Date: Thu, 12 Feb 2026 14:13:55 -0500
Subject: Re: [bitcoindev] Algorithm Agility for Bitcoin to maintain security in the face of quantum and classic breaks in the signature algorithms
To: Ethan Heilman
Cc: Jonas Nick, bitcoindev@googlegroups.com
From: Matt Corallo

On 2/12/26 1:08 PM, Ethan Heilman wrote:
> > Yep, we absolutely agree! I just don't see a reason to do P2MR over just utilizing P2TR (or
> > maybe P2TRv2).
>
> Here is my P2TRv2/ P2TRD vs P2MR analysis.
>
> Terms:
> - P2TRv2-disable-soft-fork - refers to the soft-fork that disables key spend paths for P2TRv2
>   outputs, but does not disable key spend paths for other P2TR outputs.
> - Q-day-long - The day at which long exposure attacks start happening.
>
> Set of outcomes for P2TRv2:
> Future-A: Q-day-long happens and P2TRv2-disable-soft-fork is NOT activated. Funds are stolen from
> P2TRv2 outputs, trust in Bitcoin declines.
> Future-B: Q-day-long happens and P2TRv2-disable-soft-fork is activated. P2TRv2 outputs are protected
> from quantum attacks.
>
> Set of outcomes for P2MR:
> Future-C: Funds in P2MR are safe even if Q-day-long happens unexpectedly.
>
> The risk of Future-A will be priced into the value of Bitcoin.
> We can reduce Future-A risk by activating P2TRv2-disable-soft-fork as early as possible.
> Activating P2TRv2-disable-soft-fork as early as possible is equivalent to activating P2MR.
> Thus, might as well activate P2MR instead.
>
> Do we want to tell holders:
> - Move to P2TRv2 and then trust us to activate the P2TRv2-disable-soft-fork in time
> - Or move to P2MR, you'll be safe.

No, P2TRv2 and P2MR are totally equivalent here. Because address reuse is rampant, P2MR will *also*
require an equivalent P2MR-disable-soft-fork. The only material difference is the cost, and some
small minority that doesn't do heavy address reuse.

> > Still, I think my point stands - in the face of many bitcoiners writing off the quantum
> > threat, wallets aren't going to have a lot of incentive to adopt technologies that make things
> > marginally more expensive.
>
> Maybe in 2027, but what about 2028, 2029? If we see steady progress toward a CRQC the drumbeat will
> become louder and louder and wallets will want to tell their users they are quantum-safe and secure
> against classical attacks on ECC.
>
> The first parties to move over will likely be big holders willing to pay a trivial increase in fees
> for security against existential tail risks.

Right, so the first parties to move will be the ones we don't really care about (because they can
just move quickly later anyway) :).

> > I'm confused by this comment - a soft fork that disables insecure spend paths to avoid them
> > being stolen is likely going to have a very easy time, not "fight an uphill battle"?
>
> soft-fork-1: Disables insecure key spend paths in P2TR. I don't have an opinion on the ethics of
> this, but the incentives are aligned to make this happen (reduces supply).
> soft-fork-2: ZKP proof of seed phase to allow people to safely spend from a disabled key spend path.
> The incentives are aligned to oppose this soft-fork (increases supply).
>
> The incentives support soft-fork-1 happening, but soft-fork-2 not happening. I don't claim to
> predict a future here, but the incentive issue here worries me.

Fair. Given the ethics questions and the amount of pushback I have to imagine every effort *has* to
be made to allow maximum wallets to retain coin ownership as otherwise the resulting Bitcoin has
less value just because of seizure concerns. This all depends a ton on specifics, though - has it
been 5 years since P2TRv2 was added? 10? 25? When did wallets start migrating in earnest? Did they
even until it was too late?

> Other questions:
>
> Soft-fork-1 must be designed so that soft-fork-2 is not a hard fork, that seems doable, has anyone
> written up a plan for it?

I believe this is largely only possible either with an ethereum-style "difficulty bomb" or simply
doing it all in one go.

> How big is this proposed PQ ZKP proof of seed phase? I've been assuming ~100kb per spend since we
> have to use PQ ZKPs.

Yes, I imagine quite large. Hence good to push migration along first. If migration is limited, I
imagine there will be some desire to provide strong fee-discounts for these ZKPs, maybe also
aggregating them in blocks.

Matt
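
The address-reuse point in the reply above, as an added sketch that is not code from either participant: it audits a constructed UTXO history for unspent outputs whose EC public key is already on chain. The `Utxo` fields, the address labels, and the assumption that each P2MR address commits to a single EC-signature leaf are illustrative.

```python
from collections import namedtuple

# Hypothetical record type for this sketch; not a real wallet or node API.
Utxo = namedtuple("Utxo", "outpoint kind address sats spent")

def exposed_addresses(history):
    """Addresses whose EC public key is already visible on chain.

    P2TR: the output key sits in the scriptPubKey, so funding alone exposes it
    (this matters while the key spend path is still enabled).
    P2MR: the key sits in a leaf script, so it is revealed by the first spend
    from that address (assumption: one EC-signature leaf per address).
    """
    seen = set()
    for u in history:
        if u.kind == "p2tr" or (u.kind == "p2mr" and u.spent):
            seen.add(u.address)
    return seen

def long_exposure_report(history):
    """Split unspent value into long-exposed and still-hidden sats, per kind."""
    seen = exposed_addresses(history)
    report = {}
    for u in history:
        if u.spent:
            continue
        row = report.setdefault(u.kind, {"exposed": 0, "hidden": 0})
        row["exposed" if u.address in seen else "hidden"] += u.sats
    return report

# Constructed sample history (not real chain data).
HISTORY = [
    Utxo("a:0", "p2tr", "tr1", 50_000, False),
    Utxo("b:0", "p2mr", "mr1", 40_000, True),   # first spend reveals mr1's leaf key
    Utxo("c:0", "p2mr", "mr1", 30_000, False),  # reused address: key is now public
    Utxo("d:0", "p2mr", "mr2", 20_000, False),  # never spent from: key still hidden
]

if __name__ == "__main__":
    for kind, row in long_exposure_report(HISTORY).items():
        print(kind, row)
```

Only the never-reused P2MR address keeps its value in the hidden column; the reused one lands in the same exposed bucket as P2TR.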