> the physics is cool, but the engineering needed to scale may still well be impossible in the physical world. bitcoin *cannot* respond to claims that unicorns exist with protocol change

We may never have a CRQC that's a real but unlikely possibility. Let's say you believe in your heart of hearts that CRQCs are impossible. Algorithm agility is still critical to the future of Bitcoin in such a world.

To quote from Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms (RFC 7596)

"Cryptographic algorithms age; they become weaker with time. As new cryptanalysis techniques are developed and computing capabilities improve, the work required to break a particular cryptographic algorithm will reduce, making an attack on the algorithm more feasible for more attackers. While it is unknown how cryptoanalytic attacks will evolve, it is certain that they will get better."
...
Protocol designers need to assume that advances in computing power or advances in cryptoanalytic techniques will eventually make any algorithm obsolete."

A CRQC is one of many threats to the cryptography used in Bitcoin signatures. If we want Bitcoin to be a secure store of value over at least one human lifetime, then algorithm agility is a must. Part of that security is that your coins don't get stolen due to cryptographic weaknesses, part of that security is that know your coins are unlikely to get stolen, i.e. epistemological problem.

On Wed, Feb 25, 2026 at 10:03 AM Erik Aronesty <erik@q32.com> wrote:

I'm in, I think, a group of people now, that have pointed this out, here and elsewhere ... I like to call it the "epistemological problem" because, why use short words when a long one will do :) The scenario is all the worse because (as, again, has been pointed out before): the "I have a CRQC" signed message you mention is (more likely), or can be, someone who has just placed a short in the market, rather than an actual CRQC holder. The point is that during a period from "bitcoin doesn't have PQ algos" to "bitcoin has PQ algos" the transition will always be essentially 100% opaque; every honest action of moving to safety looks identical, onchain, to theft.

a key that is crackable in-advance of bitcoin being cracked, so that we know quanutm is "real".

1. deterministic random elliptic-curve address on a much smaller-bit-strength curve, but not so much smaller that classical attacks are feasable
2. bounty for the solution enforceable with a smart contract
3. refusal to accept that "i have a CRQC" message unless this well-known-key is used, because anything else is likely a scam (private key known in advance)
4. understanding that cracking a 180-bit key only gives us 6 months to a year of quantum engineering scaling to fix bitcoin
6. published plan to move quickly as needed

the physics is cool, but the engineering needed to scale may still well be impossible in the physical world. bitcoin *cannot* respond to claims that unicorns exist with protocol changes. but we *can* respond with a bip that allows us to rapidly deploy defense against unicorn horns once irrefutable evicence arrives that they exist.

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAJowKgJwq88yfJEQzZ%2Bv-33EtEuYif1y6qsXtyoRyk2V%2B44cww%40mail.gmail.com.