From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Mon, 13 Apr 2026 07:23:38 -0700 Received: from mail-oa1-f63.google.com ([209.85.160.63]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1wCICP-0004g5-SV for bitcoindev@gnusha.org; Mon, 13 Apr 2026 07:23:38 -0700 Received: by mail-oa1-f63.google.com with SMTP id 586e51a60fabf-415e1e9aa5dsf6154395fac.0 for ; Mon, 13 Apr 2026 07:23:37 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1776090211; cv=pass; d=google.com; s=arc-20240605; b=UXrtgR6n22Qduixf4iVEkp0iils69caQfagTzFqWD6M+yd2dxPGZxRSIWJnvzkuSav rp6zQF49UvHJ9Jv+b30leWecWPpObvS/2txDI0QSJWaLkc4urEiyERymaGyIywhY1MbL ksUZJ3s8RSxtWNtVfq4IzQTylK6C0x8cTqP0w/U9wzpPh4eoX7NAsTTDVezFXRRJsRrD 28PbunGThtxitDGMgvesxuLhP1/ll04w9BT8JawV5iqi3/FX6JtLXPeVah+hn9pyE+TW y+dw+q1fsuEiA4ew0fnqXf3CKxhM2/205O0Wca93U6VHKW132h8SVxOkCjqiSS1qz3R/ XP2g== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:content-transfer-encoding :in-reply-to:from:content-language:references:cc:to:subject :mime-version:date:message-id:sender:dkim-signature; bh=3ODI3KhUl9auXLHkA56s6zPF7qzmIdV/hAXL8E8L/cE=; fh=A47OptfBNWQntqRPKk32ETth7H29xCrD2WNs6YqFqfA=; b=Fk1ESO1UCHsYRnK7qHdAjtCNTf+8wLoFZRYEC9iTpbF/yK1qrrplm+7omObDTbQ+gf ZanCHeUG+CRLAgf6lDgkWHeFw3ijOH+P+i0nn6tBq7UlggP8R4SdFVd4wI4FRttZkLlt 8MMTT6Q3Hq/N4neByZ6kFzd4NV6+Q9v8tCV/LE5tPyMAEpGMUKddZLW3lc5XfnC+oxaC oJd4r4kyVsaUQUqRB3vRosYMoUZcQPA1S4IossIxp56O1my91Q2TjK8iKRKXH6APG/hI xBvglPAF9Uezfvn1eK1mUBFem43XaQSj6F42Gse27RXdXJb5bM/gWJlqo7UQ/YrjUJ4b fExg==; darn=gnusha.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@mattcorallo.com header.s=1776087662 header.b=YgYfQGmV; dkim=pass header.i=@clients.mail.as397444.net header.s=1776087664 header.b=XFbasVbF; spf=pass (google.com: domain of lf-lists@mattcorallo.com designates 69.59.18.99 as permitted sender) smtp.mailfrom=lf-lists@mattcorallo.com; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=mattcorallo.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20251104; t=1776090211; x=1776695011; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:content-transfer-encoding:in-reply-to:from :content-language:references:cc:to:subject:mime-version:date :message-id:sender:from:to:cc:subject:date:message-id:reply-to; bh=3ODI3KhUl9auXLHkA56s6zPF7qzmIdV/hAXL8E8L/cE=; b=EKm3wgCnEa97rxkTv3LihndSnRMrlIVrAJssiivflK1F3L7GcFiqVXiNm1Y09l2rRn Wt9D+XS055GH+qm8JUIagVdYrCa8XlgYxm75F/oVEuPg1c1nWiY795XZ58zHYRYEL8on 8f2KmW56D9mYywhDqzN8EMZIh4zxddHgneHx8DJjJeq6IH/j8B0lTSgZdSjXOz5AtDTO Xjt3JPMCZnm+BNz1ODDCyUwqxogSciclj1yGCg0+Gwq+m/mLOuxG/l0ZS9O160dvb3YI STDYTDnfu958PLRaaruNXWoTzkzDaXEHnysSnpVrsZj7R3Ho8FLmSVEDgxszhBX0xQUL tg4w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776090211; x=1776695011; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:content-transfer-encoding:in-reply-to:from :content-language:references:cc:to:subject:mime-version:date :message-id:x-beenthere:x-gm-message-state:sender:from:to:cc:subject :date:message-id:reply-to; bh=3ODI3KhUl9auXLHkA56s6zPF7qzmIdV/hAXL8E8L/cE=; b=YOb9sxmQNKiRDbrEo4hWFAH+YfusmWAr1MRKz/2Q6meMfMngDeKpHlRk7/vqwJu+yD a1jVYuz7Knme5eoMlsx2T5xP1go33uNxMe4xTtOBUex9++PeBkJuB0rP5TvKXXOzKTwj Pn1lbYWdyCjE4/Fk8pco6auDqqJzsxLfjd/phrCTetgwavlMj1G+cwgSIb00gjzwFCfi WNYXoA9ezH82YCQyZVGDZt7UwckNhVLnbfjblOnBOHmSVUm2/qluDw8ISHcLBK+69tiI JPojyuDjdQwYxqwYTGc4Jmdf2nE2cMskSx1T+AvvJHPFrVATuqn92kb33pO4D/vFbc2a tAyg== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=2; AFNElJ8uwWWMwL1LNxJQN2UoTyzGojs+yWVrFZCibujUrNUyzqP1Z64dsbQ3LtpX0XFuedhSsZfd/AtS20P4@gnusha.org X-Gm-Message-State: AOJu0Ywq5zGlGYfmV1zeyif+7cO4MDqee59SdUzRuDjnLsnGBcTmT+xo jw6hG02CJMPJuO4aqsyKs2/j2STUxyJiglhFIH1Ip1sI8u5dJo4YOve2 X-Received: by 2002:a05:6870:898d:b0:417:5a8c:feba with SMTP id 586e51a60fabf-423e0eace5amr7131822fac.12.1776090211099; Mon, 13 Apr 2026 07:23:31 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com; h="AYAyTiIGVVTzUuZ3efS535Fu+NEI/BY1OBPwttODdqCq4gmgBQ==" Received: by 2002:a05:6870:d409:b0:409:4c04:fab5 with SMTP id 586e51a60fabf-423dd9b0a41ls1592319fac.2.-pod-prod-05-us; Mon, 13 Apr 2026 07:23:25 -0700 (PDT) X-Forwarded-Encrypted: i=2; AFNElJ8QylsOm7GsudSJOOu+qgJ5Yc1keARfVgT0LaDZM999AhcbkWaTqEGBj+djzsFWQZlvWiYz2M7G7WlG@googlegroups.com X-Received: by 2002:a05:6808:17a5:b0:463:8fba:5df5 with SMTP id 5614622812f47-4789e91faa7mr6634394b6e.24.1776090205882; Mon, 13 Apr 2026 07:23:25 -0700 (PDT) Received: by 2002:a05:6808:6691:20b0:467:52e4:df4a with SMTP id 5614622812f47-4775b712654msb6e; Mon, 13 Apr 2026 07:02:17 -0700 (PDT) X-Forwarded-Encrypted: i=2; AFNElJ/nbesBfI6YH+Y/CYx3xhxIz0zvfgb2qhgEAKwFnUlDezhQ/8+H0vlylq1OsxGNzTfEoWrVJceajno+@googlegroups.com X-Received: by 2002:a05:6820:c08e:b0:67d:e7c3:3c65 with SMTP id 006d021491bc7-68be8dcf17emr6041675eaf.56.1776088936999; Mon, 13 Apr 2026 07:02:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1776088936; cv=none; d=google.com; s=arc-20240605; b=FAmz0Ux7JYxAuIlDVwtH+3pQ+Ju9E/k6sFjKiXX6mDwKyGEDetsy5gsLsUjDgG+iy6 zpcBpBxIHKQdp3MkRZ5P942v/dZUwg7gSA9jd+p0iQ1tMEIZECaCbsqFdU8jSzOK0Vw0 yF82BZ4Ocul3Y7+zz3vHE2HcTQGnALEqPoCKmHKeLlGlObjXNKmNI3rzS78t0MxEN6+2 O7f5UVHxEcB2VgzbvPSfa64BoAYrxqS5aPWwgYzVhnbWCjeRTd7c7VsNfe7PjW917NRj ZvjP7jr/gwqWZxu/1LSQEPEQCkJNDkbaUUGmjtt/kw40+BwbzQry8HIpAsVxGptlfU6W fn2g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:mime-version:date:message-id :dkim-signature:dkim-signature; bh=S2NWhLjry2cNQI6Xea/HLYEXnZMPJA0e7m8Nqh5itLY=; fh=biCrrFUzwrk+s8uyLKz6iBSvFYsjRxTUJ8jpnJ9DprI=; b=Y7XVKfE4Ix4O4GYbdRj3cBSHXssLQpJ8/uBLpakDc4NN8yhjo7o0O52/DITGr3vQz4 CpmX9K6HCIPWEScndp7ZgUnsnr5ynoaWtY76Qhm1pnBlV7h+bx1O3tnoH7xpU1x6y1cK IuofUcMkZdrhxa4aBvqd2V2N3i6mHRiDX4yoJR1lmbtG7syjnFXbluoigrrDqtfQZLgA q8HQdbQFROxQ50A3Qt9RdWwHS9vxZf76BDmlL9C1d8oipIlEXy2cZwGFBvIbPHDfW3JP hLJMy5uJAjwxxPXOGw6Inmu+Bh4PFBeZkTv/W4vCAxT/K+nTnXr+kDB0B96zighvTl7U J9EA==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@mattcorallo.com header.s=1776087662 header.b=YgYfQGmV; dkim=pass header.i=@clients.mail.as397444.net header.s=1776087664 header.b=XFbasVbF; spf=pass (google.com: domain of lf-lists@mattcorallo.com designates 69.59.18.99 as permitted sender) smtp.mailfrom=lf-lists@mattcorallo.com; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=mattcorallo.com Received: from mail.as397444.net (mail.as397444.net. [69.59.18.99]) by gmr-mx.google.com with ESMTPS id af79cd13be357-8ddb915b4adsi35796985a.5.2026.04.13.07.02.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 13 Apr 2026 07:02:16 -0700 (PDT) Received-SPF: pass (google.com: domain of lf-lists@mattcorallo.com designates 69.59.18.99 as permitted sender) client-ip=69.59.18.99; X-DKIM-Note: Keys used to sign are likely public at X-DKIM-Note: https://as397444.net/dkim/mattcorallo.com and X-DKIM-Note: https://as397444.net/dkim/clients.mail.as397444.net X-DKIM-Note: For more info, see https://as397444.net/dkim/ Received: by mail.as397444.net with esmtpsa (TLS1.3) (Exim) (envelope-from ) id 1wCHrg-00000005a1Z-0rrf; Mon, 13 Apr 2026 14:02:12 +0000 Message-ID: <6d075872-0db8-4e7b-ac2a-452624c991ad@mattcorallo.com> Date: Mon, 13 Apr 2026 10:02:10 -0400 MIME-Version: 1.0 Subject: Re: [bitcoindev] In defense of a PQ output type To: Ethan Heilman Cc: conduition , Antoine Poinsot , Bitcoin Development Mailing List References: <0vqF88LoOnY4GiUB4vf-MdeZpTAtR70tokS3cLwt2DX0e6_fD1X_wyhPwWEdIdm6R88AULObIU08CWsb5QfeoaM5c4yXPqN5wHyCrqMCtfQ=@protonmail.com> <6wBygQ_pK40ZpU_CMXfzIy-6LkthOmEh-xd2g9bwUl-f8w2K6G4rUWJEssE2zeJgxyipGe2GrFH9y_TUUI48asqfh7dhi9A2rl7NpWyFW1o=@proton.me> <765490aa-5df3-4619-86cc-17570b6d3e99@mattcorallo.com> Content-Language: en-US From: Matt Corallo In-Reply-To: Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: quoted-printable X-Original-Sender: lf-lists@mattcorallo.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@mattcorallo.com header.s=1776087662 header.b=YgYfQGmV; dkim=pass header.i=@clients.mail.as397444.net header.s=1776087664 header.b=XFbasVbF; spf=pass (google.com: domain of lf-lists@mattcorallo.com designates 69.59.18.99 as permitted sender) smtp.mailfrom=lf-lists@mattcorallo.com; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=mattcorallo.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.8 (/) On 4/10/26 8:20 PM, Ethan Heilman wrote: > > IMO even something like P2MR's additional cost will strongly discourag= e adoption. >=20 > I don't agree. >=20 > Over time as quantum attacks become a bigger and bigger concern for holde= rs, wallets will want to=20 > show that they can offer security against CRQCs. This is especially true = for wallets focused on high=20 > value Bitcoin outputs. Even if someone thinks there is only a 2% chance t= hey lose all their Bitcoin=20 > because of a quantum computer, that 2% chance will keep them up at night. >=20 > P2MR would have 17.25 more vBytes, an 11% overhead. >=20 > P2TR 1 input, 2 output - key path spend. 154 vbytes > P2MR 1 input, 2 output - spending a=C2=A0schnorr sig leaf of a P2MR outpu= t with two leafs: 1. PQ sig leaf=20 > and 2. Schnorr sig leaf.=C2=A0171.25 vbytes >=20 > I'm stacking the deck against=C2=A0P2MR here. Under some circumstances P2= MR has lower fees than P2TR. >=20 > It is hard to imagine someone holding significant quantities of Bitcoin n= ot wanting to pay 50=20 > sats=C2=A0to ensure their Bitcoin isn't stolen by a quantum computer. Right, but I think we're focusing on two very different groups. The "holds = significant quantities of=20 Bitcoin" group I'm much less worried about vs the "holds some quantity of B= itcoin in an average=20 consumer Bitcoin wallet". The first group includes institutions, funds, and= people relatively "into"=20 bitcoin - they're paying attention, (hopefully) using decent wallet softwar= e, holding funds in cold=20 storage, and aren't fee-sensitive. But this group is going to have no probl= em migrating no matter=20 what the solution is - the institutions and funds camp can migrate in a few= days in an urgent=20 scenario and the long-term holder with a significant portion of their net-w= roth in Bitcoin is also,=20 likely, paying reasonably close attention to Bitcoin and can react quickly. Because those groups are quite capable of reacting quickly, I don't really = buy that they're the=20 "target market" for short-term PQC in Bitcoin. Our goal is to get as many w= allets migrated as=20 possible, which really means focusing on the wallets that are likely to tak= e the longest to migrate.=20 That includes both "consumer" wallets which may be infrequently used by peo= ple who bought a pile of=20 bitcoin and touch it once every few years as well as those who are quantum-= skeptical and will see no=20 reason to upgrade until its urgent. Importantly, the decisions here are mad= e by the developers of=20 the software, generally not the actual end users holding Bitcoin. To put it a different way, the goal of adding PQC to Bitcoin is *not* to "g= ive people an option to=20 migrate" but rather to "make use of the PQC scheme the default" across the = ecosystem. The former may=20 get the migration process started, yes, but it does not ease the future com= munity's difficulties=20 materially - the slower-to-migrate coins will still be just as stuck as bef= ore and just as much=20 Bitcoin will be available to steal by a theoretical CRQC. Thus, ISTM the fo= cus *has* to be on=20 something that has minimal drawbacks - not losing the script policy privacy= of P2TR, low or no fee=20 overhead, etc. Of course that isn't to say that P2MR might not also make sense in addition= , but focusing only on=20 that misunderstands the goal. Matt --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= 6d075872-0db8-4e7b-ac2a-452624c991ad%40mattcorallo.com.