Date: Wed, 19 Feb 2025 17:56:07 +0000
To: Hunter Beast
From: Pieter Wuille
Cc: Bitcoin Development Mailing List
Subject: Re: [bitcoindev] Proposal for Quantum-Resistant Address Migration Protocol (QRAMP) BIP

On Wednesday, February 19th, 2025 at 11:06 AM, Hunter Beast wrote:

> I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation.

Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking(*) out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone; even those who diligently moved their coins to PQC-protected schemes.

> Also, I don't see the urgency, considering the majority of coins are in either P2PKH, P2WPKH, P2SH, and P2WSH addresses. If PQC signatures aren't added, such as with BIP-360, there will be some concern around long exposure attacks on P2TR coins.

There were literally millions of BTC locked in outputs whose public keys are already known to the public, long before P2TR. Either because they're in P2PK outputs, because they're in hashed addresses which have been reused and already used for spending, or because they've been spent in forked chains. There are likely substantially more BTC in outputs whose public keys are known to multiple parties (multisig, lightning channels, escrow services, ...) but not to the entire world.

I certainly agree there is no urgency right now, but if (and only if) cryptography-breaking QCs become a reality, the ecosystem has no choice but disabling(*) the spending of coins through schemes that become broken, and needs to have done so before such a machine exists.

(*) There may exist ways of retaining the ability to spend coins in vulnerable schemes, if they involve a PQC proof of knowledge of some additional secret, e.g. the xprv the key was derived with. It's a significant complication, and not applicable to everything, but might be an option.

-- 
Pieter
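Added example (not part of the message above and not code from any Bitcoin project): a small Python audit that sorts outputs into the exposure classes the thread distinguishes, namely keys visible in the output itself (P2PK, P2TR), hashed outputs whose key or script was already revealed by an earlier spend, and hashed outputs that are still hidden. The sample outputs, amounts and the SPENT_BEFORE set are constructed placeholders; keys known only through forked chains or to multiple parties are not modelled.

```python
from collections import defaultdict

def classify(spk: bytes) -> str:
    """Identify the standard output template of a scriptPubKey."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK"                      # <pubkey> OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "P2PKH"
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22] == 0x87:
        return "P2SH"
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH"
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH"
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR"
    return "other"

def exposure(spk: bytes, spent_before: set) -> str:
    """Say how the spending key of this output is (or is not) already public."""
    kind = classify(spk)
    if kind in ("P2PK", "P2TR"):
        return "key-in-output"             # public key is part of the output itself
    if kind == "other":
        return "unknown"
    # Hashed templates hide the key or script until a first spend reveals it.
    return "revealed-by-reuse" if spk in spent_before else "hashed"

def tally(utxos, spent_before):
    """Sum satoshi amounts per exposure class."""
    totals = defaultdict(int)
    for spk, sats in utxos:
        totals[exposure(spk, spent_before)] += sats
    return dict(totals)

# Constructed sample data: placeholder key and hash bytes, not real outputs.
P2PK = bytes([0x41]) + b"\x04" + b"\x11" * 64 + b"\xac"
P2PKH_A = b"\x76\xa9\x14" + b"\xaa" * 20 + b"\x88\xac"
P2PKH_B = b"\x76\xa9\x14" + b"\xbb" * 20 + b"\x88\xac"
P2WPKH = b"\x00\x14" + b"\xcc" * 20
P2TR = b"\x51\x20" + b"\xdd" * 32
UTXOS = [(P2PK, 5_000_000_000), (P2PKH_A, 120_000), (P2PKH_B, 80_000),
         (P2WPKH, 30_000), (P2TR, 10_000)]
SPENT_BEFORE = {P2PKH_B}   # assumption: this script has already signed a spend

if __name__ == "__main__":
    for label, sats in sorted(tally(UTXOS, SPENT_BEFORE).items()):
        print(f"{label:18} {sats:>13} sat")
```

In a real audit the spent_before set would be built from the scriptPubKeys of all previously spent outputs in the chain being examined.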