From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Fri, 13 Feb 2026 08:21:45 -0800 Received: from mail-oa1-f55.google.com ([209.85.160.55]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1vqvvM-00080T-Px for bitcoindev@gnusha.org; Fri, 13 Feb 2026 08:21:45 -0800 Received: by mail-oa1-f55.google.com with SMTP id 586e51a60fabf-4042356948fsf8762809fac.3 for ; Fri, 13 Feb 2026 08:21:44 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1770999699; cv=pass; d=google.com; s=arc-20240605; b=esbynXRM4K/RHA0uemB44g/6GR3VX13Ma0p6oL7Lp7FozeCKCernho3sDopm0WmqHy ErFi5fLsnAsWc329vD3Uzuk+dRoHFyFg2LjpFNQxpKOHh+rE42Ry9uj8ReE3R9Df97Fh QMvIyktbMAbxOFfiRsFtuz/XLs2e0xekcaedaqNd6xQQPkC+O6FptFseTEVdB+u6y+Q+ 0u78dNJ61/A36plk0ZUcbjoyPhOIyTnLTpTCLAxEJqnw3NJFbJrBGg6E7rABr7vUJleV A8rqh06z4SO38ZFa/bnvqmKKPTd1H4/ZDqQAmxCwHBhEGC6eNsVAqeGqXUcCVhDzkvbQ UNLg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:content-transfer-encoding :in-reply-to:content-language:references:to:from:subject :mime-version:date:message-id:sender:dkim-signature; bh=Jhm7l6oUA1aOAWktug4qsqxYLSe8DWGYUI/sdwLcV9w=; fh=CmfXk/8b0Q90FgoSE9tM8dMAH3qJjgJDIZayjBEQ+mw=; b=Em8OjotusHzMJJc8m3aKFnfeQMbvn1z5YDdS9gBHI8lX5pGkncfc4x6geQu+upvxw3 tMCCvnkWEGkYduqMjdDK2MArSOMFYWAMoDv93Ci2XIHTse8tBKxm2oVCsJGcntXqM+xB Omv87LGiGP4IS6y0tdZuTp8YSGxFDsvbADRMGowISQ3loQpCEGXyMYU87cwYqBagHlnQ +/Tsw5cyU52FaV79jW4FUdOmD/Dchd9PNwR0n8vdLSDYzPpb1orSEkQs1FibW83Ri9M5 L+dZsRmnIXu9u0lrKarmCLH2NjMYoqWUhk6AcFSK8PWuJkSR1TCXJIQN9klW438HbjHK mp/w==; darn=gnusha.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@mattcorallo.com header.s=1770924062 header.b=hZzTJR4H; dkim=pass header.i=@clients.mail.as397444.net header.s=1770924065 header.b=AthIcTmg; spf=pass (google.com: domain of lf-lists@mattcorallo.com designates 69.59.18.99 as permitted sender) smtp.mailfrom=lf-lists@mattcorallo.com; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=mattcorallo.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1770999699; x=1771604499; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:content-transfer-encoding:in-reply-to :content-language:references:to:from:subject:mime-version:date :message-id:sender:from:to:cc:subject:date:message-id:reply-to; bh=Jhm7l6oUA1aOAWktug4qsqxYLSe8DWGYUI/sdwLcV9w=; b=AFBFbfvSB0G3giDa6XbeHRTq+Ukh0Q9SAT8oFXAZA71F2TC9KWRXOPWvXqBtplaiw4 AlXVVbQK22b/UGzTomfpHL8r95WNz0EKpLTjTha0ORSBCJOs3nzl31COjEhuKLG5wWn5 xTZi0KB/ttoZYIRhhTnrNijgkIwGoHin46IFHY9sqpwwQ3HlDWaz6T2sV4aBI+gqeDGL ZpBZzxKGOA9676SvEWITQZ21It0nA4sdpi4I2TGrimqFDdM8SuHVV8lkstbNrA61w215 5OIQu1tJD37JV452SBPEXYCRaLXWpxU14uJ5tbJrB+rQGIKI9gELUa8zVOnwTQ60vRmP M2Ow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770999699; x=1771604499; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:content-transfer-encoding:in-reply-to :content-language:references:to:from:subject:mime-version:date :message-id:x-beenthere:x-gm-message-state:sender:from:to:cc:subject :date:message-id:reply-to; bh=Jhm7l6oUA1aOAWktug4qsqxYLSe8DWGYUI/sdwLcV9w=; b=FSmQGBkkEoq++lNgqji4uNQtviE3G/cftdoOc2mhndx/UfPEMoBCljJL4vu+JXCcsY GAWCMmv+JL74p9DMGUMmKUwTGDD300TeA+umMoKGySFirmc5aoLPB7RuQryfvIa2d2sl AIzmF/psmf8jT7Z095t5y2eGYAuwZPfw5VQFvZREgXB2YF4KEBSp9WmnQNCRA/6asvCb 2ykHgk2DmGUjvg+SZONluE4ackgOBt67QUOhOqe2EMJV5WMiAZzKyPenx0dMAlf0rMUp 7d8tHyIkzsDSN5ySrFjCoo9PpXjf/1RgH3C+bHCQwgCdFNL6yMTfxXjwD9y5cImClDTQ XHTw== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=2; AJvYcCUW+ZUr6IXyuOiHO67qDorvm/j+jjLAq09CXD4uclO/2kUZfOKS9sJp0Pm/Wxq817hqDdpNZKHYPsHw@gnusha.org X-Gm-Message-State: AOJu0Yw2Njf6vJUcRf+t79YqC0jUE6Gdkr56WWJQMbqKVOyk13kDNTgy SY8NN87wFebi1gpz+3f7ArLd5o+2CyKBKD+wQJ6aFZ5cmA2CinB/52fv X-Received: by 2002:a05:6820:2912:b0:662:fe02:daf2 with SMTP id 006d021491bc7-677666f464emr988395eaf.6.1770999699048; Fri, 13 Feb 2026 08:21:39 -0800 (PST) X-BeenThere: bitcoindev@googlegroups.com; h="AV1CL+EumEsT4HOBdt63drLGCZ1KSIHn4VmlCmmzoBtZAEa95A==" Received: by 2002:a05:6820:229b:b0:669:ef59:55e2 with SMTP id 006d021491bc7-675d33f96a4ls1552588eaf.2.-pod-prod-07-us; Fri, 13 Feb 2026 08:21:34 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCV+ufwei+9XI2DPdGQeXDsJiZ+3NxS3t98yYlk4ODf1CjGxhYPm5/eQOXuHgWO3/Rh+rKgUXpFxkZNR@googlegroups.com X-Received: by 2002:a05:6808:188b:b0:450:275c:8803 with SMTP id 5614622812f47-4639f099282mr1723848b6e.28.1770999694727; Fri, 13 Feb 2026 08:21:34 -0800 (PST) Received: by 2002:a05:620a:1655:b0:892:e292:65ef with SMTP id af79cd13be357-8cb3f83c80ams85a; Thu, 12 Feb 2026 11:43:27 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCXEl4LOvmsEqn/1XJ+giCa6EB7Vly7t4bRtoBfbo4ZIiDYJbe4paR4qy0fGWJiOR0Hjp3klcokOCiom@googlegroups.com X-Received: by 2002:a05:620a:2688:b0:8c6:ff8f:58af with SMTP id af79cd13be357-8cb408f1199mr4796785a.51.1770925406673; Thu, 12 Feb 2026 11:43:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1770925406; cv=none; d=google.com; s=arc-20240605; b=CCvKkWAMuI1kXsryU17p03RiAgN/RY2nXM5CaPGMF2nEgSXPGv1cJ/vNOJRUjjsbKW 2ItdLzYG0/lZFZk3OBHjNHtXFJ0tTqW2ug8AhDD8Ic1w/34CqBvoaZWz1w6/r0sDtHcR 25lM1m3EvHYkoQkRqO4R6wwqo6hZFyF/XRevkbjZUzNo0gbHO/CpoGq/2KXSy+yVETLX qHZFxZ37hNV7Xrb9NLEZS71UeyITUKTGyoB43d5H8yf3EIoM3T/OLGhk9PbFftveeePW Yx7/8DdA0/e2iUPaopJiwFu4+XzI0a75qgPI+uEc4Z6zABuXuJ2gAWGLmzy64SJtBukc a9Cw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:in-reply-to:content-language:references :to:from:subject:mime-version:date:message-id:dkim-signature :dkim-signature; bh=j+AoPGJXNtZQ/TrJokqBj+tIJrfw2aOk9nHW53bM1DM=; fh=2EV9HtMw1QTzGSfUm2X/O0xVoxxmy5vUj8s0Z9ARrDA=; b=gIZuK9GBXliD00ESIcIcN1hKOos3JbxlJIG7sEZAgT3mbEnbntJYk7J2xj3LLdtbI+ xPaU+i6jB3tKeOdWw1441kzpeCubp3AFfeJ/IiyajD3H6MuuWtZQ9HcaUXsZ4avd3Hvb lCaSGGCrpLgM3itdXueaxfZBPk8hSRhtzL796cId1heQXzwLmtd5AeMH+q2BTNfDl05I kPIbQaK6wNWZbg6xZnj3IUBqzj6l+nsUm0bn4va9nBIJm5Eqx2dXyTXCbpAtden02KJu upxHiNtfuYK3kF4nFB6kCF/fdKHZrkh5G+TKTIWYUv+bMM1kGtzEpQlAmfDsYmp7NUjh DkUQ==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@mattcorallo.com header.s=1770924062 header.b=hZzTJR4H; dkim=pass header.i=@clients.mail.as397444.net header.s=1770924065 header.b=AthIcTmg; spf=pass (google.com: domain of lf-lists@mattcorallo.com designates 69.59.18.99 as permitted sender) smtp.mailfrom=lf-lists@mattcorallo.com; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=mattcorallo.com Received: from mail.as397444.net (mail.as397444.net. [69.59.18.99]) by gmr-mx.google.com with ESMTPS id af79cd13be357-8cb2b13a0desi19888785a.3.2026.02.12.11.43.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 12 Feb 2026 11:43:26 -0800 (PST) Received-SPF: pass (google.com: domain of lf-lists@mattcorallo.com designates 69.59.18.99 as permitted sender) client-ip=69.59.18.99; X-DKIM-Note: Keys used to sign are likely public at X-DKIM-Note: https://as397444.net/dkim/mattcorallo.com and X-DKIM-Note: https://as397444.net/dkim/clients.mail.as397444.net X-DKIM-Note: For more info, see https://as397444.net/dkim/ Received: by mail.as397444.net with esmtpsa (TLS1.3) (Exim) (envelope-from ) id 1vqcaz-00000008IK8-0SPp; Thu, 12 Feb 2026 19:43:25 +0000 Message-ID: <8b4e4438-329b-47a7-b31b-e410ab60d024@mattcorallo.com> Date: Thu, 12 Feb 2026 14:43:23 -0500 MIME-Version: 1.0 Subject: Re: [bitcoindev] Algorithm Agility for Bitcoin to maintain security in the face of quantum and classic breaks in the signature algorithms From: Matt Corallo To: waxwing/ AdamISZ , Bitcoin Development Mailing List References: <22073a56-1cbf-4ba9-a2ea-46c621d4619c@mattcorallo.com> Content-Language: en-US In-Reply-To: Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: quoted-printable X-Original-Sender: lf-lists@mattcorallo.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@mattcorallo.com header.s=1770924062 header.b=hZzTJR4H; dkim=pass header.i=@clients.mail.as397444.net header.s=1770924065 header.b=AthIcTmg; spf=pass (google.com: domain of lf-lists@mattcorallo.com designates 69.59.18.99 as permitted sender) smtp.mailfrom=lf-lists@mattcorallo.com; dmarc=pass (p=NONE sp=REJECT dis=NONE) header.from=mattcorallo.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.8 (/) On 2/12/26 2:35 PM, Matt Corallo wrote: >=20 >=20 > On 2/12/26 10:36 AM, waxwing/ AdamISZ wrote: > >=C2=A0 > For what its worth I do not see a scenario where a decision ul= timately made by the market will=20 > pick > > the fork side with materially, say 5-10x higher, supply, over the side= with lower supply...supply > > and demand is king, especially with the "confiscatory" nature is basic= ally nil as ~all wallets today > > use seedphrases, which could still be spent with a ZK proof-of-seedphr= ase :). > > > > This line of reasoning is wrong imo. > > > > If supply and demand is king, why not just delete supply as much as po= ssible? No more mining? > > Arbitrary freezing of various actors' coins (but with warning! so it's= only confiscation in quotes, > > right?). > > > > Hypothetical: someone proposes a fork which freezes all coins residing= at utxos with addresses > > containing "234"=C2=A0 (insert technical description as appropriate - = you get the idea). It'll be a bit > > like the rules about driving into town with various letters in your li= cense plate, though, a bit > > more permanent :) The vast majority will benefit economically from the= lazy few who don't notice, > > since if they pay attention, they can hop out of the frozen addresses = with time to spare, so why > > doesn't it happen? > > > > Obviously, ridiculous examples, but .. point stands in general: > > > > It's a curious kind of self-referential. The "market" here is really t= he set of holders, their > > *short term* interest is to grab any they can, but their long term int= erest is to have their stash > > keep its value. There is *nothing* that will destroy bitcoin's value m= ore effectively (certainly not > > technical issues like bugs, certainly not an unexpected unlock of a bi= g amount of coins to be moved > > in the market) than an event that questions the "private property prom= ise": > > > > 1/ coin inflation schedule is set in stone; > > 2/ if you can cryptographically validate a transfer, bitcoin will let = you do it, i.e. you can always > > spend your own money; > > 3/ if you "locked" a utxo with a certain ruleset in the past, that rul= eset will still be active and > > let you spend in future, i.e. you can't be locked out of your own mone= y. > > > > Bitcoin is the only digital asset in the world for which those asserti= ons are credible; it has never > > yet violated them, and imo it's the thing that keeps it unique and imp= ortant (PoW ties in; it's > > another aspect of the same rigid adherence to no controlling entities)= . > > > > That's why both this idea and Peter Todd's tail emission idea, both hi= gh quality engineering-safety > > thinking, will not happen, in my opinion. >=20 > I obviously agree with you at a high level - the value of Bitcoin derives= from its (attempt at)=20 > trustlessness and any attempts to break that will necessarily result in t= he market rejecting them=20 > precisely because they break the exact thing that gives Bitcoin value. >=20 > Its also hard to analyze this because it depends so much on the very exac= t scenario we're talking=20 > about. There are indeed certainly scenarios I can imagine where I think t= he market would prefer to=20 > not disable insecure spend paths. But at the risk of using an equally abs= urd example as yours, >=20 > Imagine we discover a breakthrough in refrigeration technology that we've= missed for 200 years=20 > tomorrow (or a room temperature superconductor, or...) plus a few other m= ajor engineering=20 > breakthroughs and we're now on track to have a CRQC in 2-3 years instead = of 15-20, and oh in 6=20 > months we discover that they're not just gonna be buildable soon but pret= ty easy to build farms and=20 > they'll be able to calculate a private key in seconds. Yes, we can stand = on principle and watch as=20 > the CRQCs steal all the bitcoin and sell them to recoup their investment,= but the market is=20 > obviously not going to value that because the thing that's left isn't rec= ognizable as Bitcoin - its=20 > just some weird cryptographic scheme where tokens are shifting around all= the time and everyone is=20 > stealing from everyone else. >=20 > There would certainly be market participants (like you, I guess :p) that = try to hold on to the=20 > original Bitcoin and might even invest some money in buying more (from th= e CRQC-operators). And the=20 > insecure-spend-paths-disabled fork would probably have somewhat less valu= e than the original as a=20 > result. But the original chain would without question have nearly zero va= lue, and the fork might=20 > have some. >=20 > Now, this scenario maybe seems exaggerated, but actually I think its equi= valent to the most likely=20 > outcome. Not that I think we'll see multiple major 100-year physics break= throughs soon, but rather=20 > if we see a CRQC in the next 10-20 years, that the state of Bitcoin walle= t adoption of PQ spend=20 > paths will be only marginally better than it is today. Sure, maybe 50% of= wallets have upgraded, but=20 > that's not enough to have any outcome materially different from the above= . >=20 > Finally, more philosophically, I disagree that these are somehow equivale= nt. Yes, in stated black-=20 > and-white principles it violates the "ethics of Bitcoin", but that the *a= lternative does too*.=20 > Leaving the coins to be stolen by a CRQC almost equally violates the "eth= ics of Bitcoin" - the=20 > rightful owner of the coins, the one that created the private key and did= not leak that private key=20 > to anyone else no longer has the coins! but... >=20 > >=C2=A0 > ZK proof-of-seedphrase :). > > > > Oh cool, that's a good point. Ethan's counterpoint is good too, that w= e would need a consensus rule > > and that's v. hard, but: my spidey sense is tingling a bit about wheth= er people might find tricks to > > avoid it: if you consider the very clever tricks recently discovered a= round Glock, ArgoMAC and so > > on, they enable gating txs behind ZKP schemes w/o new consensus but wh= at we're talking about here is > > way more narrowly defined than the larger problem they're trying to so= lve, which might support being > > optimistic ...). >=20 > I think this makes the philosophical point more stark! Now the options in= front of the future=20 > Bitcoin community aren't "burn the coins or let the CRQC-operator steal t= hem" then options in front=20 > of the future Bitcoin community are "burn some of the coins and let a pro= bably-majority of the=20 > rightful owners claim them, or let the CRQC-operator steal all of them". = I cannot justify why the=20 > second option is somehow more ethical or more in line with building the b= est, most trustless money=20 > on the planet. And maybe to clarify this somewhat further, my thinking is the value of bit= coin derives entirely=20 from this concept of "trustlessness". "property rights" is a somewhat simil= ar concept here, but the=20 point is that you can own this thing without having to trust someone else t= o enforce that ownership. If a CRQC steals that thing that you supposedly own, you didn't own it, and= it sure as hell wasn't=20 trustless! If, on the other hand, at least *some* coin owners get to keep t= heir coins, that's at=20 least somewhat further up the "trustlessnes" curve than before. This goes double for the, IMO likely, scenario that the long-tail of non-se= edphrase wallets is able=20 to adopt a P2MR or P2TRv2 PQC design years/decades before a CRQC, but there= 's quite some straggler=20 seedphrase-based wallets near that point. This means that ~only coins that = haven't been touched in a=20 decade and didn't take action, are burned, but in exchange a lot of coins f= rom straggler wallets are=20 saved. Matt --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= 8b4e4438-329b-47a7-b31b-e410ab60d024%40mattcorallo.com.