Message-ID: <71374026-6365-45fa-8168-ff1c8cb83dc9@mattcorallo.com>
Date: Sun, 19 Apr 2026 12:37:32 -0400
Subject: Re: [bitcoindev] PQC - What is our Goal, Even?
To: conduition
Cc: Ethan Heilman, bitcoindev@googlegroups.com
References: <2b8d2a1b-9e9c-4918-9ac7-4bdcb15f5886@mattcorallo.com> <39f3c26e-2cb5-4dcb-a269-78c793174b2a@mattcorallo.com>
From: Matt Corallo

On 4/19/26 12:27 PM, conduition wrote:
> Hi Matt, thanks for elaborating. But I think you didn't address the overall point of my last email, which is that address reuse is a null argument in the P2MR vs P2TRv2 debate.
>
> What difference does it make if wallets use P2MR or P2TRv2 when they reuse addresses? EC pubkeys are exposed on-chain either way. The only diff is that in reused-P2MR, EC pubkeys are exposed slightly later at spend time, rather than at receive time.
>
> Even if you take the highly pessimistic view that 100% of P2MR usage will always be through reused addresses, then those coins would be no more secure in P2TRv2 than they were in P2MR. To protect coins in this context, an EC restriction is needed either way, and that can be applied equally to either P2MR or P2TRv2.
Correct, I did not address the question of "why is P2TRv2 better", I was highlighting that I don't think, from a "quantum security" point of view, P2MR is any *different*. If I read your email right you were suggesting that both P2MR and P2TRv2 are equivalent in a "many reused addresses" case, but also claiming that because some addresses are not reused P2MR should be preferable because at least "the people who did it right" retain ownership of their coins. I reject that view entirely.

I believe I've mentioned in previous mails that I think P2TRv2 is better than P2MR, if only marginally, in a world where they're equivalent from a "quantum security" PoV - P2TRv2 might retain somewhat more script privacy, is marginally more efficient, and trivially retains (what exists of) existing taproot wallet implementation, rather than requiring more engineering build-out.

In the extreme, the "well you were using it wrong" responses to address reuse in P2MR that have already cropped up might reduce the likelihood of saving the coins of wallets that have reused addresses, which is also a negative, but maybe you could argue that they're equivalent by having an updated BIP spell it out.

>> I think the gap between our views is that I don't buy that the "percentage harm reduction" outcome is all that interesting. Sure, there's some % where it certainly is, but it's probably in the 99+% range, not in the 75-90% range. I think maybe the biggest gap is I just don't find any "solution" that results in 10-20% of bitcoin (*especially* active bitcoin people hold keys to that made some progress in migrating but maybe screwed up address reuse) being stolen as at all interesting. If we manage to get 90% of active coins secured and then 10-20% of active wallets get some of their funds stolen, have we actually accomplished something grand, or is Bitcoin's reputation so shot that we might as well pack it up and go work on some new fresh chain that is PQC from day one? I'm fairly confident the answer is the second, not just in that "we"'ve failed, but that the market will see it the same way.
>
> Am I reading this right? You think it'd be better to abandon the entire chain if a CRQC can steal more than 10% of the active coin supply? That's a bleak outlook. I hope you change your mind on this. I hope even more that we can prevent such theft from happening in the first place. But again, debating P2TRv2 and P2MR is irrelevant to that goal if you assume address reuse will be rampant and exploitable.

Yes, you are reading me right. I genuinely don't see why we should care about a bitcoin if some nontrivial portion of wallets *that "upgraded" to be quantum-secure* get their funds stolen by a quantum computer. The amount of reputational damage from this isn't trivial, but maybe more importantly what on earth do we think the point of bitcoin is if it's genuinely that hard to secure?

>> In a world where there's material address reuse, and those folks are using P2MR, suddenly it becomes "their fault" for "using it wrong" (even in cases when it isn't).
>
> People will blame whoever they like. Our concern isn't to direct the blame for theft correctly; our concern is to reduce theft by deploying the right upgrades. If CRQCs become a threat and too many pubkeys are exposed, we deploy a restriction on EC spending. If we can do that on P2TRv2, we can do it on P2MR too.
>
>> On address reuse, as far as I'm aware, it's driven by at least three factors
>
> All address reuse scenarios, including the examples you gave, can be protected by restricting EC spending regardless of whether we deploy P2MR or P2TRv2 as a first step.

Sure, my point was only that they're totally equivalent, and thus we should consider the decision based on other factors.

Matt