From: Alex <alexhultman@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Date: Wed, 25 Feb 2026 18:07:24 -0800 (PST)
Subject: Re: [bitcoindev] Re: The limitations of cryptographic agility in Bitcoin
Message-Id: <188bb1b6-e86e-468b-b09b-ace7e084794dn@googlegroups.com>
References: <823db0fa-08d3-4273-a428-04dc3d6da4d2n@googlegroups.com>

> bitcoin *cannot* respond to claims that unicorns exist with protocol change

This is not claiming that a unicorn currently exists; it's claiming that the obviously-under-construction unicorn eventually has a chance of becoming a unicorn. There are many famously wrong tech predictions throughout history (and they are hilarious by today's knowledge). The only thing you can know for sure is that you know nothing at all, and so, considering both possibilities and their risk implications:

1. There is never any such thing as a quantum computer (unicorn); it renders the optional PQC script spend path and PQ signatures unnecessary bloat to Bitcoin (and the entire tech and military industry) and makes Schnorr signatures slightly more expensive (script spend path as a necessity; no key spend path implied).

2. There is eventually such a thing as a quantum computer, rendering Bitcoin worthless or critically injured, and/or in need of the first total outage and network halting (no blocks, no fees, no action) in order to try and duct tape existing wallets to new PQC wallets using hundreds of KB of zero knowledge proofs that are significantly more costly to validate and store (and therefore basically DOS vulnerabilities to Bitcoin nodes) per individual UTXO (which nobody will be reasonably able to afford), and so the network essentially becomes useless for anything more than the handful of mega whales that can afford such a move.

Introducing SLH-DSA now (or any such bloated PQC) means you have the _optionality_ to seamlessly migrate your funds at a cost of basically 10 USD per transaction (if and only if you do choose to use SLH-DSA in the first place). SLH-DSA is bloated, yes, but it is, from what I have gathered, MASSIVELY less bloated than a ZK proof used to migrate funds after the unicorn.

On Wednesday 25 February 2026 at 23:46:02 UTC+1, Ethan Heilman wrote:
> > the physics is cool, but the engineering needed to scale may still well be impossible in the physical world. bitcoin *cannot* respond to claims that unicorns exist with protocol change
>
> We may never have a CRQC; that's a real but unlikely possibility. Let's say you believe in your heart of hearts that CRQCs are impossible. Algorithm agility is still critical to the future of Bitcoin in such a world.
>
> To quote from Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms (RFC 7596):
>
> "Cryptographic algorithms age; they become weaker with time. As new cryptanalysis techniques are developed and computing capabilities improve, the work required to break a particular cryptographic algorithm will reduce, making an attack on the algorithm more feasible for more attackers. While it is unknown how cryptoanalytic attacks will evolve, it is certain that they will get better."
> ...
> "Protocol designers need to assume that advances in computing power or advances in cryptoanalytic techniques will eventually make any algorithm obsolete."
>
> A CRQC is one of many threats to the cryptography used in Bitcoin signatures. If we want Bitcoin to be a secure store of value over at least one human lifetime, then algorithm agility is a must. Part of that security is that your coins don't get stolen due to cryptographic weaknesses; part of that security is knowing your coins are unlikely to get stolen, i.e. the epistemological problem.
>
> On Wed, Feb 25, 2026 at 10:03 AM Erik Aronesty <er...@q32.com> wrote:
>
>>> I'm in, I think, a group of people now, that have pointed this out, here and elsewhere ... I like to call it the "epistemological problem" because, why use short words when a long one will do :) The scenario is all the worse because (as, again, has been pointed out before): the "I have a CRQC" signed message you mention is (more likely), or can be, someone who has just placed a short in the market, rather than an actual CRQC holder. The point is that during a period from "bitcoin doesn't have PQ algos" to "bitcoin has PQ algos" the transition will always be essentially 100% opaque; every honest action of moving to safety looks identical, onchain, to theft.
>>
>> a key that is crackable in advance of bitcoin being cracked, so that we know quantum is "real".
>>
>> 1. deterministic random elliptic-curve address on a much smaller-bit-strength curve, but not so much smaller that classical attacks are feasible
>> 2. bounty for the solution enforceable with a smart contract
>> 3. refusal to accept that "i have a CRQC" message unless this well-known key is used, because anything else is likely a scam (private key known in advance)
>> 4. understanding that cracking a 180-bit key only gives us 6 months to a year of quantum engineering scaling to fix bitcoin
>> 5. published plan to move quickly as needed
>>
>> the physics is cool, but the engineering needed to scale may still well be impossible in the physical world. bitcoin *cannot* respond to claims that unicorns exist with protocol changes. but we *can* respond with a bip that allows us to rapidly deploy defense against unicorn horns once irrefutable evidence arrives that they exist.
>>
>> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAJowKgJwq88yfJEQzZ%2Bv-33EtEuYif1y6qsXtyoRyk2V%2B44cww%40mail.gmail.com

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/188bb1b6-e86e-468b-b09b-ace7e084794dn%40googlegroups.com.
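The canary-key gate from Erik Aronesty's list (items 1 and 3 in the quoted message: a deterministic key on a deliberately weaker curve whose private key nobody holds in advance, and a rule that a "CRQC exists" claim only counts when signed by that key), as an added example that is not code from the thread or from any of its participants. It assumes a constructed toy curve over GF(10007) whose coefficient b is searched at import time so that the group order is prime, two constructed seeds for hashing to the generator and to the canary point, a toy Schnorr-style signature (not BIP340), and a linear-scan `brute_force_dlog` that stands in for whatever eventually cracks the canary so the test can reach the accept path. None of these parameters come from the thread, and the toy curve is nowhere near the 180-bit strength mentioned there.

```python
import hashlib

P, A = 10007, 3   # constructed toy prime field and coefficient a of y^2 = x^3 + A*x + B
INF = None        # point at infinity

def _legendre(v):
    """+1 if v is a non-zero square mod P, -1 if a non-square, 0 if v == 0."""
    r = pow(v % P, (P - 1) // 2, P)
    return -1 if r == P - 1 else r

def _is_prime(n):
    return n > 1 and all(n % q for q in range(2, int(n ** 0.5) + 1))

def pick_curve():
    """First b giving a non-singular curve with a prime point count N.
    Prime N makes the group cyclic: every point generates it, and every
    public key has a discrete log with respect to G (found by brute force below)."""
    for b in range(1, P):
        if (4 * A ** 3 + 27 * b * b) % P == 0:
            continue
        n = P + 1 + sum(_legendre(x ** 3 + A * x + b) for x in range(P))
        if _is_prime(n):
            return b, n
    raise ValueError("no prime-order curve for this P and A")

B, N = pick_curve()

def add(p1, p2):
    """Affine point addition, covering identity, doubling and p + (-p)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, k = INF, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def hash_to_point(seed: bytes):
    """'Nothing up my sleeve' point: hash a public seed to an x-coordinate and
    step to the first x whose right-hand side is a square. The derivation
    reveals no discrete log, which is what makes the key usable as a canary."""
    x = int.from_bytes(hashlib.sha256(seed).digest(), "big") % P
    while _legendre(rhs := (x ** 3 + A * x + B) % P) != 1:
        x = (x + 1) % P
    return (x, pow(rhs, (P + 1) // 4, P))   # P % 4 == 3, so this is a square root

G = hash_to_point(b"canary-generator-v0")     # constructed seed
CANARY_PUB = hash_to_point(b"canary-key-v0")  # constructed seed: the well-known key

def _challenge(r, pub, msg):
    return int.from_bytes(hashlib.sha256(repr((r, pub)).encode() + msg).digest(), "big") % N

def sign(d, msg):
    """Toy Schnorr-style signature with a hash-derived nonce (not BIP340)."""
    k = int.from_bytes(hashlib.sha256(d.to_bytes(4, "big") + msg).digest(), "big") % N or 1
    r = mul(k, G)
    return r, (k + _challenge(r, mul(d, G), msg) * d) % N

def verify(pub, msg, sig):
    r, s = sig
    return mul(s, G) == add(r, mul(_challenge(r, pub, msg), pub))

def accept_crqc_claim(msg, sig):
    """The gate: a 'CRQC exists' claim is accepted only when it carries a valid
    signature under the canary key; unsigned claims or claims under any other
    key (one whose private key could have been known in advance) are ignored."""
    return sig is not None and verify(CANARY_PUB, msg, sig)

def brute_force_dlog(pub):
    """Stand-in for the cracker: a linear scan is feasible only because the toy
    group has about 10^4 points. Present so the test can exercise the accept path."""
    acc = INF
    for d in range(1, N):
        acc = add(acc, G)
        if acc == pub:
            return d
    raise ValueError("point not in the group")
```

The property the gate relies on is that `CANARY_PUB` is produced by hashing to a point rather than by choosing a scalar, so no party can sign under it until the discrete log has actually been found; the bounty and the public plan in the quoted list attach to that event. Tuning the curve size is what sets how much earlier than a production-strength key the canary falls.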
