From: Michael Tidwell
To: Bitcoin Development Mailing List
Date: Wed, 30 Apr 2025 08:40:41 -0700 (PDT)
Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin

I'm late, but want to share thoughts. I gathered from this thread the way more pertinent and prerequisite idea is to formulate some idea for pqc safe schemes, before the idea of burning/freezing/other becomes actionable.

Originally I thought Matt's idea of a secure leaf that could be enabled to be the only spend path seemed clever, but after thinking about it more, I think it would be better to cleanly have a new address/taproot version.

1. We get public data to know how many coins are using the post-quantum secured scheme. Allow better informed decisions on adoptions, planning, and understanding sentiment on the perceived threat.
2. Would have clean separation for users to know whether or not their address is PQC secured.
3. For people not worried about it, they wouldn't feel arm-bar'd into having longer descriptors and an unnecessary leaf.
4. *Unsure here*, but possible that library and wallet developers could treat this with cleaner separation UX, UI and not worry about (legacy-tr) vs (pqc-tr) descriptions and script code. (To help users differentiate)
5. We wouldn't need to worry about some roll out period or flag day where the leaves become necessary or an enabled spend path.

Given that pqc transactions will likely require additional space and computational resources, we should be cautious about heavily incentivizing uncertain approaches (i.e. it may be advantageous to decide on something before having certainty about the optimal approach). Significant fee discounts may be needed once there's high confidence on the approach/method. However, enhanced security itself inherently serves as part of the explicit incentive, and maybe should be part of the incentive calculation.

On Monday, April 7, 2025 at 6:34:54 AM UTC-4 Nadav Ivgi wrote:

> One possible alternative to freezing/burning the coins entirely is letting quantum attackers keep some small percent as a reward, but force them to stage the rest to future miners as an additional security budget subsidy.
>
> This can be implemented as a soft fork, by requiring transactions spending QC-vulnerable coins to allocate some funds to an OP_CLTV[0]-only encumbered output timelocked far into the future. Miners would then monitor these outputs and claim them as they become available.
>
> For example, allow a 1% reward to be spent freely to any address but require 99% to be sent to an OP_CLTV output timelocked to a deterministically random height between 10-100 years from now.
>
> The 1% reward could also be required to be sent to a script that enforces a timelock (in addition to other conditions), to avoid flooding the markets with the rewarded coins all at once. Probably a shorter timelock duration though, say picked randomly between 10-30 months.
>
> To further smooth out variance in the release schedule, coins could be split into up-to-N-BTC outputs, each staggered with a different deterministic timelock. So for example, a single tx spending 10,000 BTC won't release 9,900 BTC to the miners in a single far-future block (which may cause chain instability if the miners get into a reorg war over it), but rather as 9,900 separate outputs of 1 BTC each released gradually over time.[1]
>
> I'm still not sure what I think about this. This is not necessarily an endorsement, just a thought. :)
>
> - shesek
>
> [0] OP_CSV only supports relative timelocks of up to 65535 blocks (~15 months), which is too short for that purpose. OP_CLTV supports longer (absolute) timelocks.
>
> [1] This can be made more efficient with CTV, by having a single UTXO carrying the full amount that slowly unrolls rather than 9,900 separate UTXO entries.
>
>
> On Sun, Mar 16, 2025 at 5:22 PM Jameson Lopp wrote:
>
>> The quantum computing debate is heating up. There are many controversial aspects to this debate, including whether or not quantum computers will ever actually become a practical threat.
>>
>> I won't tread into the unanswerable question of how worried we should be about quantum computers. I think it's far from a crisis, but given the difficulty in changing Bitcoin it's worth starting to seriously discuss. Today I wish to focus on a philosophical quandary related to one of the decisions that would need to be made if and when we implement a quantum safe signature scheme.
>>
>> Several Scenarios
>> Because this essay will reference game theory a fair amount, and there are many variables at play that could change the nature of the game, I think it's important to clarify the possible scenarios up front.
>>
>> 1. Quantum computing never materializes, never becomes a threat, and thus everything discussed in this essay is moot.
>> 2. A quantum computing threat materializes suddenly and Bitcoin does not have quantum safe signatures as part of the protocol. In this scenario it would likely make the points below moot because Bitcoin would be fundamentally broken and it would take far too long to upgrade the protocol, wallet software, and migrate user funds in order to restore confidence in the network.
>> 3. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been minimally adopted by the time an attacker appears.
>> 4. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been highly adopted by the time an attacker appears.
>>
>> For the purposes of this post, I'm envisioning being in situation 3 or 4.
>>
>> To Freeze or not to Freeze?
>> I've started seeing more people weighing in on what is likely the most contentious aspect of how a quantum resistance upgrade should be handled in terms of migrating user funds. Should quantum vulnerable funds be left open to be swept by anyone with a sufficiently powerful quantum computer OR should they be permanently locked?
>>
>>> "I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation."
>>> - Hunter Beast
>>
>> On the other hand:
>>
>>> "Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone; even those which diligently moved their coins to PQC-protected schemes."
>>> - Pieter Wuille
>>
>> I don't think "confiscation" is the most precise term to use, as the funds are not being seized and reassigned. Rather, what we're really discussing would be better described as "burning" - placing the funds *out of reach of everyone*.
>>
>> Not freezing user funds is one of Bitcoin's inviolable properties. However, if quantum computing becomes a threat to Bitcoin's elliptic curve cryptography, *an inviolable property of Bitcoin will be violated one way or another*.
>>
>> Fundamental Properties at Risk
>> 5 years ago I attempted to comprehensively categorize all of Bitcoin's fundamental properties that give it value. https://nakamoto.com/what-are-the-key-properties-of-bitcoin/
>>
>> The particular properties in play with regard to this issue seem to be:
>>
>> *Censorship Resistance* - No one should have the power to prevent others from using their bitcoin or interacting with the network.
>>
>> *Forward Compatibility* - changing the rules such that certain valid transactions become invalid could undermine confidence in the protocol.
>>
>> *Conservatism* - Users should not be expected to be highly responsive to system issues.
>>
>> As a result of the above principles, we have developed a strong meme (kudos to Andreas Antonopoulos) that goes as follows:
>>
>> Not your keys, not your coins.
>>
>> I posit that the corollary to this principle is:
>>
>> Your keys, only your coins.
>>
>> A quantum capable entity breaks the corollary of this foundational principle. We secure our bitcoin with the mathematical probabilities related to extremely large random numbers. Your funds are only secure because truly random large numbers should not be guessable or discoverable by anyone else in the world.
>>
>> This is the principle behind the motto *vires in numeris* - strength in numbers. In a world with quantum enabled adversaries, this principle is null and void for many types of cryptography, including the elliptic curve digital signatures used in Bitcoin.
>>
>> Who is at Risk?
>> There has long been a narrative that Satoshi's coins and others from the Satoshi era of P2PK locking scripts that exposed the public key directly on the blockchain will be those that get scooped up by a quantum "miner." But unfortunately it's not that simple. If I had a powerful quantum computer, which coins would I target? I'd go to the Bitcoin rich list and find the wallets that have exposed their public keys due to re-using addresses that have previously been spent from. You can easily find them at https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html
>>
>> Note that a few of these wallets, like Bitfinex / Kraken / Tether, would be slightly harder to crack because they are multisig wallets. So a quantum attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfinex / Tether in order to spend funds. But many are single signature.
>>
>> Point being, it's not only the really old lost BTC that are at risk to a quantum enabled adversary, at least at time of writing. If we add a quantum safe signature scheme, we should expect those wallets to be some of the first to upgrade given their incentives.
>>
>> The Ethical Dilemma: Quantifying Harm
>> Which decision results in the most harm?
>>
>> By making quantum vulnerable funds unspendable we potentially harm some Bitcoin users who were not paying attention and neglected to migrate their funds to a quantum safe locking script. This violates the "conservatism" principle stated earlier. On the flip side, we prevent those funds plus far more lost funds from falling into the hands of the few privileged folks who gain early access to quantum computers.
>>
>> By leaving quantum vulnerable funds available to spend, the same set of users who would otherwise have funds frozen are likely to see them stolen. And many early adopters who lost their keys will eventually see their unreachable funds scooped up by a quantum enabled adversary.
>>
>> Imagine, for example, being James Howells, who accidentally threw away a hard drive with 8,000 BTC on it, currently worth over $600M USD. He has spent a decade trying to retrieve it from the landfill where he knows it's buried, but can't get permission to excavate. I suspect that, given the choice, he'd prefer those funds be permanently frozen rather than fall into someone else's possession - I know I would.
>>
>> Allowing a quantum computer to access lost funds doesn't make those users any worse off than they were before, however it *would* have a negative impact upon everyone who is currently holding bitcoin.
>>
>> It's prudent to expect significant economic disruption if large amounts of coins fall into new hands. Since a quantum computer is going to have a massive up front cost, expect those behind it to desire to recoup their investment. We also know from experience that when someone suddenly finds themselves in possession of 9+ figures worth of highly liquid assets, they tend to diversify into other things by selling.
>>
>> Allowing quantum recovery of bitcoin is *tantamount to wealth redistribution*. What we'd be allowing is for bitcoin to be redistributed from those who are ignorant of quantum computers to those who have won the technological race to acquire quantum computers. It's hard to see a bright side to that scenario.
>>
>> Is Quantum Recovery Good for Anyone?
>>
>> Does quantum recovery HELP anyone? I've yet to come across an argument that it's a net positive in any way. It certainly doesn't add any security to the network. If anything, it greatly decreases the security of the network by allowing funds to be claimed by those who did not earn them.
>>
>> But wait, you may be thinking, wouldn't quantum "miners" have earned their coins by all the work and resources invested in building a quantum computer? I suppose, in the same sense that a burglar earns their spoils by the resources they invest into surveilling targets and learning the skills needed to break into buildings. When I say "earned" I mean through productive mutual trade.
>>
>> For example:
>>
>> * Investors earn BTC by trading for other currencies.
>> * Merchants earn BTC by trading for goods and services.
>> * Miners earn BTC by trading thermodynamic security.
>> * Quantum miners don't trade anything, they are vampires feeding upon the system.
>>
>> There's no reason to believe that allowing quantum adversaries to recover vulnerable bitcoin will be of benefit to anyone other than the select few organizations that win the technological arms race to build the first such computers. Probably nation states and/or the top few largest tech companies.
>>
>> One could certainly hope that an organization with quantum supremacy is benevolent and acts in a "white hat" manner to return lost coins to their owners, but that's incredibly optimistic and foolish to rely upon. Such a situation creates an insurmountable ethical dilemma of only recovering lost bitcoin rather than currently owned bitcoin. There's no way to precisely differentiate between the two; anyone can claim to have lost their bitcoin but if they have lost their keys then proving they ever had the keys becomes rather difficult. I imagine that any such white hat recovery efforts would have to rely upon attestations from trusted third parties like exchanges.
>>
>> Even if the first actor with quantum supremacy is benevolent, we must assume the technology could fall into adversarial hands and thus think adversarially about the potential worst case outcomes. Imagine, for example, that North Korea continues scooping up billions of dollars from hacking crypto exchanges and decides to invest some of those proceeds into building a quantum computer for the biggest payday ever...
>>
>> Downsides to Allowing Quantum Recovery
>> Let's think through an exhaustive list of pros and cons for allowing or preventing the seizure of funds by a quantum adversary.
>>
>> Historical Precedent
>> Previous protocol vulnerabilities weren’t celebrated as "fair game" but rather were treated as failures to be remediated. Treating quantum theft differently risks rewriting Bitcoin’s history as a free-for-all rather than a system that seeks to protect its users.
>>
>> Violation of Property Rights
>> Allowing a quantum adversary to take control of funds undermines the fundamental principle of cryptocurrency - if you keep your keys in your possession, only you should be able to access your money. Bitcoin is built on the idea that private keys secure an individual’s assets, and unauthorized access (even via advanced tech) is theft, not a legitimate transfer.
>>
>> Erosion of Trust in Bitcoin
>> If quantum attackers can exploit vulnerable addresses, confidence in Bitcoin as a secure store of value would collapse. Users and investors rely on cryptographic integrity, and widespread theft could drive adoption away from Bitcoin, destabilizing its ecosystem.
>>
>> This is essentially the counterpoint to claiming the burning of vulnerable funds is a violation of property rights. While some will certainly see it as such, others will find the apathy toward stopping quantum theft to be similarly concerning.
>>
>> Unfair Advantage
>> Quantum attackers, likely equipped with rare and expensive technology, would have an unjust edge over regular users who lack access to such tools. This creates an inequitable system where only the technologically elite can exploit others, contradicting Bitcoin’s ethos of decentralized power.
>>
>> Bitcoin is designed to create an asymmetric advantage for DEFENDING one's wealth. It's supposed to be impractically expensive for attackers to crack the entropy and cryptography protecting one's coins. But now we find ourselves discussing a situation where this asymmetric advantage is compromised in favor of a specific class of attackers.
>>
>> Economic Disruption
>> Large-scale theft from vulnerable addresses could crash Bitcoin’s price as quantum recovered funds are dumped on exchanges. This would harm all holders, not just those directly targeted, leading to broader financial chaos in the markets.
>>
>> Moral Responsibility
>> Permitting theft via quantum computing sets a precedent that technological superiority justifies unethical behavior. This is essentially taking a "code is law" stance in which we refuse to admit that both code and laws can be modified to adapt to previously unforeseen situations.
>>
>> Burning of coins can certainly be considered a form of theft, thus I think it's worth differentiating the two different thefts being discussed:
>>
>> 1. self-enriching & likely malicious
>> 2. harm prevention & not necessarily malicious
>>
>> Both options lack the consent of the party whose coins are being burnt or transferred, thus I think the simple argument that theft is immoral becomes a wash and it's important to drill down into the details of each.
>>
>> Incentives Drive Security
>> I can tell you from a decade of working in Bitcoin security - the average user is lazy and is a procrastinator. If Bitcoiners are given a "drop dead date" after which they know vulnerable funds will be burned, this pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Allowing vulnerable users to delay upgrading indefinitely will result in more laggards, leaving the network more exposed when quantum tech becomes available.
>>
>> Steel Manning
>> Clearly this is a complex and controversial topic, thus it's worth thinking through the opposing arguments.
>>
>> Protecting Property Rights
>> Allowing quantum computers to take vulnerable bitcoin could potentially be spun as a hard money narrative - we care so greatly about not violating someone's access to their coins that we allow them to be stolen!
>>
>> But I think the flip side to the property rights narrative is that burning vulnerable coins prevents said property from falling into undeserving hands. If the entire Bitcoin ecosystem just stands around and allows quantum adversaries to claim funds that rightfully belong to other users, is that really a "win" in the "protecting property rights" category? It feels more like apathy to me.
>>
>> As such, I think the "protecting property rights" argument is a wash.
>>
>> Quantum Computers Won't Attack Bitcoin
>> There is a great deal of skepticism that sufficiently powerful quantum computers will ever exist, so we shouldn't bother preparing for a non-existent threat. Others have argued that even if such a computer was built, a quantum attacker would not go after bitcoin because they wouldn't want to reveal their hand by doing so, and would instead attack other infrastructure.
>>
>> It's quite difficult to quantify exactly how valuable attacking other infrastructure would be. It also really depends upon when an entity gains quantum supremacy and thus if by that time most of the world's systems have already been upgraded. While I think you could argue that certain entities gaining quantum capability might not attack Bitcoin, it would only delay the inevitable - eventually somebody will achieve the capability who decides to use it for such an attack.
>>
>> Quantum Attackers Would Only Steal Small Amounts
>> Some have argued that even if a quantum attacker targeted bitcoin, they'd only go after old, likely lost P2PK outputs so as to not arouse suspicion and cause a market panic.
>>
>> I'm not so sure about that; why go after 50 BTC at a time when you could take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero day exploit" game theory in which an attacker knows they have a limited amount of time before someone else discovers the exploit and either benefits from it or patches it. Take, for example, the recent ByBit attack - the highest value crypto hack of all time. Lazarus Group had compromised the Safe wallet front end JavaScript app and they could have simply had it reassign ownership of everyone's Safe wallets as they were interacting with their wallet. But instead they chose to only specifically target ByBit's wallet with $1.5 billion in it because they wanted to maximize their extractable value. If Lazarus had started stealing from every wallet, they would have been discovered quickly and the Safe web app would likely have been patched well before any billion dollar wallets executed the malicious code.
>>
>> I think the "only stealing small amounts" argument is strongest for Situation #2 described earlier, where a quantum attacker arrives before quantum safe cryptography has been deployed across the Bitcoin ecosystem. Because if it became clear that Bitcoin's cryptography was broken AND there was nowhere safe for vulnerable users to migrate, the only logical option would be for everyone to liquidate their bitcoin as quickly as possible. As such, I don't think it applies as strongly for situations in which we have a migration path available.
>>
>> The 21 Million Coin Supply Should be in Circulation
>> Some folks are arguing that it's important for the "circulating / spendable" supply to be as close to 21M as possible and that having a significant portion of the supply out of circulation is somehow undesirable.
>>
>> While the "21M BTC" attribute is a strong memetic narrative, I don't think anyone has ever expected that it would all be in circulation. It has always been understood that many coins will be lost, and that's actually part of the game theory of owning bitcoin!
>>
>> And remember, the 21M number in and of itself is not a particularly important detail - it's not even mentioned in the whitepaper. What's important is that the supply is well known and not subject to change.
>>
>> Self-Sovereignty and Personal Responsibility
>> Bitcoin’s design empowers individuals to control their own wealth, free from centralized intervention. This freedom comes with the burden of securing one's private keys. If quantum computing can break obsolete cryptography, the fault lies with users who didn't move their funds to quantum safe locking scripts. Expecting the network to shield users from their own negligence undermines the principle that you, and not a third party, are accountable for your assets.
>>
>> I think this is generally a fair point that "the community" doesn't owe you anything in terms of helping you. I think that we do, however, need to consider the incentives and game theory in play with regard to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.
>>
>> Code is Law
>> Bitcoin operates on transparent, immutable rules embedded in its protocol. If a quantum attacker uses superior technology to derive private keys from public keys, they’re not "hacking" the system - they're simply following what's mathematically permissible within the current code. Altering the protocol to stop this introduces subjective human intervention, which clashes with the objective, deterministic nature of blockchain.
>>
>> While I tend to agree that code is law, one of the entire points of laws is that they can be amended to improve their efficacy in reducing harm. Leaning on this point seems more like a pro-ossification stance that it's better to do nothing and allow harm to occur rather than take action to stop an attack that was foreseen far in advance.
>>
>> Technological Evolution as a Feature, Not a Bug
>> It's well known that cryptography tends to weaken over time and eventually break. Quantum computing is just the next step in this progression. Users who fail to adapt (e.g., by adopting quantum-resistant wallets when available) are akin to those who ignored technological advancements like multisig or hardware wallets. Allowing quantum theft incentivizes innovation and keeps Bitcoin’s ecosystem dynamic, punishing complacency while rewarding vigilance.
>>
>> Market Signals Drive Security
>> If quantum attackers start stealing funds, it sends a clear signal to the market: upgrade your security or lose everything. This pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Coddling vulnerable users delays this necessary evolution, potentially leaving the network more exposed when quantum tech becomes widely accessible. Theft is a brutal but effective teacher.
>>
>> Centralized Blacklisting Power
>> Burning vulnerable funds requires centralized decision-making - a soft fork to invalidate certain transactions. This sets a dangerous precedent for future interventions, eroding Bitcoin’s decentralization. If quantum theft is blocked, what’s next - reversing exchange hacks? The system must remain neutral, even if it means some lose out.
>>
>> I think this could be a potential slippery slope if the proposal was to only burn specific addresses. Rather, I'd expect a neutral proposal to burn all funds in locking script types that are known to be quantum vulnerable. Thus, we could eliminate any subjectivity from the code.
>>
>> Fairness in Competition
>> Quantum attackers aren't cheating; they're using publicly available physics and math. Anyone with the resources and foresight can build or access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU. Early adopters took risks and reaped rewards; quantum innovators are doing the same. Calling it “unfair” ignores that Bitcoin has never promised equality of outcome - only equality of opportunity within its rules.
>>
>> I find this argument to be a mischaracterization because we're not talking about CPUs. This is more akin to talking about ASICs, except each ASIC costs millions if not billions of dollars. This is out of reach from all but the wealthiest organizations.
>>
>> Economic Resilience
>> Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and emerged stronger. The market can absorb quantum losses, with unaffected users continuing to hold and new entrants buying in at lower prices. Fear of economic collapse overestimates the impact - the network’s antifragility thrives on such challenges.
>>
>> This is a big grey area because we don't know when a quantum computer will come online and we don't know how quickly said computers would be able to steal bitcoin. If, for example, the first generation of sufficiently powerful quantum computers were stealing less volume than the current block reward then of course it will have minimal economic impact. But if they're taking thousands of BTC per day and bringing them back into circulation, there will likely be a noticeable market impact as it absorbs the new supply.
>>
>> This is where the circumstances will really matter. If a quantum attacker appears AFTER the Bitcoin protocol has been upgraded to support quantum resistant cryptography then we should expect the most valuable active wallets will have upgraded and the juiciest target would be the 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant since 2010. In general I'd expect that the amount of BTC re-entering the circulating supply would look somewhat similar to the mining emission curve: volume would start off very high as the most valuable addresses are drained and then it would fall off as quantum computers went down the list targeting addresses with less and less BTC.
>>
>> Why is economic impact a factor worth considering? Miners and businesses in general. More coins being liquidated will push down the price, which will negatively impact miner revenue. Similarly, I can attest from working in the industry for a decade, that lower prices result in less demand from businesses across the entire industry. As such, burning quantum vulnerable bitcoin is good for the entire industry.
>>
>> Practicality & Neutrality of Non-Intervention
>> There’s no reliable way to distinguish “theft” from legitimate "white hat" key recovery. If someone loses their private key and a quantum computer recovers it, is that stealing or reclaiming? Policing quantum actions requires invasive assumptions about intent, which Bitcoin’s trustless design can’t accommodate. Letting the chips fall where they may avoids this mess.
>>
>> Philosophical Purity
>> Bitcoin rejects bailouts. It’s a cold, hard system where outcomes reflect preparation and skill, not sentimentality. If quantum computing upends the game, that’s the point - Bitcoin isn’t meant to be safe or fair in a nanny-state sense; it’s meant to be free. Users who lose funds to quantum attacks are casualties of liberty and their own ignorance, not victims of injustice.
>> >> Bitcoin's DAO Moment >> This situation has some similarities to The DAO hack of an Ethereum smar= t=20 >> contract in 2016, which resulted in a fork to stop the attacker and retu= rn=20 >> funds to their original owners. The game theory is similar because it's = a=20 >> situation where a threat is known but there's some period of time before= =20 >> the attacker can actually execute the theft. As such, there's time to=20 >> mitigate the attack by changing the protocol. >> >> It also created a schism in the community around the true meaning of=20 >> "code is law," resulting in Ethereum Classic, which decided to allow the= =20 >> attacker to retain control of the stolen funds. >> >> A soft fork to burn vulnerable bitcoin could certainly result in a hard= =20 >> fork if there are enough miners who reject the soft fork and continue=20 >> including transactions. >> >> Incentives Matter >> We can wax philosophical until the cows come home, but what are the=20 >> actual incentives for existing Bitcoin holders regarding this decision? >> >> "Lost coins only make everyone else's coins worth slightly more. Think o= f=20 >>> it as a donation to everyone." - Satoshi Nakamoto >> >> >> If true, the corollary is: >> >> "Quantum recovered coins only make everyone else's coins worth less.=20 >>> Think of it as a theft from everyone." - Jameson Lopp >> >> >> Thus, assuming we get to a point where quantum resistant signatures are= =20 >> supported within the Bitcoin protocol, what's the incentive to let=20 >> vulnerable coins remain spendable? >> >> * It's not good for the actual owners of those coins. It disincentivizes= =20 >> owners from upgrading until perhaps it's too late. >> * It's not good for the more attentive / responsible owners of coins who= =20 >> have quantum secured their stash. Allowing the circulating supply to=20 >> balloon will assuredly reduce the purchasing power of all bitcoin holder= s. 
>> >> Forking Game Theory >> From a game theory point of view, I see this as incentivizing users to= =20 >> upgrade their wallets. If you disagree with the burning of vulnerable=20 >> coins, all you have to do is move your funds to a quantum safe signature= =20 >> scheme. Point being, I don't see there being an economic majority (or ev= en=20 >> more than a tiny minority) of users who would fight such a soft fork. Wh= y=20 >> expend significant resources fighting a fork when you can just move your= =20 >> coins to a new address? >> >> Remember that blocking spending of certain classes of locking scripts is= =20 >> a tightening of the rules - a soft fork. As such, it can be meaningfully= =20 >> enacted and enforced by a mere majority of hashpower. If miners generall= y=20 >> agree that it's in their best interest to burn vulnerable coins, are oth= er=20 >> users going to care enough to put in the effort to run new node software= =20 >> that resists the soft fork? Seems unlikely to me. >> >> How to Execute Burning >> In order to be as objective as possible, the goal would be to announce t= o=20 >> the world that after a specific block height / timestamp, Bitcoin nodes= =20 >> will no longer accept transactions (or blocks containing such transactio= ns)=20 >> that spend funds from any scripts other than the newly instituted quantu= m=20 >> safe schemes. >> >> It could take a staggered approach to first freeze funds that are=20 >> susceptible to long-range attacks such as those in P2PK scripts or those= =20 >> that exposed their public keys due to previously re-using addresses, but= I=20 >> expect the additional complexity would drive further controversy. >> >> How long should the grace period be in order to give the ecosystem time= =20 >> to upgrade? 
I'd say a minimum of 1 year for software wallets to upgrade.= We=20 >> can only hope that hardware wallet manufacturers are able to implement p= ost=20 >> quantum cryptography on their existing hardware with only a firmware upd= ate. >> >> Beyond that, it will take at least 6 months worth of block space for all= =20 >> users to migrate their funds, even in a best case scenario. Though if yo= u=20 >> exclude dust UTXOs you could probably get 95% of BTC value migrated in 1= =20 >> month. Of course this is a highly optimistic situation where everyone is= =20 >> completely focused on migrations - in reality it will take far longer. >> >> Regardless, I'd think that in order to reasonably uphold Bitcoin's=20 >> conservatism it would be preferable to allow a 4 year migration window. = In=20 >> the meantime, mining pools could coordinate emergency soft forking logic= =20 >> such that if quantum attackers materialized, they could accelerate the= =20 >> countdown to the quantum vulnerable funds burn. >> >> Random Tangential Benefits >> On the plus side, burning all quantum vulnerable bitcoin would allow us= =20 >> to prune all of those UTXOs out of the UTXO set, which would also clean = up=20 >> a lot of dust. Dust UTXOs are a bit of an annoyance and there has even b= een=20 >> a recent proposal for how to incentivize cleaning them up. >> >> We should also expect that incentivizing migration of the entire UTXO se= t=20 >> will create substantial demand for block space that will sustain a fee= =20 >> market for a fairly lengthy amount of time. >> >> In Summary >> While the moral quandary of violating any of Bitcoin's inviolable=20 >> properties can make this a very complex issue to discuss, the game theor= y=20 >> and incentives between burning vulnerable coins versus allowing them to = be=20 >> claimed by entities with quantum supremacy appears to be a much simpler= =20 >> issue. 
>>
>> I, for one, am not interested in rewarding quantum capable entities by inflating the circulating money supply just because some people lost their keys long ago and some laggards are not upgrading their bitcoin wallet's security.
>>
>> We can hope that this scenario never comes to pass, but hope is not a strategy.
>>
>> I welcome your feedback upon any of the above points, and contribution of any arguments I failed to consider.
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
>> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com.

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/dbe7018c-149f-4ead-be39-fa368eca06f0n%40googlegroups.com.

I'm late, but want to share thoughts. I gathered from this thread the way more pertinent and prerequisite idea is to formulate some idea for pqc safe schemes, before the idea of burning/freezing/other becomes actionable.
Originally I thought Matt's idea of a secure leaf that could be enabled to be the only spend path seemed clever, but after thinking about it more, I think it would be better to cleanly have a new address / taproot version.

1. We get public data to know how many coins are using the post-quantum secured scheme. Allow better informed decisions on adoptions, planning, and understanding sentiment on the perceived threat.
2. Would have clean separation for users to know whether or not their address is PQC secured.
3. For people not worried about it, they wouldn't feel arm-bar'd into having longer descriptors and an unnecessary leaf.
4. *Unsure here*, but possible that library and wallet developers could treat this with cleaner separation of UX, UI and not worry about (legacy-tr) vs (pqc-tr) descriptions and script code. (To help users differentiate)
5. We wouldn't need to worry about some roll out period or flag day where the leaves become necessary or an enabled spend path.

Given that pqc transactions will likely require additional space and computational resources, we should be cautious about heavily incentivizing uncertain approaches (i.e. it may be advantageous to decide on something before having certainty about the optimal approach). Significant fee discounts may be needed once there's high confidence on the approach/method. However, enhanced security itself inherently serves as part of the explicit incentive, and maybe should be part of the incentive calculation.

On Monday, April 7, 2025 at 6:34:54 AM UTC-4 Nadav Ivgi wrote:
One possible alternative to freezing/burning the coins entirely is letting quantum attackers keep some small percent as a reward, but force them to stage the rest to future miners as an additional security budget subsidy.

This can be implemented as a soft fork, by requiring transactions spending QC-vulnerable coins to allocate some funds to an OP_CLTV[0]-only encumbered output timelocked far into the future. Miners would then monitor these outputs and claim them as they become available.

For example, allow a 1% reward to be spent freely to any address but require 99% to be sent to an OP_CLTV output timelocked to a deterministically random height between 10-100 years from now.

The 1% reward could also be required to be sent to a script that enforces a timelock (in addition to other conditions), to avoid flooding the markets with the rewarded coins all at once. Probably a shorter timelock duration though, say picked randomly between 10-30 months.

To further smooth out variance in the release schedule, coins could be split into up-to-N-BTC outputs, each staggered with a different deterministic timelock. So for example, a single tx spending 10,000 BTC won't release 9,900 BTC to the miners in a single far-future block (which may cause chain instability if the miners get into a reorg war over it), but rather as 9,900 separate outputs of 1 BTC each released gradually over time.[1]

I'm still not sure what I think about this. This is not necessarily an endorsement, just a thought. :)

- shesek

[0] OP_CSV only supports relative timelocks of up to 65535 blocks (~15 months), which is too short for that purpose. OP_CLTV supports longer (absolute) timelocks.

[1] This can be made more efficient with CTV, by having a single UTXO carrying the full amount that slowly unrolls rather than 9,900 separate UTXO entries.
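The staged-release rule sketched in the message above, modelled as an added example (not code from the message, from Bitcoin Core or from any BIP): the 1% / 99% split and the 10-30 month and 10-100 year lock ranges are the ones given there; the 1 BTC chunk size, the block-time constants, and deriving the "deterministically random" heights from the outpoints being spent are assumptions of this example. The node-side check recomputes the schedule and rejects a spend whose outputs deviate from it.

```python
"""Model of the staged-release rule for spends of QC-vulnerable coins.

Added example; not code from the message above, Bitcoin Core or any BIP.
From the message: 1% freely spendable (behind a 10-30 month lock), 99% to
OP_CLTV outputs locked 10-100 years out, split into up-to-N-BTC chunks.
Assumptions made here: N = 1 BTC, the block-time constants, and deriving
the "deterministically random" heights from the outpoints being spent.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

SATS = 100_000_000
BLOCKS_PER_MONTH = 4_320           # ~144 blocks/day * 30 (assumption)
BLOCKS_PER_YEAR = 52_560           # ~144 blocks/day * 365 (assumption)
REWARD_BPS = 100                   # 1% the spender may keep
CHUNK_SATS = 1 * SATS              # "up-to-N-BTC outputs", N = 1 (assumption)
REWARD_LOCK = (10 * BLOCKS_PER_MONTH, 30 * BLOCKS_PER_MONTH)
STAGED_LOCK = (10 * BLOCKS_PER_YEAR, 100 * BLOCKS_PER_YEAR)


@dataclass(frozen=True)
class Output:
    value_sats: int
    lock_height: int   # absolute height an OP_CLTV script would enforce
    role: str          # "reward" or "staged"


def spend_seed(outpoints: List[Tuple[str, int]]) -> bytes:
    """Seed the schedule from the outpoints being spent (assumption).

    Every validating node sees the same outpoints, so all derive the same
    schedule, and the spender cannot grind for a friendlier one without
    spending different coins.
    """
    h = hashlib.sha256()
    for txid, vout in sorted(outpoints):
        h.update(bytes.fromhex(txid) + vout.to_bytes(4, "little"))
    return h.digest()


def det_height(seed: bytes, index: int, spend_height: int,
               lock: Tuple[int, int]) -> int:
    """Map (seed, output index) to an absolute height in spend_height + [lo, hi]."""
    lo, hi = lock
    digest = hashlib.sha256(seed + index.to_bytes(4, "big")).digest()
    return spend_height + lo + int.from_bytes(digest[:8], "big") % (hi - lo + 1)


def reward_budget(vulnerable_sats: int) -> int:
    """The 1% the spender keeps; any fee has to come out of this too."""
    return vulnerable_sats * REWARD_BPS // 10_000


def staged_schedule(vulnerable_sats: int, seed: bytes,
                    spend_height: int) -> List[Output]:
    """The 99% part as chunks of at most CHUNK_SATS, each with its own lock.

    Index 0 is reserved for the reward output's lock, so chunks start at 1.
    """
    remaining = vulnerable_sats - reward_budget(vulnerable_sats)
    outs, idx = [], 1
    while remaining > 0:
        value = min(CHUNK_SATS, remaining)
        outs.append(Output(value, det_height(seed, idx, spend_height, STAGED_LOCK), "staged"))
        remaining -= value
        idx += 1
    return outs


def check_spend(vulnerable_sats: int, seed: bytes, spend_height: int,
                outputs: List[Output]) -> Tuple[bool, str]:
    """Node-side rule: recompute the schedule and compare it with the tx outputs."""
    expected = Counter((o.value_sats, o.lock_height)
                       for o in staged_schedule(vulnerable_sats, seed, spend_height))
    staged = Counter((o.value_sats, o.lock_height) for o in outputs if o.role == "staged")
    if staged != expected:
        return False, "staged outputs do not match the deterministic schedule"
    reward_lock = det_height(seed, 0, spend_height, REWARD_LOCK)
    rewards = [o for o in outputs if o.role == "reward"]
    if sum(o.value_sats for o in rewards) > reward_budget(vulnerable_sats):
        return False, "more than 1% of the vulnerable value kept"
    if any(o.lock_height != reward_lock for o in rewards):
        return False, "reward output must carry the deterministic short lock"
    if len(rewards) + sum(staged.values()) != len(outputs):
        return False, "unexpected output role"
    return True, "ok"


if __name__ == "__main__":
    # Constructed example: one 10,000 BTC vulnerable input spent at height 900000.
    seed = spend_seed([("ab" * 32, 0)])
    sched = staged_schedule(10_000 * SATS, seed, 900_000)
    reward = Output(reward_budget(10_000 * SATS) - 10_000,   # 10k sats left as fee
                    det_height(seed, 0, 900_000, REWARD_LOCK), "reward")
    print(len(sched), "staged outputs;",
          check_spend(10_000 * SATS, seed, 900_000, sched + [reward]))
```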


On Sun, Mar 16, 2025 at 5:22 PM Jameson Lopp <jameso...@gmail.com> wrote:
The quantum computing debate is heating up. There are many controversial aspects to this debate, including whether or not quantum computers will ever actually become a practical threat.

I won't tread into the unanswerable question of how worried we should be about quantum computers. I think it's far from a crisis, but given the difficulty in changing Bitcoin it's worth starting to seriously discuss. Today I wish to focus on a philosophical quandary related to one of the decisions that would need to be made if and when we implement a quantum safe signature scheme.

Several Scenarios
Because this essay will reference game theory a fair amount, and there are many variables at play that could change the nature of the game, I think it's important to clarify the possible scenarios up front.

1. Quantum computing never materializes, never becomes a threat, and thus everything discussed in this essay is moot.
2. A quantum computing threat materializes suddenly and Bitcoin does not have quantum safe signatures as part of the protocol. In this scenario it would likely make the points below moot because Bitcoin would be fundamentally broken and it would take far too long to upgrade the protocol, wallet software, and migrate user funds in order to restore confidence in the network.
3. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been minimally adopted by the time an attacker appears.
4. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been highly adopted by the time an attacker appears.
For the purposes of this post, I'm envisioning being in situation 3 or 4.

To Freeze or not to Freeze?
I've started seeing more people weighing in on what is likely the most contentious aspect of how a quantum resistance upgrade should be handled in terms of migrating user funds. Should quantum vulnerable funds be left open to be swept by anyone with a sufficiently powerful quantum computer OR should they be permanently locked?

"I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation."
- Hunter Beast

On the other hand:

"Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone; even those which diligently moved their coins to PQC-protected schemes."
- Pieter Wuille

I don't think "confiscation" is the most precise term to use, as the funds are not being seized and reassigned. Rather, what we're really discussing would be better described as "burning" - placing the funds out of reach of everyone.

Not freezing user funds is one of Bitcoin's inviolable properties. However, if quantum computing becomes a threat to Bitcoin's elliptic curve cryptography, an inviolable property of Bitcoin will be violated one way or another.

Fundamental Properties at Risk
5 years ago I attempted to comprehensively categorize all of Bitcoin's fundamental properties that give it value. https://nakamoto.com/what-are-the-key-properties-of-bitcoin/
The particular properties in play with regard to this issue seem to be:
Censorship Resistance - No one should have the power to prevent others from using their bitcoin or interacting with the network.

Forward Compatibility - changing the rules such that certain valid transactions become invalid could undermine confidence in the protocol.
Conservatism - Users should not be expected to be highly responsive to system issues.

As a result of the above principles, we have developed a strong meme (kudos to Andreas Antonopoulos) that goes as follows:
Not your keys, not your coins.

I posit that the corollary to this principle is:

Your keys, only your coins.

A quantum capable entity breaks the corollary of this foundational principle. We secure our bitcoin with the mathematical probabilities related to extremely large random numbers. Your funds are only secure because truly random large numbers should not be guessable or discoverable by anyone else in the world.

This is the principle behind the motto vires in numeris - strength in numbers. In a world with quantum enabled adversaries, this principle is null and void for many types of cryptography, including the elliptic curve digital signatures used in Bitcoin.

Who is at Risk?
There has long been a narrative that Satoshi's coins and others from the Satoshi era of P2PK locking scripts that exposed the public key directly on the blockchain will be those that get scooped up by a quantum "miner." But unfortunately it's not that simple. If I had a powerful quantum computer, which coins would I target? I'd go to the Bitcoin rich list and find the wallets that have exposed their public keys due to re-using addresses that have previously been spent from. You can easily find them at https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html

Note that a few of these wallets, like Bitfinex / Kraken / Tether, would be slightly harder to crack because they are multisig wallets. So a quantum attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfinex / Tether in order to spend funds. But many are single signature.

Point being, it's not only the really old lost BTC that are at risk to a quantum enabled adversary, at least at time of writing. If we add a quantum safe signature scheme, we should expect those wallets to be some of the first to upgrade given their incentives.

The Ethical Dilemma: Quantifying Harm
Which decision results in the most harm?

By making quantum vulnerable funds unspendable we potentially harm some Bitcoin users who were not paying attention and neglected to migrate their funds to a quantum safe locking script. This violates the "conservatism" principle stated earlier. On the flip side, we prevent those funds plus far more lost funds from falling into the hands of the few privileged folks who gain early access to quantum computers.
By leaving quantum vulnerable funds available to spend, the same set of users who would otherwise have funds frozen are likely to see them stolen. And many early adopters who lost their keys will eventually see their unreachable funds scooped up by a quantum enabled adversary.

Imagine, for example, being James Howells, who accidentally threw away a hard drive with 8,000 BTC on it, currently worth over $600M USD. He has spent a decade trying to retrieve it from the landfill where he knows it's buried, but can't get permission to excavate. I suspect that, given the choice, he'd prefer those funds be permanently frozen rather than fall into someone else's possession - I know I would.

Allowing a quantum computer to access lost funds doesn't make those users any worse off than they were before, however it would have a negative impact upon everyone who is currently holding bitcoin.

It's prudent to expect significant economic disruption if large amounts of coins fall into new hands. Since a quantum computer is going to have a massive up front cost, expect those behind it to desire to recoup their investment. We also know from experience that when someone suddenly finds themselves in possession of 9+ figures worth of highly liquid assets, they tend to diversify into other things by selling.

Allowing quantum recovery of bitcoin is tantamount to wealth redistribution. What we'd be allowing is for bitcoin to be redistributed from those who are ignorant of quantum computers to those who have won the technological race to acquire quantum computers. It's hard to see a bright side to that scenario.

Is Quantum Recovery Good for Anyone?

Does quantum recovery HELP anyone? I've yet to come across an argument that it's a net positive in any way. It certainly doesn't add any security to the network. If anything, it greatly decreases the security of the network by allowing funds to be claimed by those who did not earn them.

But wait, you may be thinking, wouldn't quantum "miners" have earned their coins by all the work and resources invested in building a quantum computer? I suppose, in the same sense that a burglar earns their spoils by the resources they invest into surveilling targets and learning the skills needed to break into buildings. When I say "earned" I mean through productive mutual trade.

For example:

* Investors earn BTC by trading for other currencies.
* Merchants earn BTC by trading for goods and services.
* Miners earn BTC by trading thermodynamic security.
* Quantum miners don't trade anything, they are vampires feeding upon the system.

There's no reason to believe that allowing quantum adversaries to recover vulnerable bitcoin will be of benefit to anyone other than the select few organizations that win the technological arms race to build the first such computers. Probably nation states and/or the top few largest tech companies.

One could certainly hope that an organization with quantum supremacy is benevolent and acts in a "white hat" manner to return lost coins to their owners, but that's incredibly optimistic and foolish to rely upon. Such a situation creates an insurmountable ethical dilemma of only recovering lost bitcoin rather than currently owned bitcoin. There's no way to precisely differentiate between the two; anyone can claim to have lost their bitcoin but if they have lost their keys then proving they ever had the keys becomes rather difficult. I imagine that any such white hat recovery efforts would have to rely upon attestations from trusted third parties like exchanges.

Even if the first actor with quantum supremacy is benevolent, we must assume the technology could fall into adversarial hands and thus think adversarially about the potential worst case outcomes. Imagine, for example, that North Korea continues scooping up billions of dollars from hacking crypto exchanges and decides to invest some of those proceeds into building a quantum computer for the biggest payday ever...
Downsides to Allowing Quantum Recovery
Let's think through an exhaustive list of pros and cons for allowing or preventing the seizure of funds by a quantum adversary.

Historical Precedent
Previous protocol vulnerabilities weren't celebrated as "fair game" but rather were treated as failures to be remediated. Treating quantum theft differently risks rewriting Bitcoin's history as a free-for-all rather than a system that seeks to protect its users.

Violation of Property Rights
Allowing a quantum adversary to take control of funds undermines the fundamental principle of cryptocurrency - if you keep your keys in your possession, only you should be able to access your money. Bitcoin is built on the idea that private keys secure an individual's assets, and unauthorized access (even via advanced tech) is theft, not a legitimate transfer.

Erosion of Trust in Bitcoin
If quantum attackers can exploit vulnerable addresses, confidence in Bitcoin as a secure store of value would collapse. Users and investors rely on cryptographic integrity, and widespread theft could drive adoption away from Bitcoin, destabilizing its ecosystem.

This is essentially the counterpoint to claiming the burning of vulnerable funds is a violation of property rights. While some will certainly see it as such, others will find the apathy toward stopping quantum theft to be similarly concerning.

Unfair Advantage
Quantum attackers, likely equipped with rare and expensive technology, would have an unjust edge over regular users who lack access to such tools. This creates an inequitable system where only the technologically elite can exploit others, contradicting Bitcoin's ethos of decentralized power.

Bitcoin is designed to create an asymmetric advantage for DEFENDING one's wealth. It's supposed to be impractically expensive for attackers to crack the entropy and cryptography protecting one's coins. But now we find ourselves discussing a situation where this asymmetric advantage is compromised in favor of a specific class of attackers.

Economic Disruption
Large-scale theft from vulnerable addresses could crash Bitcoin's price as quantum recovered funds are dumped on exchanges. This would harm all holders, not just those directly targeted, leading to broader financial chaos in the markets.

Moral Responsibility
Permitting theft via quantum computing sets a precedent that technological superiority justifies unethical behavior. This is essentially taking a "code is law" stance in which we refuse to admit that both code and laws can be modified to adapt to previously unforeseen situations.

Burning of coins can certainly be considered a form of theft, thus I think it's worth differentiating the two different thefts being discussed:

1. self-enriching & likely malicious
2. harm prevention & not necessarily malicious

Both options lack the consent of the party whose coins are being burnt or transferred, thus I think the simple argument that theft is immoral becomes a wash and it's important to drill down into the details of each.

Incentives Drive Security
I can tell you from a decade of working in Bitcoin security - the average user is lazy and is a procrastinator. If Bitcoiners are given a "drop dead date" after which they know vulnerable funds will be burned, this pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Allowing vulnerable users to delay upgrading indefinitely will result in more laggards, leaving the network more exposed when quantum tech becomes available.

Steel Manning
Clearly this is a complex and controversial topic, thus it's worth thinking through the opposing arguments.

Protecting Property Rights
Allowing quantum computers to take vulnerable bitcoin could potentially be spun as a hard money narrative - we care so greatly about not violating someone's access to their coins that we allow them to be stolen!

But I think the flip side to the property rights narrative is that burning vulnerable coins prevents said property from falling into undeserving hands. If the entire Bitcoin ecosystem just stands around and allows quantum adversaries to claim funds that rightfully belong to other users, is that really a "win" in the "protecting property rights" category? It feels more like apathy to me.

As such, I think the "protecting property rights" argument is a wash.

Quantum Computers Won't Attack Bitcoin
There is a great deal of skepticism that sufficiently powerful quantum computers will ever exist, so we shouldn't bother preparing for a non-existent threat. Others have argued that even if such a computer was built, a quantum attacker would not go after bitcoin because they wouldn't want to reveal their hand by doing so, and would instead attack other infrastructure.

It's quite difficult to quantify exactly how valuable attacking other infrastructure would be. It also really depends upon when an entity gains quantum supremacy and thus if by that time most of the world's systems have already been upgraded. While I think you could argue that certain entities gaining quantum capability might not attack Bitcoin, it would only delay the inevitable - eventually somebody will achieve the capability who decides to use it for such an attack.

Quantum Attackers Would Only Steal Small Amounts
Some have argued that even if a quantum attacker targeted bitcoin, they'd only go after old, likely lost P2PK outputs so as to not arouse suspicion and cause a market panic.

I'm not so sure about that; why go after 50 BTC at a time when you could take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero day exploit" game theory in which an attacker knows they have a limited amount of time before someone else discovers the exploit and either benefits from it or patches it. Take, for example, the recent ByBit attack - the highest value crypto hack of all time. Lazarus Group had compromised the Safe wallet front end JavaScript app and they could have simply had it reassign ownership of everyone's Safe wallets as they were interacting with their wallet. But instead they chose to only specifically target ByBit's wallet with $1.5 billion in it because they wanted to maximize their extractable value. If Lazarus had started stealing from every wallet, they would have been discovered quickly and the Safe web app would likely have been patched well before any billion dollar wallets executed the malicious code.

I think the "only stealing small amounts" argument is strongest for Situation #2 described earlier, where a quantum attacker arrives before quantum safe cryptography has been deployed across the Bitcoin ecosystem. Because if it became clear that Bitcoin's cryptography was broken AND there was nowhere safe for vulnerable users to migrate, the only logical option would be for everyone to liquidate their bitcoin as quickly as possible. As such, I don't think it applies as strongly for situations in which we have a migration path available.

The 21 Million Coin Supply Should be in Circulation
Some folks are arguing that it's important for the "circulating / spendable" supply to be as close to 21M as possible and that having a significant portion of the supply out of circulation is somehow undesirable.

While the "21M BTC" attribute is a strong memetic narrative, I don't think anyone has ever expected that it would all be in circulation. It has always been understood that many coins will be lost, and that's actually part of the game theory of owning bitcoin!

And remember, the 21M number in and of itself is not a particularly important detail - it's not even mentioned in the whitepaper. What's important is that the supply is well known and not subject to change.

Self-Sovereignty and Personal Responsibility
Bitcoin's design empowers individuals to control their own wealth, free from centralized intervention. This freedom comes with the burden of securing one's private keys. If quantum computing can break obsolete cryptography, the fault lies with users who didn't move their funds to quantum safe locking scripts. Expecting the network to shield users from their own negligence undermines the principle that you, and not a third party, are accountable for your assets.

I think this is generally a fair point that "the community" doesn't owe you anything in terms of helping you. I think that we do, however, need to consider the incentives and game theory in play with regard to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.

Code is Law
Bitcoin operates on transparent, immutable rules embedded in its protocol. If a quantum attacker uses superior technology to derive private keys from public keys, they're not "hacking" the system - they're simply following what's mathematically permissible within the current code. Altering the protocol to stop this introduces subjective human intervention, which clashes with the objective, deterministic nature of blockchain.

While I tend to agree that code is law, one of the entire poi= nts of laws is that they can be amended to improve their efficacy in reduci= ng harm. Leaning on this point seems more like a pro-ossification stance th= at it's better to do nothing and allow harm to occur rather than take a= ction to stop an attack that was foreseen far in advance.

Technological Evolution as a Feature, Not a Bug
It's w= ell known that cryptography tends to weaken over time and eventually break.= Quantum computing is just the next step in this progression. Users who fai= l to adapt (e.g., by adopting quantum-resistant wallets when available) are= akin to those who ignored technological advancements like multisig or hard= ware wallets. Allowing quantum theft incentivizes innovation and keeps Bitc= oin=E2=80=99s ecosystem dynamic, punishing complacency while rewarding vigi= lance.

Market Signals Drive Security
If q= uantum attackers start stealing funds, it sends a clear signal to the marke= t: upgrade your security or lose everything. This pressure accelerates the = adoption of post-quantum cryptography and strengthens Bitcoin long-term. Co= ddling vulnerable users delays this necessary evolution, potentially leavin= g the network more exposed when quantum tech becomes widely accessible. The= ft is a brutal but effective teacher.

Centralized B= lacklisting Power
Burning vulnerable funds requires centralized d= ecision-making - a soft fork to invalidate certain transactions. This sets = a dangerous precedent for future interventions, eroding Bitcoin=E2=80=99s d= ecentralization. If quantum theft is blocked, what=E2=80=99s next - reversi= ng exchange hacks? The system must remain neutral, even if it means some lo= se out.

I think this could be a potential slippery slope if the prop= osal was to only burn specific addresses. Rather, I'd expect a neutral = proposal to burn all funds in locking script types that are known to be qua= ntum vulnerable. Thus, we could eliminate any subjectivity from the code.
Fairness in Competition
Quantum attackers = aren't cheating; they're using publicly available physics and math.= Anyone with the resources and foresight can build or access quantum tech, = just as anyone could mine Bitcoin in 2009 with a CPU. Early adopters took r= isks and reaped rewards; quantum innovators are doing the same. Calling it = =E2=80=9Cunfair=E2=80=9D ignores that Bitcoin has never promised equality o= f outcome - only equality of opportunity within its rules.

I find th= is argument to be a mischaracterization because we're not talking about= CPUs. This is more akin to talking about ASICs, except each ASIC costs mil= lions if not billions of dollars. This is out of reach from all but the wea= lthiest organizations.

Economic ResilienceBitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and emerg= ed stronger. The market can absorb quantum losses, with unaffected users co= ntinuing to hold and new entrants buying in at lower prices. Fear of econom= ic collapse overestimates the impact - the network=E2=80=99s antifragility = thrives on such challenges.

This is a big grey area because we don&#= 39;t know when a quantum computer will come online and we don't know ho= w quickly said computers would be able to steal bitcoin. If, for example, t= he first generation of sufficiently powerful quantum computers were stealin= g less volume than the current block reward then of course it will have min= imal economic impact. But if they're taking thousands of BTC per day an= d bringing them back into circulation, there will likely be a noticeable ma= rket impact as it absorbs the new supply.

This is where the circumst= ances will really matter. If a quantum attacker appears AFTER the Bitcoin p= rotocol has been upgraded to support quantum resistant cryptography then we= should expect the most valuable active wallets will have upgraded and the = juiciest target would be the 31,000 BTC in the address 12ib7dApVFvg82TXKycW= BNpN8kFyiAN1dr which has been dormant since 2010. In general I'd expect= that the amount of BTC re-entering the circulating supply would look somew= hat similar to the mining emission curve: volume would start off very high = as the most valuable addresses are drained and then it would fall off as qu= antum computers went down the list targeting addresses with less and less B= TC.

Why is economic impact a factor worth considering? Miners and bu= sinesses in general. More coins being liquidated will push down the price, = which will negatively impact miner revenue. Similarly, I can attest from wo= rking in the industry for a decade, that lower prices result in less demand= from businesses across the entire industry. As such, burning quantum vulne= rable bitcoin is good for the entire industry.

Prac= ticality & Neutrality of Non-Intervention
There=E2=80=99s no = reliable way to distinguish =E2=80=9Ctheft=E2=80=9D from legitimate "w= hite hat" key recovery. If someone loses their private key and a quant= um computer recovers it, is that stealing or reclaiming? Policing quantum a= ctions requires invasive assumptions about intent, which Bitcoin=E2=80=99s = trustless design can=E2=80=99t accommodate. Letting the chips fall where th= ey may avoids this mess.

Philosophical Purity
Bitcoin rejects bailouts. It=E2=80=99s a cold, hard system where outco= mes reflect preparation and skill, not sentimentality. If quantum computing= upends the game, that=E2=80=99s the point - Bitcoin isn=E2=80=99t meant to= be safe or fair in a nanny-state sense; it=E2=80=99s meant to be free. Use= rs who lose funds to quantum attacks are casualties of liberty and their ow= n ignorance, not victims of injustice.

Bitcoin'= s DAO Moment
This situation has some similarities to The DAO hack= of an Ethereum smart contract in 2016, which resulted in a fork to stop th= e attacker and return funds to their original owners. The game theory is si= milar because it's a situation where a threat is known but there's = some period of time before the attacker can actually execute the theft. As = such, there's time to mitigate the attack by changing the protocol.
=
It also created a schism in the community around the true meaning of &q= uot;code is law," resulting in Ethereum Classic, which decided to allo= w the attacker to retain control of the stolen funds.

A soft fork to= burn vulnerable bitcoin could certainly result in a hard fork if there are= enough miners who reject the soft fork and continue including transactions= .

Incentives Matter
We can wax philosophi= cal until the cows come home, but what are the actual incentives for existi= ng Bitcoin holders regarding this decision?

"Lost coins only make everyone else's co= ins worth slightly more. Think of it as a donation to everyone." - Sat= oshi Nakamoto

If true, the corollary is:

"Quantum recovered coins only m= ake everyone else's coins worth less. Think of it as a theft from every= one." - Jameson Lopp

Thus, assuming we get to a point = where quantum resistant signatures are supported within the Bitcoin protoco= l, what's the incentive to let vulnerable coins remain spendable?
* It's not good for the actual owners of those coins. It disincentivi= zes owners from upgrading until perhaps it's too late.
* It's no= t good for the more attentive / responsible owners of coins who have quantu= m secured their stash. Allowing the circulating supply to balloon will assu= redly reduce the purchasing power of all bitcoin holders.

Forking Game Theory
From a game theory point of view, I se= e this as incentivizing users to upgrade their wallets. If you disagree wit= h the burning of vulnerable coins, all you have to do is move your funds to= a quantum safe signature scheme. Point being, I don't see there being = an economic majority (or even more than a tiny minority) of users who would= fight such a soft fork. Why expend significant resources fighting a fork w= hen you can just move your coins to a new address?

Remember that blo= cking spending of certain classes of locking scripts is a tightening of the= rules - a soft fork. As such, it can be meaningfully enacted and enforced = by a mere majority of hashpower. If miners generally agree that it's in= their best interest to burn vulnerable coins, are other users going to car= e enough to put in the effort to run new node software that resists the sof= t fork? Seems unlikely to me.

How to Execute Burnin= g
In order to be as objective as possible, the goal would be to a= nnounce to the world that after a specific block height / timestamp, Bitcoi= n nodes will no longer accept transactions (or blocks containing such trans= actions) that spend funds from any scripts other than the newly instituted = quantum safe schemes.

It could take a staggered approach to first fr= eeze funds that are susceptible to long-range attacks such as those in P2PK= scripts or those that exposed their public keys due to previously re-using= addresses, but I expect the additional complexity would drive further cont= roversy.

How long should the grace period be in order to give the ec= osystem time to upgrade? I'd say a minimum of 1 year for software walle= ts to upgrade. We can only hope that hardware wallet manufacturers are able= to implement post quantum cryptography on their existing hardware with onl= y a firmware update.

Beyond that, it will take at least 6 months wor= th of block space for all users to migrate their funds, even in a best case= scenario. Though if you exclude dust UTXOs you could probably get 95% of B= TC value migrated in 1 month. Of course this is a highly optimistic situati= on where everyone is completely focused on migrations - in reality it will = take far longer.

Regardless, I'd think that in order to reasonab= ly uphold Bitcoin's conservatism it would be preferable to allow a 4 ye= ar migration window. In the meantime, mining pools could coordinate emergen= cy soft forking logic such that if quantum attackers materialized, they cou= ld accelerate the countdown to the quantum vulnerable funds burn.
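To make the staggered freeze described in "How to Execute Burning" concrete, here is an added example (my own toy code, not code from the post and not Bitcoin Core's validation logic). It classifies a previous output by its scriptPubKey template, decides whether the spending public key is already visible on-chain (P2PK and P2TR put the key in the script; P2PKH and P2WPKH reveal it only once an address has been spent from and reused), and applies a two-stage schedule: stage 1 freezes already-exposed keys, stage 2 freezes every output that is not in a post-quantum scheme. The post-quantum output type (witness version 2 with a 32-byte program), the two activation heights, and the sample outputs are assumptions constructed for the example; the other script templates are the standard ones.

```python
# Added example: a toy policy check for a two-stage "freeze quantum-vulnerable
# outputs" soft fork. Standard scriptPubKey templates are real; the PQ output
# type (OP_2 <32 bytes>), the heights and the sample outputs are ASSUMPTIONS.
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class ScriptType(Enum):
    P2PK = "p2pk"          # raw public key sits in the scriptPubKey
    P2PKH = "p2pkh"        # key hash only; key revealed when the output is spent
    P2WPKH = "p2wpkh"      # same exposure profile as P2PKH
    P2TR = "p2tr"          # x-only output key sits in the scriptPubKey
    PQ_SAFE = "pq_safe"    # ASSUMED placeholder for a post-quantum scheme
    UNKNOWN = "unknown"


def classify_script(spk: bytes) -> ScriptType:
    """Recognise the standard scriptPubKey templates plus the assumed PQ one."""
    if spk[-1:] == b"\xac" and len(spk) in (35, 67) and spk[0] == len(spk) - 2:
        return ScriptType.P2PK        # <33- or 65-byte key> OP_CHECKSIG
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return ScriptType.P2PKH       # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return ScriptType.P2WPKH      # OP_0 <20-byte key hash>
    if len(spk) == 34 and spk[:2] == b"\x51\x20":
        return ScriptType.P2TR        # OP_1 <32-byte x-only key>
    if len(spk) == 34 and spk[:2] == b"\x52\x20":
        return ScriptType.PQ_SAFE     # OP_2 <32-byte program>: ASSUMED, not a real BIP
    return ScriptType.UNKNOWN


def key_exposed_on_chain(kind: ScriptType, address_reused: bool) -> bool:
    """True when the key needed to spend is already public, i.e. the output is
    open to a long-range attack that can be mounted at the attacker's leisure."""
    if kind in (ScriptType.P2PK, ScriptType.P2TR):
        return True
    if kind in (ScriptType.P2PKH, ScriptType.P2WPKH):
        return address_reused         # an earlier spend from this address revealed the key
    return False


@dataclass(frozen=True)
class BurnSchedule:
    stage1_height: int   # from here: reject spends of outputs whose key is exposed
    stage2_height: int   # from here: reject spends of every non-PQ output


@dataclass(frozen=True)
class Prevout:
    script_pubkey: bytes
    address_reused: bool = False   # derived from chain history by the caller


def spend_allowed(prevout: Prevout, height: int, sched: BurnSchedule) -> bool:
    """Consensus-style decision for one input being spent in a block at `height`."""
    kind = classify_script(prevout.script_pubkey)
    if kind is ScriptType.PQ_SAFE:
        return True
    if height >= sched.stage2_height:
        return False                  # everything outside the PQ scheme is frozen
    if height >= sched.stage1_height and key_exposed_on_chain(kind, prevout.address_reused):
        return False                  # stage 1: already-exposed keys are frozen first
    return True


def block_accepts(prevouts: Iterable[Prevout], height: int, sched: BurnSchedule) -> bool:
    """A block is rejected as a whole if any transaction spends a frozen output."""
    return all(spend_allowed(p, height, sched) for p in prevouts)


# Constructed sample outputs: the key and hash bytes are dummies, not chain data.
SAMPLE_PREVOUTS = {
    "p2pk": Prevout(b"\x21\x02" + b"\x11" * 32 + b"\xac"),
    "p2pkh": Prevout(b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"),
    "p2pkh_reused": Prevout(b"\x76\xa9\x14" + b"\x33" * 20 + b"\x88\xac", address_reused=True),
    "p2wpkh": Prevout(b"\x00\x14" + b"\x44" * 20),
    "p2tr": Prevout(b"\x51\x20" + b"\x55" * 32),
    "pq": Prevout(b"\x52\x20" + b"\x66" * 32),
}
SCHEDULE = BurnSchedule(stage1_height=1_000_000, stage2_height=1_210_000)  # ASSUMED heights


def demo() -> dict:
    """Spendability of each sample output just before stage 1, at stage 1, at stage 2."""
    return {name: [spend_allowed(p, h, SCHEDULE) for h in (999_999, 1_000_000, 1_210_000)]
            for name, p in SAMPLE_PREVOUTS.items()}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:13s} {verdicts}")
```

The point of the two-stage split is visible in `demo()`: a P2PKH output that has never been spent from stays spendable through stage 1 because nothing on-chain reveals its key yet, while the reused P2PKH, the P2PK and the P2TR outputs are frozen at the same moment as each other. A real deployment would also need the "address reused" fact to be derivable by every node from chain history, which is part of the extra complexity the post expects to be controversial.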

Random Tangential Benefits

On the plus side, burning all quantum vulnerable bitcoin would allow us to prune all of those UTXOs out of the UTXO set, which would also clean up a lot of dust. Dust UTXOs are a bit of an annoyance and there has even been a recent proposal for how to incentivize cleaning them up.

We should also expect that incentivizing migration of the entire UTXO set will create substantial demand for block space that will sustain a fee market for a fairly lengthy amount of time.

In Summary
While the moral quandary of violating any of Bitcoin's inviolable properties can make this a very complex issue to discuss, the game theory and incentives between burning vulnerable coins versus allowing them to be claimed by entities with quantum supremacy appears to be a much simpler issue.

I, for one, am not interested in rewarding quantum capable entities by inflating the circulating money supply just because some people lost their keys long ago and some laggards are not upgrading their bitcoin wallet's security.

We can hope that this scenario never comes to pass, but hope is not a strategy.

I welcome your feedback upon any of the above points, and contribution of any arguments I failed to consider.

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com.
