Date: Sun, 25 May 2025 19:03:40 +0000
To: Agustin Cruz
From: "'conduition' via Bitcoin Development Mailing List"
Cc: AstroTown, bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin

Hey Saulo,

You're right about the possibility of an ugly split. Laggards who don't move coins to PQ address schemes will be incentivized to follow any chain where they keep their coins. But those who do migrate will be incentivized to follow the chain where unmigrated pre-quantum coins are frozen.

While you're comparing this event to the ETH/ETC split, we should remember that ETH remained the dominant chain despite their heavy-handed rollback. Just goes to show, confusion and face-loss is a lesser evil than allowing an adversary to pwn the network.

> This is the free-market way to solve problems without imposing rules on everyone.

It'd still be a free market even if quantum-vulnerable coins are frozen. The only way to test the relative value of quantum-safe vs quantum-vulnerable coins is to split the chain and see how the market reacts.

IMO, the "free market way" is to give people options and let their money flow to where it works best. That means people should be able to choose whether they want their money to be part of a system that allows quantum attack, or part of one which does not. I know which I would choose, but neither you nor I can make that choice for everyone.

regards,
conduition

On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz wrote:

> I’m against letting quantum computers scoop up funds from addresses that don’t upgrade to quantum-resistant.
> Saulo’s idea of a free-market approach, leaving old coins up for grabs if people don’t move them, sounds fair at first. Let luck decide, right? But I worry it’d turn into a mess. If quantum machines start cracking keys and snagging coins, it’s not just lost Satoshi-era stuff at risk. Plenty of active wallets, like those on the rich list Jameson mentioned, could get hit too. Imagine millions of BTC flooding the market. Prices tank, trust in Bitcoin takes a dive, and we all feel the pain. Freezing those vulnerable funds keeps that chaos in check.
> Plus, “your keys, your coins” is Bitcoin’s heart. If quantum tech can steal from you just because you didn’t upgrade fast enough, that promise feels shaky. Freezing funds after a heads-up period (say, four years) protects that idea better than letting tech giants or rogue states play vampire with our network. It also nudges people to get their act together and move to safer addresses, which strengthens Bitcoin long-term.
> Saulo’s right that freezing coins could confuse folks or spark a split like Ethereum Classic. But I’d argue quantum theft would look worse. Bitcoin would seem broken, not just strict. A clear plan and enough time to migrate could smooth things over. History’s on our side too. Bitcoin’s fixed bugs before, like SegWit. This feels like that, not a bailout.
> So yeah, I’d rather see vulnerable coins locked than handed to whoever builds the first quantum rig. It’s less about coddling people and more about keeping Bitcoin solid for everyone. What do you all think?
> Cheers,
> Agustín
>
> On Sun, Mar 23, 2025 at 10:29 PM AstroTown wrote:
>
> > I believe that having some entity announce the decision to freeze old UTXOs would be more damaging to Bitcoin’s image (and its value) than having them gathered by QC. This would create another version of Bitcoin, similar to Ethereum Classic, causing confusion in the market.
> > It would be better to simply implement the possibility of moving funds to a PQC address without a deadline, allowing those who fail to do so to rely on luck to avoid having their coins stolen. Most coins would be migrated to PQC anyway, and in most cases, only the lost ones would remain vulnerable. This is the free-market way to solve problems without imposing rules on everyone.
> >
> > Saulo Fonseca
> >
> > > On 16. Mar 2025, at 15:15, Jameson Lopp wrote:
> > >
> > > The quantum computing debate is heating up. There are many controversial aspects to this debate, including whether or not quantum computers will ever actually become a practical threat.
> > > I won't tread into the unanswerable question of how worried we should be about quantum computers. I think it's far from a crisis, but given the difficulty in changing Bitcoin it's worth starting to seriously discuss. Today I wish to focus on a philosophical quandary related to one of the decisions that would need to be made if and when we implement a quantum safe signature scheme.
> > >
> > > Several Scenarios
> > > Because this essay will reference game theory a fair amount, and there are many variables at play that could change the nature of the game, I think it's important to clarify the possible scenarios up front.
> > >
> > > 1. Quantum computing never materializes, never becomes a threat, and thus everything discussed in this essay is moot.
> > > 2. A quantum computing threat materializes suddenly and Bitcoin does not have quantum safe signatures as part of the protocol. In this scenario it would likely make the points below moot because Bitcoin would be fundamentally broken and it would take far too long to upgrade the protocol, wallet software, and migrate user funds in order to restore confidence in the network.
> > > 3. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been minimally adopted by the time an attacker appears.
> > > 4. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been highly adopted by the time an attacker appears.
> > >
> > > For the purposes of this post, I'm envisioning being in situation 3 or 4.
> > >
> > > To Freeze or not to Freeze?
> > > I've started seeing more people weighing in on what is likely the most contentious aspect of how a quantum resistance upgrade should be handled in terms of migrating user funds. Should quantum vulnerable funds be left open to be swept by anyone with a sufficiently powerful quantum computer OR should they be permanently locked?
> > >
> > > > "I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation."
> > >
> > > > - Hunter Beast
> > >
> > > On the other hand:
> > >
> > > > "Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone; even those which diligently moved their coins to PQC-protected schemes."
> > > > - Pieter Wuille
> > >
> > > I don't think "confiscation" is the most precise term to use, as the funds are not being seized and reassigned. Rather, what we're really discussing would be better described as "burning" - placing the funds out of reach of everyone.
> > >
> > > Not freezing user funds is one of Bitcoin's inviolable properties. However, if quantum computing becomes a threat to Bitcoin's elliptic curve cryptography, an inviolable property of Bitcoin will be violated one way or another.
> > >
> > > Fundamental Properties at Risk
> > > 5 years ago I attempted to comprehensively categorize all of Bitcoin's fundamental properties that give it value. https://nakamoto.com/what-are-the-key-properties-of-bitcoin/
> > > The particular properties in play with regard to this issue seem to be:
> > >
> > > Censorship Resistance - No one should have the power to prevent others from using their bitcoin or interacting with the network.
> > >
> > > Forward Compatibility - changing the rules such that certain valid transactions become invalid could undermine confidence in the protocol.
> > >
> > > Conservatism - Users should not be expected to be highly responsive to system issues.
> > >
> > > As a result of the above principles, we have developed a strong meme (kudos to Andreas Antonopoulos) that goes as follows:
> > >
> > > > Not your keys, not your coins.
> > >
> > > I posit that the corollary to this principle is:
> > >
> > > > Your keys, only your coins.
> > >
> > > A quantum capable entity breaks the corollary of this foundational principle. We secure our bitcoin with the mathematical probabilities related to extremely large random numbers. Your funds are only secure because truly random large numbers should not be guessable or discoverable by anyone else in the world.
> > >
> > > This is the principle behind the motto vires in numeris - strength in numbers. In a world with quantum enabled adversaries, this principle is null and void for many types of cryptography, including the elliptic curve digital signatures used in Bitcoin.
> > >
> > > Who is at Risk?
> > > There has long been a narrative that Satoshi's coins and others from the Satoshi era of P2PK locking scripts that exposed the public key directly on the blockchain will be those that get scooped up by a quantum "miner." But unfortunately it's not that simple. If I had a powerful quantum computer, which coins would I target? I'd go to the Bitcoin rich list and find the wallets that have exposed their public keys due to re-using addresses that have previously been spent from. You can easily find them at https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html
> > >
> > > Note that a few of these wallets, like Bitfinex / Kraken / Tether, would be slightly harder to crack because they are multisig wallets. So a quantum attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfinex / Tether in order to spend funds. But many are single signature.
> > >
> > > Point being, it's not only the really old lost BTC that are at risk to a quantum enabled adversary, at least at time of writing. If we add a quantum safe signature scheme, we should expect those wallets to be some of the first to upgrade given their incentives.
> > >
> > > The Ethical Dilemma: Quantifying Harm
> > > Which decision results in the most harm?
> > >
> > > By making quantum vulnerable funds unspendable we potentially harm some Bitcoin users who were not paying attention and neglected to migrate their funds to a quantum safe locking script. This violates the "conservativism" principle stated earlier. On the flip side, we prevent those funds plus far more lost funds from falling into the hands of the few privileged folks who gain early access to quantum computers.
> > >
> > > By leaving quantum vulnerable funds available to spend, the same set of users who would otherwise have funds frozen are likely to see them stolen. And many early adopters who lost their keys will eventually see their unreachable funds scooped up by a quantum enabled adversary.
> > >
> > > Imagine, for example, being James Howells, who accidentally threw away a hard drive with 8,000 BTC on it, currently worth over $600M USD. He has spent a decade trying to retrieve it from the landfill where he knows it's buried, but can't get permission to excavate. I suspect that, given the choice, he'd prefer those funds be permanently frozen rather than fall into someone else's possession - I know I would.
> > >
> > > Allowing a quantum computer to access lost funds doesn't make those users any worse off than they were before, however it would have a negative impact upon everyone who is currently holding bitcoin.
> > >
> > > It's prudent to expect significant economic disruption if large amounts of coins fall into new hands. Since a quantum computer is going to have a massive up front cost, expect those behind it to desire to recoup their investment. We also know from experience that when someone suddenly finds themselves in possession of 9+ figures worth of highly liquid assets, they tend to diversify into other things by selling.
> > >
> > > Allowing quantum recovery of bitcoin is tantamount to wealth redistribution. What we'd be allowing is for bitcoin to be redistributed from those who are ignorant of quantum computers to those who have won the technological race to acquire quantum computers. It's hard to see a bright side to that scenario.
> > >
> > > Is Quantum Recovery Good for Anyone?
> > >
> > > Does quantum recovery HELP anyone? I've yet to come across an argument that it's a net positive in any way. It certainly doesn't add any security to the network. If anything, it greatly decreases the security of the network by allowing funds to be claimed by those who did not earn them.
> > >
> > > But wait, you may be thinking, wouldn't quantum "miners" have earned their coins by all the work and resources invested in building a quantum computer? I suppose, in the same sense that a burglar earns their spoils by the resources they invest into surveilling targets and learning the skills needed to break into buildings. When I say "earned" I mean through productive mutual trade.
> > >
> > > For example:
> > >
> > > * Investors earn BTC by trading for other currencies.
> > > * Merchants earn BTC by trading for goods and services.
> > > * Miners earn BTC by trading thermodynamic security.
> > > * Quantum miners don't trade anything, they are vampires feeding upon the system.
> > >
> > > There's no reason to believe that allowing quantum adversaries to recover vulnerable bitcoin will be of benefit to anyone other than the select few organizations that win the technological arms race to build the first such computers. Probably nation states and/or the top few largest tech companies.
> > >
> > > One could certainly hope that an organization with quantum supremacy is benevolent and acts in a "white hat" manner to return lost coins to their owners, but that's incredibly optimistic and foolish to rely upon. Such a situation creates an insurmountable ethical dilemma of only recovering lost bitcoin rather than currently owned bitcoin. There's no way to precisely differentiate between the two; anyone can claim to have lost their bitcoin but if they have lost their keys then proving they ever had the keys becomes rather difficult. I imagine that any such white hat recovery efforts would have to rely upon attestations from trusted third parties like exchanges.
> > >
> > > Even if the first actor with quantum supremacy is benevolent, we must assume the technology could fall into adversarial hands and thus think adversarially about the potential worst case outcomes. Imagine, for example, that North Korea continues scooping up billions of dollars from hacking crypto exchanges and decides to invest some of those proceeds into building a quantum computer for the biggest payday ever...
> > >
> > > Downsides to Allowing Quantum Recovery
> > > Let's think through an exhaustive list of pros and cons for allowing or preventing the seizure of funds by a quantum adversary.
> > >
> > > Historical Precedent
> > > Previous protocol vulnerabilities weren’t celebrated as "fair game" but rather were treated as failures to be remediated. Treating quantum theft differently risks rewriting Bitcoin’s history as a free-for-all rather than a system that seeks to protect its users.
> > >
> > > Violation of Property Rights
> > > Allowing a quantum adversary to take control of funds undermines the fundamental principle of cryptocurrency - if you keep your keys in your possession, only you should be able to access your money. Bitcoin is built on the idea that private keys secure an individual’s assets, and unauthorized access (even via advanced tech) is theft, not a legitimate transfer.
> > >
> > > Erosion of Trust in Bitcoin
> > > If quantum attackers can exploit vulnerable addresses, confidence in Bitcoin as a secure store of value would collapse. Users and investors rely on cryptographic integrity, and widespread theft could drive adoption away from Bitcoin, destabilizing its ecosystem.
> > >
> > > This is essentially the counterpoint to claiming the burning of vulnerable funds is a violation of property rights. While some will certainly see it as such, others will find the apathy toward stopping quantum theft to be similarly concerning.
> > >
> > > Unfair Advantage
> > > Quantum attackers, likely equipped with rare and expensive technology, would have an unjust edge over regular users who lack access to such tools. This creates an inequitable system where only the technologically elite can exploit others, contradicting Bitcoin’s ethos of decentralized power.
> > >
> > > Bitcoin is designed to create an asymmetric advantage for DEFENDING one's wealth. It's supposed to be impractically expensive for attackers to crack the entropy and cryptography protecting one's coins. But now we find ourselves discussing a situation where this asymmetric advantage is compromised in favor of a specific class of attackers.
> > >
> > > Economic Disruption
> > > Large-scale theft from vulnerable addresses could crash Bitcoin’s price as quantum recovered funds are dumped on exchanges. This would harm all holders, not just those directly targeted, leading to broader financial chaos in the markets.
> > >
> > > Moral Responsibility
> > > Permitting theft via quantum computing sets a precedent that technological superiority justifies unethical behavior. This is essentially taking a "code is law" stance in which we refuse to admit that both code and laws can be modified to adapt to previously unforeseen situations.
> > >
> > > Burning of coins can certainly be considered a form of theft, thus I think it's worth differentiating the two different thefts being discussed:
> > >
> > > 1. self-enriching & likely malicious
> > > 2. harm prevention & not necessarily malicious
> > >
> > > Both options lack the consent of the party whose coins are being burnt or transferred, thus I think the simple argument that theft is immoral becomes a wash and it's important to drill down into the details of each.
> > >
> > > Incentives Drive Security
> > > I can tell you from a decade of working in Bitcoin security - the average user is lazy and is a procrastinator. If Bitcoiners are given a "drop dead date" after which they know vulnerable funds will be burned, this pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Allowing vulnerable users to delay upgrading indefinitely will result in more laggards, leaving the network more exposed when quantum tech becomes available.
> > >
> > > Steel Manning
> > > Clearly this is a complex and controversial topic, thus it's worth thinking through the opposing arguments.
> > >
> > > Protecting Property Rights
> > > Allowing quantum computers to take vulnerable bitcoin could potentially be spun as a hard money narrative - we care so greatly about not violating someone's access to their coins that we allow them to be stolen!
> > >
> > > But I think the flip side to the property rights narrative is that burning vulnerable coins prevents said property from falling into undeserving hands. If the entire Bitcoin ecosystem just stands around and allows quantum adversaries to claim funds that rightfully belong to other users, is that really a "win" in the "protecting property rights" category? It feels more like apathy to me.
> > >
> > > As such, I think the "protecting property rights" argument is a wash.
> > >
> > > Quantum Computers Won't Attack Bitcoin
> > > There is a great deal of skepticism that sufficiently powerful quantum computers will ever exist, so we shouldn't bother preparing for a non-existent threat. Others have argued that even if such a computer was built, a quantum attacker would not go after bitcoin because they wouldn't want to reveal their hand by doing so, and would instead attack other infrastructure.
> > >
> > > It's quite difficult to quantify exactly how valuable attacking other infrastructure would be. It also really depends upon when an entity gains quantum supremacy and thus if by that time most of the world's systems have already been upgraded. While I think you could argue that certain entities gaining quantum capability might not attack Bitcoin, it would only delay the inevitable - eventually somebody will achieve the capability who decides to use it for such an attack.
> > >
> > > Quantum Attackers Would Only Steal Small Amounts
> > > Some have argued that even if a quantum attacker targeted bitcoin, they'd only go after old, likely lost P2PK outputs so as to not arouse suspicion and cause a market panic.
> > >
> > > I'm not so sure about that; why go after 50 BTC at a time when you could take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero day exploit" game theory in which an attacker knows they have a limited amount of time before someone else discovers the exploit and either benefits from it or patches it. Take, for example, the recent ByBit attack - the highest value crypto hack of all time. Lazarus Group had compromised the Safe wallet front end JavaScript app and they could have simply had it reassign ownership of everyone's Safe wallets as they were interacting with their wallet. But instead they chose to only specifically target ByBit's wallet with $1.5 billion in it because they wanted to maximize their extractable value. If Lazarus had started stealing from every wallet, they would have been discovered quickly and the Safe web app would likely have been patched well before any billion dollar wallets executed the malicious code.
> > >
> > > I think the "only stealing small amounts" argument is strongest for Situation #2 described earlier, where a quantum attacker arrives before quantum safe cryptography has been deployed across the Bitcoin ecosystem. Because if it became clear that Bitcoin's cryptography was broken AND there was nowhere safe for vulnerable users to migrate, the only logical option would be for everyone to liquidate their bitcoin as quickly as possible. As such, I don't think it applies as strongly for situations in which we have a migration path available.
> > >
> > > The 21 Million Coin Supply Should be in Circulation
> > > Some folks are arguing that it's important for the "circulating / spendable" supply to be as close to 21M as possible and that having a significant portion of the supply out of circulation is somehow undesirable.
> > >
> > > While the "21M BTC" attribute is a strong memetic narrative, I don't think anyone has ever expected that it would all be in circulation. It has always been understood that many coins will be lost, and that's actually part of the game theory of owning bitcoin!
> > >
> > > And remember, the 21M number in and of itself is not a particularly important detail - it's not even mentioned in the whitepaper. What's important is that the supply is well known and not subject to change.
> > >
> > > Self-Sovereignty and Personal Responsibility
> > > Bitcoin’s design empowers individuals to control their own wealth, free from centralized intervention. This freedom comes with the burden of securing one's private keys. If quantum computing can break obsolete cryptography, the fault lies with users who didn't move their funds to quantum safe locking scripts. Expecting the network to shield users from their own negligence undermines the principle that you, and not a third party, are accountable for your assets.
> > >
> > > I think this is generally a fair point that "the community" doesn't owe you anything in terms of helping you. I think that we do, however, need to consider the incentives and game theory in play with regard to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.
> > >
> > > Code is Law
> > > Bitcoin operates on transparent, immutable rules embedded in its protocol. If a quantum attacker uses superior technology to derive private keys from public keys, they’re not "hacking" the system - they're simply following what's mathematically permissible within the current code. Altering the protocol to stop this introduces subjective human intervention, which clashes with the objective, deterministic nature of blockchain.
> > >
> > > While I tend to agree that code is law, one of the entire points of laws is that they can be amended to improve their efficacy in reducing harm. Leaning on this point seems more like a pro-ossification stance that it's better to do nothing and allow harm to occur rather than take action to stop an attack that was foreseen far in advance.
> > >
> > > Technological Evolution as a Feature, Not a Bug
> > > It's well known that cryptography tends to weaken over time and eventually break. Quantum computing is just the next step in this progression. Users who fail to adapt (e.g., by adopting quantum-resistant wallets when available) are akin to those who ignored technological advancements like multisig or hardware wallets. Allowing quantum theft incentivizes innovation and keeps Bitcoin’s ecosystem dynamic, punishing complacency while rewarding vigilance.
> > >
> > > Market Signals Drive Security
> > > If quantum attackers start stealing funds, it sends a clear signal to the market: upgrade your security or lose everything. This pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Coddling vulnerable users delays this necessary evolution, potentially leaving the network more exposed when quantum tech becomes widely accessible. Theft is a brutal but effective teacher.
> > >
> > > Centralized Blacklisting Power
> > > Burning vulnerable funds requires centralized decision-making - a soft fork to invalidate certain transactions. This sets a dangerous precedent for future interventions, eroding Bitcoin’s decentralization. If quantum theft is blocked, what’s next - reversing exchange hacks? The system must remain neutral, even if it means some lose out.
> > >
> > > I think this could be a potential slippery slope if the proposal was to only burn specific addresses. Rather, I'd expect a neutral proposal to burn all funds in locking script types that are known to be quantum vulnerable. Thus, we could eliminate any subjectivity from the code.
> > >
> > > Fairness in Competition
> > > Quantum attackers aren't cheating; they're using publicly available physics and math. Anyone with the resources and foresight can build or access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU. Early adopters took risks and reaped rewards; quantum innovators are doing the same. Calling it “unfair” ignores that Bitcoin has never promised equality of outcome - only equality of opportunity within its rules.
> > >
> > > I find this argument to be a mischaracterization because we're not talking about CPUs. This is more akin to talking about ASICs, except each ASIC costs millions if not billions of dollars. This is out of reach from all but the wealthiest organizations.
> > >
> > > Economic Resilience
> > > Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and emerged stronger. The market can absorb quantum losses, with unaffected users continuing to hold and new entrants buying in at lower prices. Fear of economic collapse overestimates the impact - the network’s antifragility thrives on such challenges.
> > >
> > > This is a big grey area because we don't know when a quantum computer will come online and we don't know how quickly said computers would be able to steal bitcoin. If, for example, the first generation of sufficiently powerful quantum computers were stealing less volume than the current block reward then of course it will have minimal economic impact. But if they're taking thousands of BTC per day and bringing them back into circulation, there will likely be a noticeable market impact as it absorbs the new supply.
> > >
> > > This is where the circumstances will really matter. If a quantum attacker appears AFTER the Bitcoin protocol has been upgraded to support quantum resistant cryptography then we should expect the most valuable active wallets will have upgraded and the juiciest target would be the 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant since 2010. In general I'd expect that the amount of BTC re-entering the circulating supply would look somewhat similar to the mining emission curve: volume would start off very high as the most valuable addresses are drained and then it would fall off as quantum computers went down the list targeting addresses with less and less BTC.
> > >
> > > Why is economic impact a factor worth considering? Miners and businesses in general. More coins being liquidated will push down the price, which will negatively impact miner revenue. Similarly, I can attest from working in the industry for a decade, that lower prices result in less demand from businesses across the entire industry. As such, burning quantum vulnerable bitcoin is good for the entire industry.
> > >
> > > Practicality & Neutrality of Non-Intervention
> > > There’s no reliable way to distinguish “theft” from legitimate "white hat" key recovery. If someone loses their private key and a quantum computer recovers it, is that stealing or reclaiming? Policing quantum actions requires invasive assumptions about intent, which Bitcoin’s trustless design can’t accommodate. Letting the chips fall where they may avoids this mess.
> > >
> > > Philosophical Purity
> > > Bitcoin rejects bailouts. It’s a cold, hard system where outcomes reflect preparation and skill, not sentimentality. If quantum computing upends the game, that’s the point - Bitcoin isn’t meant to be safe or fair in a nanny-state sense; it’s meant to be free. Users who lose funds to quantum attacks are casualties of liberty and their own ignorance, not victims of injustice.
> > >
> > > Bitcoin's DAO Moment
> > > This situation has some similarities to The DAO hack of an Ethereum smart contract in 2016, which resulted in a fork to stop the attacker and return funds to their original owners. The game theory is similar because it's a situation where a threat is known but there's some period of time before the attacker can actually execute the theft. As such, there's time to mitigate the attack by changing the protocol.
> > >
> > > It also created a schism in the community around the true meaning of "code is law," resulting in Ethereum Classic, which decided to allow the attacker to retain control of the stolen funds.
> > >
> > > A soft fork to burn vulnerable bitcoin could certainly result in a hard fork if there are enough miners who reject the soft fork and continue including transactions.
> > >
> > > Incentives Matter
> > > We can wax philosophical until the cows come home, but what are the actual incentives for existing Bitcoin holders regarding this decision?
> > >
> > >
> > > > "Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone." - Satoshi Nakamoto
> > >
> > >
> > > If true, the corollary is:
> > >
> > >
> > > > "Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone." - Jameson Lopp
> > >
> > >
> > > Thus, assuming we get to a point where quantum resistant signatures are supported within the Bitcoin protocol, what's the incentive to let vulnerable coins remain spendable?
> > >
> > > * It's not good for the actual owners of those coins. It disincentivizes owners from upgrading until perhaps it's too late.
> > > * It's not good for the more attentive / responsible owners of coins who have quantum secured their stash. Allowing the circulating supply to balloon will assuredly reduce the purchasing power of all bitcoin holders.
> > >
> > > Forking Game Theory
> > > From a game theory point of view, I see this as incentivizing users to upgrade their wallets. If you disagree with the burning of vulnerable coins, all you have to do is move your funds to a quantum safe signature scheme. Point being, I don't see there being an economic majority (or even more than a tiny minority) of users who would fight such a soft fork. Why expend significant resources fighting a fork when you can just move your coins to a new address?
> > >
> > > Remember that blocking spending of certain classes of locking scripts is a tightening of the rules - a soft fork. As such, it can be meaningfully enacted and enforced by a mere majority of hashpower. If miners generally agree that it's in their best interest to burn vulnerable coins, are other users going to care enough to put in the effort to run new node software that resists the soft fork? Seems unlikely to me.
> > >
> > > How to Execute Burning
> > > In order to be as objective as possible, the goal would be to announce to the world that after a specific block height / timestamp, Bitcoin nodes will no longer accept transactions (or blocks containing such transactions) that spend funds from any scripts other than the newly instituted quantum safe schemes.
> > >
> > > It could take a staggered approach to first freeze funds that are susceptible to long-range attacks such as those in P2PK scripts or those that exposed their public keys due to previously re-using addresses, but I expect the additional complexity would drive further controversy.
> > >
> > > How long should the grace period be in order to give the ecosystem time to upgrade? I'd say a minimum of 1 year for software wallets to upgrade. We can only hope that hardware wallet manufacturers are able to implement post quantum cryptography on their existing hardware with only a firmware update.
> > >
> > > Beyond that, it will take at least 6 months worth of block space for all users to migrate their funds, even in a best case scenario. Though if you exclude dust UTXOs you could probably get 95% of BTC value migrated in 1 month. Of course this is a highly optimistic situation where everyone is completely focused on migrations - in reality it will take far longer.
> > >
> > > Regardless, I'd think that in order to reasonably uphold Bitcoin's conservatism it would be preferable to allow a 4 year migration window. In the meantime, mining pools could coordinate emergency soft forking logic such that if quantum attackers materialized, they could accelerate the countdown to the quantum vulnerable funds burn.
> > >
> > > Random Tangential Benefits
> > > On the plus side, burning all quantum vulnerable bitcoin would allow us to prune all of those UTXOs out of the UTXO set, which would also clean up a lot of dust. Dust UTXOs are a bit of an annoyance and there has even been a recent proposal for how to incentivize cleaning them up.
> > >
> > > We should also expect that incentivizing migration of the entire UTXO set will create substantial demand for block space that will sustain a fee market for a fairly lengthy amount of time.
> > >
> > > In Summary
> > > While the moral quandary of violating any of Bitcoin's inviolable properties can make this a very complex issue to discuss, the game theory and incentives between burning vulnerable coins versus allowing them to be claimed by entities with quantum supremacy appears to be a much simpler issue.
> > >
> > > I, for one, am not interested in rewarding quantum capable entities by inflating the circulating money supply just because some people lost their keys long ago and some laggards are not upgrading their bitcoin wallet's security.
> > >
> > > We can hope that this scenario never comes to pass, but hope is not a strategy.
> > >
> > > I welcome your feedback upon any of the above points, and contribution of any arguments I failed to consider.
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
> > > To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com.
Hey Saulo,

You're right about the possibility of an ugly split. Laggards who don't move coins to PQ address schemes will be incentivized to follow any chain where they keep their coins. But those who do migrate will be incentivized to follow the chain where unmigrated pre-quantum coins are frozen.

While you're comparing this event to the ETH/ETC split, we should remember that ETH remained the dominant chain despite their heavy-handed rollback. Just goes to show, confusion and face-loss is a lesser evil than allowing an adversary to pwn the network.

This is the free-market way to solve problems without imposing rules on everyone.

It'd still be a free market even if quantum-vulnerable coins are frozen. The only way to test the relative value of quantum-safe vs quantum-vulnerable coins is to split the chain and see how the market reacts.

IMO, the "free market way" is to give people options and let their money flow to where it works best. That means people should be able to choose whether they want their money to be part of a system that allows quantum attack, or part of one which does not. I know which I would choose, but neither you nor I can make that choice for everyone.

regards,
conduition
On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz <agustin.cruz@gmail.com> wrote:
I’m against letting quantum computers scoop up funds from addresses that don’t upgrade to quantum-resistant.
Saulo’s idea of a free-market approach, leaving old coins up for grabs if people don’t move them, sounds fair at first. Let luck decide, right? But I worry it’d turn into a mess. If quantum machines start cracking keys and snagging coins, it’s not just lost Satoshi-era stuff at risk. Plenty of active wallets, like those on the rich list Jameson mentioned, could get hit too. Imagine millions of BTC flooding the market. Prices tank, trust in Bitcoin takes a dive, and we all feel the pain. Freezing those vulnerable funds keeps that chaos in check.
Plus, “your keys, your coins” is Bitcoin’s heart. If quantum tech can steal from you just because you didn’t upgrade fast enough, that promise feels shaky. Freezing funds after a heads-up period (say, four years) protects that idea better than letting tech giants or rogue states play vampire with our network. It also nudges people to get their act together and move to safer addresses, which strengthens Bitcoin long-term.
Saulo’s right that freezing coins could confuse folks or spark a split like Ethereum Classic. But I’d argue quantum theft would look worse. Bitcoin would seem broken, not just strict. A clear plan and enough time to migrate could smooth things over. History’s on our side too. Bitcoin’s fixed bugs before, like SegWit. This feels like that, not a bailout.
So yeah, I’d rather see vulnerable coins locked than handed to whoever builds the first quantum rig. It’s less about coddling people and more about keeping Bitcoin solid for everyone. What do you all think?
Cheers,
Agustín


On Sun, Mar 23, 2025 at 10:29 PM AstroTown <saulo@astrotown.de> wrote:
I believe that having some entity announce the decision to freeze old UTXOs would be more damaging to Bitcoin’s image (and its value) than having them gathered by QC. This would create another version of Bitcoin, similar to Ethereum Classic, causing confusion in the market.

It would be better to simply implement the possibility of moving funds to a PQC address without a deadline, allowing those who fail to do so to rely on luck to avoid having their coins stolen. Most coins would be migrated to PQC anyway, and in most cases, only the lost ones would remain vulnerable. This is the free-market way to solve problems without imposing rules on everyone.

Saulo Fonseca


On 16. Mar 2025, at 15:15, Jameson Lopp <jameson.lopp@gmail.com> wrote:

The quantum computing debate is heating up. There are many controversial aspects to this debate, including whether or not quantum computers will ever actually become a practical threat.

I won't tread into the unanswerable question of how worried we should be about quantum computers. I think it's far from a crisis, but given the difficulty in changing Bitcoin it's worth starting to seriously discuss. Today I wish to focus on a philosophical quandary related to one of the decisions that would need to be made if and when we implement a quantum safe signature scheme.

Several Scenarios
Because this essay will reference game theory a fair amount, and there are many variables at play that could change the nature of the game, I think it's important to clarify the possible scenarios up front.

1. Quantum computing never materializes, never becomes a threat, and thus everything discussed in this essay is moot.
2. A quantum computing threat materializes suddenly and Bitcoin does not have quantum safe signatures as part of the protocol. In this scenario it would likely make the points below moot because Bitcoin would be fundamentally broken and it would take far too long to upgrade the protocol, wallet software, and migrate user funds in order to restore confidence in the network.
3. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been minimally adopted by the time an attacker appears.
4. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been highly adopted by the time an attacker appears.

For the purposes of this post, I'm envisioning being in situation 3 or 4.

To Freeze or not to Freeze?
I've started seeing more people weighing in on what is likely the most contentious aspect of how a quantum resistance upgrade should be handled in terms of migrating user funds. Should quantum vulnerable funds be left open to be swept by anyone with a sufficiently powerful quantum computer OR should they be permanently locked?

"I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation."
- Hunter Beast

On the other hand:

"Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone; even those which diligently moved their coins to PQC-protected schemes."
- Pieter Wuille

I don't think "confiscation" is the most precise term to use, as the funds are not being seized and reassigned. Rather, what we're really discussing would be better described as "burning" - placing the funds out of reach of everyone.
Not freezing user funds is one of Bitcoin's inviolable properties. However, if quantum computing becomes a threat to Bitcoin's elliptic curve cryptography, an inviolable property of Bitcoin will be violated one way or another.

Fundamental Properties at Risk
5 years ago I attempted to comprehensively categorize all of Bitcoin's fundamental properties that give it value. https://nakamoto.com/what-are-the-key-properties-of-bitcoin/

The particular properties in play with regard to this issue seem to be:

Censorship Resistance - No one should have the power to prevent others from using their bitcoin or interacting with the network.

Forward Compatibility - changing the rules such that certain valid transactions become invalid could undermine confidence in the protocol.

Conservatism - Users should not be expected to be highly responsive to system issues.

As a result of the above principles, we have developed a strong meme (kudos to Andreas Antonopoulos) that goes as follows:

Not your keys, not your coins.

I posit that the corollary to this principle is:

Your keys, only your coins.

A quantum capable entity breaks the corollary of this foundational principle. We secure our bitcoin with the mathematical probabilities related to extremely large random numbers. Your funds are only secure because truly random large numbers should not be guessable or discoverable by anyone else in the world.

This is the principle behind the motto vires in numeris - strength in numbers. In a world with quantum enabled adversaries, this principle is null and void for many types of cryptography, including the elliptic curve digital signatures used in Bitcoin.

Who is at Risk?
There has long been a narrative that Satoshi's coins and others from the Satoshi era of P2PK locking scripts that exposed the public key directly on the blockchain will be those that get scooped up by a quantum "miner." But unfortunately it's not that simple. If I had a powerful quantum computer, which coins would I target? I'd go to the Bitcoin rich list and find the wallets that have exposed their public keys due to re-using addresses that have previously been spent from. You can easily find them at https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html

Note that a few of these wallets, like Bitfinex / Kraken / Tether, would be slightly harder to crack because they are multisig wallets. So a quantum attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfinex / Tether in order to spend funds. But many are single signature.

Point being, it's not only the really old lost BTC that are at risk to a quantum enabled adversary, at least at time of writing. If we add a quantum safe signature scheme, we should expect those wallets to be some of the first to upgrade given their incentives.

The Ethical Dilemma: Quantifying Harm
Which decision results in the most harm?

By making quantum vulnerable funds unspendable we potentially harm some Bitcoin users who were not paying attention and neglected to migrate their funds to a quantum safe locking script. This violates the "conservatism" principle stated earlier. On the flip side, we prevent those funds plus far more lost funds from falling into the hands of the few privileged folks who gain early access to quantum computers.
By leaving quantum vulnerable funds available to spend, the same set of users who would otherwise have funds frozen are likely to see them stolen. And many early adopters who lost their keys will eventually see their unreachable funds scooped up by a quantum enabled adversary.

Imagine, for example, being James Howells, who accidentally threw away a hard drive with 8,000 BTC on it, currently worth over $600M USD. He has spent a decade trying to retrieve it from the landfill where he knows it's buried, but can't get permission to excavate. I suspect that, given the choice, he'd prefer those funds be permanently frozen rather than fall into someone else's possession - I know I would.

Allowing a quantum computer to access lost funds doesn't make those users any worse off than they were before, however it would have a negative impact upon everyone who is currently holding bitcoin.

It's prudent to expect significant economic disruption if large amounts of coins fall into new hands. Since a quantum computer is going to have a massive up front cost, expect those behind it to desire to recoup their investment. We also know from experience that when someone suddenly finds themselves in possession of 9+ figures worth of highly liquid assets, they tend to diversify into other things by selling.

Allowing quantum recovery of bitcoin is tantamount to wealth redistribution. What we'd be allowing is for bitcoin to be redistributed from those who are ignorant of quantum computers to those who have won the technological race to acquire quantum computers. It's hard to see a bright side to that scenario.

Is Quantum Recovery Good for Anyone?
Does quantum recovery HELP anyone? I've yet to come across an argument that it's a net positive in any way. It certainly doesn't add any security to the network. If anything, it greatly decreases the security of the network by allowing funds to be claimed by those who did not earn them.

But wait, you may be thinking, wouldn't quantum "miners" have earned their coins by all the work and resources invested in building a quantum computer? I suppose, in the same sense that a burglar earns their spoils by the resources they invest into surveilling targets and learning the skills needed to break into buildings. When I say "earned" I mean through productive mutual trade.

For example:

* Investors earn BTC by trading for other currencies.
* Merchants earn BTC by trading for goods and services.
* Miners earn BTC by trading thermodynamic security.
* Quantum miners don't trade anything, they are vampires feeding upon the system.

There's no reason to believe that allowing quantum adversaries to recover vulnerable bitcoin will be of benefit to anyone other than the select few organizations that win the technological arms race to build the first such computers. Probably nation states and/or the top few largest tech companies.
One could certainly hope that an organization with quantum supremacy is benevolent and acts in a "white hat" manner to return lost coins to their owners, but that's incredibly optimistic and foolish to rely upon. Such a situation creates an insurmountable ethical dilemma of only recovering lost bitcoin rather than currently owned bitcoin. There's no way to precisely differentiate between the two; anyone can claim to have lost their bitcoin but if they have lost their keys then proving they ever had the keys becomes rather difficult. I imagine that any such white hat recovery efforts would have to rely upon attestations from trusted third parties like exchanges.
Even if the first actor with quantum supremacy is benevolent, we must assume the technology could fall into adversarial hands and thus think adversarially about the potential worst case outcomes. Imagine, for example, that North Korea continues scooping up billions of dollars from hacking crypto exchanges and decides to invest some of those proceeds into building a quantum computer for the biggest payday ever...

Downs= ides to Allowing Quantum Recovery
Let's think through an exhausti= ve list of pros and cons for allowing or preventing the seizure of funds by= a quantum adversary.

Historical PrecedentPrevious protocol vulnerabilities weren=E2=80=99t celebrated as "fair gam= e" but rather were treated as failures to be remediated. Treating quantum t= heft differently risks rewriting Bitcoin=E2=80=99s history as a free-for-al= l rather than a system that seeks to protect its users.

Violation of Property Rights
Allowing a quantum adversary = to take control of funds undermines the fundamental principle of cryptocurr= ency - if you keep your keys in your possession, only you should be able to= access your money. Bitcoin is built on the idea that private keys secure a= n individual=E2=80=99s assets, and unauthorized access (even via advanced t= ech) is theft, not a legitimate transfer.

Erosion o= f Trust in Bitcoin
If quantum attackers can exploit vulnerable ad= dresses, confidence in Bitcoin as a secure store of value would collapse. U= sers and investors rely on cryptographic integrity, and widespread theft co= uld drive adoption away from Bitcoin, destabilizing its ecosystem.

T= his is essentially the counterpoint to claiming the burning of vulnerable f= unds is a violation of property rights. While some will certainly see it as= such, others will find the apathy toward stopping quantum theft to be simi= larly concerning.

Unfair Advantage
Quantu= m attackers, likely equipped with rare and expensive technology, would have= an unjust edge over regular users who lack access to such tools. This crea= tes an inequitable system where only the technologically elite can exploit = others, contradicting Bitcoin=E2=80=99s ethos of decentralized power.
Bitcoin is designed to create an asymmetric advantage for DEFENDING one's= wealth. It's supposed to be impractically expensive for attackers to crack= the entropy and cryptography protecting one's coins. But now we find ourse= lves discussing a situation where this asymmetric advantage is compromised = in favor of a specific class of attackers.

Economic= Disruption
Large-scale theft from vulnerable addresses could cra= sh Bitcoin=E2=80=99s price as quantum recovered funds are dumped on exchang= es. This would harm all holders, not just those directly targeted, leading = to broader financial chaos in the markets.

Moral Responsibility
Permitting theft via quantum computing sets a precedent that technological superiority justifies unethical behavior. This is essentially taking a "code is law" stance in which we refuse to admit that both code and laws can be modified to adapt to previously unforeseen situations.

Burning of coins can certainly be considered a form of theft, thus I think it's worth differentiating the two different thefts being discussed:

1. self-enriching & likely malicious
2. harm prevention & not necessarily malicious

Both options lack the consent of the party whose coins are being burnt or transferred, thus I think the simple argument that theft is immoral becomes a wash and it's important to drill down into the details of each.

Incentives Drive Security
I can tell you from a decade of working in Bitcoin security - the average user is lazy and is a procrastinator. If Bitcoiners are given a "drop dead date" after which they know vulnerable funds will be burned, this pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Allowing vulnerable users to delay upgrading indefinitely will result in more laggards, leaving the network more exposed when quantum tech becomes available.

Steel Manning
Clearly this is a complex and controversial topic, thus it's worth thinking through the opposing arguments.

Protecting Property Rights
Allowing quantum computers to take vulnerable bitcoin could potentially be spun as a hard money narrative - we care so greatly about not violating someone's access to their coins that we allow them to be stolen!

But I think the flip side to the property rights narrative is that burning vulnerable coins prevents said property from falling into undeserving hands. If the entire Bitcoin ecosystem just stands around and allows quantum adversaries to claim funds that rightfully belong to other users, is that really a "win" in the "protecting property rights" category? It feels more like apathy to me.

As such, I think the "protecting property rights" argument is a wash.

Quantum Computers Won't Attack Bitcoin
There is a great deal of skepticism that sufficiently powerful quantum computers will ever exist, so we shouldn't bother preparing for a non-existent threat. Others have argued that even if such a computer was built, a quantum attacker would not go after bitcoin because they wouldn't want to reveal their hand by doing so, and would instead attack other infrastructure.

It's quite difficult to quantify exactly how valuable attacking other infrastructure would be. It also really depends upon when an entity gains quantum supremacy and thus if by that time most of the world's systems have already been upgraded. While I think you could argue that certain entities gaining quantum capability might not attack Bitcoin, it would only delay the inevitable - eventually somebody will achieve the capability who decides to use it for such an attack.

Quantum Attackers Would Only Steal Small Amounts

Some have argued that even if a quantum attacker targeted bitcoin, they'd only go after old, likely lost P2PK outputs so as to not arouse suspicion and cause a market panic.

I'm not so sure about that; why go after 50 BTC at a time when you could take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero day exploit" game theory in which an attacker knows they have a limited amount of time before someone else discovers the exploit and either benefits from it or patches it. Take, for example, the recent ByBit attack - the highest value crypto hack of all time. Lazarus Group had compromised the Safe wallet front end JavaScript app and they could have simply had it reassign ownership of everyone's Safe wallets as they were interacting with their wallet. But instead they chose to only specifically target ByBit's wallet with $1.5 billion in it because they wanted to maximize their extractable value. If Lazarus had started stealing from every wallet, they would have been discovered quickly and the Safe web app would likely have been patched well before any billion dollar wallets executed the malicious code.

I think the "only stealing small amounts" argument is strongest for Situation #2 described earlier, where a quantum attacker arrives before quantum safe cryptography has been deployed across the Bitcoin ecosystem. Because if it became clear that Bitcoin's cryptography was broken AND there was nowhere safe for vulnerable users to migrate, the only logical option would be for everyone to liquidate their bitcoin as quickly as possible. As such, I don't think it applies as strongly for situations in which we have a migration path available.

The 21 Million Coin Supply Should be in Circulation
Some folks are arguing that it's important for the "circulating / spendable" supply to be as close to 21M as possible and that having a significant portion of the supply out of circulation is somehow undesirable.

While the "21M BTC" attribute is a strong memetic narrative, I don't think anyone has ever expected that it would all be in circulation. It has always been understood that many coins will be lost, and that's actually part of the game theory of owning bitcoin!

And remember, the 21M number in and of itself is not a particularly important detail - it's not even mentioned in the whitepaper. What's important is that the supply is well known and not subject to change.

Self-Sovereignty and Personal Responsibility
Bitcoin’s design empowers individuals to control their own wealth, free from centralized intervention. This freedom comes with the burden of securing one's private keys. If quantum computing can break obsolete cryptography, the fault lies with users who didn't move their funds to quantum safe locking scripts. Expecting the network to shield users from their own negligence undermines the principle that you, and not a third party, are accountable for your assets.

I think this is generally a fair point that "the community" doesn't owe you anything in terms of helping you. I think that we do, however, need to consider the incentives and game theory in play with regard to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.

Code is Law
Bitcoin operates on transparent, immutable rules embedded in its protocol. If a quantum attacker uses superior technology to derive private keys from public keys, they’re not "hacking" the system - they're simply following what's mathematically permissible within the current code. Altering the protocol to stop this introduces subjective human intervention, which clashes with the objective, deterministic nature of blockchain.

While I tend to agree that code is law, one of the entire points of laws is that they can be amended to improve their efficacy in reducing harm. Leaning on this point seems more like a pro-ossification stance that it's better to do nothing and allow harm to occur rather than take action to stop an attack that was foreseen far in advance.

Technological Evolution as a Feature, Not a Bug
It's well known that cryptography tends to weaken over time and eventually break. Quantum computing is just the next step in this progression. Users who fail to adapt (e.g., by adopting quantum-resistant wallets when available) are akin to those who ignored technological advancements like multisig or hardware wallets. Allowing quantum theft incentivizes innovation and keeps Bitcoin’s ecosystem dynamic, punishing complacency while rewarding vigilance.

Market Signals Drive Security
If quantum attackers start stealing funds, it sends a clear signal to the market: upgrade your security or lose everything. This pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Coddling vulnerable users delays this necessary evolution, potentially leaving the network more exposed when quantum tech becomes widely accessible. Theft is a brutal but effective teacher.

Centralized Blacklisting Power
Burning vulnerable funds requires centralized decision-making - a soft fork to invalidate certain transactions. This sets a dangerous precedent for future interventions, eroding Bitcoin’s decentralization. If quantum theft is blocked, what’s next - reversing exchange hacks? The system must remain neutral, even if it means some lose out.

I think this could be a potential slippery slope if the proposal was to only burn specific addresses. Rather, I'd expect a neutral proposal to burn all funds in locking script types that are known to be quantum vulnerable. Thus, we could eliminate any subjectivity from the code.

Fairness in Competition
Quantum attackers aren't cheating; they're using publicly available physics and math. Anyone with the resources and foresight can build or access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU. Early adopters took risks and reaped rewards; quantum innovators are doing the same. Calling it “unfair” ignores that Bitcoin has never promised equality of outcome - only equality of opportunity within its rules.

I find this argument to be a mischaracterization because we're not talking about CPUs. This is more akin to talking about ASICs, except each ASIC costs millions if not billions of dollars. This is out of reach from all but the wealthiest organizations.

Economic Resilience
Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and emerged stronger. The market can absorb quantum losses, with unaffected users continuing to hold and new entrants buying in at lower prices. Fear of economic collapse overestimates the impact - the network’s antifragility thrives on such challenges.

This is a big grey area because we don't know when a quantum computer will come online and we don't know how quickly said computers would be able to steal bitcoin. If, for example, the first generation of sufficiently powerful quantum computers were stealing less volume than the current block reward then of course it will have minimal economic impact. But if they're taking thousands of BTC per day and bringing them back into circulation, there will likely be a noticeable market impact as it absorbs the new supply.

This is where the circumstances will really matter. If a quantum attacker appears AFTER the Bitcoin protocol has been upgraded to support quantum resistant cryptography then we should expect the most valuable active wallets will have upgraded and the juiciest target would be the 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant since 2010. In general I'd expect that the amount of BTC re-entering the circulating supply would look somewhat similar to the mining emission curve: volume would start off very high as the most valuable addresses are drained and then it would fall off as quantum computers went down the list targeting addresses with less and less BTC.

Why is economic impact a factor worth considering? Miners and businesses in general. More coins being liquidated will push down the price, which will negatively impact miner revenue. Similarly, I can attest from working in the industry for a decade, that lower prices result in less demand from businesses across the entire industry. As such, burning quantum vulnerable bitcoin is good for the entire industry.

Practicality & Neutrality of Non-Intervention
There’s no reliable way to distinguish “theft” from legitimate "white hat" key recovery. If someone loses their private key and a quantum computer recovers it, is that stealing or reclaiming? Policing quantum actions requires invasive assumptions about intent, which Bitcoin’s trustless design can’t accommodate. Letting the chips fall where they may avoids this mess.

Philosophical Purity
Bitcoin rejects bailouts. It’s a cold, hard system where outcomes reflect preparation and skill, not sentimentality. If quantum computing upends the game, that’s the point - Bitcoin isn’t meant to be safe or fair in a nanny-state sense; it’s meant to be free. Users who lose funds to quantum attacks are casualties of liberty and their own ignorance, not victims of injustice.

Bitcoin's DAO Moment
This situation has some similarities to The DAO hack of an Ethereum smart contract in 2016, which resulted in a fork to stop the attacker and return funds to their original owners. The game theory is similar because it's a situation where a threat is known but there's some period of time before the attacker can actually execute the theft. As such, there's time to mitigate the attack by changing the protocol.

It also created a schism in the community around the true meaning of "code is law," resulting in Ethereum Classic, which decided to allow the attacker to retain control of the stolen funds.

A soft fork to burn vulnerable bitcoin could certainly result in a hard fork if there are enough miners who reject the soft fork and continue including transactions.

Incentives Matter
We can wax philosophical until the cows come home, but what are the actual incentives for existing Bitcoin holders regarding this decision?

"Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone." - Satoshi Nakamoto

If true, the corollary is:

"Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone." - Jameson Lopp

Thus, assuming we get to a point where quantum resistant signatures are supported within the Bitcoin protocol, what's the incentive to let vulnerable coins remain spendable?

* It's not good for the actual owners of those coins. It disincentivizes owners from upgrading until perhaps it's too late.
* It's not good for the more attentive / responsible owners of coins who have quantum secured their stash. Allowing the circulating supply to balloon will assuredly reduce the purchasing power of all bitcoin holders.

Forking Game Theory
From a game theory point of view, I see this as incentivizing users to upgrade their wallets. If you disagree with the burning of vulnerable coins, all you have to do is move your funds to a quantum safe signature scheme. Point being, I don't see there being an economic majority (or even more than a tiny minority) of users who would fight such a soft fork. Why expend significant resources fighting a fork when you can just move your coins to a new address?

Remember that blocking spending of certain classes of locking scripts is a tightening of the rules - a soft fork. As such, it can be meaningfully enacted and enforced by a mere majority of hashpower. If miners generally agree that it's in their best interest to burn vulnerable coins, are other users going to care enough to put in the effort to run new node software that resists the soft fork? Seems unlikely to me.

How to Execute Burning
In order to be as objective as possible, the goal would be to announce to the world that after a specific block height / timestamp, Bitcoin nodes will no longer accept transactions (or blocks containing such transactions) that spend funds from any scripts other than the newly instituted quantum safe schemes.

It could take a staggered approach to first freeze funds that are susceptible to long-range attacks such as those in P2PK scripts or those that exposed their public keys due to previously re-using addresses, but I expect the additional complexity would drive further controversy.

How long should the grace period be in order to give the ecosystem time to upgrade? I'd say a minimum of 1 year for software wallets to upgrade. We can only hope that hardware wallet manufacturers are able to implement post quantum cryptography on their existing hardware with only a firmware update.

Beyond that, it will take at least 6 months worth of block space for all users to migrate their funds, even in a best case scenario. Though if you exclude dust UTXOs you could probably get 95% of BTC value migrated in 1 month. Of course this is a highly optimistic situation where everyone is completely focused on migrations - in reality it will take far longer.

Regardless, I'd think that in order to reasonably uphold Bitcoin's conservatism it would be preferable to allow a 4 year migration window. In the meantime, mining pools could coordinate emergency soft forking logic such that if quantum attackers materialized, they could accelerate the countdown to the quantum vulnerable funds burn.

Random Tangential Benefits
On the plus side, burning all quantum vulnerable bitcoin would allow us to prune all of those UTXOs out of the UTXO set, which would also clean up a lot of dust. Dust UTXOs are a bit of an annoyance and there has even been a recent proposal for how to incentivize cleaning them up.

We should also expect that incentivizing migration of the entire UTXO set will create substantial demand for block space that will sustain a fee market for a fairly lengthy amount of time.

In Summary
While the moral quandary of violating any of Bitcoin's inviolable properties can make this a very complex issue to discuss, the game theory and incentives between burning vulnerable coins versus allowing them to be claimed by entities with quantum supremacy appears to be a much simpler issue.

I, for one, am not interested in rewarding quantum capable entities by inflating the circulating money supply just because some people lost their keys long ago and some laggards are not upgrading their bitcoin wallet's security.

We can hope that this scenario never comes to pass, but hope is not a strategy.

I welcome your feedback upon any of the above points, and contribution of any arguments I failed to consider.

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com.
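
Added illustration, not part of the original post or of any Bitcoin implementation: the height-gated rule from "How to Execute Burning" above, including the optional staggered freeze, sketched in Python. The PQ_SAFE template, both heights, the sample scripts and all function names are assumptions made for this example; the post names no concrete quantum-safe scheme.

```python
from enum import Enum

class ScriptType(Enum):
    P2PK = "p2pk"
    P2PKH = "p2pkh"
    P2SH = "p2sh"
    P2WPKH = "p2wpkh"
    P2WSH = "p2wsh"
    P2TR = "p2tr"
    PQ_SAFE = "pq-safe"   # hypothetical: stands in for a future quantum-safe type
    UNKNOWN = "unknown"

# Assumption: a made-up output template (OP_16 + 32-byte push) used only so the
# example has something to classify as "quantum safe".
PQ_PLACEHOLDER_PREFIX = b"\x60\x20"

def classify(spk: bytes) -> ScriptType:
    """Match a scriptPubKey against the standard output templates."""
    n = len(spk)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return ScriptType.P2PK
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return ScriptType.P2PKH
    # P2SH: OP_HASH160 <20> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22] == 0x87:
        return ScriptType.P2SH
    if n == 22 and spk[:2] == b"\x00\x14":
        return ScriptType.P2WPKH
    if n == 34 and spk[:2] == b"\x00\x20":
        return ScriptType.P2WSH
    if n == 34 and spk[:2] == b"\x51\x20":
        return ScriptType.P2TR
    if n == 34 and spk[:2] == PQ_PLACEHOLDER_PREFIX:
        return ScriptType.PQ_SAFE
    return ScriptType.UNKNOWN

def key_exposed_at_rest(t: ScriptType, address_reused: bool) -> bool:
    """Long-range exposure: the public key is already visible on chain.
    P2PK and P2TR outputs carry the key in the locking script itself; hashed
    types reveal it only once spent from, hence the caller-supplied reuse flag."""
    return t in (ScriptType.P2PK, ScriptType.P2TR) or address_reused

def spend_allowed(spk: bytes, height: int, *, burn_height: int,
                  early_freeze_height=None, address_reused=False) -> bool:
    """Would a spend of this output be accepted in a block at `height`?"""
    t = classify(spk)
    if t is ScriptType.PQ_SAFE:
        return True
    if height >= burn_height:
        return False          # everything except the quantum-safe type is frozen
    if (early_freeze_height is not None and height >= early_freeze_height
            and key_exposed_at_rest(t, address_reused)):
        return False          # staggered variant: exposed keys are frozen first
    return True

# Constructed sample values (not real chain data or proposed activation heights).
BURN_HEIGHT = 1_200_000
EARLY_FREEZE_HEIGHT = 1_100_000
SAMPLE_P2PK = b"\x41\x04" + bytes(64) + b"\xac"
SAMPLE_P2WPKH = b"\x00\x14" + bytes(20)
SAMPLE_PQ = PQ_PLACEHOLDER_PREFIX + bytes(32)

if __name__ == "__main__":
    for name, spk in [("p2pk", SAMPLE_P2PK), ("p2wpkh", SAMPLE_P2WPKH), ("pq", SAMPLE_PQ)]:
        for h in (1_099_999, 1_150_000, 1_200_000):
            ok = spend_allowed(spk, h, burn_height=BURN_HEIGHT,
                               early_freeze_height=EARLY_FREEZE_HEIGHT)
            print(f"{name:7} height={h} allowed={ok}")
```

Because the rule keys only on script type and height, it carries none of the per-address subjectivity the post warns about; the address_reused flag is the one input that needs chain history, which is the extra complexity the staggered variant brings.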
