From: waxwing/ AdamISZ <ekaggata@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Date: Tue, 27 May 2025 18:07:56 -0700 (PDT)
Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin

Hi all,

I'd like to point out that the worst case scenarios here might be even worse than one naturally thinks.

(1) The first part is obvious: even though unlikely, it's possible that a certain group gains access to this functionality well in advance of the general state of the art, and not only that, but decides to steal coins only surreptitiously. This may be economically optimal for the thieves, but may also be negative-optimal (pessimal?) for the rest of us: because there will be continuous controversy about whether the theft happened, which relates to the unobvious point:

(2) The second part is somehow even way worse: that a well funded (but not having to spend money) attacker (not thief) on the system creates panic by pretending to have its coins stolen, even though it does not have access to an ECDLP break. This would be most likely in taproot, because they cannot prepare this attack in advance on coins created in 2009-10.
Their only task is to create credibility amongst the general Bitcoin public, and thus force sufficient controversy for perhaps a chain split based on disagreeing with how to deal with the threat. I admit this is fairly fanciful, but imagine it occurring in combination with a heavily pushed proposal for a technically unsound solution to the problem which actually undermines Bitcoin's safety.

Notice that this second observation illustrates the sense in which this is crucially very different from the DAO as Jameson suggests: the act of theft is not unambiguously visible. (Well, to be fair, the phrase was "*some* similarities"! :) )

Two more observations:

(3) I do really like the "disabled NUMS" concept in regard to taproot external keys, for paving the way to PQC in tapleaf. This is one kind of censorship that cannot be controversial.

(4) (In this I agree with Saulo Fonseca.) My second observation might be unpopular, but I think that a burning-coins softfork will be appallingly hard to come to consensus on, and probably shouldn't even be attempted ((2) is relevant here). I don't think it's going to happen. I think we need some cryptographic chicanery that allows spending currently-hashed UTXOs safely, along the lines of what Tim Ruffing, Adam Back and others have discussed in the past, and that P2PK that is untouched even during a transition is just a lost cause. (I also think that this is very, very far in the future, but that is 100% opinion, not fact.)

On Sunday, May 25, 2025 at 9:48:19 PM UTC-3 Agustin Cruz wrote:

> Hi everyone,
>
> The QRAMP proposal aims to manage the quantum transition responsibly without disrupting Bitcoin’s core principles.
>
> QRAMP has three phases:
>
> 1. Allow wallets to optionally include PQC keys in Taproot outputs. This enables early adoption without forcing anyone.
>
> 2. Announce a soft fork to disable vulnerable scripts, with a long (~4-year) grace period. This gives ample time to migrate and avoids sudden shocks.
>
> 3. Gradually deactivate vulnerable outputs based on age or inactivity. This avoids a harsh cutoff and gives time for adaptation.
>
> We can also allow exceptions via proof-of-possession, and delay restrictions on timelocked outputs to avoid harming future spenders.
>
> QRAMP is not about confiscation or control. It’s about aligning incentives, maintaining security, and offering a clear, non-coercive upgrade path.
>
> Best,
> Agustin Cruz
>
> On Sun, May 25, 2025, 7:03 p.m., Dustin Ray wrote:
>
>> The difference between the ETH/ETC split though was that no one had anything confiscated except the DAO hacker; everyone retained an identical number of tokens on each chain. The proposal for BTC is very different in that some holders will lose access to their coins during the PQ migration under the confiscation approach. Just wanted to point that out.
>>
>> On Sun, May 25, 2025 at 3:06 PM 'conduition' via Bitcoin Development Mailing List wrote:
>>
>>> Hey Saulo,
>>>
>>> You're right about the possibility of an ugly split. Laggards who don't move coins to PQ address schemes will be incentivized to follow any chain where they keep their coins. But those who do migrate will be incentivized to follow the chain where unmigrated pre-quantum coins are frozen.
>>>
>>> While you're comparing this event to the ETH/ETC split, we should remember that ETH remained the dominant chain despite their heavy-handed rollback. Just goes to show, confusion and face-loss is a lesser evil than allowing an adversary to pwn the network.
>>>
>>> This is the free-market way to solve problems without imposing rules on everyone.
>>> It'd still be a free market even if quantum-vulnerable coins are frozen. The only way to test the relative value of quantum-safe vs quantum-vulnerable coins is to split the chain and see how the market reacts.
>>>
>>> IMO, the "free market way" is to give people options and let their money flow to where it works best. That means people should be able to choose whether they want their money to be part of a system that allows quantum attack, or part of one which does not. I know which I would choose, but neither you nor I can make that choice for everyone.
>>>
>>> regards,
>>> conduition
>>>
>>> On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz <agusti...@gmail.com> wrote:
>>>
>>> I’m against letting quantum computers scoop up funds from addresses that don’t upgrade to quantum-resistant.
>>>
>>> Saulo’s idea of a free-market approach, leaving old coins up for grabs if people don’t move them, sounds fair at first. Let luck decide, right? But I worry it’d turn into a mess. If quantum machines start cracking keys and snagging coins, it’s not just lost Satoshi-era stuff at risk. Plenty of active wallets, like those on the rich list Jameson mentioned, could get hit too. Imagine millions of BTC flooding the market. Prices tank, trust in Bitcoin takes a dive, and we all feel the pain. Freezing those vulnerable funds keeps that chaos in check.
>>>
>>> Plus, “your keys, your coins” is Bitcoin’s heart. If quantum tech can steal from you just because you didn’t upgrade fast enough, that promise feels shaky. Freezing funds after a heads-up period (say, four years) protects that idea better than letting tech giants or rogue states play vampire with our network.
>>> It also nudges people to get their act together and move to safer addresses, which strengthens Bitcoin long-term.
>>>
>>> Saulo’s right that freezing coins could confuse folks or spark a split like Ethereum Classic. But I’d argue quantum theft would look worse. Bitcoin would seem broken, not just strict. A clear plan and enough time to migrate could smooth things over. History’s on our side too. Bitcoin’s fixed bugs before, like SegWit. This feels like that, not a bailout.
>>>
>>> So yeah, I’d rather see vulnerable coins locked than handed to whoever builds the first quantum rig. It’s less about coddling people and more about keeping Bitcoin solid for everyone. What do you all think?
>>>
>>> Cheers,
>>> Agustín
>>>
>>> On Sun, Mar 23, 2025 at 10:29 PM AstroTown wrote:
>>>
>>>> I believe that having some entity announce the decision to freeze old UTXOs would be more damaging to Bitcoin’s image (and its value) than having them gathered by QC. This would create another version of Bitcoin, similar to Ethereum Classic, causing confusion in the market.
>>>>
>>>> It would be better to simply implement the possibility of moving funds to a PQC address without a deadline, allowing those who fail to do so to rely on luck to avoid having their coins stolen. Most coins would be migrated to PQC anyway, and in most cases, only the lost ones would remain vulnerable. This is the free-market way to solve problems without imposing rules on everyone.
>>>>
>>>> Saulo Fonseca
>>>>
>>>> On 16. Mar 2025, at 15:15, Jameson Lopp wrote:
>>>>
>>>> The quantum computing debate is heating up. There are many controversial aspects to this debate, including whether or not quantum computers will ever actually become a practical threat.
>>>> I won't tread into the unanswerable question of how worried we should be about quantum computers. I think it's far from a crisis, but given the difficulty in changing Bitcoin it's worth starting to seriously discuss. Today I wish to focus on a philosophical quandary related to one of the decisions that would need to be made if and when we implement a quantum safe signature scheme.
>>>>
>>>> Several Scenarios
>>>> Because this essay will reference game theory a fair amount, and there are many variables at play that could change the nature of the game, I think it's important to clarify the possible scenarios up front.
>>>>
>>>> 1. Quantum computing never materializes, never becomes a threat, and thus everything discussed in this essay is moot.
>>>> 2. A quantum computing threat materializes suddenly and Bitcoin does not have quantum safe signatures as part of the protocol. In this scenario it would likely make the points below moot because Bitcoin would be fundamentally broken and it would take far too long to upgrade the protocol, wallet software, and migrate user funds in order to restore confidence in the network.
>>>> 3. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been minimally adopted by the time an attacker appears.
>>>> 4. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been highly adopted by the time an attacker appears.
>>>>
>>>> For the purposes of this post, I'm envisioning being in situation 3 or 4.
>>>>
>>>> To Freeze or not to Freeze?
>>>> I've started seeing more people weighing in on what is likely the most contentious aspect of how a quantum resistance upgrade should be handled in terms of migrating user funds. Should quantum vulnerable funds be left open to be swept by anyone with a sufficiently powerful quantum computer OR should they be permanently locked?
>>>>
>>>>> "I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation."
>>>>
>>>> - Hunter Beast
>>>>
>>>> On the other hand:
>>>>
>>>>> "Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone; even those which diligently moved their coins to PQC-protected schemes."
>>>>> - Pieter Wuille
>>>>
>>>> I don't think "confiscation" is the most precise term to use, as the funds are not being seized and reassigned. Rather, what we're really discussing would be better described as "burning" - placing the funds *out of reach of everyone*.
>>>> Not freezing user funds is one of Bitcoin's inviolable properties. However, if quantum computing becomes a threat to Bitcoin's elliptic curve cryptography, *an inviolable property of Bitcoin will be violated one way or another*.
>>>>
>>>> Fundamental Properties at Risk
>>>> 5 years ago I attempted to comprehensively categorize all of Bitcoin's fundamental properties that give it value.
>>>> https://nakamoto.com/what-are-the-key-properties-of-bitcoin/
>>>>
>>>> The particular properties in play with regard to this issue seem to be:
>>>>
>>>> *Censorship Resistance* - No one should have the power to prevent others from using their bitcoin or interacting with the network.
>>>>
>>>> *Forward Compatibility* - changing the rules such that certain valid transactions become invalid could undermine confidence in the protocol.
>>>>
>>>> *Conservatism* - Users should not be expected to be highly responsive to system issues.
>>>>
>>>> As a result of the above principles, we have developed a strong meme (kudos to Andreas Antonopoulos) that goes as follows:
>>>>
>>>> Not your keys, not your coins.
>>>>
>>>> I posit that the corollary to this principle is:
>>>>
>>>> Your keys, only your coins.
>>>>
>>>> A quantum capable entity breaks the corollary of this foundational principle. We secure our bitcoin with the mathematical probabilities related to extremely large random numbers. Your funds are only secure because truly random large numbers should not be guessable or discoverable by anyone else in the world.
>>>>
>>>> This is the principle behind the motto *vires in numeris* - strength in numbers. In a world with quantum enabled adversaries, this principle is null and void for many types of cryptography, including the elliptic curve digital signatures used in Bitcoin.
>>>>
>>>> Who is at Risk?
>>>> There has long been a narrative that Satoshi's coins and others from the Satoshi era of P2PK locking scripts that exposed the public key directly on the blockchain will be those that get scooped up by a quantum "miner." But unfortunately it's not that simple. If I had a powerful quantum computer, which coins would I target? I'd go to the Bitcoin rich list and find the wallets that have exposed their public keys due to re-using addresses that have previously been spent from. You can easily find them at https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html
>>>>
>>>> Note that a few of these wallets, like Bitfinex / Kraken / Tether, would be slightly harder to crack because they are multisig wallets. So a quantum attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfinex / Tether in order to spend funds. But many are single signature.
>>>>
>>>> Point being, it's not only the really old lost BTC that are at risk to a quantum enabled adversary, at least at time of writing. If we add a quantum safe signature scheme, we should expect those wallets to be some of the first to upgrade given their incentives.
>>>>
>>>> The Ethical Dilemma: Quantifying Harm
>>>> Which decision results in the most harm?
>>>>
>>>> By making quantum vulnerable funds unspendable we potentially harm some Bitcoin users who were not paying attention and neglected to migrate their funds to a quantum safe locking script. This violates the "conservatism" principle stated earlier. On the flip side, we prevent those funds plus far more lost funds from falling into the hands of the few privileged folks who gain early access to quantum computers.
>>>> By leaving quantum vulnerable funds available to spend, the same set of users who would otherwise have funds frozen are likely to see them stolen. And many early adopters who lost their keys will eventually see their unreachable funds scooped up by a quantum enabled adversary.
>>>>
>>>> Imagine, for example, being James Howells, who accidentally threw away a hard drive with 8,000 BTC on it, currently worth over $600M USD. He has spent a decade trying to retrieve it from the landfill where he knows it's buried, but can't get permission to excavate. I suspect that, given the choice, he'd prefer those funds be permanently frozen rather than fall into someone else's possession - I know I would.
>>>>
>>>> Allowing a quantum computer to access lost funds doesn't make those users any worse off than they were before, however it *would* have a negative impact upon everyone who is currently holding bitcoin.
>>>>
>>>> It's prudent to expect significant economic disruption if large amounts of coins fall into new hands. Since a quantum computer is going to have a massive up front cost, expect those behind it to desire to recoup their investment. We also know from experience that when someone suddenly finds themselves in possession of 9+ figures worth of highly liquid assets, they tend to diversify into other things by selling.
>>>>
>>>> Allowing quantum recovery of bitcoin is *tantamount to wealth redistribution*. What we'd be allowing is for bitcoin to be redistributed from those who are ignorant of quantum computers to those who have won the technological race to acquire quantum computers. It's hard to see a bright side to that scenario.
>>>>
>>>> Is Quantum Recovery Good for Anyone?
>>>>
>>>> Does quantum recovery HELP anyone?
>>>> I've yet to come across an argument that it's a net positive in any way. It certainly doesn't add any security to the network. If anything, it greatly decreases the security of the network by allowing funds to be claimed by those who did not earn them.
>>>>
>>>> But wait, you may be thinking, wouldn't quantum "miners" have earned their coins by all the work and resources invested in building a quantum computer? I suppose, in the same sense that a burglar earns their spoils by the resources they invest into surveilling targets and learning the skills needed to break into buildings. When I say "earned" I mean through productive mutual trade.
>>>>
>>>> For example:
>>>>
>>>> * Investors earn BTC by trading for other currencies.
>>>> * Merchants earn BTC by trading for goods and services.
>>>> * Miners earn BTC by trading thermodynamic security.
>>>> * Quantum miners don't trade anything, they are vampires feeding upon the system.
>>>>
>>>> There's no reason to believe that allowing quantum adversaries to recover vulnerable bitcoin will be of benefit to anyone other than the select few organizations that win the technological arms race to build the first such computers. Probably nation states and/or the top few largest tech companies.
>>>>
>>>> One could certainly hope that an organization with quantum supremacy is benevolent and acts in a "white hat" manner to return lost coins to their owners, but that's incredibly optimistic and foolish to rely upon. Such a situation creates an insurmountable ethical dilemma of only recovering lost bitcoin rather than currently owned bitcoin. There's no way to precisely differentiate between the two; anyone can claim to have lost their bitcoin but if they have lost their keys then proving they ever had the keys becomes rather difficult.
>>>> I imagine that any such white hat recovery efforts would have to rely upon attestations from trusted third parties like exchanges.
>>>>
>>>> Even if the first actor with quantum supremacy is benevolent, we must assume the technology could fall into adversarial hands and thus think adversarially about the potential worst case outcomes. Imagine, for example, that North Korea continues scooping up billions of dollars from hacking crypto exchanges and decides to invest some of those proceeds into building a quantum computer for the biggest payday ever...
>>>>
>>>> Downsides to Allowing Quantum Recovery
>>>> Let's think through an exhaustive list of pros and cons for allowing or preventing the seizure of funds by a quantum adversary.
>>>>
>>>> Historical Precedent
>>>> Previous protocol vulnerabilities weren’t celebrated as "fair game" but rather were treated as failures to be remediated. Treating quantum theft differently risks rewriting Bitcoin’s history as a free-for-all rather than a system that seeks to protect its users.
>>>>
>>>> Violation of Property Rights
>>>> Allowing a quantum adversary to take control of funds undermines the fundamental principle of cryptocurrency - if you keep your keys in your possession, only you should be able to access your money. Bitcoin is built on the idea that private keys secure an individual’s assets, and unauthorized access (even via advanced tech) is theft, not a legitimate transfer.
>>>>
>>>> Erosion of Trust in Bitcoin
>>>> If quantum attackers can exploit vulnerable addresses, confidence in Bitcoin as a secure store of value would collapse. Users and investors rely on cryptographic integrity, and widespread theft could drive adoption away from Bitcoin, destabilizing its ecosystem.
>>>> This is essentially the counterpoint to claiming the burning of vulnerable funds is a violation of property rights. While some will certainly see it as such, others will find the apathy toward stopping quantum theft to be similarly concerning.
>>>>
>>>> Unfair Advantage
>>>> Quantum attackers, likely equipped with rare and expensive technology, would have an unjust edge over regular users who lack access to such tools. This creates an inequitable system where only the technologically elite can exploit others, contradicting Bitcoin’s ethos of decentralized power.
>>>>
>>>> Bitcoin is designed to create an asymmetric advantage for DEFENDING one's wealth. It's supposed to be impractically expensive for attackers to crack the entropy and cryptography protecting one's coins. But now we find ourselves discussing a situation where this asymmetric advantage is compromised in favor of a specific class of attackers.
>>>>
>>>> Economic Disruption
>>>> Large-scale theft from vulnerable addresses could crash Bitcoin’s price as quantum recovered funds are dumped on exchanges. This would harm all holders, not just those directly targeted, leading to broader financial chaos in the markets.
>>>>
>>>> Moral Responsibility
>>>> Permitting theft via quantum computing sets a precedent that technological superiority justifies unethical behavior. This is essentially taking a "code is law" stance in which we refuse to admit that both code and laws can be modified to adapt to previously unforeseen situations.
>>>>
>>>> Burning of coins can certainly be considered a form of theft, thus I think it's worth differentiating the two different thefts being discussed:
>>>>
>>>> 1. self-enriching & likely malicious
>>>> 2. harm prevention & not necessarily malicious
>>>>
>>>> Both options lack the consent of the party whose coins are being burnt or transferred, thus I think the simple argument that theft is immoral becomes a wash and it's important to drill down into the details of each.
>>>>
>>>> Incentives Drive Security
>>>> I can tell you from a decade of working in Bitcoin security - the average user is lazy and is a procrastinator. If Bitcoiners are given a "drop dead date" after which they know vulnerable funds will be burned, this pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Allowing vulnerable users to delay upgrading indefinitely will result in more laggards, leaving the network more exposed when quantum tech becomes available.
>>>>
>>>> Steel Manning
>>>> Clearly this is a complex and controversial topic, thus it's worth thinking through the opposing arguments.
>>>>
>>>> Protecting Property Rights
>>>> Allowing quantum computers to take vulnerable bitcoin could potentially be spun as a hard money narrative - we care so greatly about not violating someone's access to their coins that we allow them to be stolen!
>>>>
>>>> But I think the flip side to the property rights narrative is that burning vulnerable coins prevents said property from falling into undeserving hands. If the entire Bitcoin ecosystem just stands around and allows quantum adversaries to claim funds that rightfully belong to other users, is that really a "win" in the "protecting property rights" category? It feels more like apathy to me.
>>>>
>>>> As such, I think the "protecting property rights" argument is a wash.
>>>> Quantum Computers Won't Attack Bitcoin
>>>> There is a great deal of skepticism that sufficiently powerful quantum computers will ever exist, so we shouldn't bother preparing for a non-existent threat. Others have argued that even if such a computer was built, a quantum attacker would not go after bitcoin because they wouldn't want to reveal their hand by doing so, and would instead attack other infrastructure.
>>>>
>>>> It's quite difficult to quantify exactly how valuable attacking other infrastructure would be. It also really depends upon when an entity gains quantum supremacy and thus if by that time most of the world's systems have already been upgraded. While I think you could argue that certain entities gaining quantum capability might not attack Bitcoin, it would only delay the inevitable - eventually somebody will achieve the capability who decides to use it for such an attack.
>>>>
>>>> Quantum Attackers Would Only Steal Small Amounts
>>>> Some have argued that even if a quantum attacker targeted bitcoin, they'd only go after old, likely lost P2PK outputs so as to not arouse suspicion and cause a market panic.
>>>>
>>>> I'm not so sure about that; why go after 50 BTC at a time when you could take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero day exploit" game theory in which an attacker knows they have a limited amount of time before someone else discovers the exploit and either benefits from it or patches it. Take, for example, the recent ByBit attack - the highest value crypto hack of all time. Lazarus Group had compromised the Safe wallet front end JavaScript app and they could have simply had it reassign ownership of everyone's Safe wallets as they were interacting with their wallet.
But instead they chose to only specifically target ByBit= 's=20 >>>> wallet with $1.5 billion in it because they wanted to maximize their= =20 >>>> extractable value. If Lazarus had started stealing from every wallet, = they=20 >>>> would have been discovered quickly and the Safe web app would likely h= ave=20 >>>> been patched well before any billion dollar wallets executed the malic= ious=20 >>>> code. >>>> >>>> I think the "only stealing small amounts" argument is strongest for=20 >>>> Situation #2 described earlier, where a quantum attacker arrives befor= e=20 >>>> quantum safe cryptography has been deployed across the Bitcoin ecosyst= em.=20 >>>> Because if it became clear that Bitcoin's cryptography was broken AND = there=20 >>>> was nowhere safe for vulnerable users to migrate, the only logical opt= ion=20 >>>> would be for everyone to liquidate their bitcoin as quickly as possibl= e. As=20 >>>> such, I don't think it applies as strongly for situations in which we = have=20 >>>> a migration path available. >>>> >>>> The 21 Million Coin Supply Should be in Circulation >>>> Some folks are arguing that it's important for the "circulating /=20 >>>> spendable" supply to be as close to 21M as possible and that having a= =20 >>>> significant portion of the supply out of circulation is somehow undesi= rable. >>>> >>>> While the "21M BTC" attribute is a strong memetic narrative, I don't= =20 >>>> think anyone has ever expected that it would all be in circulation. It= has=20 >>>> always been understood that many coins will be lost, and that's actual= ly=20 >>>> part of the game theory of owning bitcoin! >>>> >>>> And remember, the 21M number in and of itself is not a particularly=20 >>>> important detail - it's not even mentioned in the whitepaper. What's= =20 >>>> important is that the supply is well known and not subject to change. 
>>>>
>>>> Self-Sovereignty and Personal Responsibility
>>>> Bitcoin’s design empowers individuals to control their own wealth, free from centralized intervention. This freedom comes with the burden of securing one's private keys. If quantum computing can break obsolete cryptography, the fault lies with users who didn't move their funds to quantum safe locking scripts. Expecting the network to shield users from their own negligence undermines the principle that you, and not a third party, are accountable for your assets.
>>>>
>>>> I think this is generally a fair point that "the community" doesn't owe you anything in terms of helping you. I think that we do, however, need to consider the incentives and game theory in play with regard to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.
>>>>
>>>> Code is Law
>>>> Bitcoin operates on transparent, immutable rules embedded in its protocol. If a quantum attacker uses superior technology to derive private keys from public keys, they’re not "hacking" the system - they're simply following what's mathematically permissible within the current code. Altering the protocol to stop this introduces subjective human intervention, which clashes with the objective, deterministic nature of blockchain.
>>>>
>>>> While I tend to agree that code is law, one of the entire points of laws is that they can be amended to improve their efficacy in reducing harm. Leaning on this point seems more like a pro-ossification stance that it's better to do nothing and allow harm to occur rather than take action to stop an attack that was foreseen far in advance.
>>>>
>>>> Technological Evolution as a Feature, Not a Bug
>>>> It's well known that cryptography tends to weaken over time and eventually break. Quantum computing is just the next step in this progression. Users who fail to adapt (e.g., by adopting quantum-resistant wallets when available) are akin to those who ignored technological advancements like multisig or hardware wallets. Allowing quantum theft incentivizes innovation and keeps Bitcoin’s ecosystem dynamic, punishing complacency while rewarding vigilance.
>>>>
>>>> Market Signals Drive Security
>>>> If quantum attackers start stealing funds, it sends a clear signal to the market: upgrade your security or lose everything. This pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Coddling vulnerable users delays this necessary evolution, potentially leaving the network more exposed when quantum tech becomes widely accessible. Theft is a brutal but effective teacher.
>>>>
>>>> Centralized Blacklisting Power
>>>> Burning vulnerable funds requires centralized decision-making - a soft fork to invalidate certain transactions. This sets a dangerous precedent for future interventions, eroding Bitcoin’s decentralization. If quantum theft is blocked, what’s next - reversing exchange hacks? The system must remain neutral, even if it means some lose out.
>>>>
>>>> I think this could be a potential slippery slope if the proposal was to only burn specific addresses. Rather, I'd expect a neutral proposal to burn all funds in locking script types that are known to be quantum vulnerable. Thus, we could eliminate any subjectivity from the code.
>>>>
>>>> Fairness in Competition
>>>> Quantum attackers aren't cheating; they're using publicly available physics and math. Anyone with the resources and foresight can build or access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU. Early adopters took risks and reaped rewards; quantum innovators are doing the same. Calling it “unfair” ignores that Bitcoin has never promised equality of outcome - only equality of opportunity within its rules.
>>>>
>>>> I find this argument to be a mischaracterization because we're not talking about CPUs. This is more akin to talking about ASICs, except each ASIC costs millions if not billions of dollars. This is out of reach from all but the wealthiest organizations.
>>>>
>>>> Economic Resilience
>>>> Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and emerged stronger. The market can absorb quantum losses, with unaffected users continuing to hold and new entrants buying in at lower prices. Fear of economic collapse overestimates the impact - the network’s antifragility thrives on such challenges.
>>>>
>>>> This is a big grey area because we don't know when a quantum computer will come online and we don't know how quickly said computers would be able to steal bitcoin. If, for example, the first generation of sufficiently powerful quantum computers were stealing less volume than the current block reward then of course it will have minimal economic impact. But if they're taking thousands of BTC per day and bringing them back into circulation, there will likely be a noticeable market impact as it absorbs the new supply.
>>>>
>>>> This is where the circumstances will really matter. If a quantum attacker appears AFTER the Bitcoin protocol has been upgraded to support quantum resistant cryptography then we should expect the most valuable active wallets will have upgraded and the juiciest target would be the 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant since 2010. In general I'd expect that the amount of BTC re-entering the circulating supply would look somewhat similar to the mining emission curve: volume would start off very high as the most valuable addresses are drained and then it would fall off as quantum computers went down the list targeting addresses with less and less BTC.
>>>>
>>>> Why is economic impact a factor worth considering? Miners and businesses in general. More coins being liquidated will push down the price, which will negatively impact miner revenue. Similarly, I can attest from working in the industry for a decade, that lower prices result in less demand from businesses across the entire industry. As such, burning quantum vulnerable bitcoin is good for the entire industry.
>>>>
>>>> Practicality & Neutrality of Non-Intervention
>>>> There’s no reliable way to distinguish “theft” from legitimate "white hat" key recovery. If someone loses their private key and a quantum computer recovers it, is that stealing or reclaiming? Policing quantum actions requires invasive assumptions about intent, which Bitcoin’s trustless design can’t accommodate. Letting the chips fall where they may avoids this mess.
>>>>
>>>> Philosophical Purity
>>>> Bitcoin rejects bailouts. It’s a cold, hard system where outcomes reflect preparation and skill, not sentimentality. If quantum computing upends the game, that’s the point - Bitcoin isn’t meant to be safe or fair in a nanny-state sense; it’s meant to be free. Users who lose funds to quantum attacks are casualties of liberty and their own ignorance, not victims of injustice.
>>>>
>>>> Bitcoin's DAO Moment
>>>> This situation has some similarities to The DAO hack of an Ethereum smart contract in 2016, which resulted in a fork to stop the attacker and return funds to their original owners. The game theory is similar because it's a situation where a threat is known but there's some period of time before the attacker can actually execute the theft. As such, there's time to mitigate the attack by changing the protocol.
>>>>
>>>> It also created a schism in the community around the true meaning of "code is law," resulting in Ethereum Classic, which decided to allow the attacker to retain control of the stolen funds.
>>>>
>>>> A soft fork to burn vulnerable bitcoin could certainly result in a hard fork if there are enough miners who reject the soft fork and continue including transactions.
>>>>
>>>> Incentives Matter
>>>> We can wax philosophical until the cows come home, but what are the actual incentives for existing Bitcoin holders regarding this decision?
>>>>
>>>>> "Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone." - Satoshi Nakamoto
>>>>
>>>> If true, the corollary is:
>>>>
>>>>> "Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone." - Jameson Lopp
>>>>
>>>> Thus, assuming we get to a point where quantum resistant signatures are supported within the Bitcoin protocol, what's the incentive to let vulnerable coins remain spendable?
>>>>
>>>> * It's not good for the actual owners of those coins. It disincentivizes owners from upgrading until perhaps it's too late.
>>>> * It's not good for the more attentive / responsible owners of coins who have quantum secured their stash. Allowing the circulating supply to balloon will assuredly reduce the purchasing power of all bitcoin holders.
>>>>
>>>> Forking Game Theory
>>>> From a game theory point of view, I see this as incentivizing users to upgrade their wallets. If you disagree with the burning of vulnerable coins, all you have to do is move your funds to a quantum safe signature scheme. Point being, I don't see there being an economic majority (or even more than a tiny minority) of users who would fight such a soft fork. Why expend significant resources fighting a fork when you can just move your coins to a new address?
>>>>
>>>> Remember that blocking spending of certain classes of locking scripts is a tightening of the rules - a soft fork. As such, it can be meaningfully enacted and enforced by a mere majority of hashpower. If miners generally agree that it's in their best interest to burn vulnerable coins, are other users going to care enough to put in the effort to run new node software that resists the soft fork? Seems unlikely to me.
>>>>
>>>> How to Execute Burning
>>>> In order to be as objective as possible, the goal would be to announce to the world that after a specific block height / timestamp, Bitcoin nodes will no longer accept transactions (or blocks containing such transactions) that spend funds from any scripts other than the newly instituted quantum safe schemes.
>>>>
>>>> It could take a staggered approach to first freeze funds that are susceptible to long-range attacks such as those in P2PK scripts or those that exposed their public keys due to previously re-using addresses, but I expect the additional complexity would drive further controversy.
>>>>
>>>> How long should the grace period be in order to give the ecosystem time to upgrade? I'd say a minimum of 1 year for software wallets to upgrade. We can only hope that hardware wallet manufacturers are able to implement post quantum cryptography on their existing hardware with only a firmware update.
>>>>
>>>> Beyond that, it will take at least 6 months worth of block space for all users to migrate their funds, even in a best case scenario. Though if you exclude dust UTXOs you could probably get 95% of BTC value migrated in 1 month. Of course this is a highly optimistic situation where everyone is completely focused on migrations - in reality it will take far longer.
>>>>
>>>> Regardless, I'd think that in order to reasonably uphold Bitcoin's conservatism it would be preferable to allow a 4 year migration window. In the meantime, mining pools could coordinate emergency soft forking logic such that if quantum attackers materialized, they could accelerate the countdown to the quantum vulnerable funds burn.
>>>>
>>>> Random Tangential Benefits
>>>> On the plus side, burning all quantum vulnerable bitcoin would allow us to prune all of those UTXOs out of the UTXO set, which would also clean up a lot of dust. Dust UTXOs are a bit of an annoyance and there has even been a recent proposal for how to incentivize cleaning them up.
>>>>
>>>> We should also expect that incentivizing migration of the entire UTXO set will create substantial demand for block space that will sustain a fee market for a fairly lengthy amount of time.
>>>>
>>>> In Summary
>>>> While the moral quandary of violating any of Bitcoin's inviolable properties can make this a very complex issue to discuss, the game theory and incentives between burning vulnerable coins versus allowing them to be claimed by entities with quantum supremacy appears to be a much simpler issue.
>>>>
>>>> I, for one, am not interested in rewarding quantum capable entities by inflating the circulating money supply just because some people lost their keys long ago and some laggards are not upgrading their bitcoin wallet's security.
>>>>
>>>> We can hope that this scenario never comes to pass, but hope is not a strategy.
>>>>
>>>> I welcome your feedback upon any of the above points, and contribution of any arguments I failed to consider.
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
>>>> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com
Hi all,

I'd like to point out that the worst case scenarios here might be even worse than one naturally thinks.

(1) The first part is obvious: even though unlikely, it's possible that a certain group gains access to this functionality well in advance of the general state of the art, and not only that, but decides to steal coins only surreptitiously. This may be economically optimal for the thieves, but may also be negative-optimal (pessimal?) for the rest of us: because there will be continuous controversy about whether the theft happened, which relates to the unobvious point:

(2) The second part is somehow even way worse: that a well funded (but not having to spend money) attacker (not thief) on the system creates panic by pretending to have its coins stolen, even though it does not have access to an ECDLP break. This would be most likely in taproot, because they cannot prepare this attack in advance on coins created in 2009-10. Their only task is to create credibility amongst the general Bitcoin public, and thus force sufficient controversy for perhaps a chain split based on disagreeing with how to deal with the threat. I admit this is fairly fanciful, but imagine it occurring in combination with a heavily pushed proposal for a technically unsound solution to the problem which actually undermines Bitcoin's safety.

Notice that this second observation illustrates the sense in which this is crucially very different from the DAO as Jameson suggests: the act of theft is not unambiguously visible. (well to be fair the phrase was "*some* similarities" ! :) ).

Two more observations:

(3) I do really like the "disabled NUMS" concept in regard to taproot external keys, for paving the way to PQC in tapleaf. This is one kind of censorship that cannot be controversial.

(4) (in this I agree with Saulo Fonseca): my second observation might be unpopular but I think that a burning coins softfork will be appallingly hard to come to consensus on, and probably shouldn't even be attempted ((2) is relevant here). I don't think it's going to happen. I think we need some cryptographic chicanery that allows spending currently-hashed utxos safely, along the lines of what Tim Ruffing, Adam Back and others have discussed in the past, and that P2PK that is untouched even during a transition is just a lost cause. (I also think that this is very very far in the future but that is 100% opinion, not fact).

On Sunday, May 25, 2025 at 9:48:19 PM UTC-3 Agustin Cruz wrote:
Hi everyone,

QRAMP proposal aims to manage the quantum transition responsibly without disrupting Bitcoin’s core principles.

QRAMP has three phases:

1. Allow wallets to optionally include PQC keys in Taproot outputs. This enables early adoption without forcing anyone.

2. Announce a soft fork to disable vulnerable scripts, with a long (~4-year) grace period. This gives ample time to migrate and avoids sudden shocks.

3. Gradually deactivate vulnerable outputs based on age or inactivity. This avoids a harsh cutoff and gives time for adaptation.

We can also allow exceptions via proof-of-possession, and delay restrictions on timelocked outputs to avoid harming future spenders.

QRAMP is not about confiscation or control. It’s about aligning incentives, maintaining security, and offering a clear, non-coercive upgrade path.

Best,
Agustin Cruz



On Sun, May 25, 2025, 7:03 p.m., Dustin Ray <dustinvo...@gmail.com> wrote:
The difference between the ETH/ETC split though was that no one had anything confiscated except the DAO hacker, everyone retained an identical number of tokens on each chain. The proposal for BTC is very different in that some holders will lose access to their coins during the PQ migration under the confiscation approach. Just wanted to point that out.

On Sun, May 25, 2025 at 3:06 PM 'conduition' via Bitcoin Development Mailing List <bitco...@googlegroups.com> wrote:
Hey Saulo,

You're right about the possibility of an ugly split. Laggards who don't move coins to PQ address schemes will be incentivized to follow any chain where they keep their coins. But those who do migrate will be incentivized to follow the chain where unmigrated pre-quantum coins are frozen.

While you're comparing this event to the ETH/ETC split, we should remember that ETH remained the dominant chain despite their heavy-handed rollback. Just goes to show, confusion and face-loss is a lesser evil than allowing an adversary to pwn the network.

> This is the free-market way to solve problems without imposing rules on everyone.

It'd still be a free market even if quantum-vulnerable coins are frozen. The only way to test the relative value of quantum-safe vs quantum-vulnerable coins is to split the chain and see how the market reacts.

IMO, the "free market way" is to give people options and let their money flow to where it works best. That means people should be able to choose whether they want their money to be part of a system that allows quantum attack, or part of one which does not. I know which I would choose, but neither you nor I can make that choice for everyone.

regards,
conduition
On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz <agusti...@gmail.com> wrote:
I’m against letting quantum computers scoop up funds from addresses that don’t upgrade to quantum-resistant.
Saulo’s idea of a free-market approach, leaving old coins up for grabs if people don’t move them, sounds fair at first. Let luck decide, right? But I worry it’d turn into a mess. If quantum machines start cracking keys and snagging coins, it’s not just lost Satoshi-era stuff at risk. Plenty of active wallets, like those on the rich list Jameson mentioned, could get hit too. Imagine millions of BTC flooding the market. Prices tank, trust in Bitcoin takes a dive, and we all feel the pain. Freezing those vulnerable funds keeps that chaos in check.
Plus, “your keys, your coins” is Bitcoin’s heart. If quantum tech can steal from you just because you didn’t upgrade fast enough, that promise feels shaky. Freezing funds after a heads-up period (say, four years) protects that idea better than letting tech giants or rogue states play vampire with our network. It also nudges people to get their act together and move to safer addresses, which strengthens Bitcoin long-term.
Saulo’s right that freezing coins could confuse folks or spark a split like Ethereum Classic. But I’d argue quantum theft would look worse. Bitcoin would seem broken, not just strict. A clear plan and enough time to migrate could smooth things over. History’s on our side too. Bitcoin’s fixed bugs before, like SegWit. This feels like that, not a bailout.
So yeah, I’d rather see vulnerable coins locked than handed to whoever builds the first quantum rig. It’s less about coddling people and more about keeping Bitcoin solid for everyone. What do you all think?
Cheers,
Agustín


On Sun, Mar 23, 2025 at 10:29 PM AstroTown <sa...@astrotown.de> wrote:
I believe that having some entity announce the decision to freeze old UTXOs would be more damaging to Bitcoin’s image (and its value) than having them gathered by QC. This would create another version of Bitcoin, similar to Ethereum Classic, causing confusion in the market.

It would be better to simply implement the possibility of moving funds to a PQC address without a deadline, allowing those who fail to do so to rely on luck to avoid having their coins stolen. Most coins would be migrated to PQC anyway, and in most cases, only the lost ones would remain vulnerable. This is the free-market way to solve problems without imposing rules on everyone.

Saulo Fonseca


On 16. Mar 2025, at 15:15, Jameson Lopp <jameso...@gmail.com> wrote:

The quantum computing debate is heating up. There are many controversial aspects to this debate, including whether or not quantum computers will ever actually become a practical threat.

I won't tread into the unanswerable question of how worried we should be about quantum computers. I think it's far from a crisis, but given the difficulty in changing Bitcoin it's worth starting to seriously discuss. Today I wish to focus on a philosophical quandary related to one of the decisions that would need to be made if and when we implement a quantum safe signature scheme.
Several Scenarios
Because this essay will reference game theory a fair amount, and there are many variables at play that could change the nature of the game, I think it's important to clarify the possible scenarios up front.

1. Quantum computing never materializes, never becomes a threat, and thus everything discussed in this essay is moot.
2. A quantum computing threat materializes suddenly and Bitcoin does not have quantum safe signatures as part of the protocol. In this scenario it would likely make the points below moot because Bitcoin would be fundamentally broken and it would take far too long to upgrade the protocol, wallet software, and migrate user funds in order to restore confidence in the network.
3. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been minimally adopted by the time an attacker appears.
4. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been highly adopted by the time an attacker appears.

For the purposes of this post, I'm envisioning being in situation 3 or 4.

To Freeze or not to Freeze?
I've started seeing more people weighing in on what is likely the most contentious aspect of how a quantum resistance upgrade should be handled in terms of migrating user funds. Should quantum vulnerable funds be left open to be swept by anyone with a sufficiently powerful quantum computer OR should they be permanently locked?

"I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation."
- Hunter Beast

On the other hand:

"Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone; even those which diligently moved their coins to PQC-protected schemes."
- Pieter Wuille
I don't think "confiscation" is the most precise term to use, as the funds are not being seized and reassigned. Rather, what we're really discussing would be better described as "burning" - placing the funds out of reach of everyone.

Not freezing user funds is one of Bitcoin's inviolable properties. However, if quantum computing becomes a threat to Bitcoin's elliptic curve cryptography, an inviolable property of Bitcoin will be violated one way or another.

Fundamental Properties = at Risk
5 years ago I attempted to comprehensively categorize all of Bitcoin's fundamental properties that give it value. https://nakamoto.com/what-are-the-key-properties-of-bitcoin/

The particular properties in play with regard to this issue seem to be:

Censorship Resistance - No one should have the power to prevent others from using their bitcoin or interacting with the network.

Forward Compatibility - changing the rules such that certain valid transactions become invalid could undermine confidence in the protocol.

Conservatism - Users should not be expected to be highly responsive to system issues.

As a result of the above principles, we have developed a strong meme (kudos to Andreas Antonopoulos) that goes as follows:

Not your keys, not your coins.

I posit that the corollary to this principle is:

Your keys, only your coins.

A quantum capable entity breaks the corollary of this foundational principle. We secure our bitcoin with the mathematical probabilities related to extremely large random numbers. Your funds are only secure because truly random large numbers should not be guessable or discoverable by anyone else in the world.

This is the principle behind the motto vires in numeris - strength in numbers. In a world with quantum enabled adversaries, this principle is null and void for many types of cryptography, including the elliptic curve digital signatures used in Bitcoin.

Who is at Risk?
There has long been a narrative that Satoshi's coins and others from the Satoshi era of P2PK locking scripts that exposed the public key directly on the blockchain will be those that get scooped up by a quantum "miner." But unfortunately it's not that simple. If I had a powerful quantum computer, which coins would I target? I'd go to the Bitcoin rich list and find the wallets that have exposed their public keys due to re-using addresses that have previously been spent from. You can easily find them at https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html

Note that a few of these wallets, like Bitfinex / Kraken / Tether, would be slightly harder to crack because they are multisig wallets. So a quantum attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfinex / Tether in order to spend funds. But many are single signature.

Point being, it's not only the really old lost BTC that are at risk to a quantum enabled adversary, at least at time of writing. If we add a quantum safe signature scheme, we should expect those wallets to be some of the first to upgrade given their incentives.

The Ethical Dilemma: Quantifying Harm
Which decision results in the most harm?

By making quantum vulnerable funds unspendable we potentially harm some Bitcoin users who were not paying attention and neglected to migrate their funds to a quantum safe locking script. This violates the "conservatism" principle stated earlier. On the flip side, we prevent those funds plus far more lost funds from falling into the hands of the few privileged folks who gain early access to quantum computers.

By leaving quantum vulnerable funds available to spend, the same set of users who would otherwise have funds frozen are likely to see them stolen. And many early adopters who lost their keys will eventually see their unreachable funds scooped up by a quantum enabled adversary.

Imagine, for example, being James Howells, who accidentally threw away a hard drive with 8,000 BTC on it, currently worth over $600M USD. He has spent a decade trying to retrieve it from the landfill where he knows it's buried, but can't get permission to excavate. I suspect that, given the choice, he'd prefer those funds be permanently frozen rather than fall into someone else's possession - I know I would.

Allowing a quantum computer to access lost funds doesn't make those users any worse off than they were before, however it would have a negative impact upon everyone who is currently holding bitcoin.
It's prudent to expect significant economic disruption if large amounts of coins fall into new hands. Since a quantum computer is going to have a massive up front cost, expect those behind it to desire to recoup their investment. We also know from experience that when someone suddenly finds themselves in possession of 9+ figures worth of highly liquid assets, they tend to diversify into other things by selling.

Allowing quantum recovery of bitcoin is tantamount to wealth redistribution. What we'd be allowing is for bitcoin to be redistributed from those who are ignorant of quantum computers to those who have won the technological race to acquire quantum computers. It's hard to see a bright side to that scenario.

Is Quantum Recovery Good for Anyone?

Does quantum recovery HELP anyone? I've yet to come across an argument that it's a net positive in any way. It certainly doesn't add any security to the network. If anything, it greatly decreases the security of the network by allowing funds to be claimed by those who did not earn them.

But wait, you may be thinking, wouldn't quantum "miners" have earned their coins by all the work and resources invested in building a quantum computer? I suppose, in the same sense that a burglar earns their spoils by the resources they invest into surveilling targets and learning the skills needed to break into buildings. When I say "earned" I mean through productive mutual trade.

For example:

* Investors earn BTC by trading for other currencies.
* Merchants earn BTC by trading for goods and services.
* Miners earn BTC by trading thermodynamic security.
* Quantum miners don't trade anything, they are vampires feeding upon the system.

There's no reason to believe that allowing quantum adversaries to recover vulnerable bitcoin will be of benefit to anyone other than the select few organizations that win the technological arms race to build the first such computers. Probably nation states and/or the top few largest tech companies.

One could certainly hope that an organization with quantum supremacy is benevolent and acts in a "white hat" manner to return lost coins to their owners, but that's incredibly optimistic and foolish to rely upon. Such a situation creates an insurmountable ethical dilemma of only recovering lost bitcoin rather than currently owned bitcoin. There's no way to precisely differentiate between the two; anyone can claim to have lost their bitcoin but if they have lost their keys then proving they ever had the keys becomes rather difficult. I imagine that any such white hat recovery efforts would have to rely upon attestations from trusted third parties like exchanges.

Even if the first actor with quantum supremacy is benevolent, we must assume the technology could fall into adversarial hands and thus think adversarially about the potential worst case outcomes. Imagine, for example, that North Korea continues scooping up billions of dollars from hacking crypto exchanges and decides to invest some of those proceeds into building a quantum computer for the biggest payday ever...

Downsides to Allowing Quantum Recovery
Let's think through an exhaustive list of pros and cons for allowing or preventing the seizure of funds by a quantum adversary.

Historical Precedent

Previous protocol vulnerabilities weren't celebrated as "fair game" but rather were treated as failures to be remediated. Treating quantum theft differently risks rewriting Bitcoin's history as a free-for-all rather than a system that seeks to protect its users.

Violation of Property Rights
Allowing a quantum adversary to take control of funds undermines the fundamental principle of cryptocurrency - if you keep your keys in your possession, only you should be able to access your money. Bitcoin is built on the idea that private keys secure an individual's assets, and unauthorized access (even via advanced tech) is theft, not a legitimate transfer.

Erosion of Trust in Bitcoin
If quantum attackers can exploit vulnerable addresses, confidence in Bitcoin as a secure store of value would collapse. Users and investors rely on cryptographic integrity, and widespread theft could drive adoption away from Bitcoin, destabilizing its ecosystem.

This is essentially the counterpoint to claiming the burning of vulnerable funds is a violation of property rights. While some will certainly see it as such, others will find the apathy toward stopping quantum theft to be similarly concerning.

Unfair Advantage
Quantum attackers, likely equipped with rare and expensive technology, would have an unjust edge over regular users who lack access to such tools. This creates an inequitable system where only the technologically elite can exploit others, contradicting Bitcoin's ethos of decentralized power.

Bitcoin is designed to create an asymmetric advantage for DEFENDING one's wealth. It's supposed to be impractically expensive for attackers to crack the entropy and cryptography protecting one's coins. But now we find ourselves discussing a situation where this asymmetric advantage is compromised in favor of a specific class of attackers.

Economic Disruption
Large-scale theft from vulnerable addresses could crash Bitcoin's price as quantum recovered funds are dumped on exchanges. This would harm all holders, not just those directly targeted, leading to broader financial chaos in the markets.

Moral Responsibility
Permitting theft via quantum computing sets a precedent that technological superiority justifies unethical behavior. This is essentially taking a "code is law" stance in which we refuse to admit that both code and laws can be modified to adapt to previously unforeseen situations.

Burning of coins can certainly be considered a form of theft, thus I think it's worth differentiating the two different thefts being discussed:

1. self-enriching & likely malicious
2. harm prevention & not necessarily malicious

Both options lack the consent of the party whose coins are being burnt or transferred, thus I think the simple argument that theft is immoral becomes a wash and it's important to drill down into the details of each.

Incentives Drive Security
I can tell you from a decade of working in Bitcoin security - the average user is lazy and is a procrastinator. If Bitcoiners are given a "drop dead date" after which they know vulnerable funds will be burned, this pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Allowing vulnerable users to delay upgrading indefinitely will result in more laggards, leaving the network more exposed when quantum tech becomes available.

Steel Manning
Clearly this is a complex and controversial topic, thus it's worth thinking through the opposing arguments.

Protecting Property Rights
Allowing quantum computers to take vulnerable bitcoin could potentially be spun as a hard money narrative - we care so greatly about not violating someone's access to their coins that we allow them to be stolen!

But I think the flip side to the property rights narrative is that burning vulnerable coins prevents said property from falling into undeserving hands. If the entire Bitcoin ecosystem just stands around and allows quantum adversaries to claim funds that rightfully belong to other users, is that really a "win" in the "protecting property rights" category? It feels more like apathy to me.

As such, I think the "protecting property rights" argument is a wash.

Quantum Computers Won't Attack Bitcoin
There is a great deal of skepticism that sufficiently powerful quantum computers will ever exist, so we shouldn't bother preparing for a non-existent threat. Others have argued that even if such a computer was built, a quantum attacker would not go after bitcoin because they wouldn't want to reveal their hand by doing so, and would instead attack other infrastructure.
It's quite difficult to quantify exactly how valuable attacking other infrastructure would be. It also really depends upon when an entity gains quantum supremacy and thus if by that time most of the world's systems have already been upgraded. While I think you could argue that certain entities gaining quantum capability might not attack Bitcoin, it would only delay the inevitable - eventually somebody will achieve the capability who decides to use it for such an attack.

Quantum Attackers Would Only Steal Small Amounts
Some have argued that even if a quantum attacker targeted bitcoin, they'd only go after old, likely lost P2PK outputs so as to not arouse suspicion and cause a market panic.

I'm not so sure about that; why go after 50 BTC at a time when you could take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero day exploit" game theory in which an attacker knows they have a limited amount of time before someone else discovers the exploit and either benefits from it or patches it. Take, for example, the recent ByBit attack - the highest value crypto hack of all time. Lazarus Group had compromised the Safe wallet front end JavaScript app and they could have simply had it reassign ownership of everyone's Safe wallets as they were interacting with their wallet. But instead they chose to only specifically target ByBit's wallet with $1.5 billion in it because they wanted to maximize their extractable value. If Lazarus had started stealing from every wallet, they would have been discovered quickly and the Safe web app would likely have been patched well before any billion dollar wallets executed the malicious code.

I think the "only stealing small amounts" argument is strongest for Situation #2 described earlier, where a quantum attacker arrives before quantum safe cryptography has been deployed across the Bitcoin ecosystem. Because if it became clear that Bitcoin's cryptography was broken AND there was nowhere safe for vulnerable users to migrate, the only logical option would be for everyone to liquidate their bitcoin as quickly as possible. As such, I don't think it applies as strongly for situations in which we have a migration path available.

The 21 Million Coin Supply Should be in Circulation
Some folks are arguing that it's important for the "circulating / spendable" supply to be as close to 21M as possible and that having a significant portion of the supply out of circulation is somehow undesirable.

While the "21M BTC" attribute is a strong memetic narrative, I don't think anyone has ever expected that it would all be in circulation. It has always been understood that many coins will be lost, and that's actually part of the game theory of owning bitcoin!

And remember, the 21M number in and of itself is not a particularly important detail - it's not even mentioned in the whitepaper. What's important is that the supply is well known and not subject to change.

Self-Sovereignty and Personal Responsibility
Bitcoin's design empowers individuals to control their own wealth, free from centralized intervention. This freedom comes with the burden of securing one's private keys. If quantum computing can break obsolete cryptography, the fault lies with users who didn't move their funds to quantum safe locking scripts. Expecting the network to shield users from their own negligence undermines the principle that you, and not a third party, are accountable for your assets.

I think this is generally a fair point that "the community" doesn't owe you anything in terms of helping you. I think that we do, however, need to consider the incentives and game theory in play with regard to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.

Code is Law
Bitcoin operates on transparent, immutable rules embedded in its protocol. If a quantum attacker uses superior technology to derive private keys from public keys, they're not "hacking" the system - they're simply following what's mathematically permissible within the current code. Altering the protocol to stop this introduces subjective human intervention, which clashes with the objective, deterministic nature of blockchain.

While I tend to agree that code is law, one of the entire points of laws is that they can be amended to improve their efficacy in reducing harm. Leaning on this point seems more like a pro-ossification stance that it's better to do nothing and allow harm to occur rather than take action to stop an attack that was foreseen far in advance.

Technological Evolution as a Feature, Not a Bug
It's well known that cryptography tends to weaken over time and eventually break. Quantum computing is just the next step in this progression. Users who fail to adapt (e.g., by adopting quantum-resistant wallets when available) are akin to those who ignored technological advancements like multisig or hardware wallets. Allowing quantum theft incentivizes innovation and keeps Bitcoin's ecosystem dynamic, punishing complacency while rewarding vigilance.

Market Signals Drive Security
If quantum attackers start stealing funds, it sends a clear signal to the market: upgrade your security or lose everything. This pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Coddling vulnerable users delays this necessary evolution, potentially leaving the network more exposed when quantum tech becomes widely accessible. Theft is a brutal but effective teacher.

Centralized Blacklisting Power
Burning vulnerable funds requires centralized decision-making - a soft fork to invalidate certain transactions. This sets a dangerous precedent for future interventions, eroding Bitcoin's decentralization. If quantum theft is blocked, what's next - reversing exchange hacks? The system must remain neutral, even if it means some lose out.

I think this could be a potential slippery slope if the proposal was to only burn specific addresses. Rather, I'd expect a neutral proposal to burn all funds in locking script types that are known to be quantum vulnerable. Thus, we could eliminate any subjectivity from the code.

Fairness in Competition
Quantum attackers aren't cheating; they're using publicly available physics and math. Anyone with the resources and foresight can build or access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU. Early adopters took risks and reaped rewards; quantum innovators are doing the same. Calling it "unfair" ignores that Bitcoin has never promised equality of outcome - only equality of opportunity within its rules.

I find this argument to be a mischaracterization because we're not talking about CPUs. This is more akin to talking about ASICs, except each ASIC costs millions if not billions of dollars. This is out of reach from all but the wealthiest organizations.

Economic Resilience
Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and emerged stronger. The market can absorb quantum losses, with unaffected users continuing to hold and new entrants buying in at lower prices. Fear of economic collapse overestimates the impact - the network's antifragility thrives on such challenges.

This is a big grey area because we don't know when a quantum computer will come online and we don't know how quickly said computers would be able to steal bitcoin. If, for example, the first generation of sufficiently powerful quantum computers were stealing less volume than the current block reward then of course it will have minimal economic impact. But if they're taking thousands of BTC per day and bringing them back into circulation, there will likely be a noticeable market impact as it absorbs the new supply.

This is where the circumstances will really matter. If a quantum attacker appears AFTER the Bitcoin protocol has been upgraded to support quantum resistant cryptography then we should expect the most valuable active wallets will have upgraded and the juiciest target would be the 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant since 2010. In general I'd expect that the amount of BTC re-entering the circulating supply would look somewhat similar to the mining emission curve: volume would start off very high as the most valuable addresses are drained and then it would fall off as quantum computers went down the list targeting addresses with less and less BTC.

Why is economic impact a factor worth considering? Miners and businesses in general. More coins being liquidated will push down the price, which will negatively impact miner revenue. Similarly, I can attest from working in the industry for a decade, that lower prices result in less demand from businesses across the entire industry. As such, burning quantum vulnerable bitcoin is good for the entire industry.

Practicality & Neutrality of Non-Intervention
There's no reliable way to distinguish "theft" from legitimate "white hat" key recovery. If someone loses their private key and a quantum computer recovers it, is that stealing or reclaiming? Policing quantum actions requires invasive assumptions about intent, which Bitcoin's trustless design can't accommodate. Letting the chips fall where they may avoids this mess.

Philosophical Purity
Bitcoin rejects bailouts. It's a cold, hard system where outcomes reflect preparation and skill, not sentimentality. If quantum computing upends the game, that's the point - Bitcoin isn't meant to be safe or fair in a nanny-state sense; it's meant to be free. Users who lose funds to quantum attacks are casualties of liberty and their own ignorance, not victims of injustice.

Bitcoin's DAO Moment
This situation has some similarities to The DAO hack of an Ethereum smart contract in 2016, which resulted in a fork to stop the attacker and return funds to their original owners. The game theory is similar because it's a situation where a threat is known but there's some period of time before the attacker can actually execute the theft. As such, there's time to mitigate the attack by changing the protocol.

It also created a schism in the community around the true meaning of "code is law," resulting in Ethereum Classic, which decided to allow the attacker to retain control of the stolen funds.

A soft fork to burn vulnerable bitcoin could certainly result in a hard fork if there are enough miners who reject the soft fork and continue including transactions.

Incentives Matter
We can wax philosophical until the cows come home, but what are the actual incentives for existing Bitcoin holders regarding this decision?

"Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone." - Satoshi Nakamoto

If true, the corollary is:

"Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone." - Jameson Lopp

Thus, assuming we get to a point where quantum resistant signatures are supported within the Bitcoin protocol, what's the incentive to let vulnerable coins remain spendable?

* It's not good for the actual owners of those coins. It disincentivizes owners from upgrading until perhaps it's too late.
* It's not good for the more attentive / responsible owners of coins who have quantum secured their stash. Allowing the circulating supply to balloon will assuredly reduce the purchasing power of all bitcoin holders.

Forking Game Theory
From a game theory point of view, I see this as incentivizing users to upgrade their wallets. If you disagree with the burning of vulnerable coins, all you have to do is move your funds to a quantum safe signature scheme. Point being, I don't see there being an economic majority (or even more than a tiny minority) of users who would fight such a soft fork. Why expend significant resources fighting a fork when you can just move your coins to a new address?

Remember that blocking spending of certain classes of locking scripts is a tightening of the rules - a soft fork. As such, it can be meaningfully enacted and enforced by a mere majority of hashpower. If miners generally agree that it's in their best interest to burn vulnerable coins, are other users going to care enough to put in the effort to run new node software that resists the soft fork? Seems unlikely to me.

How to Execute Burning
In order to be as objective as possible, the goal would be to announce to the world that after a specific block height / timestamp, Bitcoin nodes will no longer accept transactions (or blocks containing such transactions) that spend funds from any scripts other than the newly instituted quantum safe schemes.

It could take a staggered approach to first freeze funds that are susceptible to long-range attacks such as those in P2PK scripts or those that exposed their public keys due to previously re-using addresses, but I expect the additional complexity would drive further controversy.

How long should the grace period be in order to give the ecosystem time to upgrade? I'd say a minimum of 1 year for software wallets to upgrade. We can only hope that hardware wallet manufacturers are able to implement post quantum cryptography on their existing hardware with only a firmware update.

Beyond that, it will take at least 6 months worth of block space for all users to migrate their funds, even in a best case scenario. Though if you exclude dust UTXOs you could probably get 95% of BTC value migrated in 1 month. Of course this is a highly optimistic situation where everyone is completely focused on migrations - in reality it will take far longer.

Regardless, I'd think that in order to reasonably uphold Bitcoin's conservatism it would be preferable to allow a 4 year migration window. In the meantime, mining pools could coordinate emergency soft forking logic such that if quantum attackers materialized, they could accelerate the countdown to the quantum vulnerable funds burn.

Random Tangential Benefits
On the plus side, burning all quantum vulnerable bitcoin would allow us to prune all of those UTXOs out of the UTXO set, which would also clean up a lot of dust. Dust UTXOs are a bit of an annoyance and there has even been a recent proposal for how to incentivize cleaning them up.

We should also expect that incentivizing migration of the entire UTXO set will create substantial demand for block space that will sustain a fee market for a fairly lengthy amount of time.

In Summary
While the moral quandary of violating any of Bitcoin's inviolable properties can make this a very complex issue to discuss, the game theory and incentives between burning vulnerable coins versus allowing them to be claimed by entities with quantum supremacy appears to be a much simpler issue.

I, for one, am not interested in rewarding quantum capable entities by inflating the circulating money supply just because some people lost their keys long ago and some laggards are not upgrading their bitcoin wallet's security.

We can hope that this scenario never comes to pass, but hope is not a strategy.

I welcome your feedback upon any of the above points, and contribution of any arguments I failed to consider.

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com.
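As an added example (not code from the post, and not Bitcoin Core's), here is the script classification behind the "Who is at Risk?" discussion and the staggered freeze rule sketched under "How to Execute Burning", in Python: which standard output templates put the public key on chain directly, which only do so once the address has been spent from, and what a node enforcing a two-phase cutoff would still accept at a given height. It goes one step beyond the post's P2PK and address-reuse cases by also treating taproot outputs, whose 32-byte output key is likewise in the scriptPubKey, as exposed; the quantum-safe output template, the phase heights and every UTXO below are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Utxo:
    label: str            # constructed identifier, not a real txid
    value_sat: int
    script_pubkey: bytes


# Hypothetical quantum-safe output template (witness version 16, 32-byte
# program). Nothing like it is deployed in Bitcoin; placeholder only.
PQ_PREFIX = b"\x60\x20"


def classify_script(spk: bytes) -> str:
    """Name the standard locking-script template of a scriptPubKey."""
    n = len(spk)
    if n == 34 and spk[:2] == PQ_PREFIX:
        return "pq_safe"
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "p2pk"            # <pubkey> OP_CHECKSIG: key sits in the output
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh"
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"            # OP_1 <32-byte output key>: key sits in the output
    if n > 3 and spk[-1] == 0xAE and 0x51 <= spk[0] <= 0x60 and 0x51 <= spk[-2] <= 0x60:
        return "bare_multisig"   # OP_m <keys...> OP_n OP_CHECKMULTISIG
    return "unknown"


# Public key is in the output itself: attackable from the UTXO set alone.
EXPOSED_TYPES = {"p2pk", "bare_multisig", "p2tr"}
# Only a hash is in the output; the key is revealed by spending, so a
# previously spent-from (reused) script belongs in the exposed class.
HASHED_TYPES = {"p2pkh", "p2wpkh", "p2sh", "p2wsh"}


def exposure(spk: bytes, reused_scripts: frozenset) -> str:
    kind = classify_script(spk)
    if kind == "pq_safe":
        return "safe"
    if kind in EXPOSED_TYPES:
        return "exposed"
    if kind in HASHED_TYPES:
        return "exposed_by_reuse" if spk in reused_scripts else "hashed"
    return "unknown"


def spend_allowed(spk, reused_scripts, height, phase1_height, phase2_height) -> bool:
    """Staggered rule: from phase1_height spends of already-exposed keys are
    rejected; from phase2_height every non-quantum-safe spend is rejected."""
    state = exposure(spk, reused_scripts)
    if state == "safe":
        return True
    if height >= phase2_height:
        return False
    return not (height >= phase1_height and state in ("exposed", "exposed_by_reuse"))


def freeze_report(utxos, reused_scripts, height, phase1_height, phase2_height) -> dict:
    """Sum what a node enforcing the rule still accepts spends of at `height`."""
    report = {"spendable_sat": 0, "frozen_sat": 0, "frozen": []}
    for u in utxos:
        if spend_allowed(u.script_pubkey, reused_scripts, height, phase1_height, phase2_height):
            report["spendable_sat"] += u.value_sat
        else:
            report["frozen_sat"] += u.value_sat
            report["frozen"].append(u.label)
    return report


# Constructed sample UTXO set; key bytes and values are made up.
P2PKH_REUSED = b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"
SAMPLE_UTXOS = [
    Utxo("p2pk-2010", 5_000_000_000, b"\x41\x04" + b"\x11" * 64 + b"\xac"),
    Utxo("p2pkh-reused", 1_000_000_000, P2PKH_REUSED),
    Utxo("p2pkh-fresh", 300_000_000, b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac"),
    Utxo("p2wpkh-fresh", 200_000_000, b"\x00\x14" + b"\x44" * 20),
    Utxo("p2tr", 100_000_000, b"\x51\x20" + b"\x55" * 32),
    Utxo("bare-2of3", 50_000_000, b"\x52" + (b"\x21\x02" + b"\x77" * 32) * 3 + b"\x53\xae"),
    Utxo("pq-migrated", 10_000_000, PQ_PREFIX + b"\x66" * 32),
]
REUSED_SCRIPTS = frozenset({P2PKH_REUSED})   # spent from before: keys already on chain
# Constructed heights; phase 2 is ~210,000 blocks (about four years) after phase 1.
PHASE1, PHASE2 = 900_000, 1_110_000

if __name__ == "__main__":
    for h in (PHASE1 - 1, PHASE1, PHASE2):
        print(h, freeze_report(SAMPLE_UTXOS, REUSED_SCRIPTS, h, PHASE1, PHASE2))
```

Running the sample set through the three heights shows nothing frozen before phase 1, only the four outputs with keys already on chain frozen at phase 1, and everything but the placeholder quantum-safe output frozen at phase 2.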
