Date: Tue, 12 Aug 2025 15:47:13 -0700 (PDT)
From: "'Bitcoin Foundation' via Bitcoin Development Mailing List"
To: Bitcoin Development Mailing List
Subject: Re: [bitcoindev] Re: [Draft BIP] Quantum-Resistant Transition Framework for Bitcoin

Dear ArmchairCryptologist,

We appreciate your engagement with our quantum resistance proposal.
Let us address your points with additional technical context:

*NIST Reference Documentation*

The referenced blog post includes a link to NIST Internal Report 8547
(Initial Public Draft) [0], which offers critical guidance regarding the
migration to post-quantum cryptographic standards. We strongly recommend
thorough review of this document by all stakeholders evaluating
quantum-resistant solutions.

*Pre-Quantum UTXO Sunset Policy*

Regarding the migration of pre-quantum UTXOs:

   - Our current draft proposes freezing these outputs around 2033
   - This timeline appears in the "Migration Path: Phased Implementation"
     section (https://quantum-resistant-bitcoin.bitcoin.foundation)
   - We explicitly designed this as an adjustable parameter
   - Based on community feedback, we're prepared to extend this sunset
     period beyond 2035

The proposed recovery mechanism provides optional pathways for legacy UTXOs
while maintaining network security.

We remain open to community input regarding the sunset period for
pre-quantum UTXOs. The current 2033 (block 1,327,121) proposal aligns
conservatively with NIST's recommendation to deprecate ECDSA by 2035 [0],
though we acknowledge reasonable arguments exist for adjusting this
timeline.

[0]: https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf

On Tuesday, August 12, 2025 at 11:04:32 AM UTC+2 ArmchairCryptologist wrote:

> > An astute observation. To clarify the quantum computing landscape:
> > Google's current quantum processors do not possess 50 logical qubits, and
> > even if they did, this would be insufficient to compromise ECDSA - let
> > alone RSA-2048, which would require approximately 20 million noisy physical
> > qubits for successful cryptanalysis [0].
>
> That paper is pretty old. There is a recent paper from a couple of months
> ago by the same author (Craig Gidney from Google Quantum AI) claiming
> that you could break RSA-2048 with around a million noisy qubits in about a
> week.
>
> Paper: https://arxiv.org/pdf/2505.15917
> Blog post:
> https://security.googleblog.com/2025/05/tracking-cost-of-quantum-factori.html
>
> I can't say for sure whether this approach can be applied to ECDSA; I have
> seen claims before that it has less quantum resistance than RSA-2048, but
> I'm unsure if this is still considered to be the case. And while these
> papers are of course largely theoretical in nature since nothing close to
> the required amount of qubits exists at this point, I haven't seen anyone
> refute these claims at this point. There is still no hard evidence I'm aware
> of that a quantum computer capable of breaking ECDSA is inevitable, but
> given the rate of development, there could be some cause of concern.
>
> Getting post-quantum addresses designed, implemented and activated by 2030
> in accordance with the recommendations in this paper seems prudent to me,
> if this is at all possible. Deactivating inactive pre-quantum UTXOs with
> exposed public keys by 2035 should certainly be considered. But I still
> don't feel like deactivating pre-quantum UTXOs without exposed public keys
> in general is warranted, at least until a quantum computer capable of
> breaking public keys in the short time between when they are broadcast and
> included in a block is known to exist - and even then, only if some
> scheme could be devised that still allows spending them using some
> additional cryptographic proof of ownership, ZKP or otherwise.
>
> --
> Best,
> ArmchairCryptologist
