From: Pieter Wuille <bitcoin-dev@wuille.net>
To: Hunter Beast <hunter@surmount.systems>
Cc: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] Proposal for Quantum-Resistant Address Migration Protocol (QRAMP) BIP
Date: Wed, 19 Feb 2025 17:56:07 +0000	[thread overview]
Message-ID: <pXZj0cBHqBVPjkNPKBjiNE1BjPHhvRp-MwPaBsQu-s6RTEL9oBJearqZE33A2yz31LNRNUpZstq_q8YMN1VsCY2vByc9w4QyTOmIRCE3BFM=@wuille.net> (raw)
In-Reply-To: <f9e233e0-9d87-4e71-9a9f-3310ea242194n@googlegroups.com>

On Wednesday, February 19th, 2025 at 11:06 AM, Hunter Beast <hunter@surmount.systems> wrote:

> I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation.

Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking(*) out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone, even those who diligently moved their coins to PQC-protected schemes.

> Also, I don't see the urgency, considering the majority of coins are in either P2PKH, P2WPKH, P2SH, and P2WSH addresses. If PQC signatures aren't added, such as with BIP-360, there will be some concern around long exposure attacks on P2TR coins.

There were literally millions of BTC locked in outputs whose public keys are already known to the public, long before P2TR. Either because they're in P2PK outputs, because they're in hashed addresses which have been reused and already used for spending, or because they've been spent in forked chains. There are likely substantially more BTC in outputs whose public keys are known to multiple parties (multisig, lightning channels, escrow services, ...) but not to the entire world.

I certainly agree there is no urgency right now, but if (and only if) cryptography-breaking QCs become a reality, the ecosystem has no choice but to disable(*) the spending of coins through schemes that become broken, and needs to have done so before such a machine exists.

(*) There may exist ways of retaining the ability to spend coins in vulnerable schemes, if they involve a PQC proof of knowledge of some additional secret, e.g. the xprv the key was derived with. It's a significant complication, and not applicable to everything, but might be an option.

--
Pieter
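The distinction Pieter draws above (outputs whose public key is already world-readable versus outputs that only publish a hash until they are spent from) can be turned into a small inventory tool. The following is an added example, not code from the thread or from any Bitcoin project; it recognises the standard scriptPubKey templates, assumes the caller already knows whether an address or script was previously spent from (on this chain or a fork), and runs over constructed sample UTXOs.

```python
"""Classify outputs by whether their public key is already visible on-chain (added example)."""

def classify_spk(spk: bytes) -> str:
    """Return the output type of a raw scriptPubKey, using the standard templates."""
    n = len(spk)
    # P2PK: <33- or 65-byte pubkey> OP_CHECKSIG; the pubkey itself is in the output
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK"
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "P2PKH"
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "P2SH"
    if n == 22 and spk[:2] == b"\x00\x14":   # segwit v0, 20-byte program
        return "P2WPKH"
    if n == 34 and spk[:2] == b"\x00\x20":   # segwit v0, 32-byte program
        return "P2WSH"
    if n == 34 and spk[:2] == b"\x51\x20":   # segwit v1 (taproot), tweaked key in the output
        return "P2TR"
    return "unknown"

def pubkey_exposed(kind: str, spent_from_before: bool) -> str:
    """'public' if the key is readable by everyone; 'hashed' if only a hash is published so far."""
    if kind in ("P2PK", "P2TR"):
        return "public"
    if kind in ("P2PKH", "P2SH", "P2WPKH", "P2WSH"):
        # Spending (here or on a forked chain) reveals the key/script in the witness or scriptSig
        return "public" if spent_from_before else "hashed"
    return "unknown"

def exposure_report(utxos):
    """Sum BTC per exposure class over (scriptPubKey, amount_btc, spent_from_before) tuples."""
    totals = {"public": 0.0, "hashed": 0.0, "unknown": 0.0}
    for spk, amount, spent_before in utxos:
        totals[pubkey_exposed(classify_spk(spk), spent_before)] += amount
    return totals

# Constructed sample scriptPubKeys (dummy key/hash bytes, not real keys)
P2PK_SPK = b"\x21\x02" + b"\x11" * 32 + b"\xac"
P2PKH_SPK = b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"
P2WPKH_SPK = b"\x00\x14" + b"\x33" * 20
P2TR_SPK = b"\x51\x20" + b"\x44" * 32
SAMPLE_UTXOS = [(P2PK_SPK, 50.0, False), (P2PKH_SPK, 10.0, True),
                (P2WPKH_SPK, 5.0, False), (P2TR_SPK, 1.0, False)]

if __name__ == "__main__":
    print(exposure_report(SAMPLE_UTXOS))
```

Keys shared with counterparties (multisig, channels, escrow) still land in "hashed" here, since the tool only sees on-chain data; that matches the point that such coins are exposed to some parties but not to the whole world.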
