One major issue with a mandatory transition to quantum-resistant addresses that I haven't seen brought up is that block size is limited. In such a scenario, it could be highly beneficial for parties that benefit from high fees to flood the network with bogus transactions to force the fees arbitrarily high, since people would then be forced to either pay exorbitant fees to move their funds by the deadline, or lose their funds entirely. As such, this does not seem like a good idea in general, at least unless the transition period is extremely long (say 10 years or more). A less drastic proposal could be to (at least initially) only disable spending from the less common outputs that have no inherent quantum resistance by virtue of having a hashed public key, such as P2PK and P2TR, while leaving the safer variants with hashed public keys like P2PKH and P2WPKH spendable. Most analyses of quantum algorithms I have read suggest that at least initially, they would take a significant amount of time to calculate a private key even if the public key is known, which means that even if there were a quantum breakthrough, there should be a relatively low chance of having funds intercepted between broadcasting it (which would of course reveal the public key) and having it included in a block. Furthermore, there would always be the option of only revealing the transaction to a trusted miner rather than broadcasting it, foregoing the risk entirely. UTXOs with hashed public keys might still need to be disabled at some point, seeing as a non-insignificant number of them have a revealed public key due to address reuse, and that quantum computers might eventually reach the point where the chance of breaking a private key after broadcasting but before block inclusion is non-insignificant, but this should at least alleviate the initial rush of disabling everything at once. -- Best, ArmchairCryptologist On Sunday, March 9th, 2025 at 1:53 AM, Agustin Cruz wrote: > Hi Michal, > > I completely understand your point of view. However, the concern with QRAMP isn’t about arbitrarily punishing users or confiscating assets without reason. Rather, it’s about mitigating a very real, systemic risk. If a significant amount of funds remains in legacy addresses and a quantum breakthrough occurs, the attack wouldn’t be a one-off incident targeting a few unlucky individuals. Instead, it could compromise the security of the entire network, affecting countless users and shaking confidence in Bitcoin as a whole. > > The enforcement aspect of QRAMP is intended as a last-resort safety mechanism after a long and well-communicated migration period. It’s designed to ensure that by the time any quantum-capable adversary comes along, almost everyone’s funds are protected by quantum-resistant cryptography. The goal is to preempt a scenario where the vulnerability becomes so widespread that a malicious actor could trigger a massive, destabilizing reallocation of wealth. > > The enforced migration is less about penalizing users and more about preserving the long-term security and stability of the network for everyone. > > Best regards, > Agustin > > El sáb, 8 de mar de 2025, 9:22 p. m., Michal Kolesár escribió: > >> Dear Agustin, >> >> enforcement in general doesn’t seem like a good choice to me. If I were to compare it to the real world, it’s as if people had money or jewelry in bank vaults that were unbreakable at the time they were stored. After a certain period, it’s discovered that these vaults could be breached, and we’d tell everyone they have to buy new vaults and move their diamonds, gold, and banknotes into them. If they don’t do it, everything in their old vaults would be confiscated and destroyed. Surely, it’s normal that people would naturally buy new vaults (or move to safer ones) if they’re informed well in advance and loudly enough about the outdated vaults. And if they decide not to replace them, someone will eventually break in sooner or later and become the new owner of their "wealth." That’s how it works in the real world, after all. Yes, perhaps if someone steals a large amount of Bitcoin en masse, it might temporarily lower its value. But that’s fine—it would just redistribute old, lost, or unused Bitcoins into new ownership, where someone would start using them. It’s like finding a lost treasure from the past at the bottom of the ocean. >> >> Best regards, >> Michal >> >> On Wednesday, February 12, 2025 at 1:10:17 AM UTC+1 Agustin Cruz wrote: >> >>> Dear Bitcoin Developers, >>> >>> I am writing to share my proposal for a new Bitcoin Improvement Proposal (BIP) titled Quantum-Resistant Address Migration Protocol (QRAMP). The goal of this proposal is to safeguard Bitcoin against potential future quantum attacks by enforcing a mandatory migration period for funds held in legacy Bitcoin addresses (secured by ECDSA) to quantum-resistant addresses. >>> >>> The proposal outlines: >>> >>> - Reducing Vulnerabilities: Transitioning funds to quantum-resistant schemes preemptively to eliminate the risk posed by quantum attacks on exposed public keys. >>> - Enforcing Timelines: A hard migration deadline that forces timely action, rather than relying on a gradual, voluntary migration that might leave many users at risk. >>> - Balancing Risks: Weighing the non-trivial risk of funds being permanently locked against the potential catastrophic impact of a quantum attack on Bitcoin’s security. >>> >>> Additionally, the proposal addresses common criticisms such as the risk of permanent fund loss, uncertain quantum timelines, and the potential for chain splits. It also details backwards compatibility measures, comprehensive security considerations, an extensive suite of test cases, and a reference implementation plan that includes script interpreter changes, wallet software updates, and network monitoring tools. >>> >>> For your convenience, I have published the full proposal on my GitHub repository. You can review it at the following link: >>> >>> [Quantum-Resistant Address Migration Protocol (QRAMP) Proposal on GitHub](https://github.com/chucrut/bips/blob/master/bip-xxxxx.md) >>> >>> I welcome your feedback and suggestions and look forward to engaging in a constructive discussion on how best to enhance the security and resilience of the Bitcoin network in the quantum computing era. >>> >>> Thank you for your time and consideration. >>> >>> Best regards, >>> >>> Agustin Cruz >> >> -- >> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. >> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. >> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/83e89408-a20c-4297-96eb-3ca353be02abn%40googlegroups.com. > > -- > You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. > To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. > To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAJDmzYxAv8ahPOoTVryqy6oE8nUX0%2B49BHHhO%3D%3DM1HpZCuMNbQ%40mail.gmail.com. -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/ExSOriyqgy0FlVg3j_ZU9jMNQo5rgPRp2mVlp50gJEAtEy79NgFVMBOxchgG2mi6OVJWNN5UM5oXgrPrML_OAhT6v2-S1KVZ1oI14PjSEcw%3D%40protonmail.com.