Date: Fri, 8 May 2026 04:34:43 -0700 (PDT)
From: Amon BAZONGO <amonmoce@gmail.com>
To: Bitcoin Development Mailing List
Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin

I have made another proposal in a recent conversation titled "what if we let Quantum hunters get Bitcoin rewards?". The core argument: rather than suspending Bitcoin's neutrality to prevent quantum theft, we can structure the inevitable quantum capture of exposed coins as a self-financing prize mechanism — the largest open technological prize in history.

The proposal introduces three components:

- Genesis Quantum Transaction (GQT): recognition of a successful spend from a quantum-exposed address
- Quantum Vault (QV): automatically receives 90% of captured funds, distributes periodically to proven quantum actors synchronized with the halving cycle
- Quantum Proof Address (QPA): the on-chain identity of any actor who demonstrates quantum capture capability, forming a public, unfalsifiable register of global quantum capabilities

The capturing actor receives 10% immediately as a First Reward, with ongoing distributions from the Vault — creating long-term alignment with ecosystem stability rather than incentivizing immediate liquidation.
Draft: https://github.com/amonmoce/Hunting-The-Bitcoin-One-Piece/blob/master/bip-hunting-the-bitcoin-one-piece.md

Feel free to send me feedback here or in the original conversation.

On Thursday, April 30, 2026 at 6:55:30 PM UTC Saint Wenhao wrote:
>
> > P2SH, P2WSH outputs which have never spent are not at risk
>
> P2SH has a risk of collision, when it is used by more than one user. Which is why P2WSH uses SHA-256 alone, without pushing the result of that through RIPEMD-160. It is even described in BIP-141, as a justification for P2WSH: https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki#user-content-P2WSH
>
> > The scriptPubKey occupies 34 bytes, as opposed to 23 bytes of BIP16 P2SH. The increased size improves security against possible collision attacks, as 2^80 work is not infeasible anymore (By the end of 2015, 2^84 hashes have been calculated in Bitcoin mining since the creation of Bitcoin). The spending script is same as the one for an equivalent BIP16 P2SH output but is moved to witness.
>
> And now, in 2026, we have around 2^96 chainwork. Which could make these attacks more practical than theoretical. While quantum computers are still in theory, so if I would have to guess, then I would put more money on a scenario, where RIPEMD-160 collision is found faster than anyone will break secp256k1. There are even some canaries, which could give some incentive to reveal RIPEMD-160 collision, for example 3KyiQEGqqdb4nqfhUzGKN6KPhXmQsLNpay or 39VXyuoc6SXYKp9TcAhoiN1mb4ns6z3Yu6.
>
> But yes, for a single user, 160-bit addresses are safe to use, at least for now.
> However, publishing the first collision may create a lot of FUD, and then, moving these coins to a different address type will be highly recommended, because then you will never know, if new 160-bit addresses can be spent in more ways, which were not yet disclosed on-chain.
>
> On Tue, 28 Apr 2026 at 22:47 Thomas Suau wrote:
>
>> Hi,
>>
>> Against freezing.
>>
>> A vulnerable user post-CRQC is someone who made two active choices: reusing addresses, and not migrating once a standard is available. That's the user breaking the social contract, not the protocol. P2PKH, P2WPKH, P2SH, P2WSH outputs which have never spent are not at risk — pubkey is hashed, not exposed. P2PK, reused addresses, and P2TR key path are. Bitcoin isn't globally broken — specific address types are, and users holding them after a migration path exists are accepting the risk.
>>
>> A script-type freeze applies uniformly to weak output types, not to specific transactions — categorically different from reversing exchange hacks. But once the protocol starts deciding which coins are safe enough to spend, that logic is hard to contain.
>>
>> Either way, the freeze debate is a signal, not the goal. It tells us we need a standard urgently. That's where the energy should go — Matt's thread is asking the right question: What's our goal?
>>
>> Regards,
>>
>> Thomas
>>
>> On Thursday, April 9, 2026 at 10:36:50 UTC+2, Jameson Lopp wrote:
>>
>>> Scratch that; nodes should already be storing the block for which a UTXO was confirmed in order to calculate relative timelock validity. So it should be implementable.
>>>
>>> Still, there are several vague statements that could use more explanation.
>>>
>>> "predictable cliffs invite adversarial behavior." - such as?
>>>
>>> "This avoids retroactively invalidating old transactions while still phasing out insecure constructions." - how so? If you choose a relative max age that's less than the total age of Bitcoin itself, it will by default invalidate extremely old UTXOs.
>>>
>>> "If the protocol begins to distinguish between "legitimate" and "quantum-recovered" spends" - not sure what this means. It's not possible to know if a transaction was made by a quantum attacker.
>>>
>>> On Thu, Apr 9, 2026 at 9:04 AM Jameson Lopp wrote:
>>>
>>>> While an implied age timelock is interesting in theory, I don't think it's practical in reality.
>>>>
>>>> The reason that current styles of timelocks work well is because they are explicit: the actual block height / timestamp of the lock is contained somewhere inside of the transaction itself.
>>>>
>>>> In order to implement an "implied" scheme as you propose, it would require all nodes to start indexing UTXOs by block height in order to avoid a massive performance drop when evaluating whether or not the UTXO is spendable.
>>>>
>>>> On Thu, Apr 9, 2026 at 3:01 AM Bitcoin wrote:
>>>>
>>>>> The protocol should not assume that future participants will be able to coordinate around a single deadline without distortion. A fixed height at which old outputs become invalid would create a predictable cliff, and predictable cliffs invite adversarial behavior. Markets tend to rush toward the edge.
>>>>>
>>>>> Bitcoin works best when incentives are continuous rather than abrupt.
>>>>>
>>>>> A staggered expiration of vulnerable script types is more consistent with the system's long-term stability.
>>>>> If a class of outputs is known to be weak against new computation, then the network can define a rule that such outputs must be spent within a certain number of blocks after creation. This avoids retroactively invalidating old transactions while still phasing out insecure constructions.
>>>>>
>>>>> The network already treats some script forms as discouraged. Extending this to prohibit creation of new vulnerable forms is a natural evolution. Nodes can continue to validate the old chain history while refusing to relay or mine new transactions that expose public keys directly.
>>>>>
>>>>> The idea of forcing quantum-recovered coins into long timelocks is interesting, but it introduces a new class of special-case behavior. Bitcoin's rules should be simple, general, and predictable. If the protocol begins to distinguish between "legitimate" and "quantum-recovered" spends, it implies an authority deciding which coins are morally valid. That is a precedent the system should avoid.
>>>>>
>>>>> The safest rule is the one that does not require judging intent.
>>>>>
>>>>> A relative or absolute timelock applied uniformly to all vulnerable outputs, triggered only by their age, is neutral. It does not ask who is spending the coins or why. It only enforces that insecure forms must be migrated in time.
>>>>>
>>>>> The network cannot prevent advances in mathematics or computation. It can only ensure that the incentives remain aligned so that users upgrade their security before adversaries can exploit weaknesses. The protocol should encourage timely movement without confiscation.
>>>>>
>>>>> The principle remains:
>>>>>
>>>>> Your keys, your coins — but only as long as the key is strong.
>>>>>
>>>>> If a key type becomes weak, the system must give ample time to move funds to stronger constructions, and then retire the weak form gradually so the chain does not become a liability.
>>>>>
>>>>> — S.
>>>>>
>>>>> On Mon, Apr 7, 2025, 6:34 AM Nadav Ivgi wrote:
>>>>>
>>>>>> One possible alternative to freezing/burning the coins entirely is letting quantum attackers keep some small percent as a reward, but force them to stage the rest to future miners as an additional security budget subsidy.
>>>>>>
>>>>>> This can be implemented as a soft fork, by requiring transactions spending QC-vulnerable coins to allocate some funds to an OP_CLTV[0]-only encumbered output timelocked far into the future. Miners would then monitor these outputs and claim them as they become available.
>>>>>>
>>>>>> For example, allow a 1% reward to be spent freely to any address but require 99% to be sent to an OP_CLTV output timelocked to a deterministically random height between 10-100 years from now.
>>>>>>
>>>>>> The 1% reward could also be required to be sent to a script that enforces a timelock (in addition to other conditions), to avoid flooding the markets with the rewarded coins all at once. Probably a shorter timelock duration though, say picked randomly between 10-30 months.
>>>>>>
>>>>>> To further smooth out variance in the release schedule, coins could be split into up-to-N-BTC outputs, each staggered with a different deterministic timelock.
>>>>>> So for example, a single tx spending 10,000 BTC won't release 9,900 BTC to the miners in a single far-future block (which may cause chain instability if the miners get into a reorg war over it), but rather as 9,900 separate outputs of 1 BTC each released gradually over time.[1]
>>>>>>
>>>>>> I'm still not sure what I think about this. This is not necessarily an endorsement, just a thought. :)
>>>>>>
>>>>>> - shesek
>>>>>>
>>>>>> [0] OP_CSV only supports relative timelocks of up to 65535 blocks (~15 months), which is too short for that purpose. OP_CLTV supports longer (absolute) timelocks.
>>>>>>
>>>>>> [1] This can be made more efficient with CTV, by having a single UTXO carrying the full amount that slowly unrolls rather than 9,900 separate UTXO entries.
>>>>>>
>>>>>>
>>>>>> On Sun, Mar 16, 2025 at 5:22 PM Jameson Lopp wrote:
>>>>>>
>>>>>>> The quantum computing debate is heating up. There are many controversial aspects to this debate, including whether or not quantum computers will ever actually become a practical threat.
>>>>>>>
>>>>>>> I won't tread into the unanswerable question of how worried we should be about quantum computers. I think it's far from a crisis, but given the difficulty in changing Bitcoin it's worth starting to seriously discuss. Today I wish to focus on a philosophical quandary related to one of the decisions that would need to be made if and when we implement a quantum safe signature scheme.
>>>>>>>
>>>>>>> Several Scenarios
>>>>>>> Because this essay will reference game theory a fair amount, and there are many variables at play that could change the nature of the game, I think it's important to clarify the possible scenarios up front.
>>>>>>>
>>>>>>> 1. Quantum computing never materializes, never becomes a threat, and thus everything discussed in this essay is moot.
>>>>>>> 2. A quantum computing threat materializes suddenly and Bitcoin does not have quantum safe signatures as part of the protocol. In this scenario it would likely make the points below moot because Bitcoin would be fundamentally broken and it would take far too long to upgrade the protocol, wallet software, and migrate user funds in order to restore confidence in the network.
>>>>>>> 3. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been minimally adopted by the time an attacker appears.
>>>>>>> 4. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been highly adopted by the time an attacker appears.
>>>>>>>
>>>>>>> For the purposes of this post, I'm envisioning being in situation 3 or 4.
>>>>>>>
>>>>>>> To Freeze or not to Freeze?
>>>>>>> I've started seeing more people weighing in on what is likely the most contentious aspect of how a quantum resistance upgrade should be handled in terms of migrating user funds. Should quantum vulnerable funds be left open to be swept by anyone with a sufficiently powerful quantum computer OR should they be permanently locked?
>>>>>>>
>>>>>>>> "I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory.
>>>>>>>> Those with low time preference should support returning lost coins to circulation."
>>>>>>>
>>>>>>> - Hunter Beast
>>>>>>>
>>>>>>>
>>>>>>> On the other hand:
>>>>>>>
>>>>>>>> "Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone; even those which diligently moved their coins to PQC-protected schemes."
>>>>>>>> - Pieter Wuille
>>>>>>>
>>>>>>>
>>>>>>> I don't think "confiscation" is the most precise term to use, as the funds are not being seized and reassigned. Rather, what we're really discussing would be better described as "burning" - placing the funds *out of reach of everyone*.
>>>>>>>
>>>>>>> Not freezing user funds is one of Bitcoin's inviolable properties. However, if quantum computing becomes a threat to Bitcoin's elliptic curve cryptography, *an inviolable property of Bitcoin will be violated one way or another*.
>>>>>>>
>>>>>>> Fundamental Properties at Risk
>>>>>>> 5 years ago I attempted to comprehensively categorize all of Bitcoin's fundamental properties that give it value. https://nakamoto.com/what-are-the-key-properties-of-bitcoin/
>>>>>>>
>>>>>>> The particular properties in play with regard to this issue seem to be:
>>>>>>>
>>>>>>> *Censorship Resistance* - No one should have the power to prevent others from using their bitcoin or interacting with the network.
>>>>>>>
>>>>>>> *Forward Compatibility* - changing the rules such that certain valid transactions become invalid could undermine confidence in the protocol.
>>>>>>>
>>>>>>> *Conservatism* - Users should not be expected to be highly responsive to system issues.
>>>>>>>
>>>>>>> As a result of the above principles, we have developed a strong meme (kudos to Andreas Antonopoulos) that goes as follows:
>>>>>>>
>>>>>>> Not your keys, not your coins.
>>>>>>>
>>>>>>>
>>>>>>> I posit that the corollary to this principle is:
>>>>>>>
>>>>>>> Your keys, only your coins.
>>>>>>>
>>>>>>>
>>>>>>> A quantum capable entity breaks the corollary of this foundational principle. We secure our bitcoin with the mathematical probabilities related to extremely large random numbers. Your funds are only secure because truly random large numbers should not be guessable or discoverable by anyone else in the world.
>>>>>>>
>>>>>>> This is the principle behind the motto *vires in numeris* - strength in numbers. In a world with quantum enabled adversaries, this principle is null and void for many types of cryptography, including the elliptic curve digital signatures used in Bitcoin.
>>>>>>>
>>>>>>> Who is at Risk?
>>>>>>> There has long been a narrative that Satoshi's coins and others from the Satoshi era of P2PK locking scripts that exposed the public key directly on the blockchain will be those that get scooped up by a quantum "miner." But unfortunately it's not that simple. If I had a powerful quantum computer, which coins would I target? I'd go to the Bitcoin rich list and find the wallets that have exposed their public keys due to re-using addresses that have previously been spent from.
>>>>>>> You can easily find them at https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html
>>>>>>>
>>>>>>> Note that a few of these wallets, like Bitfinex / Kraken / Tether, would be slightly harder to crack because they are multisig wallets. So a quantum attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfinex / Tether in order to spend funds. But many are single signature.
>>>>>>>
>>>>>>> Point being, it's not only the really old lost BTC that are at risk to a quantum enabled adversary, at least at time of writing. If we add a quantum safe signature scheme, we should expect those wallets to be some of the first to upgrade given their incentives.
>>>>>>>
>>>>>>> The Ethical Dilemma: Quantifying Harm
>>>>>>> Which decision results in the most harm?
>>>>>>>
>>>>>>> By making quantum vulnerable funds unspendable we potentially harm some Bitcoin users who were not paying attention and neglected to migrate their funds to a quantum safe locking script. This violates the "conservatism" principle stated earlier. On the flip side, we prevent those funds plus far more lost funds from falling into the hands of the few privileged folks who gain early access to quantum computers.
>>>>>>>
>>>>>>> By leaving quantum vulnerable funds available to spend, the same set of users who would otherwise have funds frozen are likely to see them stolen. And many early adopters who lost their keys will eventually see their unreachable funds scooped up by a quantum enabled adversary.
>>>>>>>
>>>>>>> Imagine, for example, being James Howells, who accidentally threw away a hard drive with 8,000 BTC on it, currently worth over $600M USD.
>>>>>>> He has spent a decade trying to retrieve it from the landfill where he knows it's buried, but can't get permission to excavate. I suspect that, given the choice, he'd prefer those funds be permanently frozen rather than fall into someone else's possession - I know I would.
>>>>>>>
>>>>>>> Allowing a quantum computer to access lost funds doesn't make those users any worse off than they were before, however it *would* have a negative impact upon everyone who is currently holding bitcoin.
>>>>>>>
>>>>>>> It's prudent to expect significant economic disruption if large amounts of coins fall into new hands. Since a quantum computer is going to have a massive up front cost, expect those behind it to desire to recoup their investment. We also know from experience that when someone suddenly finds themselves in possession of 9+ figures worth of highly liquid assets, they tend to diversify into other things by selling.
>>>>>>>
>>>>>>> Allowing quantum recovery of bitcoin is *tantamount to wealth redistribution*. What we'd be allowing is for bitcoin to be redistributed from those who are ignorant of quantum computers to those who have won the technological race to acquire quantum computers. It's hard to see a bright side to that scenario.
>>>>>>>
>>>>>>> Is Quantum Recovery Good for Anyone?
>>>>>>>
>>>>>>> Does quantum recovery HELP anyone? I've yet to come across an argument that it's a net positive in any way. It certainly doesn't add any security to the network. If anything, it greatly decreases the security of the network by allowing funds to be claimed by those who did not earn them.
>>>>>>>
>>>>>>> But wait, you may be thinking, wouldn't quantum "miners" have earned their coins by all the work and resources invested in building a quantum computer? I suppose, in the same sense that a burglar earns their spoils by the resources they invest into surveilling targets and learning the skills needed to break into buildings. When I say "earned" I mean through productive mutual trade.
>>>>>>>
>>>>>>> For example:
>>>>>>>
>>>>>>> * Investors earn BTC by trading for other currencies.
>>>>>>> * Merchants earn BTC by trading for goods and services.
>>>>>>> * Miners earn BTC by trading thermodynamic security.
>>>>>>> * Quantum miners don't trade anything, they are vampires feeding upon the system.
>>>>>>>
>>>>>>> There's no reason to believe that allowing quantum adversaries to recover vulnerable bitcoin will be of benefit to anyone other than the select few organizations that win the technological arms race to build the first such computers. Probably nation states and/or the top few largest tech companies.
>>>>>>>
>>>>>>> One could certainly hope that an organization with quantum supremacy is benevolent and acts in a "white hat" manner to return lost coins to their owners, but that's incredibly optimistic and foolish to rely upon. Such a situation creates an insurmountable ethical dilemma of only recovering lost bitcoin rather than currently owned bitcoin. There's no way to precisely differentiate between the two; anyone can claim to have lost their bitcoin but if they have lost their keys then proving they ever had the keys becomes rather difficult. I imagine that any such white hat recovery efforts would have to rely upon attestations from trusted third parties like exchanges.
>>>>>>>
>>>>>>> Even if the first actor with quantum supremacy is benevolent, we must assume the technology could fall into adversarial hands and thus think adversarially about the potential worst case outcomes. Imagine, for example, that North Korea continues scooping up billions of dollars from hacking crypto exchanges and decides to invest some of those proceeds into building a quantum computer for the biggest payday ever...
>>>>>>>
>>>>>>> Downsides to Allowing Quantum Recovery
>>>>>>> Let's think through an exhaustive list of pros and cons for allowing or preventing the seizure of funds by a quantum adversary.
>>>>>>>
>>>>>>> Historical Precedent
>>>>>>> Previous protocol vulnerabilities weren't celebrated as "fair game" but rather were treated as failures to be remediated. Treating quantum theft differently risks rewriting Bitcoin's history as a free-for-all rather than a system that seeks to protect its users.
>>>>>>>
>>>>>>> Violation of Property Rights
>>>>>>> Allowing a quantum adversary to take control of funds undermines the fundamental principle of cryptocurrency - if you keep your keys in your possession, only you should be able to access your money. Bitcoin is built on the idea that private keys secure an individual's assets, and unauthorized access (even via advanced tech) is theft, not a legitimate transfer.
>>>>>>>
>>>>>>> Erosion of Trust in Bitcoin
>>>>>>> If quantum attackers can exploit vulnerable addresses, confidence in Bitcoin as a secure store of value would collapse. Users and investors rely on cryptographic integrity, and widespread theft could drive adoption away from Bitcoin, destabilizing its ecosystem.
>>>>>>>
>>>>>>> This is essentially the counterpoint to claiming the burning of vulnerable funds is a violation of property rights. While some will certainly see it as such, others will find the apathy toward stopping quantum theft to be similarly concerning.
>>>>>>>
>>>>>>> Unfair Advantage
>>>>>>> Quantum attackers, likely equipped with rare and expensive technology, would have an unjust edge over regular users who lack access to such tools. This creates an inequitable system where only the technologically elite can exploit others, contradicting Bitcoin's ethos of decentralized power.
>>>>>>>
>>>>>>> Bitcoin is designed to create an asymmetric advantage for DEFENDING one's wealth. It's supposed to be impractically expensive for attackers to crack the entropy and cryptography protecting one's coins. But now we find ourselves discussing a situation where this asymmetric advantage is compromised in favor of a specific class of attackers.
>>>>>>>
>>>>>>> Economic Disruption
>>>>>>> Large-scale theft from vulnerable addresses could crash Bitcoin's price as quantum recovered funds are dumped on exchanges. This would harm all holders, not just those directly targeted, leading to broader financial chaos in the markets.
>>>>>>>
>>>>>>> Moral Responsibility
>>>>>>> Permitting theft via quantum computing sets a precedent that technological superiority justifies unethical behavior. This is essentially taking a "code is law" stance in which we refuse to admit that both code and laws can be modified to adapt to previously unforeseen situations.
>>>>>>>
>>>>>>> Burning of coins can certainly be considered a form of theft, thus I think it's worth differentiating the two different thefts being discussed:
>>>>>>>
>>>>>>> 1. self-enriching & likely malicious
>>>>>>> 2. harm prevention & not necessarily malicious
>>>>>>>
>>>>>>> Both options lack the consent of the party whose coins are being burnt or transferred, thus I think the simple argument that theft is immoral becomes a wash and it's important to drill down into the details of each.
>>>>>>>
>>>>>>> Incentives Drive Security
>>>>>>> I can tell you from a decade of working in Bitcoin security - the average user is lazy and is a procrastinator. If Bitcoiners are given a "drop dead date" after which they know vulnerable funds will be burned, this pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Allowing vulnerable users to delay upgrading indefinitely will result in more laggards, leaving the network more exposed when quantum tech becomes available.
>>>>>>>
>>>>>>> Steel Manning
>>>>>>> Clearly this is a complex and controversial topic, thus it's worth thinking through the opposing arguments.
>>>>>>>
>>>>>>> Protecting Property Rights
>>>>>>> Allowing quantum computers to take vulnerable bitcoin could potentially be spun as a hard money narrative - we care so greatly about not violating someone's access to their coins that we allow them to be stolen!
>>>>>>>
>>>>>>> But I think the flip side to the property rights narrative is that burning vulnerable coins prevents said property from falling into undeserving hands. If the entire Bitcoin ecosystem just stands around and allows quantum adversaries to claim funds that rightfully belong to other users, is that really a "win" in the "protecting property rights" category? It feels more like apathy to me.
>>>>>>>
>>>>>>> As such, I think the "protecting property rights" argument is a wash.
>>>>>>> >>>>>>> Quantum Computers Won't Attack Bitcoin >>>>>>> There is a great deal of skepticism that sufficiently powerful=20 >>>>>>> quantum computers will ever exist, so we shouldn't bother preparing= for a=20 >>>>>>> non-existent threat. Others have argued that even if such a compute= r was=20 >>>>>>> built, a quantum attacker would not go after bitcoin because they w= ouldn't=20 >>>>>>> want to reveal their hand by doing so, and would instead attack oth= er=20 >>>>>>> infrastructure. >>>>>>> >>>>>>> It's quite difficult to quantify exactly how valuable attacking=20 >>>>>>> other infrastructure would be. It also really depends upon when an = entity=20 >>>>>>> gains quantum supremacy and thus if by that time most of the world'= s=20 >>>>>>> systems have already been upgraded. While I think you could argue t= hat=20 >>>>>>> certain entities gaining quantum capability might not attack Bitcoi= n, it=20 >>>>>>> would only delay the inevitable - eventually somebody will achieve = the=20 >>>>>>> capability who decides to use it for such an attack. >>>>>>> >>>>>>> Quantum Attackers Would Only Steal Small Amounts >>>>>>> Some have argued that even if a quantum attacker targeted bitcoin,= =20 >>>>>>> they'd only go after old, likely lost P2PK outputs so as to not aro= use=20 >>>>>>> suspicion and cause a market panic. >>>>>>> >>>>>>> I'm not so sure about that; why go after 50 BTC at a time when you= =20 >>>>>>> could take 250,000 BTC with the same effort as 50 BTC? This is a cl= assic=20 >>>>>>> "zero day exploit" game theory in which an attacker knows they have= a=20 >>>>>>> limited amount of time before someone else discovers the exploit an= d either=20 >>>>>>> benefits from it or patches it. Take, for example, the recent ByBit= attack=20 >>>>>>> - the highest value crypto hack of all time. 
Lazarus Group had comp= romised=20 >>>>>>> the Safe wallet front end JavaScript app and they could have simply= had it=20 >>>>>>> reassign ownership of everyone's Safe wallets as they were interact= ing with=20 >>>>>>> their wallet. But instead they chose to only specifically target By= Bit's=20 >>>>>>> wallet with $1.5 billion in it because they wanted to maximize thei= r=20 >>>>>>> extractable value. If Lazarus had started stealing from every walle= t, they=20 >>>>>>> would have been discovered quickly and the Safe web app would likel= y have=20 >>>>>>> been patched well before any billion dollar wallets executed the ma= licious=20 >>>>>>> code. >>>>>>> >>>>>>> I think the "only stealing small amounts" argument is strongest for= =20 >>>>>>> Situation #2 described earlier, where a quantum attacker arrives be= fore=20 >>>>>>> quantum safe cryptography has been deployed across the Bitcoin ecos= ystem.=20 >>>>>>> Because if it became clear that Bitcoin's cryptography was broken A= ND there=20 >>>>>>> was nowhere safe for vulnerable users to migrate, the only logical = option=20 >>>>>>> would be for everyone to liquidate their bitcoin as quickly as poss= ible. As=20 >>>>>>> such, I don't think it applies as strongly for situations in which = we have=20 >>>>>>> a migration path available. >>>>>>> >>>>>>> The 21 Million Coin Supply Should be in Circulation >>>>>>> Some folks are arguing that it's important for the "circulating /= =20 >>>>>>> spendable" supply to be as close to 21M as possible and that having= a=20 >>>>>>> significant portion of the supply out of circulation is somehow und= esirable. >>>>>>> >>>>>>> While the "21M BTC" attribute is a strong memetic narrative, I don'= t=20 >>>>>>> think anyone has ever expected that it would all be in circulation.= It has=20 >>>>>>> always been understood that many coins will be lost, and that's act= ually=20 >>>>>>> part of the game theory of owning bitcoin! 
>>>>>>> >>>>>>> And remember, the 21M number in and of itself is not a particularly= =20 >>>>>>> important detail - it's not even mentioned in the whitepaper. What'= s=20 >>>>>>> important is that the supply is well known and not subject to chang= e. >>>>>>> >>>>>>> Self-Sovereignty and Personal Responsibility >>>>>>> Bitcoin=E2=80=99s design empowers individuals to control their own = wealth,=20 >>>>>>> free from centralized intervention. This freedom comes with the bur= den of=20 >>>>>>> securing one's private keys. If quantum computing can break obsolet= e=20 >>>>>>> cryptography, the fault lies with users who didn't move their funds= to=20 >>>>>>> quantum safe locking scripts. Expecting the network to shield users= from=20 >>>>>>> their own negligence undermines the principle that you, and not a t= hird=20 >>>>>>> party, are accountable for your assets. >>>>>>> >>>>>>> I think this is generally a fair point that "the community" doesn't= =20 >>>>>>> owe you anything in terms of helping you. I think that we do, howev= er, need=20 >>>>>>> to consider the incentives and game theory in play with regard to q= uantum=20 >>>>>>> safe Bitcoiners vs quantum vulnerable Bitcoiners. More on that late= r. >>>>>>> >>>>>>> Code is Law >>>>>>> Bitcoin operates on transparent, immutable rules embedded in its=20 >>>>>>> protocol. If a quantum attacker uses superior technology to derive = private=20 >>>>>>> keys from public keys, they=E2=80=99re not "hacking" the system - t= hey're simply=20 >>>>>>> following what's mathematically permissible within the current code= .=20 >>>>>>> Altering the protocol to stop this introduces subjective human=20 >>>>>>> intervention, which clashes with the objective, deterministic natur= e of=20 >>>>>>> blockchain. >>>>>>> >>>>>>> While I tend to agree that code is law, one of the entire points of= =20 >>>>>>> laws is that they can be amended to improve their efficacy in reduc= ing=20 >>>>>>> harm. 
Leaning on this point seems more like a pro-ossification stan= ce that=20 >>>>>>> it's better to do nothing and allow harm to occur rather than take = action=20 >>>>>>> to stop an attack that was foreseen far in advance. >>>>>>> >>>>>>> Technological Evolution as a Feature, Not a Bug >>>>>>> It's well known that cryptography tends to weaken over time and=20 >>>>>>> eventually break. Quantum computing is just the next step in this= =20 >>>>>>> progression. Users who fail to adapt (e.g., by adopting quantum-res= istant=20 >>>>>>> wallets when available) are akin to those who ignored technological= =20 >>>>>>> advancements like multisig or hardware wallets. Allowing quantum th= eft=20 >>>>>>> incentivizes innovation and keeps Bitcoin=E2=80=99s ecosystem dynam= ic, punishing=20 >>>>>>> complacency while rewarding vigilance. >>>>>>> >>>>>>> Market Signals Drive Security >>>>>>> If quantum attackers start stealing funds, it sends a clear signal= =20 >>>>>>> to the market: upgrade your security or lose everything. This press= ure=20 >>>>>>> accelerates the adoption of post-quantum cryptography and strengthe= ns=20 >>>>>>> Bitcoin long-term. Coddling vulnerable users delays this necessary= =20 >>>>>>> evolution, potentially leaving the network more exposed when quantu= m tech=20 >>>>>>> becomes widely accessible. Theft is a brutal but effective teacher. >>>>>>> >>>>>>> Centralized Blacklisting Power >>>>>>> Burning vulnerable funds requires centralized decision-making - a= =20 >>>>>>> soft fork to invalidate certain transactions. This sets a dangerous= =20 >>>>>>> precedent for future interventions, eroding Bitcoin=E2=80=99s decen= tralization. If=20 >>>>>>> quantum theft is blocked, what=E2=80=99s next - reversing exchange = hacks? The=20 >>>>>>> system must remain neutral, even if it means some lose out. >>>>>>> >>>>>>> I think this could be a potential slippery slope if the proposal wa= s=20 >>>>>>> to only burn specific addresses. 
Rather, I'd expect a neutral propo= sal to=20 >>>>>>> burn all funds in locking script types that are known to be quantum= =20 >>>>>>> vulnerable. Thus, we could eliminate any subjectivity from the code= . >>>>>>> >>>>>>> Fairness in Competition >>>>>>> Quantum attackers aren't cheating; they're using publicly available= =20 >>>>>>> physics and math. Anyone with the resources and foresight can build= or=20 >>>>>>> access quantum tech, just as anyone could mine Bitcoin in 2009 with= a CPU.=20 >>>>>>> Early adopters took risks and reaped rewards; quantum innovators ar= e doing=20 >>>>>>> the same. Calling it =E2=80=9Cunfair=E2=80=9D ignores that Bitcoin = has never promised=20 >>>>>>> equality of outcome - only equality of opportunity within its rules= . >>>>>>> >>>>>>> I find this argument to be a mischaracterization because we're not= =20 >>>>>>> talking about CPUs. This is more akin to talking about ASICs, excep= t each=20 >>>>>>> ASIC costs millions if not billions of dollars. This is out of reac= h from=20 >>>>>>> all but the wealthiest organizations. >>>>>>> >>>>>>> Economic Resilience >>>>>>> Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and= =20 >>>>>>> emerged stronger. The market can absorb quantum losses, with unaffe= cted=20 >>>>>>> users continuing to hold and new entrants buying in at lower prices= . Fear=20 >>>>>>> of economic collapse overestimates the impact - the network=E2=80= =99s antifragility=20 >>>>>>> thrives on such challenges. >>>>>>> >>>>>>> This is a big grey area because we don't know when a quantum=20 >>>>>>> computer will come online and we don't know how quickly said comput= ers=20 >>>>>>> would be able to steal bitcoin. 
If, for example, the first generati= on of=20 >>>>>>> sufficiently powerful quantum computers were stealing less volume t= han the=20 >>>>>>> current block reward then of course it will have minimal economic i= mpact.=20 >>>>>>> But if they're taking thousands of BTC per day and bringing them ba= ck into=20 >>>>>>> circulation, there will likely be a noticeable market impact as it = absorbs=20 >>>>>>> the new supply. >>>>>>> >>>>>>> This is where the circumstances will really matter. If a quantum=20 >>>>>>> attacker appears AFTER the Bitcoin protocol has been upgraded to su= pport=20 >>>>>>> quantum resistant cryptography then we should expect the most valua= ble=20 >>>>>>> active wallets will have upgraded and the juiciest target would be = the=20 >>>>>>> 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which = has been=20 >>>>>>> dormant since 2010. In general I'd expect that the amount of BTC=20 >>>>>>> re-entering the circulating supply would look somewhat similar to t= he=20 >>>>>>> mining emission curve: volume would start off very high as the most= =20 >>>>>>> valuable addresses are drained and then it would fall off as quantu= m=20 >>>>>>> computers went down the list targeting addresses with less and less= BTC. >>>>>>> >>>>>>> Why is economic impact a factor worth considering? Miners and=20 >>>>>>> businesses in general. More coins being liquidated will push down t= he=20 >>>>>>> price, which will negatively impact miner revenue. Similarly, I can= attest=20 >>>>>>> from working in the industry for a decade, that lower prices result= in less=20 >>>>>>> demand from businesses across the entire industry. As such, burning= quantum=20 >>>>>>> vulnerable bitcoin is good for the entire industry. >>>>>>> >>>>>>> Practicality & Neutrality of Non-Intervention >>>>>>> There=E2=80=99s no reliable way to distinguish =E2=80=9Ctheft=E2=80= =9D from legitimate=20 >>>>>>> "white hat" key recovery. 
If someone loses their private key and a = quantum=20 >>>>>>> computer recovers it, is that stealing or reclaiming? Policing quan= tum=20 >>>>>>> actions requires invasive assumptions about intent, which Bitcoin= =E2=80=99s=20 >>>>>>> trustless design can=E2=80=99t accommodate. Letting the chips fall = where they may=20 >>>>>>> avoids this mess. >>>>>>> >>>>>>> Philosophical Purity >>>>>>> Bitcoin rejects bailouts. It=E2=80=99s a cold, hard system where ou= tcomes=20 >>>>>>> reflect preparation and skill, not sentimentality. If quantum compu= ting=20 >>>>>>> upends the game, that=E2=80=99s the point - Bitcoin isn=E2=80=99t m= eant to be safe or fair=20 >>>>>>> in a nanny-state sense; it=E2=80=99s meant to be free. Users who lo= se funds to=20 >>>>>>> quantum attacks are casualties of liberty and their own ignorance, = not=20 >>>>>>> victims of injustice. >>>>>>> >>>>>>> Bitcoin's DAO Moment >>>>>>> This situation has some similarities to The DAO hack of an Ethereum= =20 >>>>>>> smart contract in 2016, which resulted in a fork to stop the attack= er and=20 >>>>>>> return funds to their original owners. The game theory is similar b= ecause=20 >>>>>>> it's a situation where a threat is known but there's some period of= time=20 >>>>>>> before the attacker can actually execute the theft. As such, there'= s time=20 >>>>>>> to mitigate the attack by changing the protocol. >>>>>>> >>>>>>> It also created a schism in the community around the true meaning o= f=20 >>>>>>> "code is law," resulting in Ethereum Classic, which decided to allo= w the=20 >>>>>>> attacker to retain control of the stolen funds. >>>>>>> >>>>>>> A soft fork to burn vulnerable bitcoin could certainly result in a= =20 >>>>>>> hard fork if there are enough miners who reject the soft fork and c= ontinue=20 >>>>>>> including transactions. 
>>>>>>> >>>>>>> Incentives Matter >>>>>>> We can wax philosophical until the cows come home, but what are the= =20 >>>>>>> actual incentives for existing Bitcoin holders regarding this decis= ion? >>>>>>> >>>>>>> "Lost coins only make everyone else's coins worth slightly more.=20 >>>>>>>> Think of it as a donation to everyone." - Satoshi Nakamoto >>>>>>> >>>>>>> >>>>>>> If true, the corollary is: >>>>>>> >>>>>>> "Quantum recovered coins only make everyone else's coins worth less= .=20 >>>>>>>> Think of it as a theft from everyone." - Jameson Lopp >>>>>>> >>>>>>> >>>>>>> Thus, assuming we get to a point where quantum resistant signatures= =20 >>>>>>> are supported within the Bitcoin protocol, what's the incentive to = let=20 >>>>>>> vulnerable coins remain spendable? >>>>>>> >>>>>>> * It's not good for the actual owners of those coins. It=20 >>>>>>> disincentivizes owners from upgrading until perhaps it's too late. >>>>>>> * It's not good for the more attentive / responsible owners of coin= s=20 >>>>>>> who have quantum secured their stash. Allowing the circulating supp= ly to=20 >>>>>>> balloon will assuredly reduce the purchasing power of all bitcoin h= olders. >>>>>>> >>>>>>> Forking Game Theory >>>>>>> From a game theory point of view, I see this as incentivizing users= =20 >>>>>>> to upgrade their wallets. If you disagree with the burning of vulne= rable=20 >>>>>>> coins, all you have to do is move your funds to a quantum safe sign= ature=20 >>>>>>> scheme. Point being, I don't see there being an economic majority (= or even=20 >>>>>>> more than a tiny minority) of users who would fight such a soft for= k. Why=20 >>>>>>> expend significant resources fighting a fork when you can just move= your=20 >>>>>>> coins to a new address? >>>>>>> >>>>>>> Remember that blocking spending of certain classes of locking=20 >>>>>>> scripts is a tightening of the rules - a soft fork. 
As such, it can= be=20 >>>>>>> meaningfully enacted and enforced by a mere majority of hashpower. = If=20 >>>>>>> miners generally agree that it's in their best interest to burn vul= nerable=20 >>>>>>> coins, are other users going to care enough to put in the effort to= run new=20 >>>>>>> node software that resists the soft fork? Seems unlikely to me. >>>>>>> >>>>>>> How to Execute Burning >>>>>>> In order to be as objective as possible, the goal would be to=20 >>>>>>> announce to the world that after a specific block height / timestam= p,=20 >>>>>>> Bitcoin nodes will no longer accept transactions (or blocks contain= ing such=20 >>>>>>> transactions) that spend funds from any scripts other than the newl= y=20 >>>>>>> instituted quantum safe schemes. >>>>>>> >>>>>>> It could take a staggered approach to first freeze funds that are= =20 >>>>>>> susceptible to long-range attacks such as those in P2PK scripts or = those=20 >>>>>>> that exposed their public keys due to previously re-using addresses= , but I=20 >>>>>>> expect the additional complexity would drive further controversy. >>>>>>> >>>>>>> How long should the grace period be in order to give the ecosystem= =20 >>>>>>> time to upgrade? I'd say a minimum of 1 year for software wallets t= o=20 >>>>>>> upgrade. We can only hope that hardware wallet manufacturers are ab= le to=20 >>>>>>> implement post quantum cryptography on their existing hardware with= only a=20 >>>>>>> firmware update. >>>>>>> >>>>>>> Beyond that, it will take at least 6 months worth of block space fo= r=20 >>>>>>> all users to migrate their funds, even in a best case scenario. Tho= ugh if=20 >>>>>>> you exclude dust UTXOs you could probably get 95% of BTC value migr= ated in=20 >>>>>>> 1 month. Of course this is a highly optimistic situation where ever= yone is=20 >>>>>>> completely focused on migrations - in reality it will take far long= er. 
>>>>>>> >>>>>>> Regardless, I'd think that in order to reasonably uphold Bitcoin's= =20 >>>>>>> conservatism it would be preferable to allow a 4 year migration win= dow. In=20 >>>>>>> the meantime, mining pools could coordinate emergency soft forking = logic=20 >>>>>>> such that if quantum attackers materialized, they could accelerate = the=20 >>>>>>> countdown to the quantum vulnerable funds burn. >>>>>>> >>>>>>> Random Tangential Benefits >>>>>>> On the plus side, burning all quantum vulnerable bitcoin would allo= w=20 >>>>>>> us to prune all of those UTXOs out of the UTXO set, which would als= o clean=20 >>>>>>> up a lot of dust. Dust UTXOs are a bit of an annoyance and there ha= s even=20 >>>>>>> been a recent proposal for how to incentivize cleaning them up. >>>>>>> >>>>>>> We should also expect that incentivizing migration of the entire=20 >>>>>>> UTXO set will create substantial demand for block space that will s= ustain a=20 >>>>>>> fee market for a fairly lengthy amount of time. >>>>>>> >>>>>>> In Summary >>>>>>> While the moral quandary of violating any of Bitcoin's inviolable= =20 >>>>>>> properties can make this a very complex issue to discuss, the game = theory=20 >>>>>>> and incentives between burning vulnerable coins versus allowing the= m to be=20 >>>>>>> claimed by entities with quantum supremacy appears to be a much sim= pler=20 >>>>>>> issue. >>>>>>> >>>>>>> I, for one, am not interested in rewarding quantum capable entities= =20 >>>>>>> by inflating the circulating money supply just because some people = lost=20 >>>>>>> their keys long ago and some laggards are not upgrading their bitco= in=20 >>>>>>> wallet's security. >>>>>>> >>>>>>> We can hope that this scenario never comes to pass, but hope is not= =20 >>>>>>> a strategy. >>>>>>> >>>>>>> I welcome your feedback upon any of the above points, and=20 >>>>>>> contribution of any arguments I failed to consider. 
>>>>>>>
>>>>>>> --
>>>>>>> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
>>>>>>> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com
I have made another proposal in a recent conversation titled "what if we let Quantum hunters get Bitcoin rewards?". The core argument: rather than suspending Bitcoin's neutrality to prevent quantum theft, we can structure the inevitable quantum capture of exposed coins as a self-financing prize mechanism — the largest open technological prize in history.

The proposal introduces three components:

- Genesis Quantum Transaction (GQT): recognition of a successful spend from a quantum-exposed address
- Quantum Vault (QV): automatically receives 90% of captured funds, distributes periodically to proven quantum actors synchronized with the halving cycle
- Quantum Proof Address (QPA): the on-chain identity of any actor who demonstrates quantum capture capability, forming a public, unfalsifiable register of global quantum capabilities

The capturing actor receives 10% immediately as a First Reward, with ongoing distributions from the Vault — creating long-term alignment with ecosystem stability rather than incentivizing immediate liquidation.

Draft: https://github.com/amonmoce/Hunting-The-Bitcoin-One-Piece/blob/master/bip-hunting-the-bitcoin-one-piece.md

Feel free to send me feedback here or in the original conversation.

On Thursday, April 30, 2026 at 6:55:30 PM UTC Saint Wenhao wrote:
> P2SH, P2WSH outputs which have never spent are not at risk

P2SH has a risk of collision, when it is used by more than one user. Which is why P2WSH uses SHA-256 alone, without pushing the result of that through RIPEMD-160. It is even described in BIP-141, as a justification for P2WSH: https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki#user-content-P2WSH

> The scriptPubKey occupies 34 bytes, as opposed to 23 bytes of BIP16 P2SH. The increased size improves security against possible collision attacks, as 2^80 work is not infeasible anymore (By the end of 2015, 2^84 hashes have been calculated in Bitcoin mining since the creation of Bitcoin). The spending script is same as the one for an equivalent BIP16 P2SH output but is moved to witness.

And now, in 2026, we have around 2^96 chainwork. Which could make these attacks more practical than theoretical. While quantum computers are still in theory, if I had to guess, then I would put more money on a scenario where a RIPEMD-160 collision is found faster than anyone will break secp256k1. There are even some canaries, which could give some incentive to reveal a RIPEMD-160 collision, for example 3KyiQEGqqdb4nqfhUzGKN6KPhXmQsLNpay or 39VXyuoc6SXYKp9TcAhoiN1mb4ns6z3Yu6.

But yes, for a single user, 160-bit addresses are safe to use, at least for now. However, publishing the first collision may create a lot of FUD, and then, moving these coins to a different address type will be highly recommended, because then you will never know if new 160-bit addresses can be spent in more ways, which were not yet disclosed on-chain.

Tue, 28 Apr 2026 at 22:47 Thomas Suau <tome...@gmail.com> wrote:

Hi,

Against freezing.

A vulnerable user post-CRQC is someone who made two active choices: reusing addresses, and not migrating once a standard is available. That's the user breaking the social contract, not the protocol. P2PKH, P2WPKH, P2SH, P2WSH outputs which have never spent are not at risk — pubkey is hashed, not exposed. P2PK, reused addresses, and P2TR key path are. Bitcoin isn't globally broken — specific address types are, and users holding them after a migration path exists are accepting the risk.

A script-type freeze applies uniformly to weak output types, not to specific transactions — categorically different from reversing exchange hacks. But once the protocol starts deciding which coins are safe enough to spend, that logic is hard to contain.

Either way, the freeze debate is a signal, not the goal. It tells us we need a standard urgently. That's where the energy should go — Matt's thread is asking the right question: What's our goal?

Regards,

Thomas


On Thursday, April 9, 2026 at 10:36:50 UTC+2, Jameson Lopp wrote:
Scratch that; nodes should already be storing the block for which a UTXO was confirmed in order to calculate relative timelock validity. So it should be implementable.

Still, there are several vague statements that could use more explanation.

"predictable cliffs invite adversarial behavior." - such as?

"This avoids retroactively invalidating old transactions while still phasing out insecure constructions." - how so? If you choose a relative max age that's less than the total age of Bitcoin itself, it will by default invalidate extremely old UTXOs.

"If the protocol begins to distinguish between "legitimate" and "quantum-recovered" spends" - not sure what this means. It's not possible to know if a transaction was made by a quantum attacker.

While an implied age timelock is interesting in theory, I don't think it's practical in reality.

The reason that current styles of timelocks work well is because they are explicit: the actual block height / timestamp of the lock is contained somewhere inside of the transaction itself.

In order to implement an "implied" scheme as you propose, it would require all nodes to start indexing UTXOs by block height in order to avoid a massive performance drop when evaluating whether or not the UTXO is spendable.

On Thu, Apr 9, 2026 at 3:01 AM Bitcoin <lovelo...@gmail.com> wrote:
The protocol should not assume that future participants will be able to coordinate around a single deadline without distortion. A fixed height at which old outputs become invalid would create a predictable cliff, and predictable cliffs invite adversarial behavior. Markets tend to rush toward the edge.

Bitcoin works best when incentives are continuous rather than abrupt.

A staggered expiration of vulnerable script types is more consistent with the system's long-term stability. If a class of outputs is known to be weak against new computation, then the network can define a rule that such outputs must be spent within a certain number of blocks after creation. This avoids retroactively invalidating old transactions while still phasing out insecure constructions.

The network already treats some script forms as discouraged. Extending this to prohibit creation of new vulnerable forms is a natural evolution. Nodes can continue to validate the old chain history while refusing to relay or mine new transactions that expose public keys directly.

The idea of forcing quantum-recovered coins into long timelocks is interesting, but it introduces a new class of special-case behavior. Bitcoin's rules should be simple, general, and predictable. If the protocol begins to distinguish between "legitimate" and "quantum-recovered" spends, it implies an authority deciding which coins are morally valid. That is a precedent the system should avoid.

The safest rule is the one that does not require judging intent.

A relative or absolute timelock applied uniformly to all vulnerable outputs, triggered only by their age, is neutral. It does not ask who is spending the coins or why. It only enforces that insecure forms must be migrated in time.

The network cannot prevent advances in mathematics or computation. It can only ensure that the incentives remain aligned so that users upgrade their security before adversaries can exploit weaknesses. The protocol should encourage timely movement without confiscation.

The principle remains:

Your keys, your coins — but only as long as the key is strong.

If a key type becomes weak, the system must give ample time to move funds to stronger constructions, and then retire the weak form gradually so the chain does not become a liability.

— S.
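The age rule sketched above, together with the objection in Jameson Lopp's reply that a maximum age shorter than the chain's own age invalidates the oldest outputs on activation, as an added example (not code from either author): the UTXO set, heights and vulnerable-type set are constructed, and the optional grace floor is an illustrative variant rather than anything either message proposed.

```python
"""Age-based expiry of quantum-vulnerable output types (the rule sketched in S.'s
message) checked against Jameson Lopp's objection that a maximum age shorter
than the chain's own age invalidates the oldest outputs at activation. Added
example, not code from either author; UTXOs, heights and the vulnerable-type
set are constructed, and the grace floor is an illustrative variant."""
from dataclasses import dataclass
from typing import Optional

BLOCKS_PER_YEAR = 144 * 365  # nominal 10-minute block spacing

@dataclass(frozen=True)
class Utxo:
    label: str
    script_type: str
    creation_height: int  # nodes already record this for BIP68 relative timelocks
    value_sat: int

@dataclass(frozen=True)
class AgeRule:
    vulnerable_types: frozenset
    activation_height: int
    max_age: int        # blocks a vulnerable output may stay spendable after creation
    min_grace: int = 0  # 0 gives the bare "spend within max_age blocks" rule

    def expiry_height(self, utxo: Utxo) -> Optional[int]:
        """Last height at which the output is still spendable; None if unaffected."""
        if utxo.script_type not in self.vulnerable_types:
            return None
        natural = utxo.creation_height + self.max_age
        if self.min_grace == 0:
            # Bare rule: an output older than max_age at activation has an expiry
            # already in the past, so it is dead in the activation block (Lopp).
            return natural
        # Variant: every pre-existing output keeps at least min_grace blocks.
        return max(natural, self.activation_height + self.min_grace)

    def is_spendable(self, utxo: Utxo, tip_height: int) -> bool:
        if tip_height < self.activation_height:
            return True  # rule not yet in force
        expiry = self.expiry_height(utxo)
        return expiry is None or tip_height <= expiry

def expired_at_activation(rule: AgeRule, utxos: list) -> list:
    """Outputs that are already unspendable in the activation block itself."""
    return [u for u in utxos if not rule.is_spendable(u, rule.activation_height)]

def expiry_histogram(rule: AgeRule, utxos: list) -> dict:
    """Affected outputs per effective expiry height. Expiries already in the past
    at activation are collapsed onto the activation height, where they take
    effect: that spike is the cliff the staggered rule was meant to avoid."""
    hist = {}
    for u in utxos:
        e = rule.expiry_height(u)
        if e is not None:
            e = max(e, rule.activation_height)
            hist[e] = hist.get(e, 0) + 1
    return hist

ACTIVATION = 900_000
# Constructed sample UTXO set: two exposed-key outputs of different ages and
# one hashed-key output the rule leaves alone.
SAMPLE_UTXOS = [
    Utxo("2009-era P2PK", "p2pk", 1_000, 5_000 * 10**8),
    Utxo("2023-era P2PK", "p2pk", 800_000, 2 * 10**8),
    Utxo("P2WPKH, key never revealed", "p2wpkh", 700_000, 1 * 10**8),
]
BARE_RULE = AgeRule(frozenset({"p2pk"}), ACTIVATION, max_age=4 * BLOCKS_PER_YEAR)
FLOORED_RULE = AgeRule(frozenset({"p2pk"}), ACTIVATION, max_age=4 * BLOCKS_PER_YEAR,
                       min_grace=BLOCKS_PER_YEAR)
```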

On Mon, Apr 7, 2025, 6:34 AM Nadav Ivgi <na...@shesek.info> wrote:
One possible alternative to freezing/burning the coins entirely is letting quantum attackers keep some small percent as a reward, but force them to stage the rest to future miners as an additional security budget subsidy.

This can be implemented as a soft fork, by requiring transactions spending QC-vulnerable coins to allocate some funds to an OP_CLTV[0]-only encumbered output timelocked far into the future. Miners would then monitor these outputs and claim them as they become available.

For example, allow a 1% reward to be spent freely to any address but require 99% to be sent to an OP_CLTV output timelocked to a deterministically random height between 10-100 years from now.

The 1% reward could also be required to be sent to a script that enforces a timelock (in addition to other conditions), to avoid flooding the markets with the rewarded coins all at once. Probably a shorter timelock duration though, say picked randomly between 10-30 months.

To further smooth out variance in the release schedule, coins could be split into up-to-N-BTC outputs, each staggered with a different deterministic timelock. So for example, a single tx spending 10,000 BTC won't release 9,900 BTC to the miners in a single far-future block (which may cause chain instability if the miners get into a reorg war over it), but rather as 9,900 separate outputs of 1 BTC each released gradually over time.[1]

I'm still not sure what I think about this. This is not necessarily an endorsement, just a thought. :)

- shesek

[0] OP_CSV only supports relative timelocks of up to 65535 blocks (~15 months), which is too short for that purpose. OP_CLTV supports longer (absolute) timelocks.

[1] This can be made more efficient with CTV, by having a single UTXO carrying the full amount that slowly unrolls rather than 9,900 separate UTXO entries.

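The staged-release rule sketched above (a 1% reward, 99% sent to OP_CLTV-only outputs at deterministic heights 10-100 years out, split into at-most-1-BTC chunks, plus the optional 10-30 month lock on the reward) as an added worked example in Python. This is my illustration, not code from the post and not part of any Bitcoin implementation. Assumptions of mine: 52,560 blocks per year and 4,380 per month for the calendar arithmetic, SHA256 of the spent outpoint plus a chunk index as the "deterministically random" height, and `<height> OP_CLTV OP_DROP OP_TRUE` as the anyone-can-claim script that miners would sweep. The checker treats any output that is not an exact CLTV-only output as the attacker's reward.

```python
import hashlib

# Assumed calendar constants (not from the post): 52,560 blocks/year, 4,380 blocks/month.
BLOCKS_PER_YEAR = 52_560
BLOCKS_PER_MONTH = 4_380
SATS_PER_BTC = 100_000_000
REWARD_PERCENT = 1                                             # attacker may keep 1%
CHUNK_SATS = 1 * SATS_PER_BTC                                  # "up-to-N-BTC" outputs, N = 1
STAGE_RANGE = (10 * BLOCKS_PER_YEAR, 100 * BLOCKS_PER_YEAR)    # miners' 99%: 10-100 years out
REWARD_RANGE = (10 * BLOCKS_PER_MONTH, 30 * BLOCKS_PER_MONTH)  # optional lock on the 1%: 10-30 months
OP_CLTV, OP_DROP, OP_TRUE = 0xB1, 0x75, 0x51


def script_num(n: int) -> bytes:
    """Minimal Bitcoin script-number encoding (little-endian, sign in the top bit)."""
    if n == 0:
        return b""
    out = bytearray(abs(n).to_bytes((abs(n).bit_length() + 7) // 8, "little"))
    if out[-1] & 0x80:
        out.append(0x80 if n < 0 else 0x00)
    elif n < 0:
        out[-1] |= 0x80
    return bytes(out)


def decode_num(b: bytes) -> int:
    """Inverse of script_num."""
    if not b:
        return 0
    n = int.from_bytes(b, "little")
    return -(n & ~(0x80 << (8 * (len(b) - 1)))) if b[-1] & 0x80 else n


def leading_cltv_height(script: bytes):
    """Height if the script begins with a minimal <height> OP_CLTV OP_DROP, else None."""
    n = script[0] if script else 0
    if not 1 <= n <= 75 or len(script) < n + 3 or script[1 + n:3 + n] != bytes([OP_CLTV, OP_DROP]):
        return None
    h = decode_num(script[1:1 + n])
    return h if h > 0 and script_num(h) == script[1:1 + n] else None


def cltv_only_script(height: int) -> bytes:
    """<height> OP_CLTV OP_DROP OP_TRUE: anyone (in practice, miners) can claim it after height."""
    num = script_num(height)
    return bytes([len(num)]) + num + bytes([OP_CLTV, OP_DROP, OP_TRUE])


def parse_cltv_only(script: bytes):
    """Height if the script is exactly the CLTV-only template above, else None."""
    h = leading_cltv_height(script)
    return h if h is not None and script == cltv_only_script(h) else None


def deterministic_height(seed: bytes, index: int, lo: int, hi: int, base_height: int) -> int:
    """Lock height in [base+lo, base+hi], pseudo-random but fixed by the spend itself."""
    digest = hashlib.sha256(seed + index.to_bytes(4, "little")).digest()
    return base_height + lo + int.from_bytes(digest[:8], "big") % (hi - lo + 1)


def plan_staged_outputs(spent_sats: int, seed: bytes, base_height: int):
    """The (value, height) chunks that the non-reward 99% must be staged into."""
    remaining = spent_sats - spent_sats * REWARD_PERCENT // 100
    chunks, index = [], 0
    while remaining > 0:
        value = min(CHUNK_SATS, remaining)
        chunks.append((value, deterministic_height(seed, index, *STAGE_RANGE, base_height)))
        remaining -= value
        index += 1
    return chunks


def check_vulnerable_spend(spent_sats, outputs, seed, base_height, require_reward_lock=True):
    """Soft-fork style check for a tx spending `spent_sats` of QC-vulnerable coins.
    `outputs` is a list of (value_sats, scriptPubKey); `seed` is the spent outpoint. Returns (ok, reason)."""
    max_reward = spent_sats * REWARD_PERCENT // 100
    lo, hi = base_height + REWARD_RANGE[0], base_height + REWARD_RANGE[1]
    staged, reward = [], 0
    for i, (value, spk) in enumerate(outputs):
        h = parse_cltv_only(spk)
        if h is not None:
            staged.append((value, h))
            continue
        reward += value                      # anything not CLTV-only is the attacker's share
        lock = leading_cltv_height(spk)
        if require_reward_lock and (lock is None or not lo <= lock <= hi):
            return False, f"reward output {i} is not locked 10-30 months ahead"
    if reward > max_reward:
        return False, f"reward {reward} sats exceeds the {REWARD_PERCENT}% allowance ({max_reward})"
    if sorted(staged) != sorted(plan_staged_outputs(spent_sats, seed, base_height)):
        return False, "staged outputs do not match the deterministic schedule"
    return True, "ok"


def build_compliant_spend(spent_sats, seed, base_height, reward_spk_tail, fee_sats=0):
    """Outputs a rule-following spender would create: locked reward first, then the 99%."""
    lock = deterministic_height(seed + b"reward", 0, *REWARD_RANGE, base_height)
    num = script_num(lock)
    reward_spk = bytes([len(num)]) + num + bytes([OP_CLTV, OP_DROP]) + reward_spk_tail
    outputs = [(spent_sats * REWARD_PERCENT // 100 - fee_sats, reward_spk)]
    outputs += [(v, cltv_only_script(h)) for v, h in plan_staged_outputs(spent_sats, seed, base_height)]
    return outputs
```

Because the 99% share must match the recomputed schedule exactly, the spender can only pay the transaction fee out of the 1% reward, which is what stops the staged amount from being shaved. A real soft fork would additionally have to define which inputs count as QC-vulnerable and handle transactions that mix vulnerable and safe inputs; the check above takes the vulnerable value as given.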

On Sun, Mar 16, 2025 at 5:22 PM Jameson Lopp <jameso...@gmail.com> wrote:
The quantum computing debate is heating up. There are many controversial aspects to this debate, including whether or not quantum computers will ever actually become a practical threat.

I won't tread into the unanswerable question of how worried we should be about quantum computers. I think it's far from a crisis, but given the difficulty in changing Bitcoin it's worth starting to seriously discuss. Today I wish to focus on a philosophical quandary related to one of the decisions that would need to be made if and when we implement a quantum safe signature scheme.

Several Scenarios
Because this essay will reference game theory a fair amount, and there are many variables at play that could change the nature of the game, I think it's important to clarify the possible scenarios up front.

1. Quantum computing never materializes, never becomes a threat, and thus everything discussed in this essay is moot.
2. A quantum computing threat materializes suddenly and Bitcoin does not have quantum safe signatures as part of the protocol. In this scenario it would likely make the points below moot because Bitcoin would be fundamentally broken and it would take far too long to upgrade the protocol, wallet software, and migrate user funds in order to restore confidence in the network.
3. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been minimally adopted by the time an attacker appears.
4. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been highly adopted by the time an attacker appears.
For the purposes of this post, I'm envisioning being in situation 3 or 4.

To Freeze or not to Freeze?
I've started seeing more people weighing in on what is likely the most contentious aspect of how a quantum resistance upgrade should be handled in terms of migrating user funds. Should quantum vulnerable funds be left open to be swept by anyone with a sufficiently powerful quantum computer OR should they be permanently locked?

"I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation."
- Hunter Beast

On the other hand:

"Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone; even those which diligently moved their coins to PQC-protected schemes."
- Pieter Wuille

I don't think "confiscation" is the most precise term to use, as the funds are not being seized and reassigned. Rather, what we're really discussing would be better described as "burning" - placing the funds out of reach of everyone.

Not freezing user funds is one of Bitcoin's inviolable properties. However, if quantum computing becomes a threat to Bitcoin's elliptic curve cryptography, an inviolable property of Bitcoin will be violated one way or another.

Fundamental Properties at Risk
5 years ago I attempted to comprehensively categorize all of Bitcoin's fundamental properties that give it value. https://nakamoto.com/what-are-the-key-properties-of-bitcoin/

The particular properties in play with regard to this issue seem to be:

Censorship Resistance - No one should have the power to prevent others from using their bitcoin or interacting with the network.
Forward Compatibility - changing the rules such that certain valid transactions become invalid could undermine confidence in the protocol.

Conservatism - Users should not be expected to be highly responsive to system issues.

As a result of the above principles, we have developed a strong meme (kudos to Andreas Antonopoulos) that goes as follows:

Not your keys, not your coins.

I posit that the corollary to this principle is:

Your keys, only your coins.

A quantum capable entity breaks the corollary of this foundational principle. We secure our bitcoin with the mathematical probabilities related to extremely large random numbers. Your funds are only secure because truly random large numbers should not be guessable or discoverable by anyone else in the world.

This is the principle behind the motto vires in numeris - strength in numbers. In a world with quantum enabled adversaries, this principle is null and void for many types of cryptography, including the elliptic curve digital signatures used in Bitcoin.

Who is at Risk?
There has long been a narrative that Satoshi's coins and others from the Satoshi era of P2PK locking scripts that exposed the public key directly on the blockchain will be those that get scooped up by a quantum "miner." But unfortunately it's not that simple. If I had a powerful quantum computer, which coins would I target? I'd go to the Bitcoin rich list and find the wallets that have exposed their public keys due to re-using addresses that have previously been spent from. You can easily find them at https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html

Note that a few of these wallets, like Bitfinex / Kraken / Tether, would be slightly harder to crack because they are multisig wallets. So a quantum attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfinex / Tether in order to spend funds. But many are single signature.

Point being, it's not only the really old lost BTC that are at risk to a quantum enabled adversary, at least at time of writing. If we add a quantum safe signature scheme, we should expect those wallets to be some of the first to upgrade given their incentives.

The Ethical Dilemma: Quantifying Harm
Which decision results in the most harm?

By making quantum vulnerable funds unspendable we potentially harm some Bitcoin users who were not paying attention and neglected to migrate their funds to a quantum safe locking script. This violates the "conservatism" principle stated earlier. On the flip side, we prevent those funds plus far more lost funds from falling into the hands of the few privileged folks who gain early access to quantum computers.

By leaving quantum vulnerable funds available to spend, the same set of users who would otherwise have funds frozen are likely to see them stolen. And many early adopters who lost their keys will eventually see their unreachable funds scooped up by a quantum enabled adversary.

Imagine, for example, being James Howells, who accidentally threw away a hard drive with 8,000 BTC on it, currently worth over $600M USD. He has spent a decade trying to retrieve it from the landfill where he knows it's buried, but can't get permission to excavate. I suspect that, given the choice, he'd prefer those funds be permanently frozen rather than fall into someone else's possession - I know I would.

Allowing a quantum computer to access lost funds doesn't make those users any worse off than they were before, however it would have a negative impact upon everyone who is currently holding bitcoin.

It's prudent to expect significant economic disruption if large amounts of coins fall into new hands. Since a quantum computer is going to have a massive up front cost, expect those behind it to desire to recoup their investment. We also know from experience that when someone suddenly finds themselves in possession of 9+ figures worth of highly liquid assets, they tend to diversify into other things by selling.

Allowing quantum recovery of bitcoin is tantamount to wealth redistribution. What we'd be allowing is for bitcoin to be redistributed from those who are ignorant of quantum computers to those who have won the technological race to acquire quantum computers. It's hard to see a bright side to that scenario.

Is Quantum Recovery Good for Anyone?

Does quantum recovery HELP anyone? I've yet to come across an argument that it's a net positive in any way. It certainly doesn't add any security to the network. If anything, it greatly decreases the security of the network by allowing funds to be claimed by those who did not earn them.

But wait, you may be thinking, wouldn't quantum "miners" have earned their coins by all the work and resources invested in building a quantum computer? I suppose, in the same sense that a burglar earns their spoils by the resources they invest into surveilling targets and learning the skills needed to break into buildings. When I say "earned" I mean through productive mutual trade.

For example:

* Investors earn BTC by trading for other currencies.
* Merchants earn BTC by trading for goods and services.
* Miners earn BTC by trading thermodynamic security.
* Quantum miners don't trade anything, they are vampires feeding upon the system.

There's no reason to believe that allowing quantum adversaries to recover vulnerable bitcoin will be of benefit to anyone other than the select few organizations that win the technological arms race to build the first such computers. Probably nation states and/or the top few largest tech companies.

One could certainly hope that an organization with quantum supremacy is benevolent and acts in a "white hat" manner to return lost coins to their owners, but that's incredibly optimistic and foolish to rely upon. Such a situation creates an insurmountable ethical dilemma of only recovering lost bitcoin rather than currently owned bitcoin. There's no way to precisely differentiate between the two; anyone can claim to have lost their bitcoin but if they have lost their keys then proving they ever had the keys becomes rather difficult. I imagine that any such white hat recovery efforts would have to rely upon attestations from trusted third parties like exchanges.

Even if the first actor with quantum supremacy is benevolent, we must assume the technology could fall into adversarial hands and thus think adversarially about the potential worst case outcomes. Imagine, for example, that North Korea continues scooping up billions of dollars from hacking crypto exchanges and decides to invest some of those proceeds into building a quantum computer for the biggest payday ever...

Downsides to Allowing Quantum Recovery
Let's think through an exhaustive list of pros and cons for allowing or preventing the seizure of funds by a quantum adversary.

Historical Precedent
Previous protocol vulnerabilities weren’t celebrated as "fair game" but rather were treated as failures to be remediated. Treating quantum theft differently risks rewriting Bitcoin’s history as a free-for-all rather than a system that seeks to protect its users.

Violation of Property Rights
Allowing a quantum adversary to take control of funds undermines the fundamental principle of cryptocurrency - if you keep your keys in your possession, only you should be able to access your money. Bitcoin is built on the idea that private keys secure an individual’s assets, and unauthorized access (even via advanced tech) is theft, not a legitimate transfer.

Erosion of Trust in Bitcoin
If quantum attackers can exploit vulnerable addresses, confidence in Bitcoin as a secure store of value would collapse. Users and investors rely on cryptographic integrity, and widespread theft could drive adoption away from Bitcoin, destabilizing its ecosystem.

This is essentially the counterpoint to claiming the burning of vulnerable funds is a violation of property rights. While some will certainly see it as such, others will find the apathy toward stopping quantum theft to be similarly concerning.

Unfair Advantage
Quantum attackers, likely equipped with rare and expensive technology, would have an unjust edge over regular users who lack access to such tools. This creates an inequitable system where only the technologically elite can exploit others, contradicting Bitcoin’s ethos of decentralized power.

Bitcoin is designed to create an asymmetric advantage for DEFENDING one's wealth. It's supposed to be impractically expensive for attackers to crack the entropy and cryptography protecting one's coins. But now we find ourselves discussing a situation where this asymmetric advantage is compromised in favor of a specific class of attackers.

Economic Disruption
Large-scale theft from vulnerable addresses could crash Bitcoin’s price as quantum recovered funds are dumped on exchanges. This would harm all holders, not just those directly targeted, leading to broader financial chaos in the markets.

Moral Responsibility
Permitting theft via quantum computing sets a precedent that technological superiority justifies unethical behavior. This is essentially taking a "code is law" stance in which we refuse to admit that both code and laws can be modified to adapt to previously unforeseen situations.

Burning of coins can certainly be considered a form of theft, thus I think it's worth differentiating the two different thefts being discussed:

1. self-enriching & likely malicious
2. harm prevention & not necessarily malicious

Both options lack the consent of the party whose coins are being burnt or transferred, thus I think the simple argument that theft is immoral becomes a wash and it's important to drill down into the details of each.

Incentives Drive Security
I can tell you from a decade of working in Bitcoin security - the average user is lazy and is a procrastinator. If Bitcoiners are given a "drop dead date" after which they know vulnerable funds will be burned, this pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Allowing vulnerable users to delay upgrading indefinitely will result in more laggards, leaving the network more exposed when quantum tech becomes available.

Steel Manning
Clearly this is a complex and controversial topic, thus it's worth thinking through the opposing arguments.

Protecting Property Rights
Allowing quantum computers to take vulnerable bitcoin could potentially be spun as a hard money narrative - we care so greatly about not violating someone's access to their coins that we allow them to be stolen!

But I think the flip side to the property rights narrative is that burning vulnerable coins prevents said property from falling into undeserving hands. If the entire Bitcoin ecosystem just stands around and allows quantum adversaries to claim funds that rightfully belong to other users, is that really a "win" in the "protecting property rights" category? It feels more like apathy to me.

As such, I think the "protecting property rights" argument is a wash.

Quantum Computers Won't Attack Bitcoin
There is a great deal of skepticism that sufficiently powerful quantum computers will ever exist, so we shouldn't bother preparing for a non-existent threat. Others have argued that even if such a computer was built, a quantum attacker would not go after bitcoin because they wouldn't want to reveal their hand by doing so, and would instead attack other infrastructure.

It's quite difficult to quantify exactly how valuable attacking other infrastructure would be. It also really depends upon when an entity gains quantum supremacy and thus if by that time most of the world's systems have already been upgraded. While I think you could argue that certain entities gaining quantum capability might not attack Bitcoin, it would only delay the inevitable - eventually somebody will achieve the capability who decides to use it for such an attack.

Quantum Attackers Would Only Steal Small Amounts
Some have argued that even if a quantum attacker targeted bitcoin, they'd only go after old, likely lost P2PK outputs so as to not arouse suspicion and cause a market panic.

I'm not so sure about that; why go after 50 BTC at a time when you could take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero day exploit" game theory in which an attacker knows they have a limited amount of time before someone else discovers the exploit and either benefits from it or patches it. Take, for example, the recent ByBit attack - the highest value crypto hack of all time. Lazarus Group had compromised the Safe wallet front end JavaScript app and they could have simply had it reassign ownership of everyone's Safe wallets as they were interacting with their wallet. But instead they chose to only specifically target ByBit's wallet with $1.5 billion in it because they wanted to maximize their extractable value. If Lazarus had started stealing from every wallet, they would have been discovered quickly and the Safe web app would likely have been patched well before any billion dollar wallets executed the malicious code.

I think the "only stealing small amounts" argument is strongest for Situation #2 described earlier, where a quantum attacker arrives before quantum safe cryptography has been deployed across the Bitcoin ecosystem. Because if it became clear that Bitcoin's cryptography was broken AND there was nowhere safe for vulnerable users to migrate, the only logical option would be for everyone to liquidate their bitcoin as quickly as possible. As such, I don't think it applies as strongly for situations in which we have a migration path available.

The 21 Million Coin Supply Should be in Circulation
Some folks are arguing that it's important for the "circulating / spendable" supply to be as close to 21M as possible and that having a significant portion of the supply out of circulation is somehow undesirable.

While the "21M BTC" attribute is a strong memetic narrative, I don't think anyone has ever expected that it would all be in circulation. It has always been understood that many coins will be lost, and that's actually part of the game theory of owning bitcoin!

And remember, the 21M number in and of itself is not a particularly important detail - it's not even mentioned in the whitepaper. What's important is that the supply is well known and not subject to change.

Self-Sovereignty and Personal Responsibility
Bitcoin’s design empowers individuals to control their own wealth, free from centralized intervention. This freedom comes with the burden of securing one's private keys. If quantum computing can break obsolete cryptography, the fault lies with users who didn't move their funds to quantum safe locking scripts. Expecting the network to shield users from their own negligence undermines the principle that you, and not a third party, are accountable for your assets.

I think this is generally a fair point that "the community" doesn't owe you anything in terms of helping you. I think that we do, however, need to consider the incentives and game theory in play with regard to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.

Code is Law
Bitcoin operates on transparent, immutable rules embedded in its protocol. If a quantum attacker uses superior technology to derive private keys from public keys, they’re not "hacking" the system - they're simply following what's mathematically permissible within the current code. Altering the protocol to stop this introduces subjective human intervention, which clashes with the objective, deterministic nature of blockchain.

While I tend to agree that code is law, one of the entire points of laws is that they can be amended to improve their efficacy in reducing harm. Leaning on this point seems more like a pro-ossification stance that it's better to do nothing and allow harm to occur rather than take action to stop an attack that was foreseen far in advance.

Technological Evolution as a Feature, Not a Bug
It's well known that cryptography tends to weaken over time and eventually break. Quantum computing is just the next step in this progression. Users who fail to adapt (e.g., by adopting quantum-resistant wallets when available) are akin to those who ignored technological advancements like multisig or hardware wallets. Allowing quantum theft incentivizes innovation and keeps Bitcoin’s ecosystem dynamic, punishing complacency while rewarding vigilance.

Market Signals Drive Security
If quantum attackers start stealing funds, it sends a clear signal to the market: upgrade your security or lose everything. This pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Coddling vulnerable users delays this necessary evolution, potentially leaving the network more exposed when quantum tech becomes widely accessible. Theft is a brutal but effective teacher.

Centralized Blacklisting Power
Burning vulnerable funds requires centralized decision-making - a soft fork to invalidate certain transactions. This sets a dangerous precedent for future interventions, eroding Bitcoin’s decentralization. If quantum theft is blocked, what’s next - reversing exchange hacks? The system must remain neutral, even if it means some lose out.

I think this could be a potential slippery slope if the proposal was to only burn specific addresses. Rather, I'd expect a neutral proposal to burn all funds in locking script types that are known to be quantum vulnerable. Thus, we could eliminate any subjectivity from the code.

Fairness in Competition
Quantum attackers aren't cheating; they're using publicly available physics and math. Anyone with the resources and foresight can build or access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU. Early adopters took risks and reaped rewards; quantum innovators are doing the same. Calling it “unfair” ignores that Bitcoin has never promised equality of outcome - only equality of opportunity within its rules.

I find this argument to be a mischaracterization because we're not talking about CPUs. This is more akin to talking about ASICs, except each ASIC costs millions if not billions of dollars. This is out of reach from all but the wealthiest organizations.

Economic Resilience
Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and emerged stronger. The market can absorb quantum losses, with unaffected users continuing to hold and new entrants buying in at lower prices. Fear of economic collapse overestimates the impact - the network’s antifragility thrives on such challenges.

This is a big grey area because we don't know when a quantum computer will come online and we don't know how quickly said computers would be able to steal bitcoin. If, for example, the first generation of sufficiently powerful quantum computers were stealing less volume than the current block reward then of course it will have minimal economic impact. But if they're taking thousands of BTC per day and bringing them back into circulation, there will likely be a noticeable market impact as it absorbs the new supply.

This is where the circumstances will really matter. If a quantum attacker appears AFTER the Bitcoin protocol has been upgraded to support quantum resistant cryptography then we should expect the most valuable active wallets will have upgraded and the juiciest target would be the 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant since 2010. In general I'd expect that the amount of BTC re-entering the circulating supply would look somewhat similar to the mining emission curve: volume would start off very high as the most valuable addresses are drained and then it would fall off as quantum computers went down the list targeting addresses with less and less BTC.

Why is economic impact a factor worth considering? Miners and businesses in general. More coins being liquidated will push down the price, which will negatively impact miner revenue. Similarly, I can attest from working in the industry for a decade, that lower prices result in less demand from businesses across the entire industry. As such, burning quantum vulnerable bitcoin is good for the entire industry.

Practicality & Neutrality of Non-Intervention
There’s no reliable way to distinguish “theft” from legitimate "white hat" key recovery. If someone loses their private key and a quantum computer recovers it, is that stealing or reclaiming? Policing quantum actions requires invasive assumptions about intent, which Bitcoin’s trustless design can’t accommodate. Letting the chips fall where they may avoids this mess.

Philosophical Purity
Bitcoin rejects bailouts. It’s a cold, hard system where outcomes reflect preparation and skill, not sentimentality. If quantum computing upends the game, that’s the point - Bitcoin isn’t meant to be safe or fair in a nanny-state sense; it’s meant to be free. Users who lose funds to quantum attacks are casualties of liberty and their own ignorance, not victims of injustice.

Bitcoin's DAO Moment
This situation has some similarities to The DAO hack of an Ethereum smart contract in 2016, which resulted in a fork to stop the attacker and return funds to their original owners. The game theory is similar because it's a situation where a threat is known but there's some period of time before the attacker can actually execute the theft. As such, there's time to mitigate the attack by changing the protocol.

It also created a schism in the community around the true meaning of "code is law," resulting in Ethereum Classic, which decided to allow the attacker to retain control of the stolen funds.

A soft fork to burn vulnerable bitcoin could certainly result in a hard fork if there are enough miners who reject the soft fork and continue including transactions.

Incentives Matter
We can wax philosophical until the cows come home, but what are the actual incentives for existing Bitcoin holders regarding this decision?

"Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone." - Satoshi Nakamoto

If true, the corollary is:

"Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone." - Jameson Lopp

Thus, assuming we get to a point where quantum resistant signatures are supported within the Bitcoin protocol, what's the incentive to let vulnerable coins remain spendable?

* It's not good for the actual owners of those coins. It disincentivizes owners from upgrading until perhaps it's too late.
* It's not good for the more attentive / responsible owners of coins who have quantum secured their stash. Allowing the circulating supply to balloon will assuredly reduce the purchasing power of all bitcoin holders.

Forking Game Theory
From a game theory point of view, I see this as incentivizing users to upgrade their wallets. If you disagree with the burning of vulnerable coins, all you have to do is move your funds to a quantum safe signature scheme. Point being, I don't see there being an economic majority (or even more than a tiny minority) of users who would fight such a soft fork. Why expend significant resources fighting a fork when you can just move your coins to a new address?

Remember that blocking spending of certain classes of locking scripts is a tightening of the rules - a soft fork. As such, it can be meaningfully enacted and enforced by a mere majority of hashpower. If miners generally agree that it's in their best interest to burn vulnerable coins, are other users going to care enough to put in the effort to run new node software that resists the soft fork? Seems unlikely to me.

How to Execute Burning
In order to be as objective as possible, the goal would be to announce to the world that after a specific block height / timestamp, Bitcoin nodes will no longer accept transactions (or blocks containing such transactions) that spend funds from any scripts other than the newly instituted quantum safe schemes.

It could take a staggered approach to first freeze funds that are susceptible to long-range attacks such as those in P2PK scripts or those that exposed their public keys due to previously re-using addresses, but I expect the additional complexity would drive further controversy.

How long should the grace period be in order to give the ecosystem time to upgrade? I'd say a minimum of 1 year for software wallets to upgrade. We can only hope that hardware wallet manufacturers are able to implement post quantum cryptography on their existing hardware with only a firmware update.

Beyond that, it will take at least 6 months worth of block space for all users to migrate their funds, even in a best case scenario. Though if you exclude dust UTXOs you could probably get 95% of BTC value migrated in 1 month. Of course this is a highly optimistic situation where everyone is completely focused on migrations - in reality it will take far longer.

Regardless, I'd think that in order to reasonably uphold Bitcoin's conservatism it would be preferable to allow a 4 year migration window. In the meantime, mining pools could coordinate emergency soft forking logic such that if quantum attackers materialized, they could accelerate the countdown to the quantum vulnerable funds burn.

Random Tangential Benefits
On the plus side, burning all quantum vulnerable bitcoin would allow us to prune all of those UTXOs out of the UTXO set, which would also clean up a lot of dust. Dust UTXOs are a bit of an annoyance and there has even been a recent proposal for how to incentivize cleaning them up.

We should also expect that incentivizing migration of the entire UTXO set will create substantial demand for block space that will sustain a fee market for a fairly lengthy amount of time.

In Summary
While the moral quandary of violating any of Bitcoin's inviolable properties can make this a very complex issue to discuss, the game theory and incentives between burning vulnerable coins versus allowing them to be claimed by entities with quantum supremacy appears to be a much simpler issue.

I, for one, am not interested in rewarding quantum capable entities by inflating the circulating money supply just because some people lost their keys long ago and some laggards are not upgrading their bitcoin wallet's security.

We can hope that this scenario never comes to pass, but hope is not a strategy.

I welcome your feedback upon any of the above points, and contribution of any arguments I failed to consider.
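Jameson Lopp's "Who is at Risk?" and "How to Execute Burning" sections describe a rule keyed on locking-script type rather than on specific addresses, with a possible earlier cutoff for outputs whose public key is already on chain. Below is an added example in Python (my code, not Lopp's, and not part of any Bitcoin implementation) that classifies scriptPubKeys, assigns each an exposure class, applies a staggered burn height, and sums what a node would stop accepting, and so could prune, at a given height. Assumptions of mine: the hypothetical heights 1,050,000 and 1,100,000, a hypothetical segwit version 2 standing in for the post-quantum output type, and a caller-supplied flag saying whether a hash-locked address has been spent from before (on-chain address reuse). P2TR is listed as long-range exposed because its output key sits directly in the scriptPubKey; the post itself does not mention Taproot.

```python
from dataclasses import dataclass

# Hypothetical activation parameters for the rule (not from the post).
BURN_HEIGHT = 1_100_000          # after this height, only PQ-locked outputs may be spent
EXPOSED_BURN_HEIGHT = 1_050_000  # earlier cutoff for outputs whose pubkey is already public
PQ_WITNESS_VERSION = 2           # assumed: a future segwit version carrying the PQ scheme
SATS = 100_000_000

OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY = 0x76, 0xA9, 0x87, 0x88
OP_CHECKSIG, OP_CHECKMULTISIG = 0xAC, 0xAE
HASH_PROTECTED = {"p2pkh", "p2sh", "p2wpkh", "p2wsh"}


def classify(spk: bytes) -> str:
    """Standard output-script templates; 'pq' is the assumed post-quantum witness version.
    P2SH/P2WSH multisig cannot be told apart from other hash-locked scripts here: the
    redeem script (and so the number of keys an attacker must break) is not in the spk."""
    n = len(spk)
    if n == 0:
        return "unknown"
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) and spk[-2:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh"
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[-1] == OP_EQUAL:
        return "p2sh"
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"
    if 4 <= n <= 42 and spk[0] == 0x50 + PQ_WITNESS_VERSION and spk[1] == n - 2:
        return "pq"
    if spk[-1] == OP_CHECKMULTISIG and 0x51 <= spk[0] <= 0x60:
        return "bare_multisig"
    return "unknown"


def exposure(spk: bytes, pubkey_revealed: bool) -> str:
    """How a quantum adversary could reach this output.
    long-range : the key is already on chain (P2PK, bare multisig, the P2TR output key, or a
                 hash-locked output whose address was reused after a spend); attackable offline.
    short-range: only a hash is on chain; the key appears when a spend is broadcast, so the
                 attack must win a race against confirmation.
    pq         : locked by the (assumed) post-quantum scheme."""
    kind = classify(spk)
    if kind == "pq":
        return "pq"
    if kind in ("p2pk", "bare_multisig", "p2tr"):
        return "long-range"
    if kind in HASH_PROTECTED:
        return "long-range" if pubkey_revealed else "short-range"
    return "unknown"


def spend_allowed(spk: bytes, pubkey_revealed: bool, spend_height: int) -> bool:
    """Staggered soft-fork rule: already-exposed outputs freeze first, every other non-PQ
    output freezes at BURN_HEIGHT, PQ outputs stay spendable."""
    risk = exposure(spk, pubkey_revealed)
    if risk == "pq":
        return True
    if risk == "long-range":
        return spend_height < EXPOSED_BURN_HEIGHT
    return spend_height < BURN_HEIGHT


@dataclass
class Utxo:
    txid: str
    vout: int
    value_sats: int
    spk: bytes
    pubkey_revealed: bool = False  # True if this address was spent from before (reuse)


def burn_report(utxos, height: int) -> dict:
    """Value (sats) the rule makes unspendable at `height`, grouped by exposure class.
    Once the burn is final this is also the set a node could prune from its UTXO set."""
    burned = {}
    for u in utxos:
        if not spend_allowed(u.spk, u.pubkey_revealed, height):
            k = exposure(u.spk, u.pubkey_revealed)
            burned[k] = burned.get(k, 0) + u.value_sats
    return burned


# Constructed sample UTXO set (not real chain data): one output per script family.
P2PKH_A = bytes([OP_DUP, OP_HASH160, 20]) + b"\xaa" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
P2PKH_B = bytes([OP_DUP, OP_HASH160, 20]) + b"\xbb" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SAMPLE_UTXOS = [
    Utxo("a1" * 32, 0, 50 * SATS, bytes([33]) + b"\x02" + b"\x11" * 32 + bytes([OP_CHECKSIG])),  # Satoshi-era P2PK
    Utxo("b2" * 32, 0, 10 * SATS, P2PKH_A),                                   # fresh P2PKH, never spent from
    Utxo("c3" * 32, 1, 30 * SATS, P2PKH_B, pubkey_revealed=True),             # reused P2PKH, key already on chain
    Utxo("d4" * 32, 0, 20 * SATS, b"\x00\x20" + b"\xcc" * 32, pubkey_revealed=True),  # reused P2WSH (e.g. multisig)
    Utxo("e5" * 32, 0, 5 * SATS, b"\x51\x20" + b"\xdd" * 32),                # P2TR: output key is on chain
    Utxo("f6" * 32, 0, 7 * SATS, b"\x52\x20" + b"\xee" * 32),                # assumed PQ output
]
```

Tying the rule to script templates keeps it free of address lists, which is the neutrality property the post asks for; the one judgement call left is the reuse flag, which a node can derive from its own chain history rather than from anyone's say-so.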

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com.

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAGXD5f1eTwqMAkxzdJOup3syR%2B5UjrkAaHroBJT0HQw5FA2_YQ%40mail.gmail.com.

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/efbb873b-61b4-40a3-91e7-29826173865fn%40googlegroups.com.