From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Sun, 13 Jul 2025 08:49:46 -0700 Received: from mail-yb1-f188.google.com ([209.85.219.188]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1uayxS-0002S2-J5 for bitcoindev@gnusha.org; Sun, 13 Jul 2025 08:49:46 -0700 Received: by mail-yb1-f188.google.com with SMTP id 3f1490d57ef6-e81b872852bsf3972804276.1 for ; Sun, 13 Jul 2025 08:49:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1752421776; x=1753026576; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-sender:mime-version :subject:references:in-reply-to:message-id:to:from:date:sender:from :to:cc:subject:date:message-id:reply-to; bh=+t5NBIjfAtAum6mGkpWW0eZFFDOqGjOJTRwCEhc4aTI=; b=adXIHkxDibbuGB9005xKeMiMY4QnH8WILik3gZ39RlJmPOHcJytrzvxVprqAW5XMBe MuiOLBcWxAHooVBBW3SjqBThvjWXJpERYWboew/vEaP8dqo7fDV47V9XPiiFxa6ISugZ 0+AYRaosQhK8ykrkefhLHiIREIeU/Z1dVccC1bNivYSARbSD6o5QTHdhoDv+Zdnqv5qx 5ARGIISHqPMXpE87d59tq/jNp8o9USwZ4a2eTfm9WlxTdm/EbIs29V/GQzjTO0xNQpvH YkvMqqK89kJ74cc6/UP+qcATUHb6fLU1xeql9Ls6Rxuu36AAAEEDPH4cytXbvl5WG5FH eytA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1752421776; x=1753026576; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-sender:mime-version :subject:references:in-reply-to:message-id:to:from:date:from:to:cc :subject:date:message-id:reply-to; bh=+t5NBIjfAtAum6mGkpWW0eZFFDOqGjOJTRwCEhc4aTI=; b=Z3IIxulUZ67PYjET9Zulyr3ZIj/OV7gZsSyzjyJSc+omHExVooPJhw04KhXXFNuych ecMNrPqoK6/wFzyAlftyp+pgI4c8o/Itvfltm3gZ90lbB1i8CV8ulkXzoociMdTmEC1C glQgK8FSwRzwuz2JqMfrHuPBygcsGw3BwxOeJduCAk5lnf+nXHsckt3Sdp8r3LYIHKrK ST1wy7FoEqJw7j7Vwq0ZZEDlpasbreno3ypPvnsdbOAaO8Fzge5PG+VZK6MNTrF/xsRk 9dqEcSaUi4jVIYGMPeAPErojj6jt+nkOZqOsa4B1phQz80F5LQKrWJ5zt0y5A+I/Bhug qjbA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1752421776; x=1753026576; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-sender:mime-version :subject:references:in-reply-to:message-id:to:from:date:x-beenthere :x-gm-message-state:sender:from:to:cc:subject:date:message-id :reply-to; bh=+t5NBIjfAtAum6mGkpWW0eZFFDOqGjOJTRwCEhc4aTI=; b=Yl1SJKY4kdmWlD5rT8qS+jkwm8q6TAybYbkzNCGKDenzPOTLNTYI9D7WIU5Il/AQuo 6FLTR1qJTN2IkCuVM3HGIjWIx/5cZPo00gT4p2oEKG+pFz/i9e5fFElbynQ2KPBaW5wG zTVS6qDcEQ3klfsSdUyRjgeAETDEsjIjK5uiJDxtMWa7jG9gcmJduwSDkUu030Of/Xgt xNpia2RqsIeTdECxW2oXV3XZXr1YyyiLEp3FL5iMV7m33pfdKh5u4iLxUwAMM4HlYl/A ckw+GmDLqq6nC4OLxM2vrvnZSWXZFHKmzTox+dOZdqbfTAuDEsbo8ZY67qSY0IRZJupK MwAA== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=1; AJvYcCXoT9x4+wZSv9oA5I9rv0qeSF1mREffbLcMaBWAcrXt5psNMBaGNhdr/IvKo0ihW0PjSfV630sRNzsT@gnusha.org X-Gm-Message-State: AOJu0YxZoAze4/whJ7Iv2YEQlSb0JRrWzrXU8TOJSeFGGTqBhT4lV3/F SKM+U1VKrH+za4Tquh14F4+TK8zCS+3zTgU/0m+5b6oGH8ouL2vchaH4 X-Google-Smtp-Source: AGHT+IHN5KWArsLlStSe7BhBgqSGtk4FjIUcuHKp58DIm1mj8JbiabNu35HBmaHrAdxiiWO86hfN1Q== X-Received: by 2002:a05:6902:4484:b0:e89:7280:bf8d with SMTP id 3f1490d57ef6-e8b85b72cb8mr10501210276.44.1752421775628; Sun, 13 Jul 2025 08:49:35 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com; h=AZMbMZfAioSV6+7ylWgKF2BLSJSl9voAa/FUF18xUtaTMx5dRw== Received: by 2002:a25:a02:0:b0:e84:2a56:5876 with SMTP id 3f1490d57ef6-e8b777fbfc0ls3330832276.0.-pod-prod-08-us; Sun, 13 Jul 2025 08:49:31 -0700 (PDT) X-Received: by 2002:a05:690c:9a01:b0:712:e2b5:e61b with SMTP id 00721157ae682-717d78c65b9mr166197977b3.13.1752421771396; Sun, 13 Jul 2025 08:49:31 -0700 (PDT) Received: by 2002:a05:690c:2e08:b0:711:63b1:720 with SMTP id 00721157ae682-718014dfe64ms7b3; Sun, 13 Jul 2025 08:38:14 -0700 (PDT) X-Received: by 2002:a05:690c:4b13:b0:70e:7a67:b4c5 with SMTP id 00721157ae682-717d7a68aefmr149503497b3.36.1752421092010; Sun, 13 Jul 2025 08:38:12 -0700 (PDT) Date: Sun, 13 Jul 2025 08:38:11 -0700 (PDT) From: Or Sattath To: Bitcoin Development Mailing List Message-Id: In-Reply-To: References: Subject: [bitcoindev] Re: Against Allowing Quantum Recovery of Bitcoin MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_Part_248320_934919471.1752421091483" X-Original-Sender: sattath@gmail.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: 0.0 (/) ------=_Part_248320_934919471.1752421091483 Content-Type: multipart/alternative; boundary="----=_Part_248321_2076021029.1752421091483" ------=_Part_248321_2076021029.1752421091483 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi, Jameson Lopp presented the freeze/not-freeze dilemma. I would like to point= =20 out that there=E2=80=99s a third approach. The main insight is that even th= ough the=20 quantum attacker knows the digital signature private key, the attacker and= =20 the owner are not symmetric: the owner, in most cases, knows the seed=20 (master secret key), whereas the quantum attacker does not. This approach,= =20 which was done in collaboration with Shai Wyborski, is available here:=20 https://eprint.iacr.org/2023/362 (our work was peer reviewed and presented= =20 here: https://www.qsmc.org/pqcsm-workshop-2023). Our main technique is called =E2=80=9Csignature lifting=E2=80=9D: it=E2=80= =99s a way to transform=20 an existing quantum-insecure signature scheme into a quantum-secure=20 signature scheme, while still using the old keys. This is possible whenever= =20 the function that maps the secret key to the public key is a quantum-secure= =20 one-way function. Informally (and there are some details under the rug that= =20 I=E2=80=99m not getting into), the quantum-secure one-way function maps the= seed to=20 the public key. (Of course, the function that maps the ECDSA signing key to= =20 the public key is not a quantum-secure one-way function. Therefore, our=20 approach does not apply to pre-2013 wallets, which did not use BIP-38.) We= =20 use Picnic (https://dl.acm.org/doi/abs/10.1145/3133956.3133997) as the=20 underlying primitive that enables signature lifting. The main drawback of signature lifting is that the signatures are extremely= =20 long. To address this, we also designed an interactive way to transact,=20 using a commit-wait-reveal approach, which we called =E2=80=9CLifted Fawkes= Coin"=20 (our main contribution over the original FawkesCoin approach by Bonneau and= =20 Miller in https://jbonneau.com/doc/BM14-SPW-fawkescoin.pdf is that we=20 resolve the issue of transaction fees, using lifted signatures). When the= =20 spender and the miner are honest, a transaction is roughly the same size as= =20 today; only if one of the parties deviates from the honest protocol must=20 the long signature be added to the blockchain, and the cheating party is=20 financially penalized. The main burden of Lifted FawkesCoin is that users= =20 who haven=E2=80=99t transitioned to quantum-secure signatures yet need to= =20 occasionally (e.g., once a year) come online and check for fraud attempts.= =20 I believe that even though this burden exists, it is a Pareto improvement= =20 over both the =E2=80=9Cfreeze=E2=80=9D and =E2=80=9Cnot-freeze=E2=80=9D app= roaches.=20 Best, Or On Sunday, March 16, 2025 at 5:22:16=E2=80=AFPM UTC+2 Jameson Lopp wrote: > The quantum computing debate is heating up. There are many controversial= =20 > aspects to this debate, including whether or not quantum computers will= =20 > ever actually become a practical threat. > > I won't tread into the unanswerable question of how worried we should be= =20 > about quantum computers. I think it's far from a crisis, but given the=20 > difficulty in changing Bitcoin it's worth starting to seriously discuss.= =20 > Today I wish to focus on a philosophical quandary related to one of the= =20 > decisions that would need to be made if and when we implement a quantum= =20 > safe signature scheme. > > Several Scenarios > Because this essay will reference game theory a fair amount, and there ar= e=20 > many variables at play that could change the nature of the game, I think= =20 > it's important to clarify the possible scenarios up front. > > 1. Quantum computing never materializes, never becomes a threat, and thus= =20 > everything discussed in this essay is moot. > 2. A quantum computing threat materializes suddenly and Bitcoin does not= =20 > have quantum safe signatures as part of the protocol. In this scenario it= =20 > would likely make the points below moot because Bitcoin would be=20 > fundamentally broken and it would take far too long to upgrade the=20 > protocol, wallet software, and migrate user funds in order to restore=20 > confidence in the network. > 3. Quantum computing advances slowly enough that we come to consensus=20 > about how to upgrade Bitcoin and post quantum security has been minimally= =20 > adopted by the time an attacker appears. > 4. Quantum computing advances slowly enough that we come to consensus=20 > about how to upgrade Bitcoin and post quantum security has been highly=20 > adopted by the time an attacker appears. > > For the purposes of this post, I'm envisioning being in situation 3 or 4. > > To Freeze or not to Freeze? > I've started seeing more people weighing in on what is likely the most=20 > contentious aspect of how a quantum resistance upgrade should be handled = in=20 > terms of migrating user funds. Should quantum vulnerable funds be left op= en=20 > to be swept by anyone with a sufficiently powerful quantum computer OR=20 > should they be permanently locked? > > "I don't see why old coins should be confiscated. The better option is to= =20 >> let those with quantum computers free up old coins. While this might hav= e=20 >> an inflationary impact on bitcoin's price, to use a turn of phrase, the= =20 >> inflation is transitory. Those with low time preference should support= =20 >> returning lost coins to circulation."=20 > > - Hunter Beast > > > On the other hand: > > "Of course they have to be confiscated. If and when (and that's a big if)= =20 >> the existence of a cryptography-breaking QC becomes a credible threat, t= he=20 >> Bitcoin ecosystem has no other option than softforking out the ability t= o=20 >> spend from signature schemes (including ECDSA and BIP340) that are=20 >> vulnerable to QCs. The alternative is that millions of BTC become=20 >> vulnerable to theft; I cannot see how the currency can maintain any valu= e=20 >> at all in such a setting. And this affects everyone; even those which=20 >> diligently moved their coins to PQC-protected schemes." >> - Pieter Wuille > > > I don't think "confiscation" is the most precise term to use, as the fund= s=20 > are not being seized and reassigned. Rather, what we're really discussing= =20 > would be better described as "burning" - placing the funds *out of reach= =20 > of everyone*. > > Not freezing user funds is one of Bitcoin's inviolable properties.=20 > However, if quantum computing becomes a threat to Bitcoin's elliptic curv= e=20 > cryptography, *an inviolable property of Bitcoin will be violated one way= =20 > or another*. > > Fundamental Properties at Risk > 5 years ago I attempted to comprehensively categorize all of Bitcoin's=20 > fundamental properties that give it value.=20 > https://nakamoto.com/what-are-the-key-properties-of-bitcoin/ > > The particular properties in play with regard to this issue seem to be: > > *Censorship Resistance* - No one should have the power to prevent others= =20 > from using their bitcoin or interacting with the network. > > *Forward Compatibility* - changing the rules such that certain valid=20 > transactions become invalid could undermine confidence in the protocol. > > *Conservatism* - Users should not be expected to be highly responsive to= =20 > system issues. > > As a result of the above principles, we have developed a strong meme=20 > (kudos to Andreas Antonopoulos) that goes as follows: > > Not your keys, not your coins. > > > I posit that the corollary to this principle is: > > Your keys, only your coins. > > > A quantum capable entity breaks the corollary of this foundational=20 > principle. We secure our bitcoin with the mathematical probabilities=20 > related to extremely large random numbers. Your funds are only secure=20 > because truly random large numbers should not be guessable or discoverabl= e=20 > by anyone else in the world. > > This is the principle behind the motto *vires in numeris* - strength in= =20 > numbers. In a world with quantum enabled adversaries, this principle is= =20 > null and void for many types of cryptography, including the elliptic curv= e=20 > digital signatures used in Bitcoin. > > Who is at Risk? > There has long been a narrative that Satoshi's coins and others from the= =20 > Satoshi era of P2PK locking scripts that exposed the public key directly = on=20 > the blockchain will be those that get scooped up by a quantum "miner." Bu= t=20 > unfortunately it's not that simple. If I had a powerful quantum computer,= =20 > which coins would I target? I'd go to the Bitcoin rich list and find the= =20 > wallets that have exposed their public keys due to re-using addresses tha= t=20 > have previously been spent from. You can easily find them at=20 > https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html > > Note that a few of these wallets, like Bitfinex / Kraken / Tether, would= =20 > be slightly harder to crack because they are multisig wallets. So a quant= um=20 > attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfin= ex=20 > / Tether in order to spend funds. But many are single signature. > > Point being, it's not only the really old lost BTC that are at risk to a= =20 > quantum enabled adversary, at least at time of writing. If we add a quant= um=20 > safe signature scheme, we should expect those wallets to be some of the= =20 > first to upgrade given their incentives. > > The Ethical Dilemma: Quantifying Harm > Which decision results in the most harm? > > By making quantum vulnerable funds unspendable we potentially harm some= =20 > Bitcoin users who were not paying attention and neglected to migrate thei= r=20 > funds to a quantum safe locking script. This violates the "conservativism= "=20 > principle stated earlier. On the flip side, we prevent those funds plus f= ar=20 > more lost funds from falling into the hands of the few privileged folks w= ho=20 > gain early access to quantum computers. > > By leaving quantum vulnerable funds available to spend, the same set of= =20 > users who would otherwise have funds frozen are likely to see them stolen= .=20 > And many early adopters who lost their keys will eventually see their=20 > unreachable funds scooped up by a quantum enabled adversary. > > Imagine, for example, being James Howells, who accidentally threw away a= =20 > hard drive with 8,000 BTC on it, currently worth over $600M USD. He has= =20 > spent a decade trying to retrieve it from the landfill where he knows it'= s=20 > buried, but can't get permission to excavate. I suspect that, given the= =20 > choice, he'd prefer those funds be permanently frozen rather than fall in= to=20 > someone else's possession - I know I would. > > Allowing a quantum computer to access lost funds doesn't make those users= =20 > any worse off than they were before, however it *would* have a negative= =20 > impact upon everyone who is currently holding bitcoin. > > It's prudent to expect significant economic disruption if large amounts o= f=20 > coins fall into new hands. Since a quantum computer is going to have a=20 > massive up front cost, expect those behind it to desire to recoup their= =20 > investment. We also know from experience that when someone suddenly finds= =20 > themselves in possession of 9+ figures worth of highly liquid assets, the= y=20 > tend to diversify into other things by selling. > > Allowing quantum recovery of bitcoin is *tantamount to wealth=20 > redistribution*. What we'd be allowing is for bitcoin to be redistributed= =20 > from those who are ignorant of quantum computers to those who have won th= e=20 > technological race to acquire quantum computers. It's hard to see a brigh= t=20 > side to that scenario. > > Is Quantum Recovery Good for Anyone? > > Does quantum recovery HELP anyone? I've yet to come across an argument=20 > that it's a net positive in any way. It certainly doesn't add any securit= y=20 > to the network. If anything, it greatly decreases the security of the=20 > network by allowing funds to be claimed by those who did not earn them. > > But wait, you may be thinking, wouldn't quantum "miners" have earned thei= r=20 > coins by all the work and resources invested in building a quantum=20 > computer? I suppose, in the same sense that a burglar earns their spoils = by=20 > the resources they invest into surveilling targets and learning the skill= s=20 > needed to break into buildings. What I say "earned" I mean through=20 > productive mutual trade. > > For example: > > * Investors earn BTC by trading for other currencies. > * Merchants earn BTC by trading for goods and services. > * Miners earn BTC by trading thermodynamic security. > * Quantum miners don't trade anything, they are vampires feeding upon the= =20 > system. > > There's no reason to believe that allowing quantum adversaries to recover= =20 > vulnerable bitcoin will be of benefit to anyone other than the select few= =20 > organizations that win the technological arms race to build the first suc= h=20 > computers. Probably nation states and/or the top few largest tech compani= es. > > One could certainly hope that an organization with quantum supremacy is= =20 > benevolent and acts in a "white hat" manner to return lost coins to their= =20 > owners, but that's incredibly optimistic and foolish to rely upon. Such a= =20 > situation creates an insurmountable ethical dilemma of only recovering lo= st=20 > bitcoin rather than currently owned bitcoin. There's no way to precisely= =20 > differentiate between the two; anyone can claim to have lost their bitcoi= n=20 > but if they have lost their keys then proving they ever had the keys=20 > becomes rather difficult. I imagine that any such white hat recovery=20 > efforts would have to rely upon attestations from trusted third parties= =20 > like exchanges. > > Even if the first actor with quantum supremacy is benevolent, we must=20 > assume the technology could fall into adversarial hands and thus think=20 > adversarially about the potential worst case outcomes. Imagine, for=20 > example, that North Korea continues scooping up billions of dollars from= =20 > hacking crypto exchanges and decides to invest some of those proceeds int= o=20 > building a quantum computer for the biggest payday ever... > > Downsides to Allowing Quantum Recovery > Let's think through an exhaustive list of pros and cons for allowing or= =20 > preventing the seizure of funds by a quantum adversary. > > Historical Precedent > Previous protocol vulnerabilities weren=E2=80=99t celebrated as "fair gam= e" but=20 > rather were treated as failures to be remediated. Treating quantum theft= =20 > differently risks rewriting Bitcoin=E2=80=99s history as a free-for-all r= ather than=20 > a system that seeks to protect its users. > > Violation of Property Rights > Allowing a quantum adversary to take control of funds undermines the=20 > fundamental principle of cryptocurrency - if you keep your keys in your= =20 > possession, only you should be able to access your money. Bitcoin is buil= t=20 > on the idea that private keys secure an individual=E2=80=99s assets, and= =20 > unauthorized access (even via advanced tech) is theft, not a legitimate= =20 > transfer. > > Erosion of Trust in Bitcoin > If quantum attackers can exploit vulnerable addresses, confidence in=20 > Bitcoin as a secure store of value would collapse. Users and investors re= ly=20 > on cryptographic integrity, and widespread theft could drive adoption awa= y=20 > from Bitcoin, destabilizing its ecosystem. > > This is essentially the counterpoint to claiming the burning of vulnerabl= e=20 > funds is a violation of property rights. While some will certainly see it= =20 > as such, others will find the apathy toward stopping quantum theft to be= =20 > similarly concerning. > > Unfair Advantage > Quantum attackers, likely equipped with rare and expensive technology,=20 > would have an unjust edge over regular users who lack access to such tool= s.=20 > This creates an inequitable system where only the technologically elite c= an=20 > exploit others, contradicting Bitcoin=E2=80=99s ethos of decentralized po= wer. > > Bitcoin is designed to create an asymmetric advantage for DEFENDING one's= =20 > wealth. It's supposed to be impractically expensive for attackers to crac= k=20 > the entropy and cryptography protecting one's coins. But now we find=20 > ourselves discussing a situation where this asymmetric advantage is=20 > compromised in favor of a specific class of attackers. > > Economic Disruption > Large-scale theft from vulnerable addresses could crash Bitcoin=E2=80=99s= price as=20 > quantum recovered funds are dumped on exchanges. This would harm all=20 > holders, not just those directly targeted, leading to broader financial= =20 > chaos in the markets. > > Moral Responsibility > Permitting theft via quantum computing sets a precedent that technologica= l=20 > superiority justifies unethical behavior. This is essentially taking a=20 > "code is law" stance in which we refuse to admit that both code and laws= =20 > can be modified to adapt to previously unforeseen situations. > > Burning of coins can certainly be considered a form of theft, thus I thin= k=20 > it's worth differentiating the two different thefts being discussed: > > 1. self-enriching & likely malicious > 2. harm prevention & not necessarily malicious > > Both options lack the consent of the party whose coins are being burnt or= =20 > transferred, thus I think the simple argument that theft is immoral becom= es=20 > a wash and it's important to drill down into the details of each. > > Incentives Drive Security > I can tell you from a decade of working in Bitcoin security - the average= =20 > user is lazy and is a procrastinator. If Bitcoiners are given a "drop dea= d=20 > date" after which they know vulnerable funds will be burned, this pressur= e=20 > accelerates the adoption of post-quantum cryptography and strengthens=20 > Bitcoin long-term. Allowing vulnerable users to delay upgrading=20 > indefinitely will result in more laggards, leaving the network more expos= ed=20 > when quantum tech becomes available. > > Steel Manning > Clearly this is a complex and controversial topic, thus it's worth=20 > thinking through the opposing arguments. > > Protecting Property Rights > Allowing quantum computers to take vulnerable bitcoin could potentially b= e=20 > spun as a hard money narrative - we care so greatly about not violating= =20 > someone's access to their coins that we allow them to be stolen! > > But I think the flip side to the property rights narrative is that burnin= g=20 > vulnerable coins prevents said property from falling into undeserving=20 > hands. If the entire Bitcoin ecosystem just stands around and allows=20 > quantum adversaries to claim funds that rightfully belong to other users,= =20 > is that really a "win" in the "protecting property rights" category? It= =20 > feels more like apathy to me. > > As such, I think the "protecting property rights" argument is a wash. > > Quantum Computers Won't Attack Bitcoin > There is a great deal of skepticism that sufficiently powerful quantum=20 > computers will ever exist, so we shouldn't bother preparing for a=20 > non-existent threat. Others have argued that even if such a computer was= =20 > built, a quantum attacker would not go after bitcoin because they wouldn'= t=20 > want to reveal their hand by doing so, and would instead attack other=20 > infrastructure. > > It's quite difficult to quantify exactly how valuable attacking other=20 > infrastructure would be. It also really depends upon when an entity gains= =20 > quantum supremacy and thus if by that time most of the world's systems ha= ve=20 > already been upgraded. While I think you could argue that certain entitie= s=20 > gaining quantum capability might not attack Bitcoin, it would only delay= =20 > the inevitable - eventually somebody will achieve the capability who=20 > decides to use it for such an attack. > > Quantum Attackers Would Only Steal Small Amounts > Some have argued that even if a quantum attacker targeted bitcoin, they'd= =20 > only go after old, likely lost P2PK outputs so as to not arouse suspicion= =20 > and cause a market panic. > > I'm not so sure about that; why go after 50 BTC at a time when you could= =20 > take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero= =20 > day exploit" game theory in which an attacker knows they have a limited= =20 > amount of time before someone else discovers the exploit and either=20 > benefits from it or patches it. Take, for example, the recent ByBit attac= k=20 > - the highest value crypto hack of all time. Lazarus Group had compromise= d=20 > the Safe wallet front end JavaScript app and they could have simply had i= t=20 > reassign ownership of everyone's Safe wallets as they were interacting wi= th=20 > their wallet. But instead they chose to only specifically target ByBit's= =20 > wallet with $1.5 billion in it because they wanted to maximize their=20 > extractable value. If Lazarus had started stealing from every wallet, the= y=20 > would have been discovered quickly and the Safe web app would likely have= =20 > been patched well before any billion dollar wallets executed the maliciou= s=20 > code. > > I think the "only stealing small amounts" argument is strongest for=20 > Situation #2 described earlier, where a quantum attacker arrives before= =20 > quantum safe cryptography has been deployed across the Bitcoin ecosystem.= =20 > Because if it became clear that Bitcoin's cryptography was broken AND the= re=20 > was nowhere safe for vulnerable users to migrate, the only logical option= =20 > would be for everyone to liquidate their bitcoin as quickly as possible. = As=20 > such, I don't think it applies as strongly for situations in which we hav= e=20 > a migration path available. > > The 21 Million Coin Supply Should be in Circulation > Some folks are arguing that it's important for the "circulating /=20 > spendable" supply to be as close to 21M as possible and that having a=20 > significant portion of the supply out of circulation is somehow undesirab= le. > > While the "21M BTC" attribute is a strong memetic narrative, I don't thin= k=20 > anyone has ever expected that it would all be in circulation. It has alwa= ys=20 > been understood that many coins will be lost, and that's actually part of= =20 > the game theory of owning bitcoin! > > And remember, the 21M number in and of itself is not a particularly=20 > important detail - it's not even mentioned in the whitepaper. What's=20 > important is that the supply is well known and not subject to change. > > Self-Sovereignty and Personal Responsibility > Bitcoin=E2=80=99s design empowers individuals to control their own wealth= , free=20 > from centralized intervention. This freedom comes with the burden of=20 > securing one's private keys. If quantum computing can break obsolete=20 > cryptography, the fault lies with users who didn't move their funds to=20 > quantum safe locking scripts. Expecting the network to shield users from= =20 > their own negligence undermines the principle that you, and not a third= =20 > party, are accountable for your assets. > > I think this is generally a fair point that "the community" doesn't owe= =20 > you anything in terms of helping you. I think that we do, however, need t= o=20 > consider the incentives and game theory in play with regard to quantum sa= fe=20 > Bitcoiners vs quantum vulnerable Bitcoiners. More on that later. > > Code is Law > Bitcoin operates on transparent, immutable rules embedded in its protocol= .=20 > If a quantum attacker uses superior technology to derive private keys fro= m=20 > public keys, they=E2=80=99re not "hacking" the system - they're simply fo= llowing=20 > what's mathematically permissible within the current code. Altering the= =20 > protocol to stop this introduces subjective human intervention, which=20 > clashes with the objective, deterministic nature of blockchain. > > While I tend to agree that code is law, one of the entire points of laws= =20 > is that they can be amended to improve their efficacy in reducing harm.= =20 > Leaning on this point seems more like a pro-ossification stance that it's= =20 > better to do nothing and allow harm to occur rather than take action to= =20 > stop an attack that was foreseen far in advance. > > Technological Evolution as a Feature, Not a Bug > It's well known that cryptography tends to weaken over time and eventuall= y=20 > break. Quantum computing is just the next step in this progression. Users= =20 > who fail to adapt (e.g., by adopting quantum-resistant wallets when=20 > available) are akin to those who ignored technological advancements like= =20 > multisig or hardware wallets. Allowing quantum theft incentivizes=20 > innovation and keeps Bitcoin=E2=80=99s ecosystem dynamic, punishing compl= acency=20 > while rewarding vigilance. > > Market Signals Drive Security > If quantum attackers start stealing funds, it sends a clear signal to the= =20 > market: upgrade your security or lose everything. This pressure accelerat= es=20 > the adoption of post-quantum cryptography and strengthens Bitcoin=20 > long-term. Coddling vulnerable users delays this necessary evolution,=20 > potentially leaving the network more exposed when quantum tech becomes=20 > widely accessible. Theft is a brutal but effective teacher. > > Centralized Blacklisting Power > Burning vulnerable funds requires centralized decision-making - a soft=20 > fork to invalidate certain transactions. This sets a dangerous precedent= =20 > for future interventions, eroding Bitcoin=E2=80=99s decentralization. If = quantum=20 > theft is blocked, what=E2=80=99s next - reversing exchange hacks? The sys= tem must=20 > remain neutral, even if it means some lose out. > > I think this could be a potential slippery slope if the proposal was to= =20 > only burn specific addresses. Rather, I'd expect a neutral proposal to bu= rn=20 > all funds in locking script types that are known to be quantum vulnerable= .=20 > Thus, we could eliminate any subjectivity from the code. > > Fairness in Competition > Quantum attackers aren't cheating; they're using publicly available=20 > physics and math. Anyone with the resources and foresight can build or=20 > access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU= .=20 > Early adopters took risks and reaped rewards; quantum innovators are doin= g=20 > the same. Calling it =E2=80=9Cunfair=E2=80=9D ignores that Bitcoin has ne= ver promised=20 > equality of outcome - only equality of opportunity within its rules. > > I find this argument to be a mischaracterization because we're not talkin= g=20 > about CPUs. This is more akin to talking about ASICs, except each ASIC=20 > costs millions if not billions of dollars. This is out of reach from all= =20 > but the wealthiest organizations. > > Economic Resilience > Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and=20 > emerged stronger. The market can absorb quantum losses, with unaffected= =20 > users continuing to hold and new entrants buying in at lower prices. Fear= =20 > of economic collapse overestimates the impact - the network=E2=80=99s ant= ifragility=20 > thrives on such challenges. > > This is a big grey area because we don't know when a quantum computer wil= l=20 > come online and we don't know how quickly said computers would be able to= =20 > steal bitcoin. If, for example, the first generation of sufficiently=20 > powerful quantum computers were stealing less volume than the current blo= ck=20 > reward then of course it will have minimal economic impact. But if they'r= e=20 > taking thousands of BTC per day and bringing them back into circulation,= =20 > there will likely be a noticeable market impact as it absorbs the new=20 > supply. > > This is where the circumstances will really matter. If a quantum attacker= =20 > appears AFTER the Bitcoin protocol has been upgraded to support quantum= =20 > resistant cryptography then we should expect the most valuable active=20 > wallets will have upgraded and the juiciest target would be the 31,000 BT= C=20 > in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant= =20 > since 2010. In general I'd expect that the amount of BTC re-entering the= =20 > circulating supply would look somewhat similar to the mining emission=20 > curve: volume would start off very high as the most valuable addresses ar= e=20 > drained and then it would fall off as quantum computers went down the lis= t=20 > targeting addresses with less and less BTC. > > Why is economic impact a factor worth considering? Miners and businesses= =20 > in general. More coins being liquidated will push down the price, which= =20 > will negatively impact miner revenue. Similarly, I can attest from workin= g=20 > in the industry for a decade, that lower prices result in less demand fro= m=20 > businesses across the entire industry. As such, burning quantum vulnerabl= e=20 > bitcoin is good for the entire industry. > > Practicality & Neutrality of Non-Intervention > There=E2=80=99s no reliable way to distinguish =E2=80=9Ctheft=E2=80=9D fr= om legitimate "white hat"=20 > key recovery. If someone loses their private key and a quantum computer= =20 > recovers it, is that stealing or reclaiming? Policing quantum actions=20 > requires invasive assumptions about intent, which Bitcoin=E2=80=99s trust= less=20 > design can=E2=80=99t accommodate. Letting the chips fall where they may a= voids this=20 > mess. > > Philosophical Purity > Bitcoin rejects bailouts. It=E2=80=99s a cold, hard system where outcomes= reflect=20 > preparation and skill, not sentimentality. If quantum computing upends th= e=20 > game, that=E2=80=99s the point - Bitcoin isn=E2=80=99t meant to be safe o= r fair in a=20 > nanny-state sense; it=E2=80=99s meant to be free. Users who lose funds to= quantum=20 > attacks are casualties of liberty and their own ignorance, not victims of= =20 > injustice. > > Bitcoin's DAO Moment > This situation has some similarities to The DAO hack of an Ethereum smart= =20 > contract in 2016, which resulted in a fork to stop the attacker and retur= n=20 > funds to their original owners. The game theory is similar because it's a= =20 > situation where a threat is known but there's some period of time before= =20 > the attacker can actually execute the theft. As such, there's time to=20 > mitigate the attack by changing the protocol. > > It also created a schism in the community around the true meaning of "cod= e=20 > is law," resulting in Ethereum Classic, which decided to allow the attack= er=20 > to retain control of the stolen funds. > > A soft fork to burn vulnerable bitcoin could certainly result in a hard= =20 > fork if there are enough miners who reject the soft fork and continue=20 > including transactions. > > Incentives Matter > We can wax philosophical until the cows come home, but what are the actua= l=20 > incentives for existing Bitcoin holders regarding this decision? > > "Lost coins only make everyone else's coins worth slightly more. Think of= =20 >> it as a donation to everyone." - Satoshi Nakamoto > > > If true, the corollary is: > > "Quantum recovered coins only make everyone else's coins worth less. Thin= k=20 >> of it as a theft from everyone." - Jameson Lopp > > > Thus, assuming we get to a point where quantum resistant signatures are= =20 > supported within the Bitcoin protocol, what's the incentive to let=20 > vulnerable coins remain spendable? > > * It's not good for the actual owners of those coins. It disincentivizes= =20 > owners from upgrading until perhaps it's too late. > * It's not good for the more attentive / responsible owners of coins who= =20 > have quantum secured their stash. Allowing the circulating supply to=20 > balloon will assuredly reduce the purchasing power of all bitcoin holders= . > > Forking Game Theory > From a game theory point of view, I see this as incentivizing users to=20 > upgrade their wallets. If you disagree with the burning of vulnerable=20 > coins, all you have to do is move your funds to a quantum safe signature= =20 > scheme. Point being, I don't see there being an economic majority (or eve= n=20 > more than a tiny minority) of users who would fight such a soft fork. Why= =20 > expend significant resources fighting a fork when you can just move your= =20 > coins to a new address? > > Remember that blocking spending of certain classes of locking scripts is = a=20 > tightening of the rules - a soft fork. As such, it can be meaningfully=20 > enacted and enforced by a mere majority of hashpower. If miners generally= =20 > agree that it's in their best interest to burn vulnerable coins, are othe= r=20 > users going to care enough to put in the effort to run new node software= =20 > that resists the soft fork? Seems unlikely to me. > > How to Execute Burning > In order to be as objective as possible, the goal would be to announce to= =20 > the world that after a specific block height / timestamp, Bitcoin nodes= =20 > will no longer accept transactions (or blocks containing such transaction= s)=20 > that spend funds from any scripts other than the newly instituted quantum= =20 > safe schemes. > > It could take a staggered approach to first freeze funds that are=20 > susceptible to long-range attacks such as those in P2PK scripts or those= =20 > that exposed their public keys due to previously re-using addresses, but = I=20 > expect the additional complexity would drive further controversy. > > How long should the grace period be in order to give the ecosystem time t= o=20 > upgrade? I'd say a minimum of 1 year for software wallets to upgrade. We= =20 > can only hope that hardware wallet manufacturers are able to implement po= st=20 > quantum cryptography on their existing hardware with only a firmware upda= te. > > Beyond that, it will take at least 6 months worth of block space for all= =20 > users to migrate their funds, even in a best case scenario. Though if you= =20 > exclude dust UTXOs you could probably get 95% of BTC value migrated in 1= =20 > month. Of course this is a highly optimistic situation where everyone is= =20 > completely focused on migrations - in reality it will take far longer. > > Regardless, I'd think that in order to reasonably uphold Bitcoin's=20 > conservatism it would be preferable to allow a 4 year migration window. I= n=20 > the meantime, mining pools could coordinate emergency soft forking logic= =20 > such that if quantum attackers materialized, they could accelerate the=20 > countdown to the quantum vulnerable funds burn. > > Random Tangential Benefits > On the plus side, burning all quantum vulnerable bitcoin would allow us t= o=20 > prune all of those UTXOs out of the UTXO set, which would also clean up a= =20 > lot of dust. Dust UTXOs are a bit of an annoyance and there has even been= a=20 > recent proposal for how to incentivize cleaning them up. > > We should also expect that incentivizing migration of the entire UTXO set= =20 > will create substantial demand for block space that will sustain a fee=20 > market for a fairly lengthy amount of time. > > In Summary > While the moral quandary of violating any of Bitcoin's inviolable=20 > properties can make this a very complex issue to discuss, the game theory= =20 > and incentives between burning vulnerable coins versus allowing them to b= e=20 > claimed by entities with quantum supremacy appears to be a much simpler= =20 > issue. > > I, for one, am not interested in rewarding quantum capable entities by=20 > inflating the circulating money supply just because some people lost thei= r=20 > keys long ago and some laggards are not upgrading their bitcoin wallet's= =20 > security. > > We can hope that this scenario never comes to pass, but hope is not a=20 > strategy. > > I welcome your feedback upon any of the above points, and contribution of= =20 > any arguments I failed to consider. > --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= f17de19d-a6f5-46b3-abcd-09c056d9bd64n%40googlegroups.com. ------=_Part_248321_2076021029.1752421091483 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi,

Jameson Lopp presented the freeze/n= ot-freeze dilemma. I would like to point out that there=E2=80=99s a third a= pproach. The main insight is that even though the quantum attacker knows th= e digital signature private key, the attacker and the owner are not symmetr= ic: the owner, in most cases, knows the seed (master secret key), whereas t= he quantum attacker does not. This approach, which was done in collaboratio= n with Shai Wyborski, is available here:=C2=A0https:= //eprint.iacr.org/2023/362=C2=A0(our work was peer reviewed and present= ed here:=C2=A0https://www.qsmc.org/pqcsm-w= orkshop-2023).

Our main technique is called =E2=80=9Csignatu= re lifting=E2=80=9D: it=E2=80=99s a way to transform an existing quantum-in= secure signature scheme into a quantum-secure signature scheme, while still= using the old keys. This is possible whenever the function that maps the s= ecret key to the public key is a quantum-secure one-way function. Informall= y (and there are some details under the rug that I=E2=80=99m not getting in= to), the quantum-secure one-way function maps the seed to the public key. (= Of course, the function that maps the ECDSA signing key to the public key i= s not a quantum-secure one-way function. Therefore, our approach does not a= pply to pre-2013 wallets, which did not use BIP-38.) We use Picnic (https://dl.acm.org/doi/abs/10.1145/313395= 6.3133997) as the underlying primitive that enables signature lifting.<= br />
The main drawback of signature lifting is that the signatures ar= e extremely long. To address this, we also designed an interactive way to t= ransact, using a commit-wait-reveal approach, which we called =E2=80=9CLift= ed FawkesCoin" (our main contribution over the original FawkesCoin approach= by Bonneau and Miller in=C2=A0https= ://jbonneau.com/doc/BM14-SPW-fawkescoin.pdf=C2=A0is that we resolve the= issue of transaction fees, using lifted signatures). When the spender and = the miner are honest, a transaction is roughly the same size as today; only= if one of the parties deviates from the honest protocol must the long sign= ature be added to the blockchain, and the cheating party is financially pen= alized. The main burden of Lifted FawkesCoin is that users who haven=E2=80= =99t transitioned to quantum-secure signatures yet need to occasionally (e.= g., once a year) come online and check for fraud attempts. I believe that e= ven though this burden exists, it is a Pareto improvement over both the =E2= =80=9Cfreeze=E2=80=9D and =E2=80=9Cnot-freeze=E2=80=9D approaches.=C2=A0

Best,
Or

On Sunday, March 16, 2025= at 5:22:16=E2=80=AFPM UTC+2 Jameson Lopp wrote:
The quantum computing = debate is heating up. There are many controversial aspects to this debate, = including whether or not quantum computers will ever actually become a prac= tical threat.

I won't tread into the unanswerable question of h= ow worried we should be about quantum computers. I think it's far from = a crisis, but given the difficulty in changing Bitcoin it's worth start= ing to seriously discuss. Today I wish to focus on a philosophical quandary= related to one of the decisions that would need to be made if and when we = implement a quantum safe signature scheme.

Several = Scenarios
Because this essay will reference game theory a fair am= ount, and there are many variables at play that could change the nature of = the game, I think it's important to clarify the possible scenarios up f= ront.

1. Quantum computing never materializes, never becomes a threa= t, and thus everything discussed in this essay is moot.
2. A quantum com= puting threat materializes suddenly and Bitcoin does not have quantum safe = signatures as part of the protocol. In this scenario it would likely make t= he points below moot because Bitcoin would be fundamentally broken and it w= ould take far too long to upgrade the protocol, wallet software, and migrat= e user funds in order to restore confidence in the network.
3. Quantum c= omputing advances slowly enough that we come to consensus about how to upgr= ade Bitcoin and post quantum security has been minimally adopted by the tim= e an attacker appears.
4. Quantum computing advances slowly enough that = we come to consensus about how to upgrade Bitcoin and post quantum security= has been highly adopted by the time an attacker appears.

For the pu= rposes of this post, I'm envisioning being in situation 3 or 4.

= To Freeze or not to Freeze?
I've started see= ing more people weighing in on what is likely the most contentious aspect o= f how a quantum resistance upgrade should be handled in terms of migrating = user funds. Should quantum vulnerable funds be left open to be swept by any= one with a sufficiently powerful quantum computer OR should they be permane= ntly locked?

"= ;I don't see why old coins should be confiscated. The better option is = to let those with quantum computers free up old coins. While this might hav= e an inflationary impact on bitcoin's price, to use a turn of phrase, t= he inflation is transitory. Those with low time preference should support r= eturning lost coins to circulation."=C2=A0
- Hunter Beast

On the other hand:

"Of course they have to be confiscated. If and when (and th= at's a big if) the existence of a cryptography-breaking QC becomes a cr= edible threat, the Bitcoin ecosystem has no other option than softforking o= ut the ability to spend from signature schemes (including ECDSA and BIP340)= that are vulnerable to QCs. The alternative is that millions of BTC become= vulnerable to theft; I cannot see how the currency can maintain any value = at all in such a setting. And this affects everyone; even those which dilig= ently moved their coins to PQC-protected schemes."
- Pieter Wuille<= /blockquote>
I don't think "confiscation" is the most prec= ise term to use, as the funds are not being seized and reassigned. Rather, = what we're really discussing would be better described as "burning= " - placing the funds out of reach of everyone.

Not free= zing user funds is one of Bitcoin's inviolable properties. However, if = quantum computing becomes a threat to Bitcoin's elliptic curve cryptogr= aphy, an inviolable property of Bitcoin will be violated one way or anot= her.

Fundamental Properties at Risk
5= years ago I attempted to comprehensively categorize all of Bitcoin's f= undamental properties that give it value. https://nak= amoto.com/what-are-the-key-properties-of-bitcoin/

The particular= properties in play with regard to this issue seem to be:

Censors= hip Resistance - No one should have the power to prevent others from us= ing their bitcoin or interacting with the network.

Forward Compat= ibility - changing the rules such that certain valid transactions becom= e invalid could undermine confidence in the protocol.

Conservatis= m - Users should not be expected to be highly responsive to system issu= es.

As a result of the above principles, we have developed a strong = meme (kudos to Andreas Antonopoulos) that goes as follows:

Not your keys, not your coins.
I posit that the corollary to this principle is:

Your keys, only your coins.
A quantum capable entity breaks the corollary of this foundati= onal principle. We secure our bitcoin with the mathematical probabilities r= elated to extremely large random numbers. Your funds are only secure becaus= e truly random large numbers should not be guessable or discoverable by any= one else in the world.

This is the principle behind the motto vir= es in numeris - strength in numbers. In a world with quantum enabled ad= versaries, this principle is null and void for many types of cryptography, = including the elliptic curve digital signatures used in Bitcoin.

Who is at Risk?
There has long been a narrative tha= t Satoshi's coins and others from the Satoshi era of P2PK locking scrip= ts that exposed the public key directly on the blockchain will be those tha= t get scooped up by a quantum "miner." But unfortunately it's= not that simple. If I had a powerful quantum computer, which coins would I= target? I'd go to the Bitcoin rich list and find the wallets that have= exposed their public keys due to re-using addresses that have previously b= een spent from. You can easily find them at https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html
Note that a few of these wallets, like Bitfinex / Kraken / Tether, would = be slightly harder to crack because they are multisig wallets. So a quantum= attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfine= x / Tether in order to spend funds. But many are single signature.

P= oint being, it's not only the really old lost BTC that are at risk to a= quantum enabled adversary, at least at time of writing. If we add a quantu= m safe signature scheme, we should expect those wallets to be some of the f= irst to upgrade given their incentives.

The Ethical= Dilemma: Quantifying Harm
Which decision results in the most har= m?

By making quantum vulnerable funds unspendable we potentially har= m some Bitcoin users who were not paying attention and neglected to migrate= their funds to a quantum safe locking script. This violates the "cons= ervativism" principle stated earlier. On the flip side, we prevent tho= se funds plus far more lost funds from falling into the hands of the few pr= ivileged folks who gain early access to quantum computers.

By leavin= g quantum vulnerable funds available to spend, the same set of users who wo= uld otherwise have funds frozen are likely to see them stolen. And many ear= ly adopters who lost their keys will eventually see their unreachable funds= scooped up by a quantum enabled adversary.

Imagine, for example, be= ing James Howells, who accidentally threw away a hard drive with 8,000 BTC = on it, currently worth over $600M USD. He has spent a decade trying to retr= ieve it from the landfill where he knows it's buried, but can't get= permission to excavate. I suspect that, given the choice, he'd prefer = those funds be permanently frozen rather than fall into someone else's = possession - I know I would.

Allowing a quantum computer to access l= ost funds doesn't make those users any worse off than they were before,= however it would have a negative impact upon everyone who is curren= tly holding bitcoin.

It's prudent to expect significant economic= disruption if large amounts of coins fall into new hands. Since a quantum = computer is going to have a massive up front cost, expect those behind it t= o desire to recoup their investment. We also know from experience that when= someone suddenly finds themselves in possession of 9+ figures worth of hig= hly liquid assets, they tend to diversify into other things by selling.
=
Allowing quantum recovery of bitcoin is tantamount to wealth redistr= ibution. What we'd be allowing is for bitcoin to be redistributed f= rom those who are ignorant of quantum computers to those who have won the t= echnological race to acquire quantum computers. It's hard to see a brig= ht side to that scenario.

Is Quantum Recovery Good = for Anyone?

Does quantum recovery HELP anyone? I've yet t= o come across an argument that it's a net positive in any way. It certa= inly doesn't add any security to the network. If anything, it greatly d= ecreases the security of the network by allowing funds to be claimed by tho= se who did not earn them.

But wait, you may be thinking, wouldn'= t quantum "miners" have earned their coins by all the work and re= sources invested in building a quantum computer? I suppose, in the same sen= se that a burglar earns their spoils by the resources they invest into surv= eilling targets and learning the skills needed to break into buildings. Wha= t I say "earned" I mean through productive mutual trade.

F= or example:

* Investors earn BTC by trading for other currencies.* Merchants earn BTC by trading for goods and services.
* Miners earn B= TC by trading thermodynamic security.
* Quantum miners don't trade a= nything, they are vampires feeding upon the system.

There's no r= eason to believe that allowing quantum adversaries to recover vulnerable bi= tcoin will be of benefit to anyone other than the select few organizations = that win the technological arms race to build the first such computers. Pro= bably nation states and/or the top few largest tech companies.

One c= ould certainly hope that an organization with quantum supremacy is benevole= nt and acts in a "white hat" manner to return lost coins to their= owners, but that's incredibly optimistic and foolish to rely upon. Suc= h a situation creates an insurmountable ethical dilemma of only recovering = lost bitcoin rather than currently owned bitcoin. There's no way to pre= cisely differentiate between the two; anyone can claim to have lost their b= itcoin but if they have lost their keys then proving they ever had the keys= becomes rather difficult. I imagine that any such white hat recovery effor= ts would have to rely upon attestations from trusted third parties like exc= hanges.

Even if the first actor with quantum supremacy is benevolent= , we must assume the technology could fall into adversarial hands and thus = think adversarially about the potential worst case outcomes. Imagine, for e= xample, that North Korea continues scooping up billions of dollars from hac= king crypto exchanges and decides to invest some of those proceeds into bui= lding a quantum computer for the biggest payday ever...

Downsides to Allowing Quantum Recovery
Let's think thr= ough an exhaustive list of pros and cons for allowing or preventing the sei= zure of funds by a quantum adversary.

Historical Pr= ecedent
Previous protocol vulnerabilities weren=E2=80=99t celebra= ted as "fair game" but rather were treated as failures to be reme= diated. Treating quantum theft differently risks rewriting Bitcoin=E2=80=99= s history as a free-for-all rather than a system that seeks to protect its = users.

Violation of Property Rights
Allow= ing a quantum adversary to take control of funds undermines the fundamental= principle of cryptocurrency - if you keep your keys in your possession, on= ly you should be able to access your money. Bitcoin is built on the idea th= at private keys secure an individual=E2=80=99s assets, and unauthorized acc= ess (even via advanced tech) is theft, not a legitimate transfer.

Erosion of Trust in Bitcoin
If quantum attackers c= an exploit vulnerable addresses, confidence in Bitcoin as a secure store of= value would collapse. Users and investors rely on cryptographic integrity,= and widespread theft could drive adoption away from Bitcoin, destabilizing= its ecosystem.

This is essentially the counterpoint to claiming the= burning of vulnerable funds is a violation of property rights. While some = will certainly see it as such, others will find the apathy toward stopping = quantum theft to be similarly concerning.

Unfair Ad= vantage
Quantum attackers, likely equipped with rare and expensiv= e technology, would have an unjust edge over regular users who lack access = to such tools. This creates an inequitable system where only the technologi= cally elite can exploit others, contradicting Bitcoin=E2=80=99s ethos of de= centralized power.

Bitcoin is designed to create an asymmetric advan= tage for DEFENDING one's wealth. It's supposed to be impractically = expensive for attackers to crack the entropy and cryptography protecting on= e's coins. But now we find ourselves discussing a situation where this = asymmetric advantage is compromised in favor of a specific class of attacke= rs.

Economic Disruption
Large-scale theft= from vulnerable addresses could crash Bitcoin=E2=80=99s price as quantum r= ecovered funds are dumped on exchanges. This would harm all holders, not ju= st those directly targeted, leading to broader financial chaos in the marke= ts.

Moral Responsibility
Permitting theft= via quantum computing sets a precedent that technological superiority just= ifies unethical behavior. This is essentially taking a "code is law&qu= ot; stance in which we refuse to admit that both code and laws can be modif= ied to adapt to previously unforeseen situations.

Burning of coins c= an certainly be considered a form of theft, thus I think it's worth dif= ferentiating the two different thefts being discussed:

1. self-enric= hing & likely malicious
2. harm prevention & not necessarily mal= icious

Both options lack the consent of the party whose coins are be= ing burnt or transferred, thus I think the simple argument that theft is im= moral becomes a wash and it's important to drill down into the details = of each.

Incentives Drive Security
I can = tell you from a decade of working in Bitcoin security - the average user is= lazy and is a procrastinator. If Bitcoiners are given a "drop dead da= te" after which they know vulnerable funds will be burned, this pressu= re accelerates the adoption of post-quantum cryptography and strengthens Bi= tcoin long-term. Allowing vulnerable users to delay upgrading indefinitely = will result in more laggards, leaving the network more exposed when quantum= tech becomes available.

Steel Manning
Cl= early this is a complex and controversial topic, thus it's worth thinki= ng through the opposing arguments.

Protecting Prope= rty Rights
Allowing quantum computers to take vulnerable bitcoin = could potentially be spun as a hard money narrative - we care so greatly ab= out not violating someone's access to their coins that we allow them to= be stolen!

But I think the flip side to the property rights narrati= ve is that burning vulnerable coins prevents said property from falling int= o undeserving hands. If the entire Bitcoin ecosystem just stands around and= allows quantum adversaries to claim funds that rightfully belong to other = users, is that really a "win" in the "protecting property ri= ghts" category? It feels more like apathy to me.

As such, I thi= nk the "protecting property rights" argument is a wash.

Quantum Computers Won't Attack Bitcoin
There i= s a great deal of skepticism that sufficiently powerful quantum computers w= ill ever exist, so we shouldn't bother preparing for a non-existent thr= eat. Others have argued that even if such a computer was built, a quantum a= ttacker would not go after bitcoin because they wouldn't want to reveal= their hand by doing so, and would instead attack other infrastructure.
=
It's quite difficult to quantify exactly how valuable attacking oth= er infrastructure would be. It also really depends upon when an entity gain= s quantum supremacy and thus if by that time most of the world's system= s have already been upgraded. While I think you could argue that certain en= tities gaining quantum capability might not attack Bitcoin, it would only d= elay the inevitable - eventually somebody will achieve the capability who d= ecides to use it for such an attack.

Quantum Attack= ers Would Only Steal Small Amounts
Some have argued that even if = a quantum attacker targeted bitcoin, they'd only go after old, likely l= ost P2PK outputs so as to not arouse suspicion and cause a market panic.
I'm not so sure about that; why go after 50 BTC at a time when you= could take 250,000 BTC with the same effort as 50 BTC? This is a classic &= quot;zero day exploit" game theory in which an attacker knows they hav= e a limited amount of time before someone else discovers the exploit and ei= ther benefits from it or patches it. Take, for example, the recent ByBit at= tack - the highest value crypto hack of all time. Lazarus Group had comprom= ised the Safe wallet front end JavaScript app and they could have simply ha= d it reassign ownership of everyone's Safe wallets as they were interac= ting with their wallet. But instead they chose to only specifically target = ByBit's wallet with $1.5 billion in it because they wanted to maximize = their extractable value. If Lazarus had started stealing from every wallet,= they would have been discovered quickly and the Safe web app would likely = have been patched well before any billion dollar wallets executed the malic= ious code.

I think the "only stealing small amounts" argum= ent is strongest for Situation #2 described earlier, where a quantum attack= er arrives before quantum safe cryptography has been deployed across the Bi= tcoin ecosystem. Because if it became clear that Bitcoin's cryptography= was broken AND there was nowhere safe for vulnerable users to migrate, the= only logical option would be for everyone to liquidate their bitcoin as qu= ickly as possible. As such, I don't think it applies as strongly for si= tuations in which we have a migration path available.

The 21 Million Coin Supply Should be in Circulation
Some folks= are arguing that it's important for the "circulating / spendable&= quot; supply to be as close to 21M as possible and that having a significan= t portion of the supply out of circulation is somehow undesirable.

W= hile the "21M BTC" attribute is a strong memetic narrative, I don= 't think anyone has ever expected that it would all be in circulation. = It has always been understood that many coins will be lost, and that's = actually part of the game theory of owning bitcoin!

And remember, th= e 21M number in and of itself is not a particularly important detail - it&#= 39;s not even mentioned in the whitepaper. What's important is that the= supply is well known and not subject to change.

Se= lf-Sovereignty and Personal Responsibility
Bitcoin=E2=80=99s desi= gn empowers individuals to control their own wealth, free from centralized = intervention. This freedom comes with the burden of securing one's priv= ate keys. If quantum computing can break obsolete cryptography, the fault l= ies with users who didn't move their funds to quantum safe locking scri= pts. Expecting the network to shield users from their own negligence underm= ines the principle that you, and not a third party, are accountable for you= r assets.

I think this is generally a fair point that "the comm= unity" doesn't owe you anything in terms of helping you. I think t= hat we do, however, need to consider the incentives and game theory in play= with regard to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners. M= ore on that later.

Code is Law
Bitcoin op= erates on transparent, immutable rules embedded in its protocol. If a quant= um attacker uses superior technology to derive private keys from public key= s, they=E2=80=99re not "hacking" the system - they're simply = following what's mathematically permissible within the current code. Al= tering the protocol to stop this introduces subjective human intervention, = which clashes with the objective, deterministic nature of blockchain.
While I tend to agree that code is law, one of the entire points of laws = is that they can be amended to improve their efficacy in reducing harm. Lea= ning on this point seems more like a pro-ossification stance that it's = better to do nothing and allow harm to occur rather than take action to sto= p an attack that was foreseen far in advance.

Techn= ological Evolution as a Feature, Not a Bug
It's well known th= at cryptography tends to weaken over time and eventually break. Quantum com= puting is just the next step in this progression. Users who fail to adapt (= e.g., by adopting quantum-resistant wallets when available) are akin to tho= se who ignored technological advancements like multisig or hardware wallets= . Allowing quantum theft incentivizes innovation and keeps Bitcoin=E2=80=99= s ecosystem dynamic, punishing complacency while rewarding vigilance.
Market Signals Drive Security
If quantum attac= kers start stealing funds, it sends a clear signal to the market: upgrade y= our security or lose everything. This pressure accelerates the adoption of = post-quantum cryptography and strengthens Bitcoin long-term. Coddling vulne= rable users delays this necessary evolution, potentially leaving the networ= k more exposed when quantum tech becomes widely accessible. Theft is a brut= al but effective teacher.

Centralized Blacklisting = Power
Burning vulnerable funds requires centralized decision-maki= ng - a soft fork to invalidate certain transactions. This sets a dangerous = precedent for future interventions, eroding Bitcoin=E2=80=99s decentralizat= ion. If quantum theft is blocked, what=E2=80=99s next - reversing exchange = hacks? The system must remain neutral, even if it means some lose out.
<= br>I think this could be a potential slippery slope if the proposal was to = only burn specific addresses. Rather, I'd expect a neutral proposal to = burn all funds in locking script types that are known to be quantum vulnera= ble. Thus, we could eliminate any subjectivity from the code.

Fairness in Competition
Quantum attackers aren't c= heating; they're using publicly available physics and math. Anyone with= the resources and foresight can build or access quantum tech, just as anyo= ne could mine Bitcoin in 2009 with a CPU. Early adopters took risks and rea= ped rewards; quantum innovators are doing the same. Calling it =E2=80=9Cunf= air=E2=80=9D ignores that Bitcoin has never promised equality of outcome - = only equality of opportunity within its rules.

I find this argument = to be a mischaracterization because we're not talking about CPUs. This = is more akin to talking about ASICs, except each ASIC costs millions if not= billions of dollars. This is out of reach from all but the wealthiest orga= nizations.

Economic Resilience
Bitcoin ha= s weathered thefts before (MTGOX, Bitfinex, FTX, etc) and emerged stronger.= The market can absorb quantum losses, with unaffected users continuing to = hold and new entrants buying in at lower prices. Fear of economic collapse = overestimates the impact - the network=E2=80=99s antifragility thrives on s= uch challenges.

This is a big grey area because we don't know wh= en a quantum computer will come online and we don't know how quickly sa= id computers would be able to steal bitcoin. If, for example, the first gen= eration of sufficiently powerful quantum computers were stealing less volum= e than the current block reward then of course it will have minimal economi= c impact. But if they're taking thousands of BTC per day and bringing t= hem back into circulation, there will likely be a noticeable market impact = as it absorbs the new supply.

This is where the circumstances will r= eally matter. If a quantum attacker appears AFTER the Bitcoin protocol has = been upgraded to support quantum resistant cryptography then we should expe= ct the most valuable active wallets will have upgraded and the juiciest tar= get would be the 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1= dr which has been dormant since 2010. In general I'd expect that the am= ount of BTC re-entering the circulating supply would look somewhat similar = to the mining emission curve: volume would start off very high as the most = valuable addresses are drained and then it would fall off as quantum comput= ers went down the list targeting addresses with less and less BTC.

W= hy is economic impact a factor worth considering? Miners and businesses in = general. More coins being liquidated will push down the price, which will n= egatively impact miner revenue. Similarly, I can attest from working in the= industry for a decade, that lower prices result in less demand from busine= sses across the entire industry. As such, burning quantum vulnerable bitcoi= n is good for the entire industry.

Practicality &am= p; Neutrality of Non-Intervention
There=E2=80=99s no reliable way= to distinguish =E2=80=9Ctheft=E2=80=9D from legitimate "white hat&quo= t; key recovery. If someone loses their private key and a quantum computer = recovers it, is that stealing or reclaiming? Policing quantum actions requi= res invasive assumptions about intent, which Bitcoin=E2=80=99s trustless de= sign can=E2=80=99t accommodate. Letting the chips fall where they may avoid= s this mess.

Philosophical Purity
Bitcoin= rejects bailouts. It=E2=80=99s a cold, hard system where outcomes reflect = preparation and skill, not sentimentality. If quantum computing upends the = game, that=E2=80=99s the point - Bitcoin isn=E2=80=99t meant to be safe or = fair in a nanny-state sense; it=E2=80=99s meant to be free. Users who lose = funds to quantum attacks are casualties of liberty and their own ignorance,= not victims of injustice.

Bitcoin's DAO Moment=
This situation has some similarities to The DAO hack of an Ether= eum smart contract in 2016, which resulted in a fork to stop the attacker a= nd return funds to their original owners. The game theory is similar becaus= e it's a situation where a threat is known but there's some period = of time before the attacker can actually execute the theft. As such, there&= #39;s time to mitigate the attack by changing the protocol.

It also = created a schism in the community around the true meaning of "code is = law," resulting in Ethereum Classic, which decided to allow the attack= er to retain control of the stolen funds.

A soft fork to burn vulner= able bitcoin could certainly result in a hard fork if there are enough mine= rs who reject the soft fork and continue including transactions.

Incentives Matter
We can wax philosophical until th= e cows come home, but what are the actual incentives for existing Bitcoin h= olders regarding this decision?

"Lost coins only make everyone else's coins worth sl= ightly more. Think of it as a donation to everyone." - Satoshi Nakamot= o

If true, the corollary is:

"Quantum recovered coins only make everyone= else's coins worth less. Think of it as a theft from everyone." -= Jameson Lopp

Thus, assuming we get to a point where quantu= m resistant signatures are supported within the Bitcoin protocol, what'= s the incentive to let vulnerable coins remain spendable?

* It's= not good for the actual owners of those coins. It disincentivizes owners f= rom upgrading until perhaps it's too late.
* It's not good for t= he more attentive / responsible owners of coins who have quantum secured th= eir stash. Allowing the circulating supply to balloon will assuredly reduce= the purchasing power of all bitcoin holders.

Forki= ng Game Theory
From a game theory point of view, I see this as in= centivizing users to upgrade their wallets. If you disagree with the burnin= g of vulnerable coins, all you have to do is move your funds to a quantum s= afe signature scheme. Point being, I don't see there being an economic = majority (or even more than a tiny minority) of users who would fight such = a soft fork. Why expend significant resources fighting a fork when you can = just move your coins to a new address?

Remember that blocking spendi= ng of certain classes of locking scripts is a tightening of the rules - a s= oft fork. As such, it can be meaningfully enacted and enforced by a mere ma= jority of hashpower. If miners generally agree that it's in their best = interest to burn vulnerable coins, are other users going to care enough to = put in the effort to run new node software that resists the soft fork? Seem= s unlikely to me.

How to Execute Burning
= In order to be as objective as possible, the goal would be to announce to t= he world that after a specific block height / timestamp, Bitcoin nodes will= no longer accept transactions (or blocks containing such transactions) tha= t spend funds from any scripts other than the newly instituted quantum safe= schemes.

It could take a staggered approach to first freeze funds t= hat are susceptible to long-range attacks such as those in P2PK scripts or = those that exposed their public keys due to previously re-using addresses, = but I expect the additional complexity would drive further controversy.
=
How long should the grace period be in order to give the ecosystem time= to upgrade? I'd say a minimum of 1 year for software wallets to upgrad= e. We can only hope that hardware wallet manufacturers are able to implemen= t post quantum cryptography on their existing hardware with only a firmware= update.

Beyond that, it will take at least 6 months worth of block = space for all users to migrate their funds, even in a best case scenario. T= hough if you exclude dust UTXOs you could probably get 95% of BTC value mig= rated in 1 month. Of course this is a highly optimistic situation where eve= ryone is completely focused on migrations - in reality it will take far lon= ger.

Regardless, I'd think that in order to reasonably uphold Bi= tcoin's conservatism it would be preferable to allow a 4 year migration= window. In the meantime, mining pools could coordinate emergency soft fork= ing logic such that if quantum attackers materialized, they could accelerat= e the countdown to the quantum vulnerable funds burn.

Random Tangential Benefits
On the plus side, burning all quant= um vulnerable bitcoin would allow us to prune all of those UTXOs out of the= UTXO set, which would also clean up a lot of dust. Dust UTXOs are a bit of= an annoyance and there has even been a recent proposal for how to incentiv= ize cleaning them up.

We should also expect that incentivizing migra= tion of the entire UTXO set will create substantial demand for block space = that will sustain a fee market for a fairly lengthy amount of time.

= In Summary
While the moral quandary of violating= any of Bitcoin's inviolable properties can make this a very complex is= sue to discuss, the game theory and incentives between burning vulnerable c= oins versus allowing them to be claimed by entities with quantum supremacy = appears to be a much simpler issue.

I, for one, am not interested in= rewarding quantum capable entities by inflating the circulating money supp= ly just because some people lost their keys long ago and some laggards are = not upgrading their bitcoin wallet's security.

We can hope that = this scenario never comes to pass, but hope is not a strategy.

I wel= come your feedback upon any of the above points, and contribution of any ar= guments I failed to consider.

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoind= ev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoind= ev/f17de19d-a6f5-46b3-abcd-09c056d9bd64n%40googlegroups.com.
------=_Part_248321_2076021029.1752421091483-- ------=_Part_248320_934919471.1752421091483--