From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Fri, 13 Feb 2026 08:22:16 -0800 Received: from mail-oa1-f60.google.com ([209.85.160.60]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1vqvvs-00080v-As for bitcoindev@gnusha.org; Fri, 13 Feb 2026 08:22:16 -0800 Received: by mail-oa1-f60.google.com with SMTP id 586e51a60fabf-4081db82088sf6335015fac.1 for ; Fri, 13 Feb 2026 08:22:16 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1770999730; cv=pass; d=google.com; s=arc-20240605; b=BBsSJkHbGjHoUYU1dSpb6y3+Gaah+k86SpyoVIRWTLelR0crUtv57FGzmZJqaWJtjc vkyl3gr1gW66fzWH1yvk6a9rb6n3wHz43ShNx2LUItJquUXlj+dfa8OFA38OPOXmdDmO gLJ0krMm3TM8FfyBNc0n5ILy83aZuQt17JnDqWpK+RzbaNCge1oKObjLUM0pznDTgXtG +b+KU25jWzuykPXAXL1gTlyvIGOLmizAXrfh3hQXnBASjIw8rkG7GgXh7V4yuDe7qEBN 1t+mPWFiF948fTTz5rNRaK7ViKZkWxz4Snz7USeFPb19r9W4HcBtz8UkBPOtY0r+0o5V 8iAg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:content-transfer-encoding :in-reply-to:from:content-language:references:cc:to:subject :mime-version:date:message-id:sender:dkim-signature; bh=sNp+NUlkeMqav6aOfU5Bi5KwLR7ffeufPZGU2AA15nQ=; fh=hM3VaFIVyJjSb2wh/26fhx7Zu3GDpN4DLRwlbvvdbY8=; b=Iw59yBYvImfDUIfG3fKFuFyh2D5AHq9B56OY0tvtY30iI1NgeyW9PAKGlT9oFTCHqW +36B2MgMYt6aBAHvJ5bZFr36K1e4SbcNoXoKaUcdw5qLjGA7lITXUEsCkEQrrXWDGvEK cUg45YZqjFlgPeSx8Z8x5IKOMBW/Oibh7ZUZu7WwJf2erRTZ6SbDEEBKaGmXxCwKQt0I ClefWDOmhCbpoSBf41P1IAMN38uW8cEZYbflTs21EIkDvQtevkr0ntYyxZQkUBF9BEr+ o+SXzCMXWzVXvDMMGS5a3uJfoAoGTygk+rqGZdTleW1CoHktKjQBuCItHu9ij4f3fo90 59LQ==; darn=gnusha.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@mattcorallo.com header.s=1770927662 header.b=nuv4URDA; dkim=pass header.i=@clients.mail.as397444.net header.s=1770927664 header.b=ZxbGrH2I; spf=pass (google.com: domain of lf-lists@mattcorallo.com designates 69.59.18.99 as permitted sender) smtp.mailfrom=lf-lists@mattcorallo.com; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=mattcorallo.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1770999730; x=1771604530; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:content-transfer-encoding:in-reply-to:from :content-language:references:cc:to:subject:mime-version:date :message-id:sender:from:to:cc:subject:date:message-id:reply-to; bh=sNp+NUlkeMqav6aOfU5Bi5KwLR7ffeufPZGU2AA15nQ=; b=SIomZQzDdlugqQOSl+1Ca4yX7Ij448QGoPHeai6lc9SqGCNfUgsQIvpfBt6YDfyFUO 3tT/E5mBUfJBBMoPBhS4yXQlL/jk0rbRxxoue2YDWJv/F9C7n/kdy8zNArKjQ9Zj1icH FEMZi0JJT6zB1Jv+qB4aTZ5PTMy+uwrIZoWZwdXiNzm1TjcG+myTrfSCrEIx/NfIwQIC qYDr7cYxpUj273+hJL0rHyUCfadYPikcyl967lTByUHTYSE83ZgS3RfmWysNlUXsvjOu DNy69phnbBEbKa/d/wpvolGRR1YMIgd13T7/ZzHgAwSd75/dMmUICaWwWNSXjagMPnCo AWGg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770999730; x=1771604530; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:content-transfer-encoding:in-reply-to:from :content-language:references:cc:to:subject:mime-version:date :message-id:x-beenthere:x-gm-message-state:sender:from:to:cc:subject :date:message-id:reply-to; bh=sNp+NUlkeMqav6aOfU5Bi5KwLR7ffeufPZGU2AA15nQ=; b=cOBe4P4aAan6S/BeCGh9/BJBKCBXJvqXKH27X+lBpPrplfdR0yM9oR4fd5nDzpCRLC gWtSimC8iUxoA/Qkxnk4GTP6VRb7a2cfd9py7Ioq34zwJHok81U8U/THOc8YDylcrnuN F2/YQd4GcW86JTN6JVzNo8G8e05/NeqqZ5mYSpv054N3zvzvvbffmajutWfITcbtgeUG anxkT98CkUBsIAk4UUQ8+RAfe8vSJVdVg5+Rb53J7sfbVRH7aiHKul0JNtrveNNRxA9S orusNJLK0tpcZpin6UVVi3BvaaXMcZ2CufMCqJsonrnDd4i5vAlGp+1UhgY+zsY2LkvN VLmw== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=2; AJvYcCV2ZKKS+vPt/2hZK5/xLgRBldCSz+7UINskp2eYXZlP7YO/XPVjEGDyUciyIvD1T/3S63pFRpSSc9rE@gnusha.org X-Gm-Message-State: AOJu0YyoHSUTsc7LU+C+UUZ5shjofeXUdSbJx80IZk3QQ29L/Rt2ntHs +FJuNd6y2dOrpsGYHtzaFqThjTZpQ6VnKHxID5T0Usw0Zpx/pQLmac4J X-Received: by 2002:a05:6870:558b:b0:3e9:7744:1d4b with SMTP id 586e51a60fabf-40ef3aa5744mr1256321fac.4.1770999730247; Fri, 13 Feb 2026 08:22:10 -0800 (PST) X-BeenThere: bitcoindev@googlegroups.com; h="AV1CL+Guaaw2vdtKsRdCKn6RgDx6f59+FvG8hizq0pkVfjMhsw==" Received: by 2002:a05:6871:3301:b0:409:6328:a767 with SMTP id 586e51a60fabf-40eca620de7ls1501228fac.1.-pod-prod-04-us; Fri, 13 Feb 2026 08:22:05 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCVSMOpNM9mhkg1smNlLbl+Eh9jdqAsKLldiFzt9pfRW1Fp7XIGnSMrm4Z87/bKUjfj6GuVkV3wM4WUR@googlegroups.com X-Received: by 2002:a05:6808:11cb:b0:45f:12bc:4579 with SMTP id 5614622812f47-4639ef35338mr1116512b6e.19.1770999725128; Fri, 13 Feb 2026 08:22:05 -0800 (PST) Received: by 2002:ae9:e101:0:b0:8b2:e5d4:9264 with SMTP id af79cd13be357-8cb33765a09ms85a; Thu, 12 Feb 2026 12:46:15 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCV/9R/Npyw2uvDlkhJgR06fayNt1bsivWlATofp5gZDtIThXH1gs7QSPC194lUlzrFAtQVnvriKN/82@googlegroups.com X-Received: by 2002:ac8:5789:0:b0:4f1:e928:3fda with SMTP id d75a77b69052e-506a67be0a2mr612021cf.26.1770929174439; Thu, 12 Feb 2026 12:46:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1770929174; cv=none; d=google.com; s=arc-20240605; b=JK4fpbHDiZDHzSI9CzDlTuIYKbccqcdliWChbmkpe0f2hleVzbiswbLQpQ+OusdDPc 2cRZ0ZKRN6iGzu1S/g0bmuVbx7+VPMUIaO8ERfGlFnanC5eDsLyJDOQ4NFURfHa9KCqw KoMEO3xeQkRG8BQJMEle7VnTDQR7XDrz9OXXOM6WL85XIzf/FmMe1Sc0Pn+NYQ5TNkQF 28Ylwv4FP0rTDlRvIq56Apb0pMUVIG1C181/xuDJgfrkDAot1jLOoTK/t5B/iA7pACoF /5PtBjCmA1IKuBc0FRBsKVg0zfamfWi2xzlV103GdtstwwEVCDF6PO4DAWIE+lsuehrM vXlg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:mime-version:date:message-id :dkim-signature:dkim-signature; bh=j4nJZLDZTGuFltKNH+81YtMay6rjA/+BImeNwarj+CQ=; fh=S2qDizNoQti8YZADscR9tIHcHPuP+xTz24Htsxvm3BA=; b=lCfD9KjmjnSFBDV8TVJEQL/jRV60VsBrXlh0/A0qOlZd4UIbJkihMGR9tr6bNHdOvE 9lqweKB19sPfT30RN0Vz6nLbPbQ9uEML1eZCfxuuCCC8uSJjGqiebcA2o6U07Wv/1m7Y NRpTaKVdbvkv6+20jXvFHReuPnYgqDE7WAPsp0WlZy0po/LzQlGse0vWhr7RxsVDM0Km PCk8Cgd1sC8jImuoGak73PX0yTEzn8Vq6cZeIqlyNIcF2RwS1cARb0T9pCDZNKIgNdmm m11vbkFTbvgHsMS9YKpiq4LfBgLSzi/eYTraiS20hi9MFZF8HN9LKHVIp6AKgAm4I77O r+yQ==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@mattcorallo.com header.s=1770927662 header.b=nuv4URDA; dkim=pass header.i=@clients.mail.as397444.net header.s=1770927664 header.b=ZxbGrH2I; spf=pass (google.com: domain of lf-lists@mattcorallo.com designates 69.59.18.99 as permitted sender) smtp.mailfrom=lf-lists@mattcorallo.com; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=mattcorallo.com Received: from mail.as397444.net (mail.as397444.net. [69.59.18.99]) by gmr-mx.google.com with ESMTPS id d75a77b69052e-50684b2f445si1601341cf.8.2026.02.12.12.46.14 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 12 Feb 2026 12:46:14 -0800 (PST) Received-SPF: pass (google.com: domain of lf-lists@mattcorallo.com designates 69.59.18.99 as permitted sender) client-ip=69.59.18.99; X-DKIM-Note: Keys used to sign are likely public at X-DKIM-Note: https://as397444.net/dkim/mattcorallo.com and X-DKIM-Note: https://as397444.net/dkim/clients.mail.as397444.net X-DKIM-Note: For more info, see https://as397444.net/dkim/ Received: by mail.as397444.net with esmtpsa (TLS1.3) (Exim) (envelope-from ) id 1vqdXZ-00000008Ine-2c0d; Thu, 12 Feb 2026 20:43:57 +0000 Message-ID: <1e0842c2-a89b-44b6-a9d7-bc4a43636e9e@mattcorallo.com> Date: Thu, 12 Feb 2026 15:43:56 -0500 MIME-Version: 1.0 Subject: Re: [bitcoindev] Algorithm Agility for Bitcoin to maintain security in the face of quantum and classic breaks in the signature algorithms To: Ethan Heilman Cc: Jonas Nick , bitcoindev@googlegroups.com References: <22073a56-1cbf-4ba9-a2ea-46c621d4619c@mattcorallo.com> <1f0ebca9-2d23-44f9-8e6d-aaea99a832e3@mattcorallo.com> Content-Language: en-US From: Matt Corallo In-Reply-To: Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: quoted-printable X-Original-Sender: lf-lists@mattcorallo.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@mattcorallo.com header.s=1770927662 header.b=nuv4URDA; dkim=pass header.i=@clients.mail.as397444.net header.s=1770927664 header.b=ZxbGrH2I; spf=pass (google.com: domain of lf-lists@mattcorallo.com designates 69.59.18.99 as permitted sender) smtp.mailfrom=lf-lists@mattcorallo.com; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=mattcorallo.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.8 (/) On 2/12/26 3:35 PM, Ethan Heilman wrote: > =C2=A0Replying to Waxwing, and Matt in this email >=20 > Waxwing: > > If supply and demand is king, why not just delete supply as much as po= ssible? No more mining? >=20 > I agree with you that a soft-fork that simply burns=C2=A0outputs to reduc= e supply is unlikely to=20 > activate. I do agree with Matt's point given the specific circumstances h= ere. >=20 > Everyone would want soft-fork1. It freezes coins that would otherwise be = stolen with the promise to=20 > unfreeze them with a planned PQ ZKP proof of seed phrase. Even the people= whose coins would be=20 > frozen would want soft-fork1 since it protects them. This makes it very l= ikely that if the threat of=20 > quantum theft is credible, soft-fork1 would activate and everyone would b= e happy with this result=20 > (assuming it activates in time). >=20 > Now time passes, and the people whose coins are frozen want soft-fork2. T= hey feel they have waited=20 > long enough, but there is a problem. While soft-fork1 was trivial to writ= e, soft-fork2 requires=C2=A0a=20 > complex PQ ZKP that will become consensus critical=C2=A0to Bitcoin. This = is=C2=A0a complex task requiring=20 > expertise. Will it actually get done? By whom? >=20 > Assume soft-fork2 actually gets built. Now it has to get activated. Block= ing a soft-fork is much=20 > easier than activating a soft-fork and this will be a particularly conten= tious soft-fork. >=20 > Some will argue it is unfair that holders who did the right thing and upg= raded to secure outputs=20 > will be forced to on the consensus risks of a dangerous soft-fork simply = to unfreeze coins that the=20 > original owners didn't even bother to secure. Others will just stall soft= -fork2 by saying it hasn't=20 > been tested enough or there isn't consensus. Making this worse, miners ar= e unlikely to want to=20 > increase supply. Getting miners to activate soft-fork2 is much harder tha= n soft-fork1. >=20 > Soft-fork1 activated because everyone was aligned. Soft-fork2 no longer h= as that alignment and is=20 > much riskier. >=20 > "Aww shucks,=C2=A0we really support unfreezing these coins, but we the mi= ners just don't think the=20 > current iteration is ready for prime time, why don't you put more work in= to it and try again in five=20 > years." - every five years until the heat death of the universe. >=20 > Matt: > > I believe this is largely only possible either with an ethereum-style = "difficulty bomb" or=20 > simply=C2=A0doint it all in one go. >=20 > The do it all in one go approach avoids the incentive problem, but how wi= ll this be built?=C2=A0How many=20 > cryptographers are willing to invest the years of effort to create a soft= fork that is unlikely to=20 > activate, all to protect holders who can't be bothered to move to a safer= output? >=20 > The most likely outcome is some kid just writes a simple soft-fork that f= reezes all the insecure=20 > outputs, and miners activate it because they have cover to reduce supply/= pump the price. I'm not=20 > endorsing this course of action, but it impacts my thinking on building P= Q ZKP proof of seed phrase.=20 > I ask myself why spend 5+ years on a PQ ZKP proof of seed phrase soft-for= k just to=C2=A0watch a low=20 > effort soft-fork annihilate all that work? I think this is all totally fair analysis, but I certainly hope the availab= ility of decent PQ ZKPs=20 will improve over time and at least one PQ ZKP will be generally considered= high quality by the time=20 a CRQC is on the immediate horizon. If you think that's unlikely, this is m= aybe something the=20 Bitcoin community should fund in the shorter term! > > No, P2TRv2 and P2MR are totally equivalent here. Because address reuse= is rampant, P2MR will=20 > *also* require an equivalent P2MR-disable-soft-fork. The only material di= fference is the cost, and=20 > some small minority that doesn't do heavy address reuse. >=20 > Wallets that encourage Schnorr key reuse with P2MR should be thrown out t= he metaphorical airlock. I agree! But also I try to be realistic. I mentioned in another email but a= wallet reliably in the=20 top three app store results for "Bitcoin wallet" over the past few years (T= rust wallet) started off=20 with fresh addresses regularly, then made it optional because it confused t= heir users, then they=20 simply removed it entirely because no one ever turned it on. > Wallets claiming quantum safety must warn a user if that user has exposed= a Schnorr public key on=20 > the blockchain and make it easy to move to a new address. There is UX wor= k to be done on this=20 > problem, but=C2=A0it is achievable and worthwhile. There has been some non-zero work to improve this situation for as long as = I've been in Bitcoin, and=20 its only gotten worse and worse over the years. I wish I shared your optimi= sm. Matt --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= 1e0842c2-a89b-44b6-a9d7-bc4a43636e9e%40mattcorallo.com.