From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Wed, 15 Apr 2026 16:34:33 -0700 Received: from mail-oa1-f57.google.com ([209.85.160.57]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1wD9kf-0003dM-9r for bitcoindev@gnusha.org; Wed, 15 Apr 2026 16:34:33 -0700 Received: by mail-oa1-f57.google.com with SMTP id 586e51a60fabf-40a4d2264absf14983428fac.2 for ; Wed, 15 Apr 2026 16:34:33 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1776296067; cv=pass; d=google.com; s=arc-20240605; b=Boc6K2dwFqFi+qJgUYs+RO8EAc0vtQvwt/q0YIoEhDcJsfUW5j2YyDw7pUb/M9S9GK yd5MATBoreFjVFKNJ1gxWIfl7Dm9Zf5BS9R+gFgyTkHKy5QrXXhVA06APdLZC5n+GZAX 99t/2um6EhZMOdixunGC3kf5VJAzbQT4TtiiDZoJ5JfprDR/L1iNqb99TETSUgHAiGTK glMH5QWumvKkxRQL6d0yw7FiweNIe68nhfkKYHWu38pWLphhknEyRXz++O2zcpSuphwK /ESGGwa5yBvIe3H5IkIjy7zQ4siIQehBjhtbWg4BfpqptB4vJEg1tD0mA2fZOPHnAgNJ V0pA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date:sender :dkim-signature; bh=wcs0pidKg2twwX87X/08fKzbltI2mBoUSWxeBhbMi3k=; fh=rrBczH7ZlL3AaC9gL8EDV2Zdx03cdL7lHJxIHbx8Ioc=; b=OLR1sw4vSltk1hdJVHGmf+ycYY7fzvTykVmq6sYumS6fqKGghczVckDuOngpwmFLbI kHe4B11n0KM127T+vY80oZ+igRDq4hue0EQtd9iOk5HqFrjSELBpi5h66t1nTm2AvzDa deMy/81hm2bTJcb578SM2kGVENv1/Cxwe6B3bd+wrf6Di6I5DqLMB6inuJPtxeOGpLq3 JpKFsc19d5gIThtyVOd8H+WxC/oMZt3ItqmVRjmPuadpfzkk0hMBF+ngZhdGhOK18Ybz /Sm9M+kYScSIh0xmAF7kENwGiP3WHK0bo3xB1m/hHTG60eV8w/Ky1eRm6eQaXFFt1w7j zNIQ==; darn=gnusha.org ARC-Authentication-Results: i=2; gmr-mx.google.com; spf=pass (google.com: domain of aj@erisian.com.au designates 172.104.61.193 as permitted sender) smtp.mailfrom=aj@erisian.com.au DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20251104; t=1776296067; x=1776900867; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:sender:from:to:cc :subject:date:message-id:reply-to; bh=wcs0pidKg2twwX87X/08fKzbltI2mBoUSWxeBhbMi3k=; b=AXbd5CgrWVXPZw8IKnP3h0Oz9p+nr+FjycepiJWkkjh09usWc8uKcCFz4eLKA5uRUz ZR+SGF0Lln10HH0n1/x6wljabFMY9dccDIgdP8yNZwUqz8TmdH836s866d97Deyv+fdI ABVS3NUUsWa1fv6G73QWQ8acSX/lDuGc2j6XSezZKXvDCECCi4HGiogbD2NFBFlNfrOF 2HhalvAdZXqZYXdj+DC9RkS6a4lCvs+K7blaBPrH+Co0qjk3xSoXl7BTvZF1/O2er7cd A9f6q6+yWZ16z2vZ/SbBm2ThQm5hbkr4wxuI4LYZR1+t78audrcdgzayTS13afl1oZ0h 2Vlw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776296067; x=1776900867; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:x-beenthere :x-gm-message-state:sender:from:to:cc:subject:date:message-id :reply-to; bh=wcs0pidKg2twwX87X/08fKzbltI2mBoUSWxeBhbMi3k=; b=fq96PBJckH1iBfFGlqBkg/bwrDNh3SBpPzp3+RtwEJwf+wgmfXOiwD/4JoAGJb7yCU Lr6p9vFwxtW/DaJifQVDP5jta5xvNoaxAFTBF9hxTOl2duv38ymR+H9t5KN0KvGfjOH1 IldGNLNf6eNfoXEovqwKKN0f5UIy8+AZi4hvL6WeWG2R4N0L1++V00uVzffV5oTLrNY4 BbG45QWxCSuLA7oDQOk/V48OQl+Y7S+By6J1oDj4AG0k5pke8kzJyFn7U19lRZ/fAPKl J3TCT/jqJn02ROrU4i9soRYOcKAfKs8TH/izDYPQ0gqOAF2jPw8VVM7UgSxBzk2diHQO MIfA== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=2; AFNElJ+cEZN4THyyrbYlUENZaK67Om+c+oPbJm9cxQCLht5G7XcO0MQIL+AjcvGIrUsQPCmFd8orHo6JCPjS@gnusha.org X-Gm-Message-State: AOJu0YznmVsH6/HFdJBqGKxwrEeKZ8eX0Fh4m9qF89QCnpSmgPEN015i gbrm8Dr76W/7XsiUpOuyyTq4hAV614qxwj2GbHijdT/4K9uLjk38i6YB X-Received: by 2002:a05:6870:948c:b0:41c:8723:cc0f with SMTP id 586e51a60fabf-423e1159362mr13367192fac.38.1776296066963; Wed, 15 Apr 2026 16:34:26 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com; h="AYAyTiIX/zMDnLxtldEx7+RH+UBGLelxk4bc9FsYnMbkY9d5/g==" Received: by 2002:a05:6870:1681:b0:41c:65ea:68a1 with SMTP id 586e51a60fabf-4280bda07bels158872fac.0.-pod-prod-03-us; Wed, 15 Apr 2026 16:34:22 -0700 (PDT) X-Received: by 2002:a05:6808:654a:b0:479:3a08:b4ff with SMTP id 5614622812f47-4793a08d1bfmr5958437b6e.7.1776296062485; Wed, 15 Apr 2026 16:34:22 -0700 (PDT) Received: by 2002:a05:6808:4408:b0:46b:22a1:35fc with SMTP id 5614622812f47-47988b84428msb6e; Wed, 15 Apr 2026 16:30:45 -0700 (PDT) X-Received: by 2002:a17:903:3def:b0:2b0:cb96:9815 with SMTP id d9443c01a7336-2b2d5a90324mr174863175ad.43.1776295843856; Wed, 15 Apr 2026 16:30:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1776295843; cv=none; d=google.com; s=arc-20240605; b=PmZZthDv3CxHZ3D8nOR9hgR+vmyc3yJWm8/mdapuyIUOujArWyJLrUz+eTZ8EWyoaX gvC4u0DaO03qt3MiVSk8QXykXkiOanrMJ36LPqJL8/niX2gB1+DF/RGAdpf3tIHFD7/e rYgD6O2eVuF5Yhly7b3VebQ9u7e4DDmgI8T/2ewtzKQw+mrcSbC2fsV7Ft4MzzhLPlRg k7KpOPpqJ2h1ycHhoJs3p1g9QcOsAwtoKZnLs+5CDxm6eBv2ZIxDkN1EWOPWA39vYTsy HD4Aw+486dE5jjLAwq6hviW0qCRQRYJQWiRrLiTI6cmUHdJbjkV9f2lrKmL3D+BJYRdF yARw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date; bh=kZuVD8eZWfHVztu7VNSUXEVBhe8Wa2O2/IzsHha2tUA=; fh=xW8bxyqQYHE1uH3XvdCMfZVppoYs0vQZCdqgnVz97es=; b=SgY3nFkCJiOsjHalwkDWtWOy8lvRN6psHQ2G6faO1bMqnXIbSISlYHqgmbrqTEp9Ux sVUTBDrCSbYUAvE6A8iTI3+XFNy8dK2VyuoFqHHyVMYmXuS+ni0ieiOVzSZF2jQnV42I Gagq83IfhqSfge9S7kG7iFR18zx0wET6NNv/LwnGz0gPHxlbrBkY19qSWWkNH1x2Kznm b4qzpAe+CRKSzk4k5bmUERuu6IB6U5PyT2v9lqASowQTwJ/1TcfY541nlwFxut3+C6Ma UU/7PtFsNUox3J8v5lKR5UUXN0hcINWThrl1HBhPAgEHtMKzH5A3ydBu7PeRQtcUK0cn +92A==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of aj@erisian.com.au designates 172.104.61.193 as permitted sender) smtp.mailfrom=aj@erisian.com.au Received: from cerulean.erisian.com.au (azure.erisian.com.au. [172.104.61.193]) by gmr-mx.google.com with ESMTPS id d9443c01a7336-2b47822539dsi1274065ad.4.2026.04.15.16.30.43 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 15 Apr 2026 16:30:43 -0700 (PDT) Received-SPF: pass (google.com: domain of aj@erisian.com.au designates 172.104.61.193 as permitted sender) client-ip=172.104.61.193; Received: from aj@azure.erisian.com.au by cerulean.erisian.com.au with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wD9gg-00059x-0U; Thu, 16 Apr 2026 09:30:41 +1000 Received: by email (sSMTP sendmail emulation); Thu, 16 Apr 2026 09:30:38 +1000 Date: Thu, 16 Apr 2026 09:30:38 +1000 From: Anthony Towns To: Matt Corallo Cc: Bitcoin Development Mailing List Subject: Re: [bitcoindev] In defense of a PQ output type Message-ID: References: <6wBygQ_pK40ZpU_CMXfzIy-6LkthOmEh-xd2g9bwUl-f8w2K6G4rUWJEssE2zeJgxyipGe2GrFH9y_TUUI48asqfh7dhi9A2rl7NpWyFW1o=@proton.me> <765490aa-5df3-4619-86cc-17570b6d3e99@mattcorallo.com> <6d075872-0db8-4e7b-ac2a-452624c991ad@mattcorallo.com> <42806684-3cc4-42e2-8052-43288a93e91e@mattcorallo.com> <61159968-e2cd-44a6-8171-a815e6055cff@mattcorallo.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline In-Reply-To: <61159968-e2cd-44a6-8171-a815e6055cff@mattcorallo.com> X-Spam_score: -0.0 X-Spam_bar: / X-Original-Sender: aj@erisian.com.au X-Original-Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of aj@erisian.com.au designates 172.104.61.193 as permitted sender) smtp.mailfrom=aj@erisian.com.au Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.8 (/) On Wed, Apr 15, 2026 at 05:50:31PM -0400, Matt Corallo wrote: > On 4/15/26 4:19 PM, Anthony Towns wrote: > > On Tue, Apr 14, 2026 at 04:04:02PM -0400, Matt Corallo wrote: > > > I'm gonna top-post because I think we're too far in the weeds and the > > > high-level argument is getting lost. No, of course I do not thing that our > > > job is to "convince" any quantum skeptics. What is our job is making sure > > > the *bitcoin system* is ready in case a CRQC does become a reality. That > > > means looking at the system as a whole, not individuals. Notably, this means > > > that if the decisions we make result in a bitcoin where some people who are > > > super worried about a CRQC have migrated but everyone else hasn't, and a > > > CRQC becomes an imminent reality, *we've failed*. > > > > I think those views are contradictory. Preparing for a post-quantum > > world is not free: even if you come up with a new address scheme that > > imposes zero overhead to make a PQ spending path available, there are > > still switching costs associated with moving to that new address scheme, > > so the only way you get the people who aren't super worried about CRQC > > to migrate beforehand is precisely to "convince" them that the (low) > > risk is worth the (low) cost. > > > > If the outcome of not doing something is that you've "failed", then > > doing that thing is your "job". > > I mean I agree with everything you said but I think that's also what I said > above. Well, I imagine you're not lean4 validated, so I guess holding contradictory views is your right... > > A path forward in such a scenario > > (30%-95% of BTC held in CRQC-vulnerable > > addresses, CRQC is believed by the public to exist, and willingness > > to hold BTC when large portions of supply are CRQC-vulnerable is > > already low or dropping fast) > > could be to create a hard-fork the chain, > > preserving the UTXO set, but > > making all quantum-vulnerable addresses only spendable > > via a scheme like roasbeef's recent demo > > (ie, provide a PQ ZK proof of a hardened derivation path > > to the pubkey that links that knowledge to a new > > quantum-safe pubkey). > Oh we're very much on the same page here. Such an outcome sucks but its > better than literally nothing. My point was more that some people do have to > migrate because the proof costs to do such a fork (which is definitely not a > hard fork, [...] Making existing UTXOs ("all quantum-vulnerable addresses") spendable via a previously non-existant quantum safe path is a hard fork. Sorry if I didn't phrase that clearly enough. > Also many of these users have a balance in > the $100 range, a recovery transaction fee of $50 is kinda not really useful > for them. At at my last utxo set (height 923,997) there's about 20k BTC ($1.5B) in utxos between 100k sats ($75) and 300k sats ($225), across about 11M utxos. There's about 25M utxos with more than 300k sats. Another advantage of a hard-fork approach is you could relatively easily include an increased blocksize to mitigate some of the impact of larger signature sizes. > > I also don't think there's much point discussing disabling spending paths > > when there isn't any other way to spend funds. From what I've seen, > > there have been demo Winternitz implementations in bllsh (~4,000 WU) > > and GSR (~24,000 WU), and a SHRINCS implementation in Simplicity deployed > > on Liquid (~36,000 WU??). > Yep, all the more reason to add OP_SHRINCS or whatever, which I think all of > this discussion largely assumes. The 36kB withness size was for the "stateful signature transaction / normal operation" case (which AIUI should have been perhaps ~500 WU), not just the fallback. I don't understand it at all, but also haven't tried decoding the simplicity source code. I'm personally a bit skeptical of the dedicated opcode approach, given how fast things move here, both in new improvements being invented and old ideas getting broken. Cheers, aj -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/aeAfnufGvf1pG85h%40erisian.com.au.