diff options
| -rw-r--r-- | 1e/a31f3f7d8b96f9eae1403ba36dd79fb9479d8d | 2168 |
1 files changed, 2168 insertions, 0 deletions
diff --git a/1e/a31f3f7d8b96f9eae1403ba36dd79fb9479d8d b/1e/a31f3f7d8b96f9eae1403ba36dd79fb9479d8d new file mode 100644 index 000000000..52ac464de --- /dev/null +++ b/1e/a31f3f7d8b96f9eae1403ba36dd79fb9479d8d @@ -0,0 +1,2168 @@ +Delivery-date: Sat, 07 Jun 2025 06:55:16 -0700 +Received: from mail-yb1-f187.google.com ([209.85.219.187]) + by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + (Exim 4.94.2) + (envelope-from <bitcoindev+bncBDI23FE35EIBBNEJSHBAMGQEAHDSGAQ@googlegroups.com>) + id 1uNu0t-0001jm-UW + for bitcoindev@gnusha.org; Sat, 07 Jun 2025 06:55:16 -0700 +Received: by mail-yb1-f187.google.com with SMTP id 3f1490d57ef6-e812e1573ecsf3222588276.2 + for <bitcoindev@gnusha.org>; Sat, 07 Jun 2025 06:55:11 -0700 (PDT) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=googlegroups.com; s=20230601; t=1749304506; x=1749909306; darn=gnusha.org; + h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post + :list-id:mailing-list:precedence:x-original-sender:mime-version + :subject:references:in-reply-to:message-id:to:from:date:sender:from + :to:cc:subject:date:message-id:reply-to; + bh=9up5hq4lJvtrJoktHUw8WLn/9puCsIJYdju6zi1b7nA=; + b=RkUlEpHFre0+3f82GTZxk6/rFrd9RLtd3Y/hH07LsiL+RHBUVzjCkDOacnKUyUak9U + /1Mfm68izCtNN3Hd+j6rwsMVLWRr6f+HmBvCjTag6NE5TvF+K7h4v7ln8069pAPkLV5I + 3OUBUirsoMNApI4C0HWNvy/Yw8Fn3rdTZPcgadvvHArvcVDeD9aeDnkigFPiHAqO3sks + 3Wa5u2ob0sXtRQmWPQ6A96Hi/vX2a5Xlo7h+hj8PvLcK/AEmMRKGLdqhg8SaBQdX98de + EJaqKOqg9ZwWoc47z4P6xhiuuH/CNE5ze8Wnj1GwGRI+CgsePe3Pg3fYe08EW1+pNAy1 + 8FaQ== +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20230601; t=1749304506; x=1749909306; darn=gnusha.org; + h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post + :list-id:mailing-list:precedence:x-original-sender:mime-version + :subject:references:in-reply-to:message-id:to:from:date:from:to:cc + :subject:date:message-id:reply-to; + bh=9up5hq4lJvtrJoktHUw8WLn/9puCsIJYdju6zi1b7nA=; + b=aeVjJaJ65W0ngv2oiSM35+bPvzZXKfLmVCCY+5st+PRhm74xvfpG1slgse9E2luQjP + KfR9MllX92bbd9sGqfL2ZrmotRegSrXNp2xNBGcHB8o5NwusTw2VJ5hwmmhKDWDG4Qxp + xtVaADjsDu71tploQB9cMQEMGIUGoITvGcRlW0CIOsaGcL7h9V/G9Ns3viX+BISDwrkQ + 7D6Azg4wrfwBKOCBwqaGt7QZPtr9HRjckfccQ+ePRatoHZaMvYAHjsGCPJflBQLy5QCl + a/3QwZhm7WNYXgPDXX6dSkSuGYj75nf9xu8X307kKes9CL9aJU52iAchNvH4zLBFwEXh + 3g3w== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20230601; t=1749304506; x=1749909306; + h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post + :list-id:mailing-list:precedence:x-original-sender:mime-version + :subject:references:in-reply-to:message-id:to:from:date:x-beenthere + :x-gm-message-state:sender:from:to:cc:subject:date:message-id + :reply-to; + bh=9up5hq4lJvtrJoktHUw8WLn/9puCsIJYdju6zi1b7nA=; + b=gvUm7rz99Lo/Y53SAfLQuPdjcHaH2ys7OjygBnD6F37/tfihbvi9Q/nI4e5OjkzVl2 + W1JNmxGH2idLB5/wTNsp7WpLdeoHtCefQyDEib4Lzz5SSRl8EJ/V58sDPkUgQtcD7d4p + HX/u0bzNZd+g4LFm+4t9jGrMus2/UdR9SVOcplKB70RfPOHEI42T6/UAUVwRHuhJb0Ss + E/H8U1bm0n5i9CLM8GQuh13tZPq14pP+IsZtmpMeRFKE58kMutGjCnAToJgnuS8lq5/n + esC/rXuXq56j46hf7IbpV3C0qMNXSmwizRkzF+2H+xuyneHXfEfpcX14+2xZnSDW5I7e + 3DCg== +Sender: bitcoindev@googlegroups.com +X-Forwarded-Encrypted: i=1; AJvYcCVgU7ids4L4BTmyqm2Tb66yAjT+pgUM3kZfwL+rBu2vuDWE04d3dfgoXJ/V5ljk2xtbENbF1fxsEB5M@gnusha.org +X-Gm-Message-State: AOJu0YzeM25xCRvRB9DoqJy4NEUgQJljPbIBJARZ7pGh7+kkweQsDnOx + 4P8UYLvCmE1e+94hcmyTknJKJzjMartI2+UsvsQ0Rpz2KOwHyIgRrOGW +X-Google-Smtp-Source: AGHT+IG2Br0Dp1pOKLfFwUWMTeKH6+g6IvzE/4mD7rSui0geEfrJmG0vbjo4qwNjbdBSmdRy62UWkg== +X-Received: by 2002:a05:6902:c06:b0:e7d:c9f4:ed7b with SMTP id 3f1490d57ef6-e81a227c993mr9757571276.1.1749304505627; + Sat, 07 Jun 2025 06:55:05 -0700 (PDT) +X-BeenThere: bitcoindev@googlegroups.com; h=AZMbMZfYGfIeHbTj2cq69vkQxDWQrC35RJGZY1av3o+1sp07bg== +Received: by 2002:a25:6953:0:b0:e81:7cf7:5008 with SMTP id 3f1490d57ef6-e8188826eb1ls2611055276.0.-pod-prod-03-us; + Sat, 07 Jun 2025 06:55:00 -0700 (PDT) +X-Received: by 2002:a05:690c:6c83:b0:6fb:b1dd:a00d with SMTP id 00721157ae682-710f771c5dfmr109416417b3.30.1749304500560; + Sat, 07 Jun 2025 06:55:00 -0700 (PDT) +Received: by 2002:a05:690c:ed6:b0:70d:e0e5:164f with SMTP id 00721157ae682-710f8f40b91ms7b3; + Sat, 7 Jun 2025 06:28:35 -0700 (PDT) +X-Received: by 2002:a05:690c:6f0b:b0:6fb:a696:b23b with SMTP id 00721157ae682-710f7739ae2mr99557867b3.33.1749302914045; + Sat, 07 Jun 2025 06:28:34 -0700 (PDT) +Date: Sat, 7 Jun 2025 06:28:33 -0700 (PDT) +From: waxwing/ AdamISZ <ekaggata@gmail.com> +To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com> +Message-Id: <893891ea-34ec-4d60-9941-9f636be0d747n@googlegroups.com> +In-Reply-To: <ZVSyhRF6sP5xZxzih0EUn-_35mQxiVXYzrvxZ_Dz7tTygUqTmxxyVhFfXswTUmIquzCR6XNGbgLlNUCkHucTAliQf7aesPZBLRFoceu_9BY=@protonmail.com> +References: <E8269A1A-1899-46D2-A7CD-4D9D2B732364@astrotown.de> + <CAJDmzYxw+mXQKjS+h+r6mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg@mail.gmail.com> + <zyx7G6H1TyB2sWVEKAfIYmCCvfXniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXLmiCJOY=@proton.me> + <CAC3UE4+DR=DQqtT+X0SYvH1XCVnmatD7frcHC5dtdVAef39UnQ@mail.gmail.com> + <CAJDmzYycnXODG_e9ATqTkooUu3C-RS703P1-RQLW5CdcCehsqg@mail.gmail.com> + <ZVSyhRF6sP5xZxzih0EUn-_35mQxiVXYzrvxZ_Dz7tTygUqTmxxyVhFfXswTUmIquzCR6XNGbgLlNUCkHucTAliQf7aesPZBLRFoceu_9BY=@protonmail.com> +Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin +MIME-Version: 1.0 +Content-Type: multipart/mixed; + boundary="----=_Part_18010_831844196.1749302913697" +X-Original-Sender: ekaggata@gmail.com +Precedence: list +Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com +List-ID: <bitcoindev.googlegroups.com> +X-Google-Group-Id: 786775582512 +List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com> +List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com> +List-Archive: <https://groups.google.com/group/bitcoindev +List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com> +List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>, + <https://groups.google.com/group/bitcoindev/subscribe> +X-Spam-Score: 0.0 (/) + +------=_Part_18010_831844196.1749302913697 +Content-Type: multipart/alternative; + boundary="----=_Part_18011_501201720.1749302913697" + +------=_Part_18011_501201720.1749302913697 +Content-Type: text/plain; charset="UTF-8" +Content-Transfer-Encoding: quoted-printable + +> I'm not a lawyer, but if developers make a conscious decision to make a= +=20 +code change that confiscates funds, even with a reasonable heads-up, I feel= +=20 +like some lawyers might be tempted to make an argument that those=20 +developers should be held responsible for any losses. As everyone knows,=20 +Bitcoin has been under legal attacks before, and I'm not sure that anyone= +=20 +would (or should) be willing to sign off on a change that might potentially= +=20 +open them up to several billion dollars worth of personal responsibility -= +=20 +especially if the "bonded courier" actually shows up and reveals a private= +=20 +key that would have unlocked funds under the pre-QC scheme. + +Coincidentally, Peter Todd has just made the same point in another=20 +(apparently unrelated) thread, here:=20 +https://groups.google.com/g/bitcoindev/c/bmV1QwYEN4k/m/kkHQZd_BAwAJ + +For me it's very clear, that it's not an accident that such "unexpected"=20 +side effects exist. It's a feature that I'd whimsically call "ethical=20 +impedance-mismatch" (the term impedance mismatch has been used in=20 +computing/programming, which itself borrowed it from the real meaning, in= +=20 +physics). People have a moral/ethical desire to make bitcoin function as=20 +well as possible, and see a failure mode in those using it for other=20 +purposes, but that line of thought clashes with the essential, basic=20 +principle of censorship-resistance. + +So we see technical borked-ness like failure to get accurate fee rates and= +=20 +the like, from doing something (attempting to filter at p2p level) that it= +=20 +is intrinsically counter to the foundational ethical, functional purpose of= +=20 +the system: censorship-resistance. And then we see "cascading failures" of= +=20 +the type discussed here: if the devs are working to break bitcoin's ethical= +=20 +promise of censorship-resistance, then thugs^H^H politicians and lawyers,= +=20 +will seek to take control of that "break" for their own purposes. + +That's why I'm not against "quantum recovery" as per the title of this=20 +thread. Recovery, independent of outside control, *is* bitcoin's function.= +=20 +If half a million btc get spent by someone who has "recovered" in an=20 +unexpected way, tough titties. If the entire system collapses because we=20 +can't get our act together before 2085 (OK I know some think it's 2035, I= +=20 +don't, but whatever), then it is what it is. That is a huge unknown. But=20 +Bitcoin will 100% fail if confiscation of *any* type becomes a thing. + +Cheers, +AdamISZ/waxwing +On Wednesday, June 4, 2025 at 4:56:53=E2=80=AFAM UTC-3 ArmchairCryptologist= + wrote: + +> Hi, +> +> With the longer grace period and selective deactivation, this seems more= +=20 +> sensible, but there is one elephant in the room that I haven't seen=20 +> mentioned here - namely, the legal aspect. (If it was, sorry I missed it.= +) +> +> I'm not a lawyer, but if developers make a conscious decision to make a= +=20 +> code change that confiscates funds, even with a reasonable heads-up, I fe= +el=20 +> like some lawyers might be tempted to make an argument that those=20 +> developers should be held responsible for any losses. As everyone knows,= +=20 +> Bitcoin has been under legal attacks before, and I'm not sure that anyone= +=20 +> would (or should) be willing to sign off on a change that might potential= +ly=20 +> open them up to several billion dollars worth of personal responsibility = +-=20 +> especially if the "bonded courier" actually shows up and reveals a privat= +e=20 +> key that would have unlocked funds under the pre-QC scheme. +> +> The only safe-ish way I can see to do this is to have it only affect fund= +s=20 +> that are very likely to be lost in the first place. So at the very least,= +=20 +> it could not affect UTXOs that could potentially be encumbered with a=20 +> timelock (i.e. P2SH/P2WSH), and it could only affect UTXOs that have not= +=20 +> moved for a very long time (say 15-20 years).=20 +> +> If quantum computers capable of practical attacks against Bitcoin are eve= +r=20 +> known to actually exist, *sending*=E2=80=8B to non-PQC addresses should o= +f course=20 +> be disabled immediately. But I feel that the nature of a permissionless= +=20 +> system implies a large degree of self-responsibility, so if someone choos= +es=20 +> to keep using non-PQC addresses even after PQC addresses have become=20 +> available and practical quantum attacks are suspected to be an imminent= +=20 +> danger, it's not necessarily up to the developers to tell them they can't= +,=20 +> only that they really shouldn't. +> +> -- +> Regards, +> ArmchairCryptologist +> +> Sent with Proton Mail <https://proton.me/mail/home> secure email.=20 +> +> On Monday, May 26th, 2025 at 2:48 AM, Agustin Cruz <agusti...@gmail.com>= +=20 +> wrote: +> +> Hi everyone, +> +> QRAMP proposal aims to manage the quantum transition responsibly without= +=20 +> disrupting Bitcoin=E2=80=99s core principles. +> +> QRAMP has three phases: +> +> 1. Allow wallets to optionally include PQC keys in Taproot outputs. This= +=20 +> enables early adoption without forcing anyone. +> +> 2. Announce a soft fork to disable vulnerable scripts, with a long=20 +> (~4-year) grace period. This gives ample time to migrate and avoids sudde= +n=20 +> shocks. +> +> 3. Gradually deactivate vulnerable outputs based on age or inactivity.=20 +> This avoids a harsh cutoff and gives time for adaptation. +> +> We can also allow exceptions via proof-of-possession, and delay=20 +> restrictions on timelocked outputs to avoid harming future spenders. +> +> QRAMP is not about confiscation or control. It=E2=80=99s about aligning= +=20 +> incentives, maintaining security, and offering a clear, non-coercive=20 +> upgrade path. +> +> Best, +> Agustin Cruz +> +> +> +> El dom, 25 de may de 2025, 7:03=E2=80=AFp.m., Dustin Ray <dustinvo...@gma= +il.com>=20 +> escribi=C3=B3: +> +>> The difference between the ETH/ETC split though was that no one had=20 +>> anything confiscated except the DAO hacker, everyone retained an identic= +al=20 +>> number of tokens on each chain. The proposal for BTC is very different i= +n=20 +>> that some holders will lose access to their coins during the PQ migratio= +n=20 +>> under the confiscation approach. Just wanted to point that out. +>> +>> On Sun, May 25, 2025 at 3:06=E2=80=AFPM 'conduition' via Bitcoin Develop= +ment=20 +>> Mailing List <bitco...@googlegroups.com> wrote: +>> +>>> Hey Saulo, +>>> +>>> You're right about the possibility of an ugly split. Laggards who don't= +=20 +>>> move coins to PQ address schemes will be incentivized to follow any cha= +in=20 +>>> where they keep their coins. But those who do migrate will be incentivi= +zed=20 +>>> to follow the chain where unmigrated pre-quantum coins are frozen.=20 +>>> +>>> While you're comparing this event to the ETH/ETC split, we should=20 +>>> remember that ETH remained the dominant chain despite their heavy-hande= +d=20 +>>> rollback. Just goes to show, confusion and face-loss is a lesser evil t= +han=20 +>>> allowing an adversary to pwn the network.=20 +>>> +>>> This is the free-market way to solve problems without imposing rules on= +=20 +>>> everyone. +>>> +>>> +>>> It'd still be a free market even if quantum-vulnerable coins are frozen= +.=20 +>>> The only way to test the relative value of quantum-safe vs=20 +>>> quantum-vulnerable coins is to split the chain and see how the market= +=20 +>>> reacts.=20 +>>> +>>> IMO, the "free market way" is to give people options and let their mone= +y=20 +>>> flow to where it works best. That means people should be able to choose= +=20 +>>> whether they want their money to be part of a system that allows quantu= +m=20 +>>> attack, or part of one which does not. I know which I would choose, but= +=20 +>>> neither you nor I can make that choice for everyone. +>>> +>>> regards, +>>> conduition +>>> On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz < +>>> agusti...@gmail.com> wrote: +>>> +>>> I=E2=80=99m against letting quantum computers scoop up funds from addre= +sses that=20 +>>> don=E2=80=99t upgrade to quantum-resistant.=20 +>>> Saulo=E2=80=99s idea of a free-market approach, leaving old coins up fo= +r grabs=20 +>>> if people don=E2=80=99t move them, sounds fair at first. Let luck decid= +e, right?=20 +>>> But I worry it=E2=80=99d turn into a mess. If quantum machines start cr= +acking keys=20 +>>> and snagging coins, it=E2=80=99s not just lost Satoshi-era stuff at ris= +k. Plenty of=20 +>>> active wallets, like those on the rich list Jameson mentioned, could ge= +t=20 +>>> hit too. Imagine millions of BTC flooding the market. Prices tank, trus= +t in=20 +>>> Bitcoin takes a dive, and we all feel the pain. Freezing those vulnerab= +le=20 +>>> funds keeps that chaos in check. +>>> Plus, =E2=80=9Cyour keys, your coins=E2=80=9D is Bitcoin=E2=80=99s hear= +t. If quantum tech can=20 +>>> steal from you just because you didn=E2=80=99t upgrade fast enough, tha= +t promise=20 +>>> feels shaky. Freezing funds after a heads-up period (say, four years)= +=20 +>>> protects that idea better than letting tech giants or rogue states play= +=20 +>>> vampire with our network. It also nudges people to get their act togeth= +er=20 +>>> and move to safer addresses, which strengthens Bitcoin long-term. +>>> Saulo=E2=80=99s right that freezing coins could confuse folks or spark = +a split=20 +>>> like Ethereum Classic. But I=E2=80=99d argue quantum theft would look w= +orse.=20 +>>> Bitcoin would seem broken, not just strict. A clear plan and enough tim= +e to=20 +>>> migrate could smooth things over. History=E2=80=99s on our side too. Bi= +tcoin=E2=80=99s=20 +>>> fixed bugs before, like SegWit. This feels like that, not a bailout. +>>> So yeah, I=E2=80=99d rather see vulnerable coins locked than handed to = +whoever=20 +>>> builds the first quantum rig. It=E2=80=99s less about coddling people a= +nd more=20 +>>> about keeping Bitcoin solid for everyone. What do you all think? +>>> Cheers, +>>> Agust=C3=ADn +>>> +>>> +>>> On Sun, Mar 23, 2025 at 10:29=E2=80=AFPM AstroTown <sa...@astrotown.de>= + wrote: +>>> +>>>> I believe that having some entity announce the decision to freeze old= +=20 +>>>> UTXOs would be more damaging to Bitcoin=E2=80=99s image (and its value= +) than having=20 +>>>> them gathered by QC. This would create another version of Bitcoin, sim= +ilar=20 +>>>> to Ethereum Classic, causing confusion in the market. +>>>> +>>>> It would be better to simply implement the possibility of moving funds= +=20 +>>>> to a PQC address without a deadline, allowing those who fail to do so = +to=20 +>>>> rely on luck to avoid having their coins stolen. Most coins would be= +=20 +>>>> migrated to PQC anyway, and in most cases, only the lost ones would re= +main=20 +>>>> vulnerable. This is the free-market way to solve problems without impo= +sing=20 +>>>> rules on everyone. +>>>> +>>>> Saulo Fonseca +>>>> +>>>> +>>>> On 16. Mar 2025, at 15:15, Jameson Lopp <jameso...@gmail.com> wrote: +>>>> +>>>> The quantum computing debate is heating up. There are many=20 +>>>> controversial aspects to this debate, including whether or not quantum= +=20 +>>>> computers will ever actually become a practical threat. +>>>> +>>>> I won't tread into the unanswerable question of how worried we should= +=20 +>>>> be about quantum computers. I think it's far from a crisis, but given = +the=20 +>>>> difficulty in changing Bitcoin it's worth starting to seriously discus= +s.=20 +>>>> Today I wish to focus on a philosophical quandary related to one of th= +e=20 +>>>> decisions that would need to be made if and when we implement a quantu= +m=20 +>>>> safe signature scheme. +>>>> +>>>> Several Scenarios +>>>> Because this essay will reference game theory a fair amount, and there= +=20 +>>>> are many variables at play that could change the nature of the game, I= +=20 +>>>> think it's important to clarify the possible scenarios up front. +>>>> +>>>> 1. Quantum computing never materializes, never becomes a threat, and= +=20 +>>>> thus everything discussed in this essay is moot. +>>>> 2. A quantum computing threat materializes suddenly and Bitcoin does= +=20 +>>>> not have quantum safe signatures as part of the protocol. In this scen= +ario=20 +>>>> it would likely make the points below moot because Bitcoin would be=20 +>>>> fundamentally broken and it would take far too long to upgrade the=20 +>>>> protocol, wallet software, and migrate user funds in order to restore= +=20 +>>>> confidence in the network. +>>>> 3. Quantum computing advances slowly enough that we come to consensus= +=20 +>>>> about how to upgrade Bitcoin and post quantum security has been minima= +lly=20 +>>>> adopted by the time an attacker appears. +>>>> 4. Quantum computing advances slowly enough that we come to consensus= +=20 +>>>> about how to upgrade Bitcoin and post quantum security has been highly= +=20 +>>>> adopted by the time an attacker appears. +>>>> +>>>> For the purposes of this post, I'm envisioning being in situation 3 or= +=20 +>>>> 4. +>>>> +>>>> To Freeze or not to Freeze? +>>>> I've started seeing more people weighing in on what is likely the most= +=20 +>>>> contentious aspect of how a quantum resistance upgrade should be handl= +ed in=20 +>>>> terms of migrating user funds. Should quantum vulnerable funds be left= + open=20 +>>>> to be swept by anyone with a sufficiently powerful quantum computer OR= +=20 +>>>> should they be permanently locked? +>>>> +>>>> "I don't see why old coins should be confiscated. The better option is= +=20 +>>>>> to let those with quantum computers free up old coins. While this mig= +ht=20 +>>>>> have an inflationary impact on bitcoin's price, to use a turn of phra= +se,=20 +>>>>> the inflation is transitory. Those with low time preference should su= +pport=20 +>>>>> returning lost coins to circulation."=20 +>>>> +>>>> - Hunter Beast +>>>> +>>>> +>>>> On the other hand: +>>>> +>>>> "Of course they have to be confiscated. If and when (and that's a big= +=20 +>>>>> if) the existence of a cryptography-breaking QC becomes a credible th= +reat,=20 +>>>>> the Bitcoin ecosystem has no other option than softforking out the ab= +ility=20 +>>>>> to spend from signature schemes (including ECDSA and BIP340) that are= +=20 +>>>>> vulnerable to QCs. The alternative is that millions of BTC become=20 +>>>>> vulnerable to theft; I cannot see how the currency can maintain any v= +alue=20 +>>>>> at all in such a setting. And this affects everyone; even those which= +=20 +>>>>> diligently moved their coins to PQC-protected schemes." +>>>>> - Pieter Wuille +>>>> +>>>> +>>>> I don't think "confiscation" is the most precise term to use, as the= +=20 +>>>> funds are not being seized and reassigned. Rather, what we're really= +=20 +>>>> discussing would be better described as "burning" - placing the funds = +*out=20 +>>>> of reach of everyone*. +>>>> +>>>> Not freezing user funds is one of Bitcoin's inviolable properties.=20 +>>>> However, if quantum computing becomes a threat to Bitcoin's elliptic c= +urve=20 +>>>> cryptography, *an inviolable property of Bitcoin will be violated one= +=20 +>>>> way or another*. +>>>> +>>>> Fundamental Properties at Risk +>>>> 5 years ago I attempted to comprehensively categorize all of Bitcoin's= +=20 +>>>> fundamental properties that give it value.=20 +>>>> https://nakamoto.com/what-are-the-key-properties-of-bitcoin/ +>>>> +>>>> The particular properties in play with regard to this issue seem to be= +: +>>>> +>>>> *Censorship Resistance* - No one should have the power to prevent=20 +>>>> others from using their bitcoin or interacting with the network. +>>>> +>>>> *Forward Compatibility* - changing the rules such that certain valid= +=20 +>>>> transactions become invalid could undermine confidence in the protocol= +. +>>>> +>>>> *Conservatism* - Users should not be expected to be highly responsive= +=20 +>>>> to system issues. +>>>> +>>>> As a result of the above principles, we have developed a strong meme= +=20 +>>>> (kudos to Andreas Antonopoulos) that goes as follows: +>>>> +>>>> Not your keys, not your coins. +>>>> +>>>> +>>>> I posit that the corollary to this principle is: +>>>> +>>>> Your keys, only your coins. +>>>> +>>>> +>>>> A quantum capable entity breaks the corollary of this foundational=20 +>>>> principle. We secure our bitcoin with the mathematical probabilities= +=20 +>>>> related to extremely large random numbers. Your funds are only secure= +=20 +>>>> because truly random large numbers should not be guessable or discover= +able=20 +>>>> by anyone else in the world. +>>>> +>>>> This is the principle behind the motto *vires in numeris* - strength= +=20 +>>>> in numbers. In a world with quantum enabled adversaries, this principl= +e is=20 +>>>> null and void for many types of cryptography, including the elliptic c= +urve=20 +>>>> digital signatures used in Bitcoin. +>>>> +>>>> Who is at Risk? +>>>> There has long been a narrative that Satoshi's coins and others from= +=20 +>>>> the Satoshi era of P2PK locking scripts that exposed the public key=20 +>>>> directly on the blockchain will be those that get scooped up by a quan= +tum=20 +>>>> "miner." But unfortunately it's not that simple. If I had a powerful= +=20 +>>>> quantum computer, which coins would I target? I'd go to the Bitcoin ri= +ch=20 +>>>> list and find the wallets that have exposed their public keys due to= +=20 +>>>> re-using addresses that have previously been spent from. You can easil= +y=20 +>>>> find them at=20 +>>>> https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html +>>>> +>>>> Note that a few of these wallets, like Bitfinex / Kraken / Tether,=20 +>>>> would be slightly harder to crack because they are multisig wallets. S= +o a=20 +>>>> quantum attacker would need to reverse engineer 2 keys for Kraken or 3= + for=20 +>>>> Bitfinex / Tether in order to spend funds. But many are single signatu= +re. +>>>> +>>>> Point being, it's not only the really old lost BTC that are at risk to= +=20 +>>>> a quantum enabled adversary, at least at time of writing. If we add a= +=20 +>>>> quantum safe signature scheme, we should expect those wallets to be so= +me of=20 +>>>> the first to upgrade given their incentives. +>>>> +>>>> The Ethical Dilemma: Quantifying Harm +>>>> Which decision results in the most harm? +>>>> +>>>> By making quantum vulnerable funds unspendable we potentially harm som= +e=20 +>>>> Bitcoin users who were not paying attention and neglected to migrate t= +heir=20 +>>>> funds to a quantum safe locking script. This violates the "conservativ= +ism"=20 +>>>> principle stated earlier. On the flip side, we prevent those funds plu= +s far=20 +>>>> more lost funds from falling into the hands of the few privileged folk= +s who=20 +>>>> gain early access to quantum computers. +>>>> +>>>> By leaving quantum vulnerable funds available to spend, the same set o= +f=20 +>>>> users who would otherwise have funds frozen are likely to see them sto= +len.=20 +>>>> And many early adopters who lost their keys will eventually see their= +=20 +>>>> unreachable funds scooped up by a quantum enabled adversary. +>>>> +>>>> Imagine, for example, being James Howells, who accidentally threw away= +=20 +>>>> a hard drive with 8,000 BTC on it, currently worth over $600M USD. He = +has=20 +>>>> spent a decade trying to retrieve it from the landfill where he knows = +it's=20 +>>>> buried, but can't get permission to excavate. I suspect that, given th= +e=20 +>>>> choice, he'd prefer those funds be permanently frozen rather than fall= + into=20 +>>>> someone else's possession - I know I would. +>>>> +>>>> Allowing a quantum computer to access lost funds doesn't make those=20 +>>>> users any worse off than they were before, however it *would*have a=20 +>>>> negative impact upon everyone who is currently holding bitcoin. +>>>> +>>>> It's prudent to expect significant economic disruption if large amount= +s=20 +>>>> of coins fall into new hands. Since a quantum computer is going to hav= +e a=20 +>>>> massive up front cost, expect those behind it to desire to recoup thei= +r=20 +>>>> investment. We also know from experience that when someone suddenly fi= +nds=20 +>>>> themselves in possession of 9+ figures worth of highly liquid assets, = +they=20 +>>>> tend to diversify into other things by selling. +>>>> +>>>> Allowing quantum recovery of bitcoin is *tantamount to wealth=20 +>>>> redistribution*. What we'd be allowing is for bitcoin to be=20 +>>>> redistributed from those who are ignorant of quantum computers to thos= +e who=20 +>>>> have won the technological race to acquire quantum computers. It's har= +d to=20 +>>>> see a bright side to that scenario. +>>>> +>>>> Is Quantum Recovery Good for Anyone? +>>>> +>>>> Does quantum recovery HELP anyone? I've yet to come across an argument= +=20 +>>>> that it's a net positive in any way. It certainly doesn't add any secu= +rity=20 +>>>> to the network. If anything, it greatly decreases the security of the= +=20 +>>>> network by allowing funds to be claimed by those who did not earn them= +. +>>>> +>>>> But wait, you may be thinking, wouldn't quantum "miners" have earned= +=20 +>>>> their coins by all the work and resources invested in building a quant= +um=20 +>>>> computer? I suppose, in the same sense that a burglar earns their spoi= +ls by=20 +>>>> the resources they invest into surveilling targets and learning the sk= +ills=20 +>>>> needed to break into buildings. What I say "earned" I mean through=20 +>>>> productive mutual trade. +>>>> +>>>> For example: +>>>> +>>>> * Investors earn BTC by trading for other currencies. +>>>> * Merchants earn BTC by trading for goods and services. +>>>> * Miners earn BTC by trading thermodynamic security. +>>>> * Quantum miners don't trade anything, they are vampires feeding upon= +=20 +>>>> the system. +>>>> +>>>> There's no reason to believe that allowing quantum adversaries to=20 +>>>> recover vulnerable bitcoin will be of benefit to anyone other than the= +=20 +>>>> select few organizations that win the technological arms race to build= + the=20 +>>>> first such computers. Probably nation states and/or the top few larges= +t=20 +>>>> tech companies. +>>>> +>>>> One could certainly hope that an organization with quantum supremacy i= +s=20 +>>>> benevolent and acts in a "white hat" manner to return lost coins to th= +eir=20 +>>>> owners, but that's incredibly optimistic and foolish to rely upon. Suc= +h a=20 +>>>> situation creates an insurmountable ethical dilemma of only recovering= + lost=20 +>>>> bitcoin rather than currently owned bitcoin. There's no way to precise= +ly=20 +>>>> differentiate between the two; anyone can claim to have lost their bit= +coin=20 +>>>> but if they have lost their keys then proving they ever had the keys= +=20 +>>>> becomes rather difficult. I imagine that any such white hat recovery= +=20 +>>>> efforts would have to rely upon attestations from trusted third partie= +s=20 +>>>> like exchanges. +>>>> +>>>> Even if the first actor with quantum supremacy is benevolent, we must= +=20 +>>>> assume the technology could fall into adversarial hands and thus think= +=20 +>>>> adversarially about the potential worst case outcomes. Imagine, for=20 +>>>> example, that North Korea continues scooping up billions of dollars fr= +om=20 +>>>> hacking crypto exchanges and decides to invest some of those proceeds = +into=20 +>>>> building a quantum computer for the biggest payday ever... +>>>> +>>>> Downsides to Allowing Quantum Recovery +>>>> Let's think through an exhaustive list of pros and cons for allowing o= +r=20 +>>>> preventing the seizure of funds by a quantum adversary. +>>>> +>>>> Historical Precedent +>>>> Previous protocol vulnerabilities weren=E2=80=99t celebrated as "fair = +game" but=20 +>>>> rather were treated as failures to be remediated. Treating quantum the= +ft=20 +>>>> differently risks rewriting Bitcoin=E2=80=99s history as a free-for-al= +l rather than=20 +>>>> a system that seeks to protect its users. +>>>> +>>>> Violation of Property Rights +>>>> Allowing a quantum adversary to take control of funds undermines the= +=20 +>>>> fundamental principle of cryptocurrency - if you keep your keys in you= +r=20 +>>>> possession, only you should be able to access your money. Bitcoin is b= +uilt=20 +>>>> on the idea that private keys secure an individual=E2=80=99s assets, a= +nd=20 +>>>> unauthorized access (even via advanced tech) is theft, not a legitimat= +e=20 +>>>> transfer. +>>>> +>>>> Erosion of Trust in Bitcoin +>>>> If quantum attackers can exploit vulnerable addresses, confidence in= +=20 +>>>> Bitcoin as a secure store of value would collapse. Users and investors= + rely=20 +>>>> on cryptographic integrity, and widespread theft could drive adoption = +away=20 +>>>> from Bitcoin, destabilizing its ecosystem. +>>>> +>>>> This is essentially the counterpoint to claiming the burning of=20 +>>>> vulnerable funds is a violation of property rights. While some will=20 +>>>> certainly see it as such, others will find the apathy toward stopping= +=20 +>>>> quantum theft to be similarly concerning. +>>>> +>>>> Unfair Advantage +>>>> Quantum attackers, likely equipped with rare and expensive technology,= +=20 +>>>> would have an unjust edge over regular users who lack access to such t= +ools.=20 +>>>> This creates an inequitable system where only the technologically elit= +e can=20 +>>>> exploit others, contradicting Bitcoin=E2=80=99s ethos of decentralized= + power. +>>>> +>>>> Bitcoin is designed to create an asymmetric advantage for DEFENDING=20 +>>>> one's wealth. It's supposed to be impractically expensive for attacker= +s to=20 +>>>> crack the entropy and cryptography protecting one's coins. But now we = +find=20 +>>>> ourselves discussing a situation where this asymmetric advantage is=20 +>>>> compromised in favor of a specific class of attackers. +>>>> +>>>> Economic Disruption +>>>> Large-scale theft from vulnerable addresses could crash Bitcoin=E2=80= +=99s price=20 +>>>> as quantum recovered funds are dumped on exchanges. This would harm al= +l=20 +>>>> holders, not just those directly targeted, leading to broader financia= +l=20 +>>>> chaos in the markets. +>>>> +>>>> Moral Responsibility +>>>> Permitting theft via quantum computing sets a precedent that=20 +>>>> technological superiority justifies unethical behavior. This is essent= +ially=20 +>>>> taking a "code is law" stance in which we refuse to admit that both co= +de=20 +>>>> and laws can be modified to adapt to previously unforeseen situations. +>>>> +>>>> Burning of coins can certainly be considered a form of theft, thus I= +=20 +>>>> think it's worth differentiating the two different thefts being discus= +sed: +>>>> +>>>> 1. self-enriching & likely malicious +>>>> 2. harm prevention & not necessarily malicious +>>>> +>>>> Both options lack the consent of the party whose coins are being burnt= +=20 +>>>> or transferred, thus I think the simple argument that theft is immoral= +=20 +>>>> becomes a wash and it's important to drill down into the details of ea= +ch. +>>>> +>>>> Incentives Drive Security +>>>> I can tell you from a decade of working in Bitcoin security - the=20 +>>>> average user is lazy and is a procrastinator. If Bitcoiners are given = +a=20 +>>>> "drop dead date" after which they know vulnerable funds will be burned= +,=20 +>>>> this pressure accelerates the adoption of post-quantum cryptography an= +d=20 +>>>> strengthens Bitcoin long-term. Allowing vulnerable users to delay upgr= +ading=20 +>>>> indefinitely will result in more laggards, leaving the network more ex= +posed=20 +>>>> when quantum tech becomes available. +>>>> +>>>> Steel Manning +>>>> Clearly this is a complex and controversial topic, thus it's worth=20 +>>>> thinking through the opposing arguments. +>>>> +>>>> Protecting Property Rights +>>>> Allowing quantum computers to take vulnerable bitcoin could potentiall= +y=20 +>>>> be spun as a hard money narrative - we care so greatly about not viola= +ting=20 +>>>> someone's access to their coins that we allow them to be stolen! +>>>> +>>>> But I think the flip side to the property rights narrative is that=20 +>>>> burning vulnerable coins prevents said property from falling into=20 +>>>> undeserving hands. If the entire Bitcoin ecosystem just stands around = +and=20 +>>>> allows quantum adversaries to claim funds that rightfully belong to ot= +her=20 +>>>> users, is that really a "win" in the "protecting property rights" cate= +gory?=20 +>>>> It feels more like apathy to me. +>>>> +>>>> As such, I think the "protecting property rights" argument is a wash. +>>>> +>>>> Quantum Computers Won't Attack Bitcoin +>>>> There is a great deal of skepticism that sufficiently powerful quantum= +=20 +>>>> computers will ever exist, so we shouldn't bother preparing for a=20 +>>>> non-existent threat. Others have argued that even if such a computer w= +as=20 +>>>> built, a quantum attacker would not go after bitcoin because they woul= +dn't=20 +>>>> want to reveal their hand by doing so, and would instead attack other= +=20 +>>>> infrastructure. +>>>> +>>>> It's quite difficult to quantify exactly how valuable attacking other= +=20 +>>>> infrastructure would be. It also really depends upon when an entity ga= +ins=20 +>>>> quantum supremacy and thus if by that time most of the world's systems= + have=20 +>>>> already been upgraded. While I think you could argue that certain enti= +ties=20 +>>>> gaining quantum capability might not attack Bitcoin, it would only del= +ay=20 +>>>> the inevitable - eventually somebody will achieve the capability who= +=20 +>>>> decides to use it for such an attack. +>>>> +>>>> Quantum Attackers Would Only Steal Small Amounts +>>>> Some have argued that even if a quantum attacker targeted bitcoin,=20 +>>>> they'd only go after old, likely lost P2PK outputs so as to not arouse= +=20 +>>>> suspicion and cause a market panic. +>>>> +>>>> I'm not so sure about that; why go after 50 BTC at a time when you=20 +>>>> could take 250,000 BTC with the same effort as 50 BTC? This is a class= +ic=20 +>>>> "zero day exploit" game theory in which an attacker knows they have a= +=20 +>>>> limited amount of time before someone else discovers the exploit and e= +ither=20 +>>>> benefits from it or patches it. Take, for example, the recent ByBit at= +tack=20 +>>>> - the highest value crypto hack of all time. Lazarus Group had comprom= +ised=20 +>>>> the Safe wallet front end JavaScript app and they could have simply ha= +d it=20 +>>>> reassign ownership of everyone's Safe wallets as they were interacting= + with=20 +>>>> their wallet. But instead they chose to only specifically target ByBit= +'s=20 +>>>> wallet with $1.5 billion in it because they wanted to maximize their= +=20 +>>>> extractable value. If Lazarus had started stealing from every wallet, = +they=20 +>>>> would have been discovered quickly and the Safe web app would likely h= +ave=20 +>>>> been patched well before any billion dollar wallets executed the malic= +ious=20 +>>>> code. +>>>> +>>>> I think the "only stealing small amounts" argument is strongest for=20 +>>>> Situation #2 described earlier, where a quantum attacker arrives befor= +e=20 +>>>> quantum safe cryptography has been deployed across the Bitcoin ecosyst= +em.=20 +>>>> Because if it became clear that Bitcoin's cryptography was broken AND = +there=20 +>>>> was nowhere safe for vulnerable users to migrate, the only logical opt= +ion=20 +>>>> would be for everyone to liquidate their bitcoin as quickly as possibl= +e. As=20 +>>>> such, I don't think it applies as strongly for situations in which we = +have=20 +>>>> a migration path available. +>>>> +>>>> The 21 Million Coin Supply Should be in Circulation +>>>> Some folks are arguing that it's important for the "circulating /=20 +>>>> spendable" supply to be as close to 21M as possible and that having a= +=20 +>>>> significant portion of the supply out of circulation is somehow undesi= +rable. +>>>> +>>>> While the "21M BTC" attribute is a strong memetic narrative, I don't= +=20 +>>>> think anyone has ever expected that it would all be in circulation. It= + has=20 +>>>> always been understood that many coins will be lost, and that's actual= +ly=20 +>>>> part of the game theory of owning bitcoin! +>>>> +>>>> And remember, the 21M number in and of itself is not a particularly=20 +>>>> important detail - it's not even mentioned in the whitepaper. What's= +=20 +>>>> important is that the supply is well known and not subject to change. +>>>> +>>>> Self-Sovereignty and Personal Responsibility +>>>> Bitcoin=E2=80=99s design empowers individuals to control their own wea= +lth, free=20 +>>>> from centralized intervention. This freedom comes with the burden of= +=20 +>>>> securing one's private keys. If quantum computing can break obsolete= +=20 +>>>> cryptography, the fault lies with users who didn't move their funds to= +=20 +>>>> quantum safe locking scripts. Expecting the network to shield users fr= +om=20 +>>>> their own negligence undermines the principle that you, and not a thir= +d=20 +>>>> party, are accountable for your assets. +>>>> +>>>> I think this is generally a fair point that "the community" doesn't ow= +e=20 +>>>> you anything in terms of helping you. I think that we do, however, nee= +d to=20 +>>>> consider the incentives and game theory in play with regard to quantum= + safe=20 +>>>> Bitcoiners vs quantum vulnerable Bitcoiners. More on that later. +>>>> +>>>> Code is Law +>>>> Bitcoin operates on transparent, immutable rules embedded in its=20 +>>>> protocol. If a quantum attacker uses superior technology to derive pri= +vate=20 +>>>> keys from public keys, they=E2=80=99re not "hacking" the system - they= +'re simply=20 +>>>> following what's mathematically permissible within the current code.= +=20 +>>>> Altering the protocol to stop this introduces subjective human=20 +>>>> intervention, which clashes with the objective, deterministic nature o= +f=20 +>>>> blockchain. +>>>> +>>>> While I tend to agree that code is law, one of the entire points of=20 +>>>> laws is that they can be amended to improve their efficacy in reducing= +=20 +>>>> harm. Leaning on this point seems more like a pro-ossification stance = +that=20 +>>>> it's better to do nothing and allow harm to occur rather than take act= +ion=20 +>>>> to stop an attack that was foreseen far in advance. +>>>> +>>>> Technological Evolution as a Feature, Not a Bug +>>>> It's well known that cryptography tends to weaken over time and=20 +>>>> eventually break. Quantum computing is just the next step in this=20 +>>>> progression. Users who fail to adapt (e.g., by adopting quantum-resist= +ant=20 +>>>> wallets when available) are akin to those who ignored technological=20 +>>>> advancements like multisig or hardware wallets. Allowing quantum theft= +=20 +>>>> incentivizes innovation and keeps Bitcoin=E2=80=99s ecosystem dynamic,= + punishing=20 +>>>> complacency while rewarding vigilance. +>>>> +>>>> Market Signals Drive Security +>>>> If quantum attackers start stealing funds, it sends a clear signal to= +=20 +>>>> the market: upgrade your security or lose everything. This pressure=20 +>>>> accelerates the adoption of post-quantum cryptography and strengthens= +=20 +>>>> Bitcoin long-term. Coddling vulnerable users delays this necessary=20 +>>>> evolution, potentially leaving the network more exposed when quantum t= +ech=20 +>>>> becomes widely accessible. Theft is a brutal but effective teacher. +>>>> +>>>> Centralized Blacklisting Power +>>>> Burning vulnerable funds requires centralized decision-making - a soft= +=20 +>>>> fork to invalidate certain transactions. This sets a dangerous precede= +nt=20 +>>>> for future interventions, eroding Bitcoin=E2=80=99s decentralization. = +If quantum=20 +>>>> theft is blocked, what=E2=80=99s next - reversing exchange hacks? The = +system must=20 +>>>> remain neutral, even if it means some lose out. +>>>> +>>>> I think this could be a potential slippery slope if the proposal was t= +o=20 +>>>> only burn specific addresses. Rather, I'd expect a neutral proposal to= + burn=20 +>>>> all funds in locking script types that are known to be quantum vulnera= +ble.=20 +>>>> Thus, we could eliminate any subjectivity from the code. +>>>> +>>>> Fairness in Competition +>>>> Quantum attackers aren't cheating; they're using publicly available=20 +>>>> physics and math. Anyone with the resources and foresight can build or= +=20 +>>>> access quantum tech, just as anyone could mine Bitcoin in 2009 with a = +CPU.=20 +>>>> Early adopters took risks and reaped rewards; quantum innovators are d= +oing=20 +>>>> the same. Calling it =E2=80=9Cunfair=E2=80=9D ignores that Bitcoin has= + never promised=20 +>>>> equality of outcome - only equality of opportunity within its rules. +>>>> +>>>> I find this argument to be a mischaracterization because we're not=20 +>>>> talking about CPUs. This is more akin to talking about ASICs, except e= +ach=20 +>>>> ASIC costs millions if not billions of dollars. This is out of reach f= +rom=20 +>>>> all but the wealthiest organizations. +>>>> +>>>> Economic Resilience +>>>> Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and=20 +>>>> emerged stronger. The market can absorb quantum losses, with unaffecte= +d=20 +>>>> users continuing to hold and new entrants buying in at lower prices. F= +ear=20 +>>>> of economic collapse overestimates the impact - the network=E2=80=99s = +antifragility=20 +>>>> thrives on such challenges. +>>>> +>>>> This is a big grey area because we don't know when a quantum computer= +=20 +>>>> will come online and we don't know how quickly said computers would be= + able=20 +>>>> to steal bitcoin. If, for example, the first generation of sufficientl= +y=20 +>>>> powerful quantum computers were stealing less volume than the current = +block=20 +>>>> reward then of course it will have minimal economic impact. But if the= +y're=20 +>>>> taking thousands of BTC per day and bringing them back into circulatio= +n,=20 +>>>> there will likely be a noticeable market impact as it absorbs the new= +=20 +>>>> supply. +>>>> +>>>> This is where the circumstances will really matter. If a quantum=20 +>>>> attacker appears AFTER the Bitcoin protocol has been upgraded to suppo= +rt=20 +>>>> quantum resistant cryptography then we should expect the most valuable= +=20 +>>>> active wallets will have upgraded and the juiciest target would be the= +=20 +>>>> 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has= + been=20 +>>>> dormant since 2010. In general I'd expect that the amount of BTC=20 +>>>> re-entering the circulating supply would look somewhat similar to the= +=20 +>>>> mining emission curve: volume would start off very high as the most=20 +>>>> valuable addresses are drained and then it would fall off as quantum= +=20 +>>>> computers went down the list targeting addresses with less and less BT= +C. +>>>> +>>>> Why is economic impact a factor worth considering? Miners and=20 +>>>> businesses in general. More coins being liquidated will push down the= +=20 +>>>> price, which will negatively impact miner revenue. Similarly, I can at= +test=20 +>>>> from working in the industry for a decade, that lower prices result in= + less=20 +>>>> demand from businesses across the entire industry. As such, burning qu= +antum=20 +>>>> vulnerable bitcoin is good for the entire industry. +>>>> +>>>> Practicality & Neutrality of Non-Intervention +>>>> There=E2=80=99s no reliable way to distinguish =E2=80=9Ctheft=E2=80=9D= + from legitimate "white=20 +>>>> hat" key recovery. If someone loses their private key and a quantum=20 +>>>> computer recovers it, is that stealing or reclaiming? Policing quantum= +=20 +>>>> actions requires invasive assumptions about intent, which Bitcoin=E2= +=80=99s=20 +>>>> trustless design can=E2=80=99t accommodate. Letting the chips fall whe= +re they may=20 +>>>> avoids this mess. +>>>> +>>>> Philosophical Purity +>>>> Bitcoin rejects bailouts. It=E2=80=99s a cold, hard system where outco= +mes=20 +>>>> reflect preparation and skill, not sentimentality. If quantum computin= +g=20 +>>>> upends the game, that=E2=80=99s the point - Bitcoin isn=E2=80=99t mean= +t to be safe or fair=20 +>>>> in a nanny-state sense; it=E2=80=99s meant to be free. Users who lose = +funds to=20 +>>>> quantum attacks are casualties of liberty and their own ignorance, not= +=20 +>>>> victims of injustice. +>>>> +>>>> Bitcoin's DAO Moment +>>>> This situation has some similarities to The DAO hack of an Ethereum=20 +>>>> smart contract in 2016, which resulted in a fork to stop the attacker = +and=20 +>>>> return funds to their original owners. The game theory is similar beca= +use=20 +>>>> it's a situation where a threat is known but there's some period of ti= +me=20 +>>>> before the attacker can actually execute the theft. As such, there's t= +ime=20 +>>>> to mitigate the attack by changing the protocol. +>>>> +>>>> It also created a schism in the community around the true meaning of= +=20 +>>>> "code is law," resulting in Ethereum Classic, which decided to allow t= +he=20 +>>>> attacker to retain control of the stolen funds. +>>>> +>>>> A soft fork to burn vulnerable bitcoin could certainly result in a har= +d=20 +>>>> fork if there are enough miners who reject the soft fork and continue= +=20 +>>>> including transactions. +>>>> +>>>> Incentives Matter +>>>> We can wax philosophical until the cows come home, but what are the=20 +>>>> actual incentives for existing Bitcoin holders regarding this decision= +? +>>>> +>>>> "Lost coins only make everyone else's coins worth slightly more. Think= +=20 +>>>>> of it as a donation to everyone." - Satoshi Nakamoto +>>>> +>>>> +>>>> If true, the corollary is: +>>>> +>>>> "Quantum recovered coins only make everyone else's coins worth less.= +=20 +>>>>> Think of it as a theft from everyone." - Jameson Lopp +>>>> +>>>> +>>>> Thus, assuming we get to a point where quantum resistant signatures ar= +e=20 +>>>> supported within the Bitcoin protocol, what's the incentive to let=20 +>>>> vulnerable coins remain spendable? +>>>> +>>>> * It's not good for the actual owners of those coins. It=20 +>>>> disincentivizes owners from upgrading until perhaps it's too late. +>>>> * It's not good for the more attentive / responsible owners of coins= +=20 +>>>> who have quantum secured their stash. Allowing the circulating supply = +to=20 +>>>> balloon will assuredly reduce the purchasing power of all bitcoin hold= +ers. +>>>> +>>>> Forking Game Theory +>>>> From a game theory point of view, I see this as incentivizing users to= +=20 +>>>> upgrade their wallets. If you disagree with the burning of vulnerable= +=20 +>>>> coins, all you have to do is move your funds to a quantum safe signatu= +re=20 +>>>> scheme. Point being, I don't see there being an economic majority (or = +even=20 +>>>> more than a tiny minority) of users who would fight such a soft fork. = +Why=20 +>>>> expend significant resources fighting a fork when you can just move yo= +ur=20 +>>>> coins to a new address? +>>>> +>>>> Remember that blocking spending of certain classes of locking scripts= +=20 +>>>> is a tightening of the rules - a soft fork. As such, it can be meaning= +fully=20 +>>>> enacted and enforced by a mere majority of hashpower. If miners genera= +lly=20 +>>>> agree that it's in their best interest to burn vulnerable coins, are o= +ther=20 +>>>> users going to care enough to put in the effort to run new node softwa= +re=20 +>>>> that resists the soft fork? Seems unlikely to me. +>>>> +>>>> How to Execute Burning +>>>> In order to be as objective as possible, the goal would be to announce= +=20 +>>>> to the world that after a specific block height / timestamp, Bitcoin n= +odes=20 +>>>> will no longer accept transactions (or blocks containing such transact= +ions)=20 +>>>> that spend funds from any scripts other than the newly instituted quan= +tum=20 +>>>> safe schemes. +>>>> +>>>> It could take a staggered approach to first freeze funds that are=20 +>>>> susceptible to long-range attacks such as those in P2PK scripts or tho= +se=20 +>>>> that exposed their public keys due to previously re-using addresses, b= +ut I=20 +>>>> expect the additional complexity would drive further controversy. +>>>> +>>>> How long should the grace period be in order to give the ecosystem tim= +e=20 +>>>> to upgrade? I'd say a minimum of 1 year for software wallets to upgrad= +e. We=20 +>>>> can only hope that hardware wallet manufacturers are able to implement= + post=20 +>>>> quantum cryptography on their existing hardware with only a firmware u= +pdate. +>>>> +>>>> Beyond that, it will take at least 6 months worth of block space for= +=20 +>>>> all users to migrate their funds, even in a best case scenario. Though= + if=20 +>>>> you exclude dust UTXOs you could probably get 95% of BTC value migrate= +d in=20 +>>>> 1 month. Of course this is a highly optimistic situation where everyon= +e is=20 +>>>> completely focused on migrations - in reality it will take far longer. +>>>> +>>>> Regardless, I'd think that in order to reasonably uphold Bitcoin's=20 +>>>> conservatism it would be preferable to allow a 4 year migration window= +. In=20 +>>>> the meantime, mining pools could coordinate emergency soft forking log= +ic=20 +>>>> such that if quantum attackers materialized, they could accelerate the= +=20 +>>>> countdown to the quantum vulnerable funds burn. +>>>> +>>>> Random Tangential Benefits +>>>> On the plus side, burning all quantum vulnerable bitcoin would allow u= +s=20 +>>>> to prune all of those UTXOs out of the UTXO set, which would also clea= +n up=20 +>>>> a lot of dust. Dust UTXOs are a bit of an annoyance and there has even= + been=20 +>>>> a recent proposal for how to incentivize cleaning them up. +>>>> +>>>> We should also expect that incentivizing migration of the entire UTXO= +=20 +>>>> set will create substantial demand for block space that will sustain a= + fee=20 +>>>> market for a fairly lengthy amount of time. +>>>> +>>>> In Summary +>>>> While the moral quandary of violating any of Bitcoin's inviolable=20 +>>>> properties can make this a very complex issue to discuss, the game the= +ory=20 +>>>> and incentives between burning vulnerable coins versus allowing them t= +o be=20 +>>>> claimed by entities with quantum supremacy appears to be a much simple= +r=20 +>>>> issue. +>>>> +>>>> I, for one, am not interested in rewarding quantum capable entities by= +=20 +>>>> inflating the circulating money supply just because some people lost t= +heir=20 +>>>> keys long ago and some laggards are not upgrading their bitcoin wallet= +'s=20 +>>>> security. +>>>> +>>>> We can hope that this scenario never comes to pass, but hope is not a= +=20 +>>>> strategy. +>>>> +>>>> I welcome your feedback upon any of the above points, and contribution= +=20 +>>>> of any arguments I failed to consider. +>>>> +>>>> --=20 +>>>> You received this message because you are subscribed to the Google=20 +>>>> Groups "Bitcoin Development Mailing List" group. +>>>> To unsubscribe from this group and stop receiving emails from it, send= +=20 +>>>> an email to bitcoindev+...@googlegroups.com. +>>>> To view this discussion visit=20 +>>>> https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq= +8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com +>>>> . +>>>> +>>>> --=20 +>>>> You received this message because you are subscribed to the Google=20 +>>>> Groups "Bitcoin Development Mailing List" group. +>>>> To unsubscribe from this group and stop receiving emails from it, send= +=20 +>>>> an email to bitcoindev+...@googlegroups.com. +>>>> To view this discussion visit=20 +>>>> https://groups.google.com/d/msgid/bitcoindev/E8269A1A-1899-46D2-A7CD-4= +D9D2B732364%40astrotown.de +>>>> . +>>> +>>> +>>>> --=20 +>>> You received this message because you are subscribed to the Google=20 +>>> Groups "Bitcoin Development Mailing List" group. +>>> To unsubscribe from this group and stop receiving emails from it, send= +=20 +>>> an email to bitcoindev+...@googlegroups.com. +>>> To view this discussion visit=20 +>>> https://groups.google.com/d/msgid/bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br= +6mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg%40mail.gmail.com +>>> . +>>> +>>> +>>> --=20 +>>> You received this message because you are subscribed to the Google=20 +>>> Groups "Bitcoin Development Mailing List" group. +>>> To unsubscribe from this group and stop receiving emails from it, send= +=20 +>>> an email to bitcoindev+...@googlegroups.com. +>>> To view this discussion visit=20 +>>> https://groups.google.com/d/msgid/bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvf= +XniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXL= +miCJOY%3D%40proton.me +>>> . +>>> +>> --=20 +> You received this message because you are subscribed to the Google Groups= +=20 +> "Bitcoin Development Mailing List" group. +> To unsubscribe from this group and stop receiving emails from it, send an= +=20 +> email to bitcoindev+...@googlegroups.com. +> +> To view this discussion visit=20 +> https://groups.google.com/d/msgid/bitcoindev/CAJDmzYycnXODG_e9ATqTkooUu3C= +-RS703P1-RQLW5CdcCehsqg%40mail.gmail.com +> . +> +> +> + +--=20 +You received this message because you are subscribed to the Google Groups "= +Bitcoin Development Mailing List" group. +To unsubscribe from this group and stop receiving emails from it, send an e= +mail to bitcoindev+unsubscribe@googlegroups.com. +To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= +893891ea-34ec-4d60-9941-9f636be0d747n%40googlegroups.com. + +------=_Part_18011_501201720.1749302913697 +Content-Type: text/html; charset="UTF-8" +Content-Transfer-Encoding: quoted-printable + +<div>> I'm not a lawyer, but if developers make a conscious decision to = +make a=20 +code change that confiscates funds, even with a reasonable heads-up, I=20 +feel like some lawyers might be tempted to make an argument that those=20 +developers should be held responsible for any losses. As everyone knows, + Bitcoin has been under legal attacks before, and I'm not sure that=20 +anyone would (or should) be willing to sign off on a change that might=20 +potentially open them up to several billion dollars worth of personal=20 +responsibility - especially if the "bonded courier" actually shows up=20 +and reveals a private key that would have unlocked funds under the=20 +pre-QC scheme.</div><div><br /></div><div>Coincidentally, Peter Todd has ju= +st made the same point in another (apparently unrelated) thread, here: http= +s://groups.google.com/g/bitcoindev/c/bmV1QwYEN4k/m/kkHQZd_BAwAJ</div><div><= +br /></div><div>For me it's very clear, that it's not an accident that such= + "unexpected" side effects exist. It's a feature that I'd whimsically call = +"ethical impedance-mismatch" (the term impedance mismatch has been used in = +computing/programming, which itself borrowed it from the real meaning, in p= +hysics). People have a moral/ethical desire to make bitcoin function as wel= +l as possible, and see a failure mode in those using it for other purposes,= + but that line of thought clashes with the essential, basic principle of ce= +nsorship-resistance.</div><div><br /></div><div>So we see technical borked-= +ness like failure to get accurate fee rates and the like, from doing someth= +ing (attempting to filter at p2p level) that it is intrinsically counter to= + the foundational ethical, functional purpose of the system: censorship-res= +istance. And then we see "cascading failures" of the type discussed here: i= +f the devs are working to break bitcoin's ethical promise of censorship-res= +istance, then thugs^H^H politicians and lawyers, will seek to take control = +of that "break" for their own purposes.</div><div><br /></div><div>That's w= +hy I'm not against "quantum recovery" as per the title of this thread. Reco= +very, independent of outside control, *is* bitcoin's function. If half a mi= +llion btc get spent by someone who has "recovered" in an unexpected way, to= +ugh titties. If the entire system collapses because we can't get our act to= +gether before 2085 (OK I know some think it's 2035, I don't, but whatever),= + then it is what it is. That is a huge unknown. But Bitcoin will 100% fail = +if confiscation of *any* type becomes a thing.</div><br /><div>Cheers,</div= +>AdamISZ/waxwing<div class=3D"gmail_quote"><div dir=3D"auto" class=3D"gmail= +_attr">On Wednesday, June 4, 2025 at 4:56:53=E2=80=AFAM UTC-3 ArmchairCrypt= +ologist wrote:<br/></div><blockquote class=3D"gmail_quote" style=3D"margin:= + 0 0 0 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;= +"><div style=3D"font-family:Arial,sans-serif;font-size:14px">Hi,</div><div = +style=3D"font-family:Arial,sans-serif;font-size:14px"><br></div><div style= +=3D"font-family:Arial,sans-serif;font-size:14px">With the longer grace peri= +od and selective deactivation, this seems more sensible, but there is one e= +lephant in the room that I haven't seen mentioned here - namely, the le= +gal aspect. (If it was, sorry I missed it.)</div><div style=3D"font-family:= +Arial,sans-serif;font-size:14px"><br></div><div style=3D"font-family:Arial,= +sans-serif;font-size:14px">I'm not a lawyer, but if developers make a c= +onscious decision to make a code change that confiscates funds, even with a= + reasonable heads-up, I feel like some lawyers might be tempted to make an = +argument that those developers should be held responsible for any losses. A= +s everyone knows, Bitcoin has been under legal attacks before, and I'm = +not sure that anyone would (or should) be willing to sign off on a change t= +hat might potentially open them up to several billion dollars worth of pers= +onal responsibility - especially if the "bonded courier" actually= + shows up and reveals a private key that would have unlocked funds under th= +e pre-QC scheme.</div><div style=3D"font-family:Arial,sans-serif;font-size:= +14px"><br></div><div style=3D"font-family:Arial,sans-serif;font-size:14px">= +The only safe-ish way I can see to do this is to have it only affect funds = +that are very likely to be lost in + the first place. So at the very least, it could not affect UTXOs that coul= +d potentially be encumbered with a timelock (i.e. P2SH/P2WSH), and it could= + only affect UTXOs that have not moved for a very long time (say 15-20 year= +s). </div><div style=3D"font-family:Arial,sans-serif;font-size:14px"><br></= +div><div style=3D"font-family:Arial,sans-serif;font-size:14px">If quantum c= +omputers capable of practical attacks against Bitcoin are ever known to act= +ually exist, <b>sending</b>=E2=80=8B to non-PQC addresses should of course = +be disabled immediately. But I feel that the nature of a permissionless sys= +tem implies a large degree of self-responsibility, so if someone chooses to= + keep using non-PQC addresses even after PQC addresses have become availabl= +e and practical quantum attacks are suspected to be an imminent danger, it&= +#39;s not necessarily up to the developers to tell them they can't, onl= +y that they really shouldn't.</div><div style=3D"font-family:Arial,sans= +-serif;font-size:14px"><br></div><div style=3D"font-family:Arial,sans-serif= +;font-size:14px">--</div><div style=3D"font-family:Arial,sans-serif;font-si= +ze:14px">Regards,</div><div style=3D"font-family:Arial,sans-serif;font-size= +:14px">ArmchairCryptologist</div><div style=3D"font-family:Arial,sans-serif= +;font-size:14px"><br></div> +<div style=3D"font-family:Arial,sans-serif;font-size:14px"> + <div> + =20 + </div> + =20 + <div> + Sent with <a href=3D"https://proton.me/mail/home" target=3D"_blank"= + rel=3D"nofollow" data-saferedirecturl=3D"https://www.google.com/url?hl=3De= +n&q=3Dhttps://proton.me/mail/home&source=3Dgmail&ust=3D17493875= +99316000&usg=3DAOvVaw3kMMWbcvOvWny9b4RVrakM">Proton Mail</a> secure ema= +il. + </div> +</div> +<div style=3D"font-family:Arial,sans-serif;font-size:14px"><br><div></div><= +/div><div style=3D"font-family:Arial,sans-serif;font-size:14px"><div> + On Monday, May 26th, 2025 at 2:48 AM, Agustin Cruz <<a href data= +-email-masked rel=3D"nofollow">agusti...@gmail.com</a>> wrote:<br> + </div></div><div style=3D"font-family:Arial,sans-serif;font-size:14= +px"><div><blockquote type=3D"cite"> + <div dir=3D"auto">Hi everyone,<div dir=3D"auto"><br></div><div = +dir=3D"auto">QRAMP proposal aims to manage the quantum transition responsib= +ly without disrupting Bitcoin=E2=80=99s core principles.</div><div dir=3D"a= +uto"><br></div><div dir=3D"auto">QRAMP has three phases:</div><div dir=3D"a= +uto"><br></div><div dir=3D"auto">1. Allow wallets to optionally include PQC= + keys in Taproot outputs. This enables early adoption without forcing anyon= +e.</div><div dir=3D"auto"><br></div><div dir=3D"auto">2. Announce a soft fo= +rk to disable vulnerable scripts, with a long (~4-year) grace period. This = +gives ample time to migrate and avoids sudden shocks.</div><div dir=3D"auto= +"><br></div><div dir=3D"auto">3. Gradually deactivate vulnerable outputs ba= +sed on age or inactivity. This avoids a harsh cutoff and gives time for ada= +ptation.</div><div dir=3D"auto"></div><div dir=3D"auto"><br></div><div dir= +=3D"auto">We can also allow exceptions via proof-of-possession, and delay r= +estrictions on timelocked outputs to avoid harming future spenders.</div><d= +iv dir=3D"auto"><br></div><div dir=3D"auto">QRAMP is not about confiscation= + or control. It=E2=80=99s about aligning incentives, maintaining security, = +and offering a clear, non-coercive upgrade path.</div><div dir=3D"auto"><br= +></div><div dir=3D"auto">Best,</div><div dir=3D"auto">Agustin Cruz</div><di= +v dir=3D"auto"><br></div><div dir=3D"auto"><br></div></div><br><div class= +=3D"gmail_quote"><div class=3D"gmail_attr" dir=3D"ltr">El dom, 25 de may de= + 2025, 7:03=E2=80=AFp.m., Dustin Ray <<a href rel=3D"noreferrer nofollow= + noopener" data-email-masked>dustinvo...@gmail.com</a>> escribi=C3=B3:<b= +r></div><blockquote style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;p= +adding-left:1ex" class=3D"gmail_quote"><div dir=3D"auto">The difference bet= +ween the ETH/ETC split though was that no one had anything confiscated exce= +pt the DAO hacker, everyone retained an identical number of tokens on each = +chain. The proposal for BTC is very different in that some holders will los= +e access to their coins during the PQ migration under the confiscation appr= +oach. Just wanted to point that out.</div><div><br><div class=3D"gmail_quot= +e"><div class=3D"gmail_attr" dir=3D"ltr">On Sun, May 25, 2025 at 3:06=E2=80= +=AFPM 'conduition' via Bitcoin Development Mailing List <<a rel= +=3D"noreferrer nofollow noopener" href data-email-masked>bitco...@googlegro= +ups.com</a>> wrote:<br></div><blockquote style=3D"margin:0px 0px 0px 0.8= +ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-le= +ft-color:rgb(204,204,204)" class=3D"gmail_quote"><div style=3D"font-family:= +Arial,sans-serif;font-size:14px">Hey Saulo,</div><div style=3D"font-family:= +Arial,sans-serif;font-size:14px"><br></div><div style=3D"font-family:Arial,= +sans-serif;font-size:14px">You're right about the possibility of an ugl= +y split. Laggards who don't move coins to PQ address schemes will be in= +centivized to follow any chain where they keep their coins. But those who d= +o migrate will be incentivized to follow the chain where unmigrated pre-qua= +ntum coins are frozen. </div><div style=3D"font-family:Arial,sans-serif;fon= +t-size:14px"><br></div><div style=3D"font-family:Arial,sans-serif;font-size= +:14px">While you're comparing this event to the ETH/ETC split, we shoul= +d remember that ETH remained the dominant chain despite their heavy-handed = +rollback. Just goes to show, confusion and face-loss is a lesser evil than = +allowing an adversary to pwn the network. </div><div style=3D"font-family:A= +rial,sans-serif;font-size:14px"><br></div><blockquote style=3D"border-left:= +3px solid rgb(200,200,200);padding-left:10px;border-color:rgb(200,200,200);= +color:rgb(102,102,102)"><div style=3D"font-family:Arial,sans-serif;font-siz= +e:14px">This is the free-market way to solve problems without imposing rule= +s on everyone.<br></div></blockquote><div style=3D"font-family:Arial,sans-s= +erif;font-size:14px"><br></div><div style=3D"font-family:Arial,sans-serif;f= +ont-size:14px">It'd still be a free market even if quantum-vulnerable c= +oins are frozen. The only way to test the relative value of quantum-safe vs= + quantum-vulnerable coins is to split the chain and see how the market reac= +ts. </div><div style=3D"font-family:Arial,sans-serif;font-size:14px"><br></= +div><div style=3D"font-family:Arial,sans-serif;font-size:14px">IMO, the &qu= +ot;free market way" is to give people options and let their money flow= + to where it works best. That means people should be able to choose whether= + they want their money to be part of a system that allows quantum attack, o= +r part of one which does not. I know which I would choose, but neither you = +nor I can make that choice for everyone.</div><div style=3D"font-family:Ari= +al,sans-serif;font-size:14px"><br></div><div style=3D"font-family:Arial,san= +s-serif;font-size:14px">regards,</div><div style=3D"font-family:Arial,sans-= +serif;font-size:14px">conduition</div><div> + On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz <<a rel=3D"= +noreferrer nofollow noopener" href data-email-masked>agusti...@gmail.com</a= +>> wrote:<br> + <blockquote type=3D"cite"> + <div dir=3D"ltr"><div dir=3D"ltr">I=E2=80=99m against letting q= +uantum computers scoop up funds from addresses that don=E2=80=99t upgrade t= +o quantum-resistant. <br>Saulo=E2=80=99s idea of a free-market approach, le= +aving old coins up for grabs if people don=E2=80=99t move them, sounds fair= + at first. Let luck decide, right? But I worry it=E2=80=99d turn into a mes= +s. If quantum machines start cracking keys and snagging coins, it=E2=80=99s= + not just lost Satoshi-era stuff at risk. Plenty of active wallets, like th= +ose on the rich list Jameson mentioned, could get hit too. Imagine millions= + of BTC flooding the market. Prices tank, trust in Bitcoin takes a dive, an= +d we all feel the pain. Freezing those vulnerable funds keeps that chaos in= + check.<br>Plus, =E2=80=9Cyour keys, your coins=E2=80=9D is Bitcoin=E2=80= +=99s heart. If quantum tech can steal from you just because you didn=E2=80= +=99t upgrade fast enough, that promise feels shaky. Freezing funds after a = +heads-up period (say, four years) protects that idea better than letting te= +ch giants or rogue states play vampire with our network. It also nudges peo= +ple to get their act together and move to safer addresses, which strengthen= +s Bitcoin long-term.<br>Saulo=E2=80=99s right that freezing coins could con= +fuse folks or spark a split like Ethereum Classic. But I=E2=80=99d argue qu= +antum theft would look worse. Bitcoin would seem broken, not just strict. A= + clear plan and enough time to migrate could smooth things over. History=E2= +=80=99s on our side too. Bitcoin=E2=80=99s fixed bugs before, like SegWit. = +This feels like that, not a bailout.<br>So yeah, I=E2=80=99d rather see vul= +nerable coins locked than handed to whoever builds the first quantum rig. I= +t=E2=80=99s less about coddling people and more about keeping Bitcoin solid= + for everyone. What do you all think?<br>Cheers,<br>Agust=C3=ADn<br><br></d= +iv><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On = +Sun, Mar 23, 2025 at 10:29=E2=80=AFPM AstroTown <<a rel=3D"noreferrer no= +follow noopener" href data-email-masked>sa...@astrotown.de</a>> wrote:<b= +r></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex= +;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left= +-color:rgb(204,204,204)"><div dir=3D"auto"><div dir=3D"ltr"><span style=3D"= +color:rgb(0,0,0)">I believe that having some entity announce the decision t= +o freeze old UTXOs would be more damaging to Bitcoin=E2=80=99s image (and i= +ts value) than having them gathered by QC. This would create another versio= +n of Bitcoin, similar to Ethereum Classic, causing confusion in the market.= +</span><div dir=3D"ltr"><div style=3D"color:rgb(0,0,0)"><br></div><div styl= +e=3D"color:rgb(0,0,0)">It would be better to simply implement the possibili= +ty of moving funds to a PQC address without a deadline, allowing those who = +fail to do so to rely on luck to avoid having their coins stolen. Most coin= +s would be migrated to PQC anyway, and in most cases, only the lost ones wo= +uld remain vulnerable. This is the free-market way to solve problems withou= +t imposing rules on everyone.</div><div style=3D"color:rgb(0,0,0)"><br></di= +v><div style=3D"color:rgb(0,0,0)">Saulo Fonseca</div><div style=3D"color:rg= +b(0,0,0)"><br></div><div style=3D"color:rgb(0,0,0)"><br><blockquote type=3D= +"cite"><div>On 16. Mar 2025, at 15:15, Jameson Lopp <<span dir=3D"ltr"><= +a rel=3D"noreferrer nofollow noopener" href data-email-masked>jameso...@gma= +il.com</a></span>> wrote:</div><br><div><div dir=3D"ltr">The quantum com= +puting debate is heating up. There are many controversial aspects to this d= +ebate, including whether or not quantum computers will ever actually become= + a practical threat.<div><br>I won't tread into the unanswerable questi= +on of how worried we should be about quantum computers. I think it's fa= +r from a crisis, but given the difficulty in changing Bitcoin it's wort= +h starting to seriously discuss. Today I wish to focus on a philosophical q= +uandary related to one of the decisions that would need to be made if and w= +hen we implement a quantum safe signature scheme.<br><br><font style=3D"col= +or:rgb(0,0,0)" size=3D"6">Several Scenarios<br></font>Because this essay wi= +ll reference game theory a fair amount, and there are many variables at pla= +y that could change the nature of the game, I think it's important to c= +larify the possible scenarios up front.<br><br>1. Quantum computing never m= +aterializes, never becomes a threat, and thus everything discussed in this = +essay is moot.<br>2. A quantum computing threat materializes suddenly and B= +itcoin does not have quantum safe signatures as part of the protocol. In th= +is scenario it would likely make the points below moot because Bitcoin woul= +d be fundamentally broken and it would take far too long to upgrade the pro= +tocol, wallet software, and migrate user funds in order to restore confiden= +ce in the network.<br>3. Quantum computing advances slowly enough that we c= +ome to consensus about how to upgrade Bitcoin and post quantum security has= + been minimally adopted by the time an attacker appears.<br>4. Quantum comp= +uting advances slowly enough that we come to consensus about how to upgrade= + Bitcoin and post quantum security has been highly adopted by the time an a= +ttacker appears.<br><br>For the purposes of this post, I'm envisioning = +being in situation 3 or 4.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"= +6">To Freeze or not to Freeze?<br></font>I've started seeing more peopl= +e weighing in on what is likely the most contentious aspect of how a quantu= +m resistance upgrade should be handled in terms of migrating user funds. Sh= +ould quantum vulnerable funds be left open to be swept by anyone with a suf= +ficiently powerful quantum computer OR should they be permanently locked?<b= +r><br><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;p= +adding-left:1ex;border-left-color:rgb(204,204,204)">"I don't see w= +hy old coins should be confiscated. The better option is to let those with = +quantum computers free up old coins. While this might have an inflationary = +impact on bitcoin's price, to use a turn of phrase, the inflation is tr= +ansitory. Those with low time preference should support returning lost coin= +s to circulation." </blockquote><blockquote class=3D"gmail_quote" styl= +e=3D"margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,20= +4,204)">- Hunter Beast</blockquote><div><br></div>On the other hand:</div><= +div><br><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex= +;padding-left:1ex;border-left-color:rgb(204,204,204)">"Of course they = +have to be confiscated. If and when (and that's a big if) the existence= + of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosy= +stem has no other option than softforking out the ability to spend from sig= +nature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The= + alternative is that millions of BTC become vulnerable to theft; I cannot s= +ee how the currency can maintain any value at all in such a setting. And th= +is affects everyone; even those which diligently moved their coins to PQC-p= +rotected schemes."<br>- Pieter Wuille</blockquote><br>I don't thin= +k "confiscation" is the most precise term to use, as the funds ar= +e not being seized and reassigned. Rather, what we're really discussing= + would be better described as "burning" - placing the funds <b>ou= +t of reach of everyone</b>.<br><br>Not freezing user funds is one of Bitcoi= +n's inviolable properties. However, if quantum computing becomes a thre= +at to Bitcoin's elliptic curve cryptography, <b>an inviolable property = +of Bitcoin will be violated one way or another</b>.<br><br><font style=3D"c= +olor:rgb(0,0,0)" size=3D"6">Fundamental Properties at Risk<br></font>5 year= +s ago I attempted to comprehensively categorize all of Bitcoin's fundam= +ental properties that give it value. <a rel=3D"noreferrer nofollow noopener= +" href=3D"https://nakamoto.com/what-are-the-key-properties-of-bitcoin/" tar= +get=3D"_blank" data-saferedirecturl=3D"https://www.google.com/url?hl=3Den&a= +mp;q=3Dhttps://nakamoto.com/what-are-the-key-properties-of-bitcoin/&sou= +rce=3Dgmail&ust=3D1749387599316000&usg=3DAOvVaw0iqW5fFv-B1rrwD99rTI= +o-">https://nakamoto.com/what-are-the-key-properties-of-bitcoin/<br></a><br= +>The particular properties in play with regard to this issue seem to be:<br= +><br><b>Censorship Resistance</b> - No one should have the power to prevent= + others from using their bitcoin or interacting with the network.<br><br><b= +>Forward Compatibility</b> - changing the rules such that certain valid tra= +nsactions become invalid could undermine confidence in the protocol.<br><br= +><b>Conservatism</b> - Users should not be expected to be highly responsive= + to system issues.<br><br>As a result of the above principles, we have deve= +loped a strong meme (kudos to Andreas Antonopoulos) that goes as follows:<b= +r><br><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;p= +adding-left:1ex;border-left-color:rgb(204,204,204)">Not your keys, not your= + coins.</blockquote><br>I posit that the corollary to this principle is:<br= +><br><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;pa= +dding-left:1ex;border-left-color:rgb(204,204,204)">Your keys, only your coi= +ns.</blockquote><br>A quantum capable entity breaks the corollary of this f= +oundational principle. We secure our bitcoin with the mathematical probabil= +ities related to extremely large random numbers. Your funds are only secure= + because truly random large numbers should not be guessable or discoverable= + by anyone else in the world.<br><br>This is the principle behind the motto= + <i>vires in numeris</i> - strength in numbers. In a world with quantum ena= +bled adversaries, this principle is null and void for many types of cryptog= +raphy, including the elliptic curve digital signatures used in Bitcoin.<br>= +<br><font style=3D"color:rgb(0,0,0)" size=3D"6">Who is at Risk?<br></font>T= +here has long been a narrative that Satoshi's coins and others from the= + Satoshi era of P2PK locking scripts that exposed the public key directly o= +n the blockchain will be those that get scooped up by a quantum "miner= +." But unfortunately it's not that simple. If I had a powerful qua= +ntum computer, which coins would I target? I'd go to the Bitcoin rich l= +ist and find the wallets that have exposed their public keys due to re-usin= +g addresses that have previously been spent from. You can easily find them = +at <a rel=3D"noreferrer nofollow noopener" href=3D"https://bitinfocharts.co= +m/top-100-richest-bitcoin-addresses.html" target=3D"_blank" data-saferedire= +cturl=3D"https://www.google.com/url?hl=3Den&q=3Dhttps://bitinfocharts.c= +om/top-100-richest-bitcoin-addresses.html&source=3Dgmail&ust=3D1749= +387599316000&usg=3DAOvVaw1kKsE-BMLVFNYvXG--yjM_">https://bitinfocharts.= +com/top-100-richest-bitcoin-addresses.html</a><br><br>Note that a few of th= +ese wallets, like Bitfinex / Kraken / Tether, would be slightly harder to c= +rack because they are multisig wallets. So a quantum attacker would need to= + reverse engineer 2 keys for Kraken or 3 for Bitfinex / Tether in order to = +spend funds. But many are single signature.<br><br>Point being, it's no= +t only the really old lost BTC that are at risk to a quantum enabled advers= +ary, at least at time of writing. If we add a quantum safe signature scheme= +, we should expect those wallets to be some of the first to upgrade given t= +heir incentives.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"6">The Eth= +ical Dilemma: Quantifying Harm<br></font>Which decision results in the most= + harm?<br><br>By making quantum vulnerable funds unspendable we potentially= + harm some Bitcoin users who were not paying attention and neglected to mig= +rate their funds to a quantum safe locking script. This violates the "= +conservativism" principle stated earlier. On the flip side, we prevent= + those funds plus far more lost funds from falling into the hands of the fe= +w privileged folks who gain early access to quantum computers.<br><br>By le= +aving quantum vulnerable funds available to spend, the same set of users wh= +o would otherwise have funds frozen are likely to see them stolen. And many= + early adopters who lost their keys will eventually see their unreachable f= +unds scooped up by a quantum enabled adversary.<br><br>Imagine, for example= +, being James Howells, who accidentally threw away a hard drive with 8,000 = +BTC on it, currently worth over $600M USD. He has spent a decade trying to = +retrieve it from the landfill where he knows it's buried, but can't= + get permission to excavate. I suspect that, given the choice, he'd pre= +fer those funds be permanently frozen rather than fall into someone else= +9;s possession - I know I would.<br><br>Allowing a quantum computer to acce= +ss lost funds doesn't make those users any worse off than they were bef= +ore, however it <i>would</i>have a negative impact upon everyone who is cur= +rently holding bitcoin.<br><br>It's prudent to expect significant econo= +mic disruption if large amounts of coins fall into new hands. Since a quant= +um computer is going to have a massive up front cost, expect those behind i= +t to desire to recoup their investment. We also know from experience that w= +hen someone suddenly finds themselves in possession of 9+ figures worth of = +highly liquid assets, they tend to diversify into other things by selling.<= +br><br>Allowing quantum recovery of bitcoin is <i>tantamount to wealth redi= +stribution</i>. What we'd be allowing is for bitcoin to be redistribute= +d from those who are ignorant of quantum computers to those who have won th= +e technological race to acquire quantum computers. It's hard to see a b= +right side to that scenario.<br><br><font style=3D"color:rgb(0,0,0)" size= +=3D"6">Is Quantum Recovery Good for Anyone?</font><br><br>Does quantum reco= +very HELP anyone? I've yet to come across an argument that it's a n= +et positive in any way. It certainly doesn't add any security to the ne= +twork. If anything, it greatly decreases the security of the network by all= +owing funds to be claimed by those who did not earn them.<br><br>But wait, = +you may be thinking, wouldn't quantum "miners" have earned th= +eir coins by all the work and resources invested in building a quantum comp= +uter? I suppose, in the same sense that a burglar earns their spoils by the= + resources they invest into surveilling targets and learning the skills nee= +ded to break into buildings. What I say "earned" I mean through p= +roductive mutual trade.<br><br>For example:<br><br>* Investors earn BTC by = +trading for other currencies.<br>* Merchants earn BTC by trading for goods = +and services.<br>* Miners earn BTC by trading thermodynamic security.<br>* = +Quantum miners don't trade anything, they are vampires feeding upon the= + system.<br><br>There's no reason to believe that allowing quantum adve= +rsaries to recover vulnerable bitcoin will be of benefit to anyone other th= +an the select few organizations that win the technological arms race to bui= +ld the first such computers. Probably nation states and/or the top few larg= +est tech companies.<br><br>One could certainly hope that an organization wi= +th quantum supremacy is benevolent and acts in a "white hat" mann= +er to return lost coins to their owners, but that's incredibly optimist= +ic and foolish to rely upon. Such a situation creates an insurmountable eth= +ical dilemma of only recovering lost bitcoin rather than currently owned bi= +tcoin. There's no way to precisely differentiate between the two; anyon= +e can claim to have lost their bitcoin but if they have lost their keys the= +n proving they ever had the keys becomes rather difficult. I imagine that a= +ny such white hat recovery efforts would have to rely upon attestations fro= +m trusted third parties like exchanges.<br><br>Even if the first actor with= + quantum supremacy is benevolent, we must assume the technology could fall = +into adversarial hands and thus think adversarially about the potential wor= +st case outcomes. Imagine, for example, that North Korea continues scooping= + up billions of dollars from hacking crypto exchanges and decides to invest= + some of those proceeds into building a quantum computer for the biggest pa= +yday ever...<br><br><font style=3D"color:rgb(0,0,0)" size=3D"6">Downsides t= +o Allowing Quantum Recovery</font><br>Let's think through an exhaustive= + list of pros and cons for allowing or preventing the seizure of funds by a= + quantum adversary.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"4">Hist= +orical Precedent</font><br>Previous protocol vulnerabilities weren=E2=80=99= +t celebrated as "fair game" but rather were treated as failures t= +o be remediated. Treating quantum theft differently risks rewriting Bitcoin= +=E2=80=99s history as a free-for-all rather than a system that seeks to pro= +tect its users.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"4">Violatio= +n of Property Rights</font><br>Allowing a quantum adversary to take control= + of funds undermines the fundamental principle of cryptocurrency - if you k= +eep your keys in your possession, only you should be able to access your mo= +ney. Bitcoin is built on the idea that private keys secure an individual=E2= +=80=99s assets, and unauthorized access (even via advanced tech) is theft, = +not a legitimate transfer.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"= +4">Erosion of Trust in Bitcoin</font><br>If quantum attackers can exploit v= +ulnerable addresses, confidence in Bitcoin as a secure store of value would= + collapse. Users and investors rely on cryptographic integrity, and widespr= +ead theft could drive adoption away from Bitcoin, destabilizing its ecosyst= +em.<br><br>This is essentially the counterpoint to claiming the burning of = +vulnerable funds is a violation of property rights. While some will certain= +ly see it as such, others will find the apathy toward stopping quantum thef= +t to be similarly concerning.<br><br><font style=3D"color:rgb(0,0,0)" size= +=3D"4">Unfair Advantage</font><br>Quantum attackers, likely equipped with r= +are and expensive technology, would have an unjust edge over regular users = +who lack access to such tools. This creates an inequitable system where onl= +y the technologically elite can exploit others, contradicting Bitcoin=E2=80= +=99s ethos of decentralized power.<br><br>Bitcoin is designed to create an = +asymmetric advantage for DEFENDING one's wealth. It's supposed to b= +e impractically expensive for attackers to crack the entropy and cryptograp= +hy protecting one's coins. But now we find ourselves discussing a situa= +tion where this asymmetric advantage is compromised in favor of a specific = +class of attackers.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"4">Econ= +omic Disruption</font><br>Large-scale theft from vulnerable addresses could= + crash Bitcoin=E2=80=99s price as quantum recovered funds are dumped on exc= +hanges. This would harm all holders, not just those directly targeted, lead= +ing to broader financial chaos in the markets.<br><br><font style=3D"color:= +rgb(0,0,0)" size=3D"4">Moral Responsibility</font><br>Permitting theft via = +quantum computing sets a precedent that technological superiority justifies= + unethical behavior. This is essentially taking a "code is law" s= +tance in which we refuse to admit that both code and laws can be modified t= +o adapt to previously unforeseen situations.<br><br>Burning of coins can ce= +rtainly be considered a form of theft, thus I think it's worth differen= +tiating the two different thefts being discussed:<br><br>1. self-enriching = +& likely malicious<br>2. harm prevention & not necessarily maliciou= +s<br><br>Both options lack the consent of the party whose coins are being b= +urnt or transferred, thus I think the simple argument that theft is immoral= + becomes a wash and it's important to drill down into the details of ea= +ch.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"4">Incentives Drive Sec= +urity</font><br>I can tell you from a decade of working in Bitcoin security= + - the average user is lazy and is a procrastinator. If Bitcoiners are give= +n a "drop dead date" after which they know vulnerable funds will = +be burned, this pressure accelerates the adoption of post-quantum cryptogra= +phy and strengthens Bitcoin long-term. Allowing vulnerable users to delay u= +pgrading indefinitely will result in more laggards, leaving the network mor= +e exposed when quantum tech becomes available.<br><br><font style=3D"color:= +rgb(0,0,0)" size=3D"6">Steel Manning<br></font>Clearly this is a complex an= +d controversial topic, thus it's worth thinking through the opposing ar= +guments.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"4">Protecting Prop= +erty Rights</font><br>Allowing quantum computers to take vulnerable bitcoin= + could potentially be spun as a hard money narrative - we care so greatly a= +bout not violating someone's access to their coins that we allow them t= +o be stolen!<br><br>But I think the flip side to the property rights narrat= +ive is that burning vulnerable coins prevents said property from falling in= +to undeserving hands. If the entire Bitcoin ecosystem just stands around an= +d allows quantum adversaries to claim funds that rightfully belong to other= + users, is that really a "win" in the "protecting property r= +ights" category? It feels more like apathy to me.<br><br>As such, I th= +ink the "protecting property rights" argument is a wash.<br><br><= +font style=3D"color:rgb(0,0,0)" size=3D"4">Quantum Computers Won't Atta= +ck Bitcoin</font><br>There is a great deal of skepticism that sufficiently = +powerful quantum computers will ever exist, so we shouldn't bother prep= +aring for a non-existent threat. Others have argued that even if such a com= +puter was built, a quantum attacker would not go after bitcoin because they= + wouldn't want to reveal their hand by doing so, and would instead atta= +ck other infrastructure.<br><br>It's quite difficult to quantify exactl= +y how valuable attacking other infrastructure would be. It also really depe= +nds upon when an entity gains quantum supremacy and thus if by that time mo= +st of the world's systems have already been upgraded. While I think you= + could argue that certain entities gaining quantum capability might not att= +ack Bitcoin, it would only delay the inevitable - eventually somebody will = +achieve the capability who decides to use it for such an attack.<br><br><fo= +nt style=3D"color:rgb(0,0,0)" size=3D"4">Quantum Attackers Would Only Steal= + Small Amounts</font><br>Some have argued that even if a quantum attacker t= +argeted bitcoin, they'd only go after old, likely lost P2PK outputs so = +as to not arouse suspicion and cause a market panic.<br><br>I'm not so = +sure about that; why go after 50 BTC at a time when you could take 250,000 = +BTC with the same effort as 50 BTC? This is a classic "zero day exploi= +t" game theory in which an attacker knows they have a limited amount o= +f time before someone else discovers the exploit and either benefits from i= +t or patches it. Take, for example, the recent ByBit attack - the highest v= +alue crypto hack of all time. Lazarus Group had compromised the Safe wallet= + front end JavaScript app and they could have simply had it reassign owners= +hip of everyone's Safe wallets as they were interacting with their wall= +et. But instead they chose to only specifically target ByBit's wallet w= +ith $1.5 billion in it because they wanted to maximize their extractable va= +lue. If Lazarus had started stealing from every wallet, they would have bee= +n discovered quickly and the Safe web app would likely have been patched we= +ll before any billion dollar wallets executed the malicious code.<br><br>I = +think the "only stealing small amounts" argument is strongest for= + Situation #2 described earlier, where a quantum attacker arrives before qu= +antum safe cryptography has been deployed across the Bitcoin ecosystem. Bec= +ause if it became clear that Bitcoin's cryptography was broken AND ther= +e was nowhere safe for vulnerable users to migrate, the only logical option= + would be for everyone to liquidate their bitcoin as quickly as possible. A= +s such, I don't think it applies as strongly for situations in which we= + have a migration path available.<br><br><font style=3D"color:rgb(0,0,0)" s= +ize=3D"4">The 21 Million Coin Supply Should be in Circulation</font><br>Som= +e folks are arguing that it's important for the "circulating / spe= +ndable" supply to be as close to 21M as possible and that having a sig= +nificant portion of the supply out of circulation is somehow undesirable.<b= +r><br>While the "21M BTC" attribute is a strong memetic narrative= +, I don't think anyone has ever expected that it would all be in circul= +ation. It has always been understood that many coins will be lost, and that= +'s actually part of the game theory of owning bitcoin!<br><br>And remem= +ber, the 21M number in and of itself is not a particularly important detail= + - it's not even mentioned in the whitepaper. What's important is t= +hat the supply is well known and not subject to change.<br><br><font style= +=3D"color:rgb(0,0,0)" size=3D"4">Self-Sovereignty and Personal Responsibili= +ty</font><br>Bitcoin=E2=80=99s design empowers individuals to control their= + own wealth, free from centralized intervention. This freedom comes with th= +e burden of securing one's private keys. If quantum computing can break= + obsolete cryptography, the fault lies with users who didn't move their= + funds to quantum safe locking scripts. Expecting the network to shield use= +rs from their own negligence undermines the principle that you, and not a t= +hird party, are accountable for your assets.<br><br>I think this is general= +ly a fair point that "the community" doesn't owe you anything= + in terms of helping you. I think that we do, however, need to consider the= + incentives and game theory in play with regard to quantum safe Bitcoiners = +vs quantum vulnerable Bitcoiners. More on that later.<br><br><font style=3D= +"color:rgb(0,0,0)" size=3D"4">Code is Law</font><br>Bitcoin operates on tra= +nsparent, immutable rules embedded in its protocol. If a quantum attacker u= +ses superior technology to derive private keys from public keys, they=E2=80= +=99re not "hacking" the system - they're simply following wha= +t's mathematically permissible within the current code. Altering the pr= +otocol to stop this introduces subjective human intervention, which clashes= + with the objective, deterministic nature of blockchain.<br><br>While I ten= +d to agree that code is law, one of the entire points of laws is that they = +can be amended to improve their efficacy in reducing harm. Leaning on this = +point seems more like a pro-ossification stance that it's better to do = +nothing and allow harm to occur rather than take action to stop an attack t= +hat was foreseen far in advance.<br><br><font style=3D"color:rgb(0,0,0)" si= +ze=3D"4">Technological Evolution as a Feature, Not a Bug</font><br>It's= + well known that cryptography tends to weaken over time and eventually brea= +k. Quantum computing is just the next step in this progression. Users who f= +ail to adapt (e.g., by adopting quantum-resistant wallets when available) a= +re akin to those who ignored technological advancements like multisig or ha= +rdware wallets. Allowing quantum theft incentivizes innovation and keeps Bi= +tcoin=E2=80=99s ecosystem dynamic, punishing complacency while rewarding vi= +gilance.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"4">Market Signals = +Drive Security</font><br>If quantum attackers start stealing funds, it send= +s a clear signal to the market: upgrade your security or lose everything. T= +his pressure accelerates the adoption of post-quantum cryptography and stre= +ngthens Bitcoin long-term. Coddling vulnerable users delays this necessary = +evolution, potentially leaving the network more exposed when quantum tech b= +ecomes widely accessible. Theft is a brutal but effective teacher.<br><br><= +font style=3D"color:rgb(0,0,0)" size=3D"4">Centralized Blacklisting Power</= +font><br>Burning vulnerable funds requires centralized decision-making - a = +soft fork to invalidate certain transactions. This sets a dangerous precede= +nt for future interventions, eroding Bitcoin=E2=80=99s decentralization. If= + quantum theft is blocked, what=E2=80=99s next - reversing exchange hacks? = +The system must remain neutral, even if it means some lose out.<br><br>I th= +ink this could be a potential slippery slope if the proposal was to only bu= +rn specific addresses. Rather, I'd expect a neutral proposal to burn al= +l funds in locking script types that are known to be quantum vulnerable. Th= +us, we could eliminate any subjectivity from the code.<br><br><font style= +=3D"color:rgb(0,0,0)" size=3D"4">Fairness in Competition</font><br>Quantum = +attackers aren't cheating; they're using publicly available physics= + and math. Anyone with the resources and foresight can build or access quan= +tum tech, just as anyone could mine Bitcoin in 2009 with a CPU. Early adopt= +ers took risks and reaped rewards; quantum innovators are doing the same. C= +alling it =E2=80=9Cunfair=E2=80=9D ignores that Bitcoin has never promised = +equality of outcome - only equality of opportunity within its rules.<br><br= +>I find this argument to be a mischaracterization because we're not tal= +king about CPUs. This is more akin to talking about ASICs, except each ASIC= + costs millions if not billions of dollars. This is out of reach from all b= +ut the wealthiest organizations.<br><br><font style=3D"color:rgb(0,0,0)" si= +ze=3D"4">Economic Resilience</font><br>Bitcoin has weathered thefts before = +(MTGOX, Bitfinex, FTX, etc) and emerged stronger. The market can absorb qua= +ntum losses, with unaffected users continuing to hold and new entrants buyi= +ng in at lower prices. Fear of economic collapse overestimates the impact -= + the network=E2=80=99s antifragility thrives on such challenges.<br><br>Thi= +s is a big grey area because we don't know when a quantum computer will= + come online and we don't know how quickly said computers would be able= + to steal bitcoin. If, for example, the first generation of sufficiently po= +werful quantum computers were stealing less volume than the current block r= +eward then of course it will have minimal economic impact. But if they'= +re taking thousands of BTC per day and bringing them back into circulation,= + there will likely be a noticeable market impact as it absorbs the new supp= +ly.<br><br>This is where the circumstances will really matter. If a quantum= + attacker appears AFTER the Bitcoin protocol has been upgraded to support q= +uantum resistant cryptography then we should expect the most valuable activ= +e wallets will have upgraded and the juiciest target would be the 31,000 BT= +C in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant = +since 2010. In general I'd expect that the amount of BTC re-entering th= +e circulating supply would look somewhat similar to the mining emission cur= +ve: volume would start off very high as the most valuable addresses are dra= +ined and then it would fall off as quantum computers went down the list tar= +geting addresses with less and less BTC.<br><br>Why is economic impact a fa= +ctor worth considering? Miners and businesses in general. More coins being = +liquidated will push down the price, which will negatively impact miner rev= +enue. Similarly, I can attest from working in the industry for a decade, th= +at lower prices result in less demand from businesses across the entire ind= +ustry. As such, burning quantum vulnerable bitcoin is good for the entire i= +ndustry.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"4">Practicality &a= +mp; Neutrality of Non-Intervention</font><br>There=E2=80=99s no reliable wa= +y to distinguish =E2=80=9Ctheft=E2=80=9D from legitimate "white hat&qu= +ot; key recovery. If someone loses their private key and a quantum computer= + recovers it, is that stealing or reclaiming? Policing quantum actions requ= +ires invasive assumptions about intent, which Bitcoin=E2=80=99s trustless d= +esign can=E2=80=99t accommodate. Letting the chips fall where they may avoi= +ds this mess.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"4">Philosophi= +cal Purity</font><br>Bitcoin rejects bailouts. It=E2=80=99s a cold, hard sy= +stem where outcomes reflect preparation and skill, not sentimentality. If q= +uantum computing upends the game, that=E2=80=99s the point - Bitcoin isn=E2= +=80=99t meant to be safe or fair in a nanny-state sense; it=E2=80=99s meant= + to be free. Users who lose funds to quantum attacks are casualties of libe= +rty and their own ignorance, not victims of injustice.<br><br><font style= +=3D"color:rgb(0,0,0)" size=3D"6">Bitcoin's DAO Moment</font><br>This si= +tuation has some similarities to The DAO hack of an Ethereum smart contract= + in 2016, which resulted in a fork to stop the attacker and return funds to= + their original owners. The game theory is similar because it's a situa= +tion where a threat is known but there's some period of time before the= + attacker can actually execute the theft. As such, there's time to miti= +gate the attack by changing the protocol.<br><br>It also created a schism i= +n the community around the true meaning of "code is law," resulti= +ng in Ethereum Classic, which decided to allow the attacker to retain contr= +ol of the stolen funds.<br><br>A soft fork to burn vulnerable bitcoin could= + certainly result in a hard fork if there are enough miners who reject the = +soft fork and continue including transactions.<br><br><font style=3D"color:= +rgb(0,0,0)" size=3D"6">Incentives Matter</font><br>We can wax philosophical= + until the cows come home, but what are the actual incentives for existing = +Bitcoin holders regarding this decision?<br><br><blockquote class=3D"gmail_= +quote" style=3D"margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color= +:rgb(204,204,204)">"Lost coins only make everyone else's coins wor= +th slightly more. Think of it as a donation to everyone." - Satoshi Na= +kamoto</blockquote><br>If true, the corollary is:<br><br><blockquote class= +=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;padding-left:1ex;border-= +left-color:rgb(204,204,204)">"Quantum recovered coins only make everyo= +ne else's coins worth less. Think of it as a theft from everyone."= + - Jameson Lopp</blockquote><br>Thus, assuming we get to a point where quan= +tum resistant signatures are supported within the Bitcoin protocol, what= +9;s the incentive to let vulnerable coins remain spendable?<br><br>* It'= +;s not good for the actual owners of those coins. It disincentivizes owners= + from upgrading until perhaps it's too late.<br>* It's not good for= + the more attentive / responsible owners of coins who have quantum secured = +their stash. Allowing the circulating supply to balloon will assuredly redu= +ce the purchasing power of all bitcoin holders.<br><br><font style=3D"color= +:rgb(0,0,0)" size=3D"6">Forking Game Theory</font><br>From a game theory po= +int of view, I see this as incentivizing users to upgrade their wallets. If= + you disagree with the burning of vulnerable coins, all you have to do is m= +ove your funds to a quantum safe signature scheme. Point being, I don't= + see there being an economic majority (or even more than a tiny minority) o= +f users who would fight such a soft fork. Why expend significant resources = +fighting a fork when you can just move your coins to a new address?<br><br>= +Remember that blocking spending of certain classes of locking scripts is a = +tightening of the rules - a soft fork. As such, it can be meaningfully enac= +ted and enforced by a mere majority of hashpower. If miners generally agree= + that it's in their best interest to burn vulnerable coins, are other u= +sers going to care enough to put in the effort to run new node software tha= +t resists the soft fork? Seems unlikely to me.<br><br><font style=3D"color:= +rgb(0,0,0)" size=3D"6">How to Execute Burning</font><br>In order to be as o= +bjective as possible, the goal would be to announce to the world that after= + a specific block height / timestamp, Bitcoin nodes will no longer accept t= +ransactions (or blocks containing such transactions) that spend funds from = +any scripts other than the newly instituted quantum safe schemes.<br><br>It= + could take a staggered approach to first freeze funds that are susceptible= + to long-range attacks such as those in P2PK scripts or those that exposed = +their public keys due to previously re-using addresses, but I expect the ad= +ditional complexity would drive further controversy.<br><br>How long should= + the grace period be in order to give the ecosystem time to upgrade? I'= +d say a minimum of 1 year for software wallets to upgrade. We can only hope= + that hardware wallet manufacturers are able to implement post quantum cryp= +tography on their existing hardware with only a firmware update.<br><br>Bey= +ond that, it will take at least 6 months worth of block space for all users= + to migrate their funds, even in a best case scenario. Though if you exclud= +e dust UTXOs you could probably get 95% of BTC value migrated in 1 month. O= +f course this is a highly optimistic situation where everyone is completely= + focused on migrations - in reality it will take far longer.<br><br>Regardl= +ess, I'd think that in order to reasonably uphold Bitcoin's conserv= +atism it would be preferable to allow a 4 year migration window. In the mea= +ntime, mining pools could coordinate emergency soft forking logic such that= + if quantum attackers materialized, they could accelerate the countdown to = +the quantum vulnerable funds burn.<br><br><font style=3D"color:rgb(0,0,0)" = +size=3D"6">Random Tangential Benefits</font><br>On the plus side, burning a= +ll quantum vulnerable bitcoin would allow us to prune all of those UTXOs ou= +t of the UTXO set, which would also clean up a lot of dust. Dust UTXOs are = +a bit of an annoyance and there has even been a recent proposal for how to = +incentivize cleaning them up.<br><br>We should also expect that incentivizi= +ng migration of the entire UTXO set will create substantial demand for bloc= +k space that will sustain a fee market for a fairly lengthy amount of time.= +<br><br><font style=3D"color:rgb(0,0,0)" size=3D"6">In Summary</font><br>Wh= +ile the moral quandary of violating any of Bitcoin's inviolable propert= +ies can make this a very complex issue to discuss, the game theory and ince= +ntives between burning vulnerable coins versus allowing them to be claimed = +by entities with quantum supremacy appears to be a much simpler issue.<br><= +br>I, for one, am not interested in rewarding quantum capable entities by i= +nflating the circulating money supply just because some people lost their k= +eys long ago and some laggards are not upgrading their bitcoin wallet's= + security.<br><br>We can hope that this scenario never comes to pass, but h= +ope is not a strategy.<br><br>I welcome your feedback upon any of the above= + points, and contribution of any arguments I failed to consider.</div></div= +><div><br></div>-- <br>You received this message because you are subscribed= + to the Google Groups "Bitcoin Development Mailing List" group.<b= +r>To unsubscribe from this group and stop receiving emails from it, send an= + email to <a rel=3D"noreferrer nofollow noopener" href data-email-masked>bi= +tcoindev+...@googlegroups.com</a>.<br>To view this discussion visit <a rel= +=3D"noreferrer nofollow noopener" href=3D"https://groups.google.com/d/msgid= +/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40m= +ail.gmail.com" target=3D"_blank" data-saferedirecturl=3D"https://www.google= +.com/url?hl=3Den&q=3Dhttps://groups.google.com/d/msgid/bitcoindev/CADL_= +X_cF%253DUKVa7CitXReMq8nA_4RadCF%253D%253DkU4YG%252B0GYN97P6hQ%2540mail.gma= +il.com&source=3Dgmail&ust=3D1749387599317000&usg=3DAOvVaw1nWmtN= +HWj25mhraYVZS_Xy">https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3D= +UKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com</a>.</div>= +</blockquote></div><div dir=3D"ltr"></div></div></div></div> + +<p></p> + +-- <br> +You received this message because you are subscribed to the Google Groups &= +quot;Bitcoin Development Mailing List" group.<br> +To unsubscribe from this group and stop receiving emails from it, send an e= +mail to <a rel=3D"noreferrer nofollow noopener" href data-email-masked>bitc= +oindev+...@googlegroups.com</a>.<br> +To view this discussion visit <a rel=3D"noreferrer nofollow noopener" href= +=3D"https://groups.google.com/d/msgid/bitcoindev/E8269A1A-1899-46D2-A7CD-4D= +9D2B732364%40astrotown.de" target=3D"_blank" data-saferedirecturl=3D"https:= +//www.google.com/url?hl=3Den&q=3Dhttps://groups.google.com/d/msgid/bitc= +oindev/E8269A1A-1899-46D2-A7CD-4D9D2B732364%2540astrotown.de&source=3Dg= +mail&ust=3D1749387599317000&usg=3DAOvVaw2PR2vuTOZH_Ek_t4GgnuJJ">htt= +ps://groups.google.com/d/msgid/bitcoindev/E8269A1A-1899-46D2-A7CD-4D9D2B732= +364%40astrotown.de</a>.</blockquote></div></div></blockquote></div><div><bl= +ockquote type=3D"cite"><div dir=3D"ltr"><div class=3D"gmail_quote"><blockqu= +ote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left-wid= +th:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,2= +04,204)"><br> +</blockquote></div></div> + +<p></p> + +-- <br> +You received this message because you are subscribed to the Google Groups &= +quot;Bitcoin Development Mailing List" group.<br> +To unsubscribe from this group and stop receiving emails from it, send an e= +mail to <a rel=3D"noreferrer nofollow noopener" href data-email-masked>bitc= +oindev+...@googlegroups.com</a>.<br> +To view this discussion visit <a rel=3D"noreferrer nofollow noopener" href= +=3D"https://groups.google.com/d/msgid/bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br= +6mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg%40mail.gmail.com" target=3D"_blank" data-sa= +feredirecturl=3D"https://www.google.com/url?hl=3Den&q=3Dhttps://groups.= +google.com/d/msgid/bitcoindev/CAJDmzYxw%252BmXQKjS%252Bh%252Br6mCoe1rwWUpa_= +yZDwmwx6U_eO5JhZLg%2540mail.gmail.com&source=3Dgmail&ust=3D17493875= +99317000&usg=3DAOvVaw0HJzgCo9hLdARu_fL6UDUf">https://groups.google.com/= +d/msgid/bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br6mCoe1rwWUpa_yZDwmwx6U_eO5JhZL= +g%40mail.gmail.com</a>.<br> + + </blockquote><br> + </div> + +<p></p> + +-- <br> +You received this message because you are subscribed to the Google Groups &= +quot;Bitcoin Development Mailing List" group.<br> +To unsubscribe from this group and stop receiving emails from it, send an e= +mail to <a rel=3D"noreferrer nofollow noopener" href data-email-masked>bitc= +oindev+...@googlegroups.com</a>.<br> +To view this discussion visit <a rel=3D"noreferrer nofollow noopener" href= +=3D"https://groups.google.com/d/msgid/bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvf= +XniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXL= +miCJOY%3D%40proton.me" target=3D"_blank" data-saferedirecturl=3D"https://ww= +w.google.com/url?hl=3Den&q=3Dhttps://groups.google.com/d/msgid/bitcoind= +ev/zyx7G6H1TyB2sWVEKAfIYmCCvfXniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuHMjjw8Ras= +O7c3ZX46_6Nerv0SgCP0vOi5_nAXLmiCJOY%253D%2540proton.me&source=3Dgmail&a= +mp;ust=3D1749387599317000&usg=3DAOvVaw1WeDdjOHiNYWK_U17-OcRr">https://g= +roups.google.com/d/msgid/bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvfXniazvrhGlaZu= +GLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXLmiCJOY%3D%40p= +roton.me</a>.<br> +</blockquote></div></div> +</blockquote></div> + +<p></p> + +-- <br> +You received this message because you are subscribed to the Google Groups &= +quot;Bitcoin Development Mailing List" group.<br> +To unsubscribe from this group and stop receiving emails from it, send an e= +mail to <a href rel=3D"noreferrer nofollow noopener" data-email-masked>bitc= +oindev+...@googlegroups.com</a>.<br></blockquote></div></div><div style=3D"= +font-family:Arial,sans-serif;font-size:14px"><div><blockquote type=3D"cite"= +> +To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/= +bitcoindev/CAJDmzYycnXODG_e9ATqTkooUu3C-RS703P1-RQLW5CdcCehsqg%40mail.gmail= +.com" rel=3D"noreferrer nofollow noopener" target=3D"_blank" data-saferedir= +ecturl=3D"https://www.google.com/url?hl=3Den&q=3Dhttps://groups.google.= +com/d/msgid/bitcoindev/CAJDmzYycnXODG_e9ATqTkooUu3C-RS703P1-RQLW5CdcCehsqg%= +2540mail.gmail.com&source=3Dgmail&ust=3D1749387599317000&usg=3D= +AOvVaw20sKcGYqK1w1lbqEinULpJ">https://groups.google.com/d/msgid/bitcoindev/= +CAJDmzYycnXODG_e9ATqTkooUu3C-RS703P1-RQLW5CdcCehsqg%40mail.gmail.com</a>.<b= +r> + + </blockquote><br> + </div></div></blockquote></div> + +<p></p> + +-- <br /> +You received this message because you are subscribed to the Google Groups &= +quot;Bitcoin Development Mailing List" group.<br /> +To unsubscribe from this group and stop receiving emails from it, send an e= +mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind= +ev+unsubscribe@googlegroups.com</a>.<br /> +To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/= +bitcoindev/893891ea-34ec-4d60-9941-9f636be0d747n%40googlegroups.com?utm_med= +ium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/msgid/bitcoind= +ev/893891ea-34ec-4d60-9941-9f636be0d747n%40googlegroups.com</a>.<br /> + +------=_Part_18011_501201720.1749302913697-- + +------=_Part_18010_831844196.1749302913697-- + |