, confusion and face-loss is a lesser evil th= an >> allowing an adversary to pwn the network. >> >> This is the free-market way to solve problems without imposing rules on >> everyone. >> >> >> It'd still be a free market even if quantum-vulnerable coins are frozen. >> The only way to test the relative value of quantum-safe vs >> quantum-vulnerable coins is to split the chain and see how the market >> reacts. >> >> IMO, the "free market way" is to give people options and let their money >> flow to where it works best. That means people should be able to choose >> whether they want their money to be part of a system that allows quantum >> attack, or part of one which does not. I know which I would choose, but >> neither you nor I can make that choice for everyone. >> >> regards, >> conduition >> On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz < >> agustin.cruz@gmail.com> wrote: >> >> I=E2=80=99m against letting quantum computers scoop up funds from addres= ses that >> don=E2=80=99t upgrade to quantum-resistant. >> Saulo=E2=80=99s idea of a free-market approach, leaving old coins up for= grabs if >> people don=E2=80=99t move them, sounds fair at first. Let luck decide, r= ight? But I >> worry it=E2=80=99d turn into a mess. If quantum machines start cracking = keys and >> snagging coins, it=E2=80=99s not just lost Satoshi-era stuff at risk. Pl= enty of >> active wallets, like those on the rich list Jameson mentioned, could get >> hit too. Imagine millions of BTC flooding the market. Prices tank, trust= in >> Bitcoin takes a dive, and we all feel the pain. Freezing those vulnerabl= e >> funds keeps that chaos in check. >> Plus, =E2=80=9Cyour keys, your coins=E2=80=9D is Bitcoin=E2=80=99s heart= . 
If quantum tech can >> steal from you just because you didn=E2=80=99t upgrade fast enough, that= promise >> feels shaky. Freezing funds after a heads-up period (say, four years) >> protects that idea better than letting tech giants or rogue states play >> vampire with our network. It also nudges people to get their act togethe= r >> and move to safer addresses, which strengthens Bitcoin long-term. >> Saulo=E2=80=99s right that freezing coins could confuse folks or spark a= split >> like Ethereum Classic. But I=E2=80=99d argue quantum theft would look wo= rse. >> Bitcoin would seem broken, not just strict. A clear plan and enough time= to >> migrate could smooth things over. History=E2=80=99s on our side too. Bit= coin=E2=80=99s >> fixed bugs before, like SegWit. This feels like that, not a bailout. >> So yeah, I=E2=80=99d rather see vulnerable coins locked than handed to w= hoever >> builds the first quantum rig. It=E2=80=99s less about coddling people an= d more >> about keeping Bitcoin solid for everyone. What do you all think? >> Cheers, >> Agust=C3=ADn >> >> >> On Sun, Mar 23, 2025 at 10:29=E2=80=AFPM AstroTown = wrote: >> >>> I believe that having some entity announce the decision to freeze old >>> UTXOs would be more damaging to Bitcoin=E2=80=99s image (and its value)= than having >>> them gathered by QC. This would create another version of Bitcoin, simi= lar >>> to Ethereum Classic, causing confusion in the market. >>> >>> It would be better to simply implement the possibility of moving funds >>> to a PQC address without a deadline, allowing those who fail to do so t= o >>> rely on luck to avoid having their coins stolen. Most coins would be >>> migrated to PQC anyway, and in most cases, only the lost ones would rem= ain >>> vulnerable. This is the free-market way to solve problems without impos= ing >>> rules on everyone. >>> >>> Saulo Fonseca >>> >>> >>> On 16. Mar 2025, at 15:15, Jameson Lopp wrote: >>> >>> The quantum computing debate is heating up. 
There are many controversia= l >>> aspects to this debate, including whether or not quantum computers will >>> ever actually become a practical threat. >>> >>> I won't tread into the unanswerable question of how worried we should b= e >>> about quantum computers. I think it's far from a crisis, but given the >>> difficulty in changing Bitcoin it's worth starting to seriously discuss= . >>> Today I wish to focus on a philosophical quandary related to one of the >>> decisions that would need to be made if and when we implement a quantum >>> safe signature scheme. >>> >>> Several Scenarios >>> Because this essay will reference game theory a fair amount, and there >>> are many variables at play that could change the nature of the game, I >>> think it's important to clarify the possible scenarios up front. >>> >>> 1. Quantum computing never materializes, never becomes a threat, and >>> thus everything discussed in this essay is moot. >>> 2. A quantum computing threat materializes suddenly and Bitcoin does no= t >>> have quantum safe signatures as part of the protocol. In this scenario = it >>> would likely make the points below moot because Bitcoin would be >>> fundamentally broken and it would take far too long to upgrade the >>> protocol, wallet software, and migrate user funds in order to restore >>> confidence in the network. >>> 3. Quantum computing advances slowly enough that we come to consensus >>> about how to upgrade Bitcoin and post quantum security has been minimal= ly >>> adopted by the time an attacker appears. >>> 4. Quantum computing advances slowly enough that we come to consensus >>> about how to upgrade Bitcoin and post quantum security has been highly >>> adopted by the time an attacker appears. >>> >>> For the purposes of this post, I'm envisioning being in situation 3 or = 4. >>> >>> To Freeze or not to Freeze? 
>>> I've started seeing more people weighing in on what is likely the most >>> contentious aspect of how a quantum resistance upgrade should be handle= d in >>> terms of migrating user funds. Should quantum vulnerable funds be left = open >>> to be swept by anyone with a sufficiently powerful quantum computer OR >>> should they be permanently locked? >>> >>> "I don't see why old coins should be confiscated. The better option is >>>> to let those with quantum computers free up old coins. While this migh= t >>>> have an inflationary impact on bitcoin's price, to use a turn of phras= e, >>>> the inflation is transitory. Those with low time preference should sup= port >>>> returning lost coins to circulation." >>> >>> - Hunter Beast >>> >>> >>> On the other hand: >>> >>> "Of course they have to be confiscated. If and when (and that's a big >>>> if) the existence of a cryptography-breaking QC becomes a credible thr= eat, >>>> the Bitcoin ecosystem has no other option than softforking out the abi= lity >>>> to spend from signature schemes (including ECDSA and BIP340) that are >>>> vulnerable to QCs. The alternative is that millions of BTC become >>>> vulnerable to theft; I cannot see how the currency can maintain any va= lue >>>> at all in such a setting. And this affects everyone; even those which >>>> diligently moved their coins to PQC-protected schemes." >>>> - Pieter Wuille >>> >>> >>> I don't think "confiscation" is the most precise term to use, as the >>> funds are not being seized and reassigned. Rather, what we're really >>> discussing would be better described as "burning" - placing the funds *= out >>> of reach of everyone*. >>> >>> Not freezing user funds is one of Bitcoin's inviolable properties. >>> However, if quantum computing becomes a threat to Bitcoin's elliptic cu= rve >>> cryptography, *an inviolable property of Bitcoin will be violated one >>> way or another*. 
>>> >>> Fundamental Properties at Risk >>> 5 years ago I attempted to comprehensively categorize all of Bitcoin's >>> fundamental properties that give it value. >>> https://nakamoto.com/what-are-the-key-properties-of-bitcoin/ >>> >>> The particular properties in play with regard to this issue seem to be: >>> >>> *Censorship Resistance* - No one should have the power to prevent >>> others from using their bitcoin or interacting with the network. >>> >>> *Forward Compatibility* - changing the rules such that certain valid >>> transactions become invalid could undermine confidence in the protocol. >>> >>> *Conservatism* - Users should not be expected to be highly responsive >>> to system issues. >>> >>> As a result of the above principles, we have developed a strong meme >>> (kudos to Andreas Antonopoulos) that goes as follows: >>> >>> Not your keys, not your coins. >>> >>> >>> I posit that the corollary to this principle is: >>> >>> Your keys, only your coins. >>> >>> >>> A quantum capable entity breaks the corollary of this foundational >>> principle. We secure our bitcoin with the mathematical probabilities >>> related to extremely large random numbers. Your funds are only secure >>> because truly random large numbers should not be guessable or discovera= ble >>> by anyone else in the world. >>> >>> This is the principle behind the motto *vires in numeris* - strength in >>> numbers. In a world with quantum enabled adversaries, this principle is >>> null and void for many types of cryptography, including the elliptic cu= rve >>> digital signatures used in Bitcoin. >>> >>> Who is at Risk? >>> There has long been a narrative that Satoshi's coins and others from th= e >>> Satoshi era of P2PK locking scripts that exposed the public key directl= y on >>> the blockchain will be those that get scooped up by a quantum "miner." = But >>> unfortunately it's not that simple. If I had a powerful quantum compute= r, >>> which coins would I target? 
I'd go to the Bitcoin rich list and find th= e >>> wallets that have exposed their public keys due to re-using addresses t= hat >>> have previously been spent from. You can easily find them at >>> https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html >>> >>> Note that a few of these wallets, like Bitfinex / Kraken / Tether, woul= d >>> be slightly harder to crack because they are multisig wallets. So a qua= ntum >>> attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitf= inex >>> / Tether in order to spend funds. But many are single signature. >>> >>> Point being, it's not only the really old lost BTC that are at risk to = a >>> quantum enabled adversary, at least at time of writing. If we add a qua= ntum >>> safe signature scheme, we should expect those wallets to be some of the >>> first to upgrade given their incentives. >>> >>> The Ethical Dilemma: Quantifying Harm >>> Which decision results in the most harm? >>> >>> By making quantum vulnerable funds unspendable we potentially harm some >>> Bitcoin users who were not paying attention and neglected to migrate th= eir >>> funds to a quantum safe locking script. This violates the "conservativi= sm" >>> principle stated earlier. On the flip side, we prevent those funds plus= far >>> more lost funds from falling into the hands of the few privileged folks= who >>> gain early access to quantum computers. >>> >>> By leaving quantum vulnerable funds available to spend, the same set of >>> users who would otherwise have funds frozen are likely to see them stol= en. >>> And many early adopters who lost their keys will eventually see their >>> unreachable funds scooped up by a quantum enabled adversary. >>> >>> Imagine, for example, being James Howells, who accidentally threw away = a >>> hard drive with 8,000 BTC on it, currently worth over $600M USD. He has >>> spent a decade trying to retrieve it from the landfill where he knows i= t's >>> buried, but can't get permission to excavate. 
I suspect that, given the >>> choice, he'd prefer those funds be permanently frozen rather than fall = into >>> someone else's possession - I know I would. >>> >>> Allowing a quantum computer to access lost funds doesn't make those >>> users any worse off than they were before, however it *would*have a >>> negative impact upon everyone who is currently holding bitcoin. >>> >>> It's prudent to expect significant economic disruption if large amounts >>> of coins fall into new hands. Since a quantum computer is going to have= a >>> massive up front cost, expect those behind it to desire to recoup their >>> investment. We also know from experience that when someone suddenly fin= ds >>> themselves in possession of 9+ figures worth of highly liquid assets, t= hey >>> tend to diversify into other things by selling. >>> >>> Allowing quantum recovery of bitcoin is *tantamount to wealth >>> redistribution*. What we'd be allowing is for bitcoin to be >>> redistributed from those who are ignorant of quantum computers to those= who >>> have won the technological race to acquire quantum computers. It's hard= to >>> see a bright side to that scenario. >>> >>> Is Quantum Recovery Good for Anyone? >>> >>> Does quantum recovery HELP anyone? I've yet to come across an argument >>> that it's a net positive in any way. It certainly doesn't add any secur= ity >>> to the network. If anything, it greatly decreases the security of the >>> network by allowing funds to be claimed by those who did not earn them. >>> >>> But wait, you may be thinking, wouldn't quantum "miners" have earned >>> their coins by all the work and resources invested in building a quantu= m >>> computer? I suppose, in the same sense that a burglar earns their spoil= s by >>> the resources they invest into surveilling targets and learning the ski= lls >>> needed to break into buildings. What I say "earned" I mean through >>> productive mutual trade. 
>>> >>> For example: >>> >>> * Investors earn BTC by trading for other currencies. >>> * Merchants earn BTC by trading for goods and services. >>> * Miners earn BTC by trading thermodynamic security. >>> * Quantum miners don't trade anything, they are vampires feeding upon >>> the system. >>> >>> There's no reason to believe that allowing quantum adversaries to >>> recover vulnerable bitcoin will be of benefit to anyone other than the >>> select few organizations that win the technological arms race to build = the >>> first such computers. Probably nation states and/or the top few largest >>> tech companies. >>> >>> One could certainly hope that an organization with quantum supremacy is >>> benevolent and acts in a "white hat" manner to return lost coins to the= ir >>> owners, but that's incredibly optimistic and foolish to rely upon. Such= a >>> situation creates an insurmountable ethical dilemma of only recovering = lost >>> bitcoin rather than currently owned bitcoin. There's no way to precisel= y >>> differentiate between the two; anyone can claim to have lost their bitc= oin >>> but if they have lost their keys then proving they ever had the keys >>> becomes rather difficult. I imagine that any such white hat recovery >>> efforts would have to rely upon attestations from trusted third parties >>> like exchanges. >>> >>> Even if the first actor with quantum supremacy is benevolent, we must >>> assume the technology could fall into adversarial hands and thus think >>> adversarially about the potential worst case outcomes. Imagine, for >>> example, that North Korea continues scooping up billions of dollars fro= m >>> hacking crypto exchanges and decides to invest some of those proceeds i= nto >>> building a quantum computer for the biggest payday ever... >>> >>> Downsides to Allowing Quantum Recovery >>> Let's think through an exhaustive list of pros and cons for allowing or >>> preventing the seizure of funds by a quantum adversary. 
>>> >>> Historical Precedent >>> Previous protocol vulnerabilities weren=E2=80=99t celebrated as "fair g= ame" but >>> rather were treated as failures to be remediated. Treating quantum thef= t >>> differently risks rewriting Bitcoin=E2=80=99s history as a free-for-all= rather than >>> a system that seeks to protect its users. >>> >>> Violation of Property Rights >>> Allowing a quantum adversary to take control of funds undermines the >>> fundamental principle of cryptocurrency - if you keep your keys in your >>> possession, only you should be able to access your money. Bitcoin is bu= ilt >>> on the idea that private keys secure an individual=E2=80=99s assets, an= d >>> unauthorized access (even via advanced tech) is theft, not a legitimate >>> transfer. >>> >>> Erosion of Trust in Bitcoin >>> If quantum attackers can exploit vulnerable addresses, confidence in >>> Bitcoin as a secure store of value would collapse. Users and investors = rely >>> on cryptographic integrity, and widespread theft could drive adoption a= way >>> from Bitcoin, destabilizing its ecosystem. >>> >>> This is essentially the counterpoint to claiming the burning of >>> vulnerable funds is a violation of property rights. While some will >>> certainly see it as such, others will find the apathy toward stopping >>> quantum theft to be similarly concerning. >>> >>> Unfair Advantage >>> Quantum attackers, likely equipped with rare and expensive technology, >>> would have an unjust edge over regular users who lack access to such to= ols. >>> This creates an inequitable system where only the technologically elite= can >>> exploit others, contradicting Bitcoin=E2=80=99s ethos of decentralized = power. >>> >>> Bitcoin is designed to create an asymmetric advantage for DEFENDING >>> one's wealth. It's supposed to be impractically expensive for attackers= to >>> crack the entropy and cryptography protecting one's coins. 
But now we f= ind >>> ourselves discussing a situation where this asymmetric advantage is >>> compromised in favor of a specific class of attackers. >>> >>> Economic Disruption >>> Large-scale theft from vulnerable addresses could crash Bitcoin=E2=80= =99s price >>> as quantum recovered funds are dumped on exchanges. This would harm all >>> holders, not just those directly targeted, leading to broader financial >>> chaos in the markets. >>> >>> Moral Responsibility >>> Permitting theft via quantum computing sets a precedent that >>> technological superiority justifies unethical behavior. This is essenti= ally >>> taking a "code is law" stance in which we refuse to admit that both cod= e >>> and laws can be modified to adapt to previously unforeseen situations. >>> >>> Burning of coins can certainly be considered a form of theft, thus I >>> think it's worth differentiating the two different thefts being discuss= ed: >>> >>> 1. self-enriching & likely malicious >>> 2. harm prevention & not necessarily malicious >>> >>> Both options lack the consent of the party whose coins are being burnt >>> or transferred, thus I think the simple argument that theft is immoral >>> becomes a wash and it's important to drill down into the details of eac= h. >>> >>> Incentives Drive Security >>> I can tell you from a decade of working in Bitcoin security - the >>> average user is lazy and is a procrastinator. If Bitcoiners are given a >>> "drop dead date" after which they know vulnerable funds will be burned, >>> this pressure accelerates the adoption of post-quantum cryptography and >>> strengthens Bitcoin long-term. Allowing vulnerable users to delay upgra= ding >>> indefinitely will result in more laggards, leaving the network more exp= osed >>> when quantum tech becomes available. >>> >>> Steel Manning >>> Clearly this is a complex and controversial topic, thus it's worth >>> thinking through the opposing arguments. 
>>> >>> Protecting Property Rights >>> Allowing quantum computers to take vulnerable bitcoin could potentially >>> be spun as a hard money narrative - we care so greatly about not violat= ing >>> someone's access to their coins that we allow them to be stolen! >>> >>> But I think the flip side to the property rights narrative is that >>> burning vulnerable coins prevents said property from falling into >>> undeserving hands. If the entire Bitcoin ecosystem just stands around a= nd >>> allows quantum adversaries to claim funds that rightfully belong to oth= er >>> users, is that really a "win" in the "protecting property rights" categ= ory? >>> It feels more like apathy to me. >>> >>> As such, I think the "protecting property rights" argument is a wash. >>> >>> Quantum Computers Won't Attack Bitcoin >>> There is a great deal of skepticism that sufficiently powerful quantum >>> computers will ever exist, so we shouldn't bother preparing for a >>> non-existent threat. Others have argued that even if such a computer wa= s >>> built, a quantum attacker would not go after bitcoin because they would= n't >>> want to reveal their hand by doing so, and would instead attack other >>> infrastructure. >>> >>> It's quite difficult to quantify exactly how valuable attacking other >>> infrastructure would be. It also really depends upon when an entity gai= ns >>> quantum supremacy and thus if by that time most of the world's systems = have >>> already been upgraded. While I think you could argue that certain entit= ies >>> gaining quantum capability might not attack Bitcoin, it would only dela= y >>> the inevitable - eventually somebody will achieve the capability who >>> decides to use it for such an attack. >>> >>> Quantum Attackers Would Only Steal Small Amounts >>> Some have argued that even if a quantum attacker targeted bitcoin, >>> they'd only go after old, likely lost P2PK outputs so as to not arouse >>> suspicion and cause a market panic. 
>>>
>>> I'm not so sure about that; why go after 50 BTC at a time when you could take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero day exploit" game theory in which an attacker knows they have a limited amount of time before someone else discovers the exploit and either benefits from it or patches it. Take, for example, the recent ByBit attack - the highest value crypto hack of all time. Lazarus Group had compromised the Safe wallet front end JavaScript app and they could have simply had it reassign ownership of everyone's Safe wallets as they were interacting with their wallet. But instead they chose to only specifically target ByBit's wallet with $1.5 billion in it because they wanted to maximize their extractable value. If Lazarus had started stealing from every wallet, they would have been discovered quickly and the Safe web app would likely have been patched well before any billion dollar wallets executed the malicious code.
>>>
>>> I think the "only stealing small amounts" argument is strongest for Situation #2 described earlier, where a quantum attacker arrives before quantum safe cryptography has been deployed across the Bitcoin ecosystem. Because if it became clear that Bitcoin's cryptography was broken AND there was nowhere safe for vulnerable users to migrate, the only logical option would be for everyone to liquidate their bitcoin as quickly as possible. As such, I don't think it applies as strongly for situations in which we have a migration path available.
>>>
>>> The 21 Million Coin Supply Should be in Circulation
>>> Some folks are arguing that it's important for the "circulating / spendable" supply to be as close to 21M as possible and that having a significant portion of the supply out of circulation is somehow undesirable.
>>>
>>> While the "21M BTC" attribute is a strong memetic narrative, I don't think anyone has ever expected that it would all be in circulation. It has always been understood that many coins will be lost, and that's actually part of the game theory of owning bitcoin!
>>>
>>> And remember, the 21M number in and of itself is not a particularly important detail - it's not even mentioned in the whitepaper. What's important is that the supply is well known and not subject to change.
>>>
>>> Self-Sovereignty and Personal Responsibility
>>> Bitcoin's design empowers individuals to control their own wealth, free from centralized intervention. This freedom comes with the burden of securing one's private keys. If quantum computing can break obsolete cryptography, the fault lies with users who didn't move their funds to quantum safe locking scripts. Expecting the network to shield users from their own negligence undermines the principle that you, and not a third party, are accountable for your assets.
>>>
>>> I think this is generally a fair point that "the community" doesn't owe you anything in terms of helping you. I think that we do, however, need to consider the incentives and game theory in play with regard to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.
>>>
>>> Code is Law
>>> Bitcoin operates on transparent, immutable rules embedded in its protocol. If a quantum attacker uses superior technology to derive private keys from public keys, they're not "hacking" the system - they're simply following what's mathematically permissible within the current code. Altering the protocol to stop this introduces subjective human intervention, which clashes with the objective, deterministic nature of blockchain.
>>>
>>> While I tend to agree that code is law, one of the entire points of laws is that they can be amended to improve their efficacy in reducing harm. Leaning on this point seems more like a pro-ossification stance that it's better to do nothing and allow harm to occur rather than take action to stop an attack that was foreseen far in advance.
>>>
>>> Technological Evolution as a Feature, Not a Bug
>>> It's well known that cryptography tends to weaken over time and eventually break. Quantum computing is just the next step in this progression. Users who fail to adapt (e.g., by adopting quantum-resistant wallets when available) are akin to those who ignored technological advancements like multisig or hardware wallets. Allowing quantum theft incentivizes innovation and keeps Bitcoin's ecosystem dynamic, punishing complacency while rewarding vigilance.
>>>
>>> Market Signals Drive Security
>>> If quantum attackers start stealing funds, it sends a clear signal to the market: upgrade your security or lose everything. This pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Coddling vulnerable users delays this necessary evolution, potentially leaving the network more exposed when quantum tech becomes widely accessible. Theft is a brutal but effective teacher.
>>>
>>> Centralized Blacklisting Power
>>> Burning vulnerable funds requires centralized decision-making - a soft fork to invalidate certain transactions. This sets a dangerous precedent for future interventions, eroding Bitcoin's decentralization. If quantum theft is blocked, what's next - reversing exchange hacks? The system must remain neutral, even if it means some lose out.
>>>
>>> I think this could be a potential slippery slope if the proposal was to only burn specific addresses.
>>> Rather, I'd expect a neutral proposal to burn all funds in locking script types that are known to be quantum vulnerable. Thus, we could eliminate any subjectivity from the code.
>>>
>>> Fairness in Competition
>>> Quantum attackers aren't cheating; they're using publicly available physics and math. Anyone with the resources and foresight can build or access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU. Early adopters took risks and reaped rewards; quantum innovators are doing the same. Calling it "unfair" ignores that Bitcoin has never promised equality of outcome - only equality of opportunity within its rules.
>>>
>>> I find this argument to be a mischaracterization because we're not talking about CPUs. This is more akin to talking about ASICs, except each ASIC costs millions if not billions of dollars. This is out of reach from all but the wealthiest organizations.
>>>
>>> Economic Resilience
>>> Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and emerged stronger. The market can absorb quantum losses, with unaffected users continuing to hold and new entrants buying in at lower prices. Fear of economic collapse overestimates the impact - the network's antifragility thrives on such challenges.
>>>
>>> This is a big grey area because we don't know when a quantum computer will come online and we don't know how quickly said computers would be able to steal bitcoin. If, for example, the first generation of sufficiently powerful quantum computers were stealing less volume than the current block reward then of course it will have minimal economic impact. But if they're taking thousands of BTC per day and bringing them back into circulation, there will likely be a noticeable market impact as it absorbs the new supply.
>>>
>>> This is where the circumstances will really matter.
>>> If a quantum attacker appears AFTER the Bitcoin protocol has been upgraded to support quantum resistant cryptography then we should expect the most valuable active wallets will have upgraded and the juiciest target would be the 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant since 2010. In general I'd expect that the amount of BTC re-entering the circulating supply would look somewhat similar to the mining emission curve: volume would start off very high as the most valuable addresses are drained and then it would fall off as quantum computers went down the list targeting addresses with less and less BTC.
>>>
>>> Why is economic impact a factor worth considering? Miners and businesses in general. More coins being liquidated will push down the price, which will negatively impact miner revenue. Similarly, I can attest from working in the industry for a decade, that lower prices result in less demand from businesses across the entire industry. As such, burning quantum vulnerable bitcoin is good for the entire industry.
>>>
>>> Practicality & Neutrality of Non-Intervention
>>> There's no reliable way to distinguish "theft" from legitimate "white hat" key recovery. If someone loses their private key and a quantum computer recovers it, is that stealing or reclaiming? Policing quantum actions requires invasive assumptions about intent, which Bitcoin's trustless design can't accommodate. Letting the chips fall where they may avoids this mess.
>>>
>>> Philosophical Purity
>>> Bitcoin rejects bailouts. It's a cold, hard system where outcomes reflect preparation and skill, not sentimentality. If quantum computing upends the game, that's the point - Bitcoin isn't meant to be safe or fair in a nanny-state sense; it's meant to be free.
>>> Users who lose funds to quantum attacks are casualties of liberty and their own ignorance, not victims of injustice.
>>>
>>> Bitcoin's DAO Moment
>>> This situation has some similarities to The DAO hack of an Ethereum smart contract in 2016, which resulted in a fork to stop the attacker and return funds to their original owners. The game theory is similar because it's a situation where a threat is known but there's some period of time before the attacker can actually execute the theft. As such, there's time to mitigate the attack by changing the protocol.
>>>
>>> It also created a schism in the community around the true meaning of "code is law," resulting in Ethereum Classic, which decided to allow the attacker to retain control of the stolen funds.
>>>
>>> A soft fork to burn vulnerable bitcoin could certainly result in a hard fork if there are enough miners who reject the soft fork and continue including transactions.
>>>
>>> Incentives Matter
>>> We can wax philosophical until the cows come home, but what are the actual incentives for existing Bitcoin holders regarding this decision?
>>>
>>>> "Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone." - Satoshi Nakamoto
>>>
>>> If true, the corollary is:
>>>
>>>> "Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone." - Jameson Lopp
>>>
>>> Thus, assuming we get to a point where quantum resistant signatures are supported within the Bitcoin protocol, what's the incentive to let vulnerable coins remain spendable?
>>>
>>> * It's not good for the actual owners of those coins. It disincentivizes owners from upgrading until perhaps it's too late.
>>> * It's not good for the more attentive / responsible owners of coins who have quantum secured their stash.
>>> Allowing the circulating supply to balloon will assuredly reduce the purchasing power of all bitcoin holders.
>>>
>>> Forking Game Theory
>>> From a game theory point of view, I see this as incentivizing users to upgrade their wallets. If you disagree with the burning of vulnerable coins, all you have to do is move your funds to a quantum safe signature scheme. Point being, I don't see there being an economic majority (or even more than a tiny minority) of users who would fight such a soft fork. Why expend significant resources fighting a fork when you can just move your coins to a new address?
>>>
>>> Remember that blocking spending of certain classes of locking scripts is a tightening of the rules - a soft fork. As such, it can be meaningfully enacted and enforced by a mere majority of hashpower. If miners generally agree that it's in their best interest to burn vulnerable coins, are other users going to care enough to put in the effort to run new node software that resists the soft fork? Seems unlikely to me.
>>>
>>> How to Execute Burning
>>> In order to be as objective as possible, the goal would be to announce to the world that after a specific block height / timestamp, Bitcoin nodes will no longer accept transactions (or blocks containing such transactions) that spend funds from any scripts other than the newly instituted quantum safe schemes.
>>>
>>> It could take a staggered approach to first freeze funds that are susceptible to long-range attacks such as those in P2PK scripts or those that exposed their public keys due to previously re-using addresses, but I expect the additional complexity would drive further controversy.
>>>
>>> How long should the grace period be in order to give the ecosystem time to upgrade? I'd say a minimum of 1 year for software wallets to upgrade.
>>> We can only hope that hardware wallet manufacturers are able to implement post quantum cryptography on their existing hardware with only a firmware update.
>>>
>>> Beyond that, it will take at least 6 months worth of block space for all users to migrate their funds, even in a best case scenario. Though if you exclude dust UTXOs you could probably get 95% of BTC value migrated in 1 month. Of course this is a highly optimistic situation where everyone is completely focused on migrations - in reality it will take far longer.
>>>
>>> Regardless, I'd think that in order to reasonably uphold Bitcoin's conservatism it would be preferable to allow a 4 year migration window. In the meantime, mining pools could coordinate emergency soft forking logic such that if quantum attackers materialized, they could accelerate the countdown to the quantum vulnerable funds burn.
>>>
>>> Random Tangential Benefits
>>> On the plus side, burning all quantum vulnerable bitcoin would allow us to prune all of those UTXOs out of the UTXO set, which would also clean up a lot of dust. Dust UTXOs are a bit of an annoyance and there has even been a recent proposal for how to incentivize cleaning them up.
>>>
>>> We should also expect that incentivizing migration of the entire UTXO set will create substantial demand for block space that will sustain a fee market for a fairly lengthy amount of time.
>>>
>>> In Summary
>>> While the moral quandary of violating any of Bitcoin's inviolable properties can make this a very complex issue to discuss, the game theory and incentives between burning vulnerable coins versus allowing them to be claimed by entities with quantum supremacy appears to be a much simpler issue.
>>>
>>> I, for one, am not interested in rewarding quantum capable entities by inflating the circulating money supply just because some people lost their keys long ago and some laggards are not upgrading their bitcoin wallet's security.
>>>
>>> We can hope that this scenario never comes to pass, but hope is not a strategy.
>>>
>>> I welcome your feedback upon any of the above points, and contribution of any arguments I failed to consider.
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
>>> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com.
Hi everyone,

The QRAMP proposal aims to manage the quantum transition responsibly without disrupting Bitcoin's core principles.

QRAMP has three phases:

1. Allow wallets to optionally include PQC keys in Taproot outputs. This enables early adoption without forcing anyone.

2. Announce a soft fork to disable vulnerable scripts, with a long (~4-year) grace period. This gives ample time to migrate and avoids sudden shocks.

3. Gradually deactivate vulnerable outputs based on age or inactivity. This avoids a harsh cutoff and gives time for adaptation.

We can also allow exceptions via proof-of-possession, and delay restrictions on timelocked outputs to avoid harming future spenders.

QRAMP is not about confiscation or control. It's about aligning incentives, maintaining security, and offering a clear, non-coercive upgrade path.

Best,
Agustin Cruz
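
The three QRAMP phases above, together with the "Who is at Risk?" and "How to Execute Burning" sections of Jameson Lopp's essay quoted further down, describe a consensus rule a node could apply and, from the other side, an audit a wallet owner would run to see which outputs need migrating first. The block below is an added illustration, not code from this thread, from any QRAMP draft, or from Bitcoin Core. The script categories, block heights, and parameter names (stage1_height, stage2_height, min_lifetime, timelock_grace, proof_of_possession) are all assumptions; the wallet it audits is constructed.

```python
"""Added example (not from the thread): audit a UTXO set for quantum
exposure and evaluate a staggered freeze rule of the kind the QRAMP
phases and Lopp's 'How to Execute Burning' section describe.  Heights,
script categories and every parameter name are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class ScriptType(Enum):
    P2PK = "p2pk"               # public key sits in the scriptPubKey itself
    P2PKH = "p2pkh"             # only a hash is on chain until the key signs
    P2WPKH = "p2wpkh"           # same hash-only property as P2PKH
    P2TR = "p2tr"               # x-only output key is on chain (BIP340)
    BARE_MULTISIG = "multisig"  # all signer keys sit in the scriptPubKey
    PQ_SAFE = "pq_safe"         # hypothetical post-quantum locking script


@dataclass
class Utxo:
    script: ScriptType
    created_height: int
    address_reused: bool = False  # an earlier spend already revealed the key
    has_pq_key: bool = False      # QRAMP phase 1: output also commits to a PQC key
    timelock_height: int = 0      # absolute timelock (CLTV-style); 0 = none
    required_keys: int = 1        # signatures a spender must produce


def is_quantum_safe(u: Utxo) -> bool:
    return u.script == ScriptType.PQ_SAFE or u.has_pq_key


def exposed_keys(u: Utxo) -> int:
    """Signing keys readable from the chain today, i.e. attackable offline
    (Lopp's 'long-range' class).  Hash-locked outputs expose nothing until
    they are spent from, so only reused addresses count."""
    if is_quantum_safe(u):
        return 0
    if u.script in (ScriptType.P2PK, ScriptType.BARE_MULTISIG, ScriptType.P2TR):
        return u.required_keys
    if u.script in (ScriptType.P2PKH, ScriptType.P2WPKH):
        return u.required_keys if u.address_reused else 0
    return 0


@dataclass
class FreezeParams:
    stage1_height: int   # long-range-exposed outputs (P2PK, reused) freeze first
    stage2_height: int   # every remaining pre-quantum script type freezes
    min_lifetime: int    # QRAMP phase 3: no output freezes before this age
    timelock_grace: int  # extra blocks granted after a timelock expires


def freeze_height(u: Utxo, p: FreezeParams) -> Optional[int]:
    """First height at which spending `u` is rejected; None if never."""
    if is_quantum_safe(u):
        return None
    stage = p.stage1_height if exposed_keys(u) > 0 else p.stage2_height
    deadline = max(stage, u.created_height + p.min_lifetime)
    if u.timelock_height:
        # the owner could not have moved the coins before the lock expired
        deadline = max(deadline, u.timelock_height + p.timelock_grace)
    return deadline


def spend_allowed(u: Utxo, height: int, p: FreezeParams,
                  proof_of_possession: bool = False) -> bool:
    """Consensus-style check a node applies to an input spent at `height`."""
    fh = freeze_height(u, p)
    if fh is None or height < fh:
        return True
    return proof_of_possession  # QRAMP exception after the deadline


def migration_queue(utxos: List[Utxo], p: FreezeParams) -> List[int]:
    """Indices of outputs that still need migrating, most urgent first."""
    pending = [(freeze_height(u, p), u.created_height, i)
               for i, u in enumerate(utxos) if freeze_height(u, p) is not None]
    return [i for _, _, i in sorted(pending)]


# Constructed sample wallet and rule parameters (all values invented).
PARAMS = FreezeParams(stage1_height=1_000_000, stage2_height=1_100_000,
                      min_lifetime=52_560, timelock_grace=26_280)
SAMPLE = [
    Utxo(ScriptType.P2PK, created_height=50_000),                                 # 0
    Utxo(ScriptType.P2PKH, created_height=800_000, address_reused=True),          # 1
    Utxo(ScriptType.P2PKH, created_height=800_000),                               # 2
    Utxo(ScriptType.P2TR, created_height=1_090_000, has_pq_key=True),             # 3
    Utxo(ScriptType.P2WPKH, created_height=1_090_000, timelock_height=1_150_000), # 4
    Utxo(ScriptType.BARE_MULTISIG, created_height=700_000, required_keys=3),      # 5
    Utxo(ScriptType.PQ_SAFE, created_height=1_050_000),                           # 6
]

if __name__ == "__main__":
    for i in migration_queue(SAMPLE, PARAMS):
        u = SAMPLE[i]
        print(f"utxo {i}: {u.script.value:9} exposed_keys={exposed_keys(u)} "
              f"freezes at {freeze_height(u, PARAMS)}")
```

The ordering produced by `migration_queue` is the practical output: P2PK, bare multisig and reused-address outputs land in the first stage regardless of value, hash-locked outputs that were never spent from get the later stage, and a timelocked output is pushed past its lock so that the rule never freezes coins their owner could not yet move. The `min_lifetime` term is one reading of "deactivate based on age": a freshly created vulnerable output keeps a full migration window even if it was created shortly before a stage height.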



On Sun, 25 May 2025, 7:03 p.m., Dustin Ray <dustinvonsandwich@gmail.com> wrote:

The difference between the ETH/ETC split though was that no one had anything confiscated except the DAO hacker, everyone retained an identical number of tokens on each chain. The proposal for BTC is very different in that some holders will lose access to their coins during the PQ migration under the confiscation approach. Just wanted to point that out.


On Sun, May 25, 2025 at 3:06 PM 'conduition' via Bitcoin Development Mailing List <bitcoindev@googlegroups.com> wrote:
Hey Saulo,

You're right about the possibility of an ugly split. Laggards who don't move coins to PQ address schemes will be incentivized to follow any chain where they keep their coins. But those who do migrate will be incentivized to follow the chain where unmigrated pre-quantum coins are frozen.

While you're comparing this event to the ETH/ETC split, we should remember that ETH remained the dominant chain despite their heavy-handed rollback. Just goes to show, confusion and face-loss is a lesser evil than allowing an adversary to pwn the network.

> This is the free-market way to solve problems without imposing rules on everyone.

It'd still be a free market even if quantum-vulnerable coins are frozen. The only way to test the relative value of quantum-safe vs quantum-vulnerable coins is to split the chain and see how the market reacts.

IMO, the "free market way" is to give people options and let their money flow to where it works best. That means people should be able to choose whether they want their money to be part of a system that allows quantum attack, or part of one which does not. I know which I would choose, but neither you nor I can make that choice for everyone.

regards,
conduition
On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz <agustin.cruz@gmail.com> wrote:

I'm against letting quantum computers scoop up funds from addresses that don't upgrade to quantum-resistant.
Saulo's idea of a free-market approach, leaving old coins up for grabs if people don't move them, sounds fair at first. Let luck decide, right? But I worry it'd turn into a mess. If quantum machines start cracking keys and snagging coins, it's not just lost Satoshi-era stuff at risk. Plenty of active wallets, like those on the rich list Jameson mentioned, could get hit too. Imagine millions of BTC flooding the market. Prices tank, trust in Bitcoin takes a dive, and we all feel the pain. Freezing those vulnerable funds keeps that chaos in check.
Plus, "your keys, your coins" is Bitcoin's heart. If quantum tech can steal from you just because you didn't upgrade fast enough, that promise feels shaky. Freezing funds after a heads-up period (say, four years) protects that idea better than letting tech giants or rogue states play vampire with our network. It also nudges people to get their act together and move to safer addresses, which strengthens Bitcoin long-term.
Saulo's right that freezing coins could confuse folks or spark a split like Ethereum Classic. But I'd argue quantum theft would look worse. Bitcoin would seem broken, not just strict. A clear plan and enough time to migrate could smooth things over. History's on our side too. Bitcoin's fixed bugs before, like SegWit. This feels like that, not a bailout.
So yeah, I'd rather see vulnerable coins locked than handed to whoever builds the first quantum rig. It's less about coddling people and more about keeping Bitcoin solid for everyone. What do you all think?
Cheers,
Agustín


On Sun, Mar 23, 2025 at 10:29 PM AstroTown <saulo@astrotown.de> wrote:

I believe that having some entity announce the decision to freeze old UTXOs would be more damaging to Bitcoin's image (and its value) than having them gathered by QC. This would create another version of Bitcoin, similar to Ethereum Classic, causing confusion in the market.

It would be better to simply implement the possibility of moving funds to a PQC address without a deadline, allowing those who fail to do so to rely on luck to avoid having their coins stolen. Most coins would be migrated to PQC anyway, and in most cases, only the lost ones would remain vulnerable. This is the free-market way to solve problems without imposing rules on everyone.

Saulo Fonseca


On 16. Mar 2025, at 15:15, Jameson Lopp <jameson.lopp@gmail.com> wrote:

The quantum computing debate is heating up. There are many controversial aspects to this debate, including whether or not quantum computers will ever actually become a practical threat.

I won't tread into the unanswerable question of how worried we should be about quantum computers. I think it's far from a crisis, but given the difficulty in changing Bitcoin it's worth starting to seriously discuss. Today I wish to focus on a philosophical quandary related to one of the decisions that would need to be made if and when we implement a quantum safe signature scheme.

Several Scenarios
Because this essay will reference game theory a fair amount, and there are many variables at play that could change the nature of the game, I think it's important to clarify the possible scenarios up front.

1. Quantum computing never materializes, never becomes a threat, and thus everything discussed in this essay is moot.
2. A quantum computing threat materializes suddenly and Bitcoin does not have quantum safe signatures as part of the protocol. In this scenario it would likely make the points below moot because Bitcoin would be fundamentally broken and it would take far too long to upgrade the protocol, wallet software, and migrate user funds in order to restore confidence in the network.
3. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been minimally adopted by the time an attacker appears.
4. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been highly adopted by the time an attacker appears.

For the purposes of this post, I'm envisioning being in situation 3 or 4.

To Freeze or not to Freeze?
I've started seeing more people weighing in on what is likely the most contentious aspect of how a quantum resistance upgrade should be handled in terms of migrating user funds. Should quantum vulnerable funds be left open to be swept by anyone with a sufficiently powerful quantum computer OR should they be permanently locked?

"I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation."
- Hunter Beast

On the other hand:

"Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone; even those which diligently moved their coins to PQC-protected schemes."
- Pieter Wuille

I don't think "confiscation" is the most precise term to use, as the funds are not being seized and reassigned. Rather, what we're really discussing would be better described as "burning" - placing the funds out of reach of everyone.

Not freezing user funds is one of Bitcoin's inviolable properties. However, if quantum computing becomes a threat to Bitcoin's elliptic curve cryptography, an inviolable property of Bitcoin will be violated one way or another.

Fundamental Properties at Risk
5 years ago I attempted to comprehensively categorize all of Bitcoin's fundamental properties that give it value. https://nakamoto.com/what-are-the-key-properties-of-bitcoin/

The particular properties in play with regard to this issue seem to be:

Censorship Resistance - No one should have the power to prevent others from using their bitcoin or interacting with the network.

Forward Compatibility - changing the rules such that certain valid transactions become invalid could undermine confidence in the protocol.

Conservatism - Users should not be expected to be highly responsive to system issues.

As a result of the above principles, we have developed a strong meme (kudos to Andreas Antonopoulos) that goes as follows:

Not your keys, not your coins.

I posit that the corollary to this principle is:

Your keys, only your coins.

A quantum capable entity breaks the corollary of this foundational principle. We secure our bitcoin with the mathematical probabilities related to extremely large random numbers. Your funds are only secure because truly random large numbers should not be guessable or discoverable by anyone else in the world.

This is the principle behind the motto vires in numeris - strength in numbers. In a world with quantum enabled adversaries, this principle is null and void for many types of cryptography, including the elliptic curve digital signatures used in Bitcoin.

Who is at Risk?
There has long been a narrative that Satoshi's coins and others from the Satoshi era of P2PK locking scripts that exposed the public key directly on the blockchain will be those that get scooped up by a quantum "miner." But unfortunately it's not that simple. If I had a powerful quantum computer, which coins would I target? I'd go to the Bitcoin rich list and find the wallets that have exposed their public keys due to re-using addresses that have previously been spent from. You can easily find them at https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html

Note that a few of these wallets, like Bitfinex / Kraken / Tether, would be slightly harder to crack because they are multisig wallets. So a quantum attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfinex / Tether in order to spend funds. But many are single signature.

Point being, it's not only the really old lost BTC that are at risk to a quantum enabled adversary, at least at time of writing. If we add a quantum safe signature scheme, we should expect those wallets to be some of the first to upgrade given their incentives.

The Ethical Dilemma: Quantifying Harm
Which decision results in the most harm?

By making quantum vulnerable funds unspendable we potentially harm some Bitcoin users who were not paying attention and neglected to migrate their funds to a quantum safe locking script. This violates the "conservatism" principle stated earlier. On the flip side, we prevent those funds plus far more lost funds from falling into the hands of the few privileged folks who gain early access to quantum computers.

By leaving quantum vulnerable funds available to spend, the same set of users who would otherwise have funds frozen are likely to see them stolen. And many early adopters who lost their keys will eventually see their unreachable funds scooped up by a quantum enabled adversary.

Imagine, for example, being James Howells, who accidentally threw away a hard drive with 8,000 BTC on it, currently worth over $600M USD. He has spent a decade trying to retrieve it from the landfill where he knows it's buried, but can't get permission to excavate. I suspect that, given the choice, he'd prefer those funds be permanently frozen rather than fall into someone else's possession - I know I would.

Allowing a quantum computer to access lost funds doesn't make those users any worse off than they were before, however it would have a negative impact upon everyone who is currently holding bitcoin.

It's prudent to expect significant economic disruption if large amounts of coins fall into new hands. Since a quantum computer is going to have a massive up front cost, expect those behind it to desire to recoup their investment. We also know from experience that when someone suddenly finds themselves in possession of 9+ figures worth of highly liquid assets, they tend to diversify into other things by selling.

Allowing quantum recovery of bitcoin is tantamount to wealth redistribution. What we'd be allowing is for bitcoin to be redistributed from those who are ignorant of quantum computers to those who have won the technological race to acquire quantum computers. It's hard to see a bright side to that scenario.

Is Quantum Recovery Good for Anyone?

Does quantum recovery HELP anyone? I've yet to come across an argument that it's a net positive in any way. It certainly doesn't add any security to the network. If anything, it greatly decreases the security of the network by allowing funds to be claimed by those who did not earn them.

But wait, you may be thinking, wouldn't quantum "miners" have earned their coins by all the work and resources invested in building a quantum computer? I suppose, in the same sense that a burglar earns their spoils by the resources they invest into surveilling targets and learning the skills needed to break into buildings. When I say "earned" I mean through productive mutual trade.

For example:

* Investors earn BTC by trading for other currencies.
* Merchants earn BTC by trading for goods and services.
* Miners earn BTC by trading thermodynamic security.
* Quantum miners don't trade anything, they are vampires feeding upon the system.

There's no reason to believe that allowing quantum adversaries to recover vulnerable bitcoin will be of benefit to anyone other than the select few organizations that win the technological arms race to build the first such computers. Probably nation states and/or the top few largest tech companies.

One could certainly hope that an organization with quantum supremacy is benevolent and acts in a "white hat" manner to return lost coins to their owners, but that's incredibly optimistic and foolish to rely upon. Such a situation creates an insurmountable ethical dilemma of only recovering lost bitcoin rather than currently owned bitcoin. There's no way to precisely differentiate between the two; anyone can claim to have lost their bitcoin but if they have lost their keys then proving they ever had the keys becomes rather difficult. I imagine that any such white hat recovery efforts would have to rely upon attestations from trusted third parties like exchanges.

Even if the first actor with quantum supremacy is benevolent, we must assume the technology could fall into adversarial hands and thus think adversarially about the potential worst case outcomes. Imagine, for example, that North Korea continues scooping up billions of dollars from hacking crypto exchanges and decides to invest some of those proceeds into building a quantum computer for the biggest payday ever...

Downsides to Allowing Quantum Recovery

Let's think through an exhaustive list of pros and cons for allowing or preventing the seizure of funds by a quantum adversary.

Historical Precedent

Previous protocol vulnerabilities weren't celebrated as "fair game" but rather were treated as failures to be remediated. Treating quantum theft differently risks rewriting Bitcoin's history as a free-for-all rather than a system that seeks to protect its users.

Violation of Property Rights

Allowing a quantum adversary to take control of funds undermines the fundamental principle of cryptocurrency - if you keep your keys in your possession, only you should be able to access your money. Bitcoin is built on the idea that private keys secure an individual's assets, and unauthorized access (even via advanced tech) is theft, not a legitimate transfer.

Erosion of Trust in Bitcoin

If quantum attackers can exploit vulnerable addresses, confidence in Bitcoin as a secure store of value would collapse. Users and investors rely on cryptographic integrity, and widespread theft could drive adoption away from Bitcoin, destabilizing its ecosystem.

This is essentially the counterpoint to claiming the burning of vulnerable funds is a violation of property rights. While some will certainly see it as such, others will find the apathy toward stopping quantum theft to be similarly concerning.

Unfair Advantage

Quantum attackers, likely equipped with rare and expensive technology, would have an unjust edge over regular users who lack access to such tools. This creates an inequitable system where only the technologically elite can exploit others, contradicting Bitcoin's ethos of decentralized power.

Bitcoin is designed to create an asymmetric advantage for DEFENDING one's wealth. It's supposed to be impractically expensive for attackers to crack the entropy and cryptography protecting one's coins. But now we find ourselves discussing a situation where this asymmetric advantage is compromised in favor of a specific class of attackers.

Economic Disruption

Large-scale theft from vulnerable addresses could crash Bitcoin's price as quantum recovered funds are dumped on exchanges. This would harm all holders, not just those directly targeted, leading to broader financial chaos in the markets.

Moral Responsibility

Permitting theft via quantum computing sets a precedent that technological superiority justifies unethical behavior. This is essentially taking a "code is law" stance in which we refuse to admit that both code and laws can be modified to adapt to previously unforeseen situations.

Burning of coins can certainly be considered a form of theft, thus I think it's worth differentiating the two different thefts being discussed:

1. self-enriching & likely malicious
2. harm prevention & not necessarily malicious

Both options lack the consent of the party whose coins are being burnt or transferred, thus I think the simple argument that theft is immoral becomes a wash and it's important to drill down into the details of each.

Incentives Drive Security

I can tell you from a decade of working in Bitcoin security - the average user is lazy and is a procrastinator. If Bitcoiners are given a "drop dead date" after which they know vulnerable funds will be burned, this pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Allowing vulnerable users to delay upgrading indefinitely will result in more laggards, leaving the network more exposed when quantum tech becomes available.

Steel Manning

Clearly this is a complex and controversial topic, thus it's worth thinking through the opposing arguments.

Protecting Property Rights

Allowing quantum computers to take vulnerable bitcoin could potentially be spun as a hard money narrative - we care so greatly about not violating someone's access to their coins that we allow them to be stolen!

But I think the flip side to the property rights narrative is that burning vulnerable coins prevents said property from falling into undeserving hands. If the entire Bitcoin ecosystem just stands around and allows quantum adversaries to claim funds that rightfully belong to other users, is that really a "win" in the "protecting property rights" category? It feels more like apathy to me.

As such, I think the "protecting property rights" argument is a wash.

Quantum Computers Won't Attack Bitcoin

There is a great deal of skepticism that sufficiently powerful quantum computers will ever exist, so we shouldn't bother preparing for a non-existent threat. Others have argued that even if such a computer was built, a quantum attacker would not go after bitcoin because they wouldn't want to reveal their hand by doing so, and would instead attack other infrastructure.

It's quite difficult to quantify exactly how valuable attacking other infrastructure would be. It also really depends upon when an entity gains quantum supremacy and thus if by that time most of the world's systems have already been upgraded. While I think you could argue that certain entities gaining quantum capability might not attack Bitcoin, it would only delay the inevitable - eventually somebody will achieve the capability who decides to use it for such an attack.

Quantum Attackers Would Only Steal Small Amounts

Some have argued that even if a quantum attacker targeted bitcoin, they'd only go after old, likely lost P2PK outputs so as to not arouse suspicion and cause a market panic.

I'm not so sure about that; why go after 50 BTC at a time when you could take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero day exploit" game theory in which an attacker knows they have a limited amount of time before someone else discovers the exploit and either benefits from it or patches it. Take, for example, the recent ByBit attack - the highest value crypto hack of all time. Lazarus Group had compromised the Safe wallet front end JavaScript app and they could have simply had it reassign ownership of everyone's Safe wallets as they were interacting with their wallet. But instead they chose to only specifically target ByBit's wallet with $1.5 billion in it because they wanted to maximize their extractable value. If Lazarus had started stealing from every wallet, they would have been discovered quickly and the Safe web app would likely have been patched well before any billion dollar wallets executed the malicious code.

I think the "only stealing small amounts" argument is strongest for Situation #2 described earlier, where a quantum attacker arrives before quantum safe cryptography has been deployed across the Bitcoin ecosystem. Because if it became clear that Bitcoin's cryptography was broken AND there was nowhere safe for vulnerable users to migrate, the only logical option would be for everyone to liquidate their bitcoin as quickly as possible. As such, I don't think it applies as strongly for situations in which we have a migration path available.

The 21 Million Coin Supply Should be in Circulation

Some folks are arguing that it's important for the "circulating / spendable" supply to be as close to 21M as possible and that having a significant portion of the supply out of circulation is somehow undesirable.

While the "21M BTC" attribute is a strong memetic narrative, I don't think anyone has ever expected that it would all be in circulation. It has always been understood that many coins will be lost, and that's actually part of the game theory of owning bitcoin!

And remember, the 21M number in and of itself is not a particularly important detail - it's not even mentioned in the whitepaper. What's important is that the supply is well known and not subject to change.

Self-Sovereignty and Personal Responsibility

Bitcoin's design empowers individuals to control their own wealth, free from centralized intervention. This freedom comes with the burden of securing one's private keys. If quantum computing can break obsolete cryptography, the fault lies with users who didn't move their funds to quantum safe locking scripts. Expecting the network to shield users from their own negligence undermines the principle that you, and not a third party, are accountable for your assets.

I think this is generally a fair point that "the community" doesn't owe you anything in terms of helping you. I think that we do, however, need to consider the incentives and game theory in play with regard to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.

Code is Law

Bitcoin operates on transparent, immutable rules embedded in its protocol. If a quantum attacker uses superior technology to derive private keys from public keys, they're not "hacking" the system - they're simply following what's mathematically permissible within the current code. Altering the protocol to stop this introduces subjective human intervention, which clashes with the objective, deterministic nature of blockchain.

While I tend to agree that code is law, one of the entire points of laws is that they can be amended to improve their efficacy in reducing harm. Leaning on this point seems more like a pro-ossification stance that it's better to do nothing and allow harm to occur rather than take action to stop an attack that was foreseen far in advance.

Technological Evolution as a Feature, Not a Bug

It's well known that cryptography tends to weaken over time and eventually break. Quantum computing is just the next step in this progression. Users who fail to adapt (e.g., by adopting quantum-resistant wallets when available) are akin to those who ignored technological advancements like multisig or hardware wallets. Allowing quantum theft incentivizes innovation and keeps Bitcoin's ecosystem dynamic, punishing complacency while rewarding vigilance.

Market Signals Drive Security

If quantum attackers start stealing funds, it sends a clear signal to the market: upgrade your security or lose everything. This pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Coddling vulnerable users delays this necessary evolution, potentially leaving the network more exposed when quantum tech becomes widely accessible. Theft is a brutal but effective teacher.

Centralized Blacklisting Power

Burning vulnerable funds requires centralized decision-making - a soft fork to invalidate certain transactions. This sets a dangerous precedent for future interventions, eroding Bitcoin's decentralization. If quantum theft is blocked, what's next - reversing exchange hacks? The system must remain neutral, even if it means some lose out.

I think this could be a potential slippery slope if the proposal was to only burn specific addresses. Rather, I'd expect a neutral proposal to burn all funds in locking script types that are known to be quantum vulnerable. Thus, we could eliminate any subjectivity from the code.

Fairness in Competition

Quantum attackers aren't cheating; they're using publicly available physics and math. Anyone with the resources and foresight can build or access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU. Early adopters took risks and reaped rewards; quantum innovators are doing the same. Calling it "unfair" ignores that Bitcoin has never promised equality of outcome - only equality of opportunity within its rules.

I find this argument to be a mischaracterization because we're not talking about CPUs. This is more akin to talking about ASICs, except each ASIC costs millions if not billions of dollars. This is out of reach from all but the wealthiest organizations.

Economic Resilience

Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and emerged stronger. The market can absorb quantum losses, with unaffected users continuing to hold and new entrants buying in at lower prices. Fear of economic collapse overestimates the impact - the network's antifragility thrives on such challenges.

This is a big grey area because we don't know when a quantum computer will come online and we don't know how quickly said computers would be able to steal bitcoin. If, for example, the first generation of sufficiently powerful quantum computers were stealing less volume than the current block reward then of course it will have minimal economic impact. But if they're taking thousands of BTC per day and bringing them back into circulation, there will likely be a noticeable market impact as it absorbs the new supply.

This is where the circumstances will really matter. If a quantum attacker appears AFTER the Bitcoin protocol has been upgraded to support quantum resistant cryptography then we should expect the most valuable active wallets will have upgraded and the juiciest target would be the 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant since 2010. In general I'd expect that the amount of BTC re-entering the circulating supply would look somewhat similar to the mining emission curve: volume would start off very high as the most valuable addresses are drained and then it would fall off as quantum computers went down the list targeting addresses with less and less BTC.

Why is economic impact a factor worth considering? Miners and businesses in general. More coins being liquidated will push down the price, which will negatively impact miner revenue. Similarly, I can attest from working in the industry for a decade, that lower prices result in less demand from businesses across the entire industry. As such, burning quantum vulnerable bitcoin is good for the entire industry.

Practicality & Neutrality of Non-Intervention

There's no reliable way to distinguish "theft" from legitimate "white hat" key recovery. If someone loses their private key and a quantum computer recovers it, is that stealing or reclaiming? Policing quantum actions requires invasive assumptions about intent, which Bitcoin's trustless design can't accommodate. Letting the chips fall where they may avoids this mess.

Philosophical Purity

Bitcoin rejects bailouts. It's a cold, hard system where outcomes reflect preparation and skill, not sentimentality. If quantum computing upends the game, that's the point - Bitcoin isn't meant to be safe or fair in a nanny-state sense; it's meant to be free. Users who lose funds to quantum attacks are casualties of liberty and their own ignorance, not victims of injustice.

Bitcoin's DAO Moment

This situation has some similarities to The DAO hack of an Ethereum smart contract in 2016, which resulted in a fork to stop the attacker and return funds to their original owners. The game theory is similar because it's a situation where a threat is known but there's some period of time before the attacker can actually execute the theft. As such, there's time to mitigate the attack by changing the protocol.

It also created a schism in the community around the true meaning of "code is law," resulting in Ethereum Classic, which decided to allow the attacker to retain control of the stolen funds.

A soft fork to burn vulnerable bitcoin could certainly result in a hard fork if there are enough miners who reject the soft fork and continue including transactions.

Incentives Matter

We can wax philosophical until the cows come home, but what are the actual incentives for existing Bitcoin holders regarding this decision?

"Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone." - Satoshi Nakamoto

If true, the corollary is:

"Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone." - Jameson Lopp

Thus, assuming we get to a point where quantum resistant signatures are supported within the Bitcoin protocol, what's the incentive to let vulnerable coins remain spendable?

* It's not good for the actual owners of those coins. It disincentivizes owners from upgrading until perhaps it's too late.
* It's not good for the more attentive / responsible owners of coins who have quantum secured their stash. Allowing the circulating supply to balloon will assuredly reduce the purchasing power of all bitcoin holders.

Forking Game Theory

From a game theory point of view, I see this as incentivizing users to upgrade their wallets. If you disagree with the burning of vulnerable coins, all you have to do is move your funds to a quantum safe signature scheme. Point being, I don't see there being an economic majority (or even more than a tiny minority) of users who would fight such a soft fork. Why expend significant resources fighting a fork when you can just move your coins to a new address?

Remember that blocking spending of certain classes of locking scripts is a tightening of the rules - a soft fork. As such, it can be meaningfully enacted and enforced by a mere majority of hashpower. If miners generally agree that it's in their best interest to burn vulnerable coins, are other users going to care enough to put in the effort to run new node software that resists the soft fork? Seems unlikely to me.

How to Execute Burning

In order to be as objective as possible, the goal would be to announce to the world that after a specific block height / timestamp, Bitcoin nodes will no longer accept transactions (or blocks containing such transactions) that spend funds from any scripts other than the newly instituted quantum safe schemes.

It could take a staggered approach to first freeze funds that are susceptible to long-range attacks such as those in P2PK scripts or those that exposed their public keys due to previously re-using addresses, but I expect the additional complexity would drive further controversy.

How long should the grace period be in order to give the ecosystem time to upgrade? I'd say a minimum of 1 year for software wallets to upgrade. We can only hope that hardware wallet manufacturers are able to implement post quantum cryptography on their existing hardware with only a firmware update.

Beyond that, it will take at least 6 months worth of block space for all users to migrate their funds, even in a best case scenario. Though if you exclude dust UTXOs you could probably get 95% of BTC value migrated in 1 month. Of course this is a highly optimistic situation where everyone is completely focused on migrations - in reality it will take far longer.

Regardless, I'd think that in order to reasonably uphold Bitcoin's conservatism it would be preferable to allow a 4 year migration window. In the meantime, mining pools could coordinate emergency soft forking logic such that if quantum attackers materialized, they could accelerate the countdown to the quantum vulnerable funds burn.

Random Tangential Benefits

On the plus side, burning all quantum vulnerable bitcoin would allow us to prune all of those UTXOs out of the UTXO set, which would also clean up a lot of dust. Dust UTXOs are a bit of an annoyance and there has even been a recent proposal for how to incentivize cleaning them up.

We should also expect that incentivizing migration of the entire UTXO set will create substantial demand for block space that will sustain a fee market for a fairly lengthy amount of time.

In Summary

While the moral quandary of violating any of Bitcoin's inviolable properties can make this a very complex issue to discuss, the game theory and incentives between burning vulnerable coins versus allowing them to be claimed by entities with quantum supremacy appears to be a much simpler issue.

I, for one, am not interested in rewarding quantum capable entities by inflating the circulating money supply just because some people lost their keys long ago and some laggards are not upgrading their bitcoin wallet's security.

We can hope that this scenario never comes to pass, but hope is not a strategy.

I welcome your feedback upon any of the above points, and contribution of any arguments I failed to consider.
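The staggered freeze sketched under "How to Execute Burning" (freeze outputs whose public key is already on-chain first, everything non-quantum-safe later) can be expressed as a policy function over locking-script types. Below is an added example, not code from the post or from any Bitcoin implementation: it classifies a scriptPubKey, decides whether it exposes a key today (P2PK and P2TR put the key in the script; hash-based scripts only expose it once spent from, i.e. on address reuse), and applies constructed deadlines; the quantum-safe script type is a placeholder since none exists yet, and all sample scripts use fake key and hash bytes.

```python
"""Classify Bitcoin outputs by on-chain key exposure and apply a staggered
freeze schedule. Added example; sample scripts and deadlines are constructed."""

OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_EQUAL, OP_EQUALVERIFY = 0x76, 0x87, 0x88
OP_HASH160, OP_CHECKSIG = 0xA9, 0xAC


def classify_script(spk: bytes) -> str:
    """Label a scriptPubKey with its standard template, or 'unknown'."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"       # <pubkey> OP_CHECKSIG: the key itself is on-chain
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh"      # only HASH160(pubkey) is on-chain
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[22] == OP_EQUAL:
        return "p2sh"
    if n == 22 and spk[0] == OP_0 and spk[1] == 20:
        return "p2wpkh"
    if n == 34 and spk[0] == OP_0 and spk[1] == 32:
        return "p2wsh"
    if n == 34 and spk[0] == OP_1 and spk[1] == 32:
        return "p2tr"       # x-only output key is in the script
    return "unknown"


def key_exposure(spk: bytes, spent_from_before: bool) -> str:
    """'exposed': a key is already public, so a long-range attack can start now.
    'hashed': the key only appears in the spending transaction (short-range)."""
    kind = classify_script(spk)
    if kind in ("p2pk", "p2tr"):
        return "exposed"
    if kind in ("p2pkh", "p2wpkh", "p2sh", "p2wsh"):
        # An earlier spend from the same script revealed the key / redeem script.
        return "exposed" if spent_from_before else "hashed"
    return "unknown"


def spendable_at(height: int, spk: bytes, spent_from_before: bool,
                 exposed_deadline: int, all_deadline: int,
                 safe_types: frozenset = frozenset()) -> bool:
    """Staggered freeze: exposed-key outputs freeze at exposed_deadline, every
    other non-safe script freezes at all_deadline. safe_types is a placeholder
    for whatever post-quantum script type is eventually deployed (hypothetical)."""
    kind = classify_script(spk)
    if kind in safe_types:
        return True
    if height >= all_deadline:
        return False
    if height >= exposed_deadline and key_exposure(spk, spent_from_before) == "exposed":
        return False
    return True


# Constructed sample scripts (fake key/hash bytes, not real on-chain data).
FAKE_PUBKEY = bytes([0x02]) + bytes([0x11]) * 32
FAKE_HASH20 = bytes([0x22]) * 20
FAKE_XONLY = bytes([0x33]) * 32
P2PK = bytes([33]) + FAKE_PUBKEY + bytes([OP_CHECKSIG])
P2PKH = bytes([OP_DUP, OP_HASH160, 20]) + FAKE_HASH20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2WPKH = bytes([OP_0, 20]) + FAKE_HASH20
P2TR = bytes([OP_1, 32]) + FAKE_XONLY

if __name__ == "__main__":
    # Constructed deadlines: exposed keys freeze at 900000, the rest at 1000000.
    for name, spk, reused in (("p2pk", P2PK, False), ("p2pkh", P2PKH, False),
                               ("p2pkh reused", P2PKH, True), ("p2tr", P2TR, False)):
        print(name, key_exposure(spk, reused),
              spendable_at(900_000, spk, reused, 900_000, 1_000_000))
```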

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com.