Date: Tue, 12 Aug 2025 15:47:13 -0700 (PDT)
From: "'Bitcoin Foundation' via Bitcoin Development Mailing List" <bitcoindev@googlegroups.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] Re: [Draft BIP] Quantum-Resistant Transition
 Framework for Bitcoin

Dear ArmchairCryptologist,

We appreciate your engagement with our quantum resistance proposal.
Let us address your points with additional technical context:


*NIST Reference Documentation*
The referenced blog post includes a link to NIST Internal Report 8547
(Initial Public Draft) [0], which offers critical guidance regarding the
migration to post-quantum cryptographic standards. We strongly recommend
thorough review of this document by all stakeholders evaluating
quantum-resistant solutions.


*Pre-Quantum UTXO Sunset Policy*
Regarding the migration of pre-quantum UTXOs:

   - Our current draft proposes freezing these outputs around 2033
   - This timeline appears in the "Migration Path: Phased Implementation"
   section (https://quantum-resistant-bitcoin.bitcoin.foundation)
   - We explicitly designed this as an adjustable parameter
   - Based on community feedback, we're prepared to extend this sunset
   period beyond 2035

The proposed recovery mechanism provides optional pathways for legacy UTXOs
while maintaining network security.

We remain open to community input regarding the sunset period for
pre-quantum UTXOs. The current 2033 (block 1,327,121) proposal aligns
conservatively with NIST's recommendation to deprecate ECDSA by 2035 [0],
though we acknowledge reasonable arguments exist for adjusting this
timeline.

[0]: https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf

On Tuesday, August 12, 2025 at 11:04:32 AM UTC+2 ArmchairCryptologist wrote:

>
> > An astute observation. To clarify the quantum computing landscape:
> > Google's current quantum processors do not possess 50 logical qubits, and
> > even if they did, this would be insufficient to compromise ECDSA - let
> > alone RSA-2048, which would require approximately 20 million noisy
> > physical qubits for successful cryptanalysis [0].
>
>
> That paper is pretty old. There is a recent paper from a couple of months
> ago by the same author (Craig Gidney from Google Quantum AI) claiming
> that you could break RSA-2048 with around a million noisy qubits in about a
> week.
>
> Paper: https://arxiv.org/pdf/2505.15917
> Blog post: https://security.googleblog.com/2025/05/tracking-cost-of-quantum-factori.html
>
> I can't say for sure whether this approach can be applied to ECDSA; I have
> seen claims before that it has less quantum resistance than RSA-2048, but
> I'm unsure if this is still considered to be the case. And while these
> papers are of course largely theoretical in nature since nothing close to
> the required amount of qubits exists at this point, I haven't seen anyone
> refute these claims at this point. There is still no hard evidence I'm aware
> of that a quantum computer capable of breaking ECDSA is inevitable, but
> given the rate of development, there could be some cause of concern.
>
> Getting post-quantum addresses designed, implemented and activated by 2030
> in accordance with the recommendations in this paper seems prudent to me,
> if this is at all possible. Deactivating inactive pre-quantum UTXOs with
> exposed public keys by 2035 should certainly be considered. But I still
> don't feel like deactivating pre-quantum UTXOs without exposed public keys
> in general is warranted, at least until a quantum computer capable of
> breaking public keys in the short time between they are broadcast and
> included in a block is known to exist - and even then, only if some
> scheme could be devised that still allows spending them using some
> additional cryptographic proof of ownership, ZKP or otherwise.
>
> --
> Best,
> ArmchairCryptologist
>
