Message-ID: <42806684-3cc4-42e2-8052-43288a93e91e@mattcorallo.com>
Date: Tue, 14 Apr 2026 11:33:02 -0400
Subject: Re: [bitcoindev] In defense of a PQ output type
To: conduition
Cc: Ethan Heilman, Antoine Poinsot, Bitcoin Development Mailing List
References:
<0vqF88LoOnY4GiUB4vf-MdeZpTAtR70tokS3cLwt2DX0e6_fD1X_wyhPwWEdIdm6R88AULObIU08CWsb5QfeoaM5c4yXPqN5wHyCrqMCtfQ=@protonmail.com> <6wBygQ_pK40ZpU_CMXfzIy-6LkthOmEh-xd2g9bwUl-f8w2K6G4rUWJEssE2zeJgxyipGe2GrFH9y_TUUI48asqfh7dhi9A2rl7NpWyFW1o=@proton.me> <765490aa-5df3-4619-86cc-17570b6d3e99@mattcorallo.com> <6d075872-0db8-4e7b-ac2a-452624c991ad@mattcorallo.com>
From: Matt Corallo

On 4/13/26 9:45 PM, conduition wrote:
> =======
> 
> At the risk of this thread further devolving into a debate around P2MR and P2TRv2...
> 
>> Our goal is to get as many wallets migrated as possible, which really means focusing on the wallets that are likely to take the longest to migrate.
> 
> I can't speak for others, but my goal is to design and deploy a secure and efficient soft-fork upgrade package so that myself and other bitcoin users may retain control of our bitcoins in a world where the future security of the ECDLP is uncertain. Encouraging adoption is a secondary goal which follows immediately if we design the upgrade well.
> 
> I personally don't see P2TRv2 as a suitable path towards this goal, because it still depends on ECDLP. At best, P2TRv2 PROMISES to be quantum-secure later, at the chaotic whim of the future Bitcoin community. Personally, I would rather keep my coins on P2WPKH than on P2TRv2. No: If we are going to have a PQ soft fork, it should be conclusive, self-contained, and require no follow up. Otherwise, we haven't actually fixed the core uncertainty we need to address.

Right, but you didn't contend with my point at all, only ignored it. It's great that you can move your coins into something so that your coins aren't stolen but...who cares? If a huge % of outstanding bitcoin supply is being stolen that impacts you just as much as if your own coins were being stolen! Pieter put this very well in his "The limitations of cryptographic agility in Bitcoin" thread.

>> That includes both "consumer" wallets which may be infrequently used by people who bought a pile of bitcoin and touch it once every few years as well as those who are quantum-skeptical and will see no reason to upgrade until it's urgent.
> 
> Low-frequency users aren't fee sensitive, almost by definition, so I don't see them caring much about the minor witness size increase of P2MR compared to P2TR.
> 
> As for quantum-skeptical users, I see no reason why they would migrate their coins to ANY quantum-resistant output type, whether P2TRv2 or P2MR. To someone who today sees quantum computers as 100% FUD with zero room for doubt, they will see any PQ output type as a slightly worse version of whatever they use today. So I don't really understand why it would be so important to encourage this class of user to migrate. They won't - not until their world-view about the quantum threat changes.
> 
> If and when their attitude does change, then a few vbytes of overhead compared to P2TR won't deter them - not with an existential threat motivating them to migrate. If fees DO deter them, then they're probably an active high-frequency user like a miner or exchange, who can keep tabs on the situation and continue to grind savings out of P2TR until the very last minute [^1].

But what about someone who sees quantum computers as 90% FUD that might happen eventually but won't for 50 years but still gets users nagging them about it and support for importing some new seedphrase format that derives a SHRINCS key in addition to the EC ones? That's much less of a straw man and way more realistic - and also a place where someone might do the work (or, well, merge a PR if it's done for them) but probably won't if they're building a consumer wallet that is used by some to transact regularly (but, let's face it, used primarily by some people who put some money in and then forgot about it for five years).

> It is a mistake to compromise on long-term design choices [^2] to please quantum-skeptics, because:

Again, you ignore that the impact is global, not local. Yes, quantum-skeptics have to be brought along over time if you want to have any hope of bitcoin actually being relevant.

> 1. If the quantum threat is indeed real, then sooner or later, whether by theft or migration, this class of bitcoin user will no longer exist.

And with them they will take bitcoin's value...

> 2. On the other hand, if CRQCs turn out to be not-so-relevant after all, then everyone becomes a quantum-skeptic, and we can all return to P2TR while the new PQ output type slowly fades into obscurity.
> 
> Note in scenario (2), P2MR actually still has utility: P2MR can be used as a more-efficient way to construct script-path-only addresses, without the need to commit to a NUMS point. P2TRv2 has no such secondary utility.
> 
> regards,
> conduition
> 
> 
> [^1]: By the way Matt, I think it's a mistake to assume that large corporate users are not fee-sensitive. If anything they are more fee-sensitive than Joe-Average - when you conduct thousands of transactions per day, 10% larger witnesses could mean a lot.

Sure, for their hot wallet that is probably true, but also not super interesting - they can/will migrate their hot wallet over the course of an hour if/when Q-day starts to be a real threat.

> [^2]: P2TRv2 is a compromise in the long-term compared to P2MR, because after key-spending is disabled, P2TRv2 is strictly worse than P2MR: It would have worse performance and larger witnesses, more cryptographic complexity, and it commits us to carry legacy ECC as cruft well into the future.

Sure, but any short term hash-based signature migration path is really not intended as the final state anyway - if Bitcoin is stuck with only hash based signatures and a CRQC exists in 20 years that's a pretty terrible outcome. Hopefully by the time a CRQC becomes a real threat we have much more confidence in lattice-based systems (or whatever PQC is popular then) and we can add whatever output type makes sense at that point.

Matt

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/42806684-3cc4-42e2-8052-43288a93e91e%40mattcorallo.com.