Date: Thu, 16 Apr 2026 06:19:42 +1000
From: Anthony Towns
To: Matt Corallo
Cc: Bitcoin Development Mailing List
Subject: Re: [bitcoindev] In defense of a PQ output type

On Tue, Apr 14, 2026 at 04:04:02PM -0400, Matt Corallo wrote:
> I'm gonna top-post because I think we're too far in the weeds and the
> high-level argument is getting lost. No, of course I do not think that our
> job is to "convince" any quantum skeptics. What is our job is making sure
> the *bitcoin system* is ready in case a CRQC does become a reality. That
> means looking at the system as a whole, not individuals. Notably, this means
> that if the decisions we make result in a bitcoin where some people who are
> super worried about a CRQC have migrated but everyone else hasn't, and a
> CRQC becomes an imminent reality, *we've failed*.

I think those views are contradictory.

Preparing for a post-quantum world is not free: even if you come up with
a new address scheme that imposes zero overhead to make a PQ spending
path available, there are still switching costs associated with moving
to that new address scheme, so the only way you get the people who
aren't super worried about CRQC to migrate beforehand is precisely to
"convince" them that the (low) risk is worth the (low) cost.

If the outcome of not doing something is that you've "failed", then
doing that thing is your "job".

> In such a world, bitcoin
> becomes largely value-less and the paranoid folks who migrated long ago and
> paid for it have accomplished absolutely nothing. I hope we can at least
> agree on this point.

I don't believe that's necessarily true either though.

A path forward in such a scenario (30%-95% of BTC held in
CRQC-vulnerable addresses, CRQC is believed by the public to exist, and
willingness to hold BTC when large portions of supply are
CRQC-vulnerable is already low or dropping fast) could be to create a
hard fork of the chain, preserving the UTXO set, but making all
quantum-vulnerable addresses only spendable via a scheme like
roasbeef's recent demo (ie, provide a PQ ZK proof of a hardened
derivation path to the pubkey that links that knowledge to a new
quantum-safe pubkey).

Of course, there are plenty of difficulties with such a path, notably:

 * deployment (chain forks have been done before, but they're not easy)

 * post-quantum cryptography implementation (there's a whole host of
   new crypto needed, relative to bitcoin today)

 * market agreement on *which* new hard fork coin is the winner (if
   there's one such fork that gains any traction, there will certainly
   be many clones launched at a similar time, some of which may have
   meaningful technical/economic differences)

 * avoiding capture by a "hardfork core team" via an ongoing sequence
   of mandatory hard fork upgrades (traditionally chain splits have
   resulted in multiple followup consensus changes, eg to tweak PoW
   rules)

But if the only alternative is the end of Satoshi's grand experiment,
then it sure seems worth trying.

The "Q-day hard-fork" approach has a few benefits too:

 * it's a clean split; people who still don't believe in quantum risk
   can ignore it

 * if done prematurely, it's equally irrelevant to all other hard forks

 * as a hard fork, adding new spending paths to old coins is a viable
   option, rather than freezing everything being the only choice

 * it's a voluntary, opt-in solution, where everyone gets coins under
   both the old and the new rules that they can spend or save as they
   see fit

In a scenario like that, the people who migrated long ago benefit by
retaining immediate access to their coins on the hard fork chain with
only minor updates to their systems; the people who didn't, instead
need to retool and perhaps extract private keys in order to generate
the ZK proofs that will allow them to regain access to their funds on
the fork chain.

Personally, I'm skeptical that there'll be any agreement on disabling
spending paths without a concrete CRQC to analyse: it seems to me
there's likely significant risk that you'll either freeze spending
paths too early (someone gets lucky and triggers the freezing condition
10 years early, even though it turns out scaling CRQC is harder than
expected) or too late (eg, after significant funds have already been
stolen).

I also don't think there's much point discussing disabling spending
paths when there isn't any other way to spend funds. From what I've
seen, there have been demo Winternitz implementations in bllsh (~4,000
WU) and GSR (~24,000 WU), and a SHRINCS implementation in Simplicity
deployed on Liquid (~36,000 WU??).

Cheers,
aj