path: root/1e/a31f3f7d8b96f9eae1403ba36dd79fb9479d8d

Delivery-date: Sat, 07 Jun 2025 06:55:16 -0700
Received: from mail-yb1-f187.google.com ([209.85.219.187])
	by mail.fairlystable.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <bitcoindev+bncBDI23FE35EIBBNEJSHBAMGQEAHDSGAQ@googlegroups.com>)
	id 1uNu0t-0001jm-UW
	for bitcoindev@gnusha.org; Sat, 07 Jun 2025 06:55:16 -0700
Received: by mail-yb1-f187.google.com with SMTP id 3f1490d57ef6-e812e1573ecsf3222588276.2
        for <bitcoindev@gnusha.org>; Sat, 07 Jun 2025 06:55:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlegroups.com; s=20230601; t=1749304506; x=1749909306; darn=gnusha.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-sender:mime-version
         :subject:references:in-reply-to:message-id:to:from:date:sender:from
         :to:cc:subject:date:message-id:reply-to;
        bh=9up5hq4lJvtrJoktHUw8WLn/9puCsIJYdju6zi1b7nA=;
        b=RkUlEpHFre0+3f82GTZxk6/rFrd9RLtd3Y/hH07LsiL+RHBUVzjCkDOacnKUyUak9U
         /1Mfm68izCtNN3Hd+j6rwsMVLWRr6f+HmBvCjTag6NE5TvF+K7h4v7ln8069pAPkLV5I
         3OUBUirsoMNApI4C0HWNvy/Yw8Fn3rdTZPcgadvvHArvcVDeD9aeDnkigFPiHAqO3sks
         3Wa5u2ob0sXtRQmWPQ6A96Hi/vX2a5Xlo7h+hj8PvLcK/AEmMRKGLdqhg8SaBQdX98de
         EJaqKOqg9ZwWoc47z4P6xhiuuH/CNE5ze8Wnj1GwGRI+CgsePe3Pg3fYe08EW1+pNAy1
         8FaQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1749304506; x=1749909306; darn=gnusha.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-sender:mime-version
         :subject:references:in-reply-to:message-id:to:from:date:from:to:cc
         :subject:date:message-id:reply-to;
        bh=9up5hq4lJvtrJoktHUw8WLn/9puCsIJYdju6zi1b7nA=;
        b=aeVjJaJ65W0ngv2oiSM35+bPvzZXKfLmVCCY+5st+PRhm74xvfpG1slgse9E2luQjP
         KfR9MllX92bbd9sGqfL2ZrmotRegSrXNp2xNBGcHB8o5NwusTw2VJ5hwmmhKDWDG4Qxp
         xtVaADjsDu71tploQB9cMQEMGIUGoITvGcRlW0CIOsaGcL7h9V/G9Ns3viX+BISDwrkQ
         7D6Azg4wrfwBKOCBwqaGt7QZPtr9HRjckfccQ+ePRatoHZaMvYAHjsGCPJflBQLy5QCl
         a/3QwZhm7WNYXgPDXX6dSkSuGYj75nf9xu8X307kKes9CL9aJU52iAchNvH4zLBFwEXh
         3g3w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1749304506; x=1749909306;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-sender:mime-version
         :subject:references:in-reply-to:message-id:to:from:date:x-beenthere
         :x-gm-message-state:sender:from:to:cc:subject:date:message-id
         :reply-to;
        bh=9up5hq4lJvtrJoktHUw8WLn/9puCsIJYdju6zi1b7nA=;
        b=gvUm7rz99Lo/Y53SAfLQuPdjcHaH2ys7OjygBnD6F37/tfihbvi9Q/nI4e5OjkzVl2
         W1JNmxGH2idLB5/wTNsp7WpLdeoHtCefQyDEib4Lzz5SSRl8EJ/V58sDPkUgQtcD7d4p
         HX/u0bzNZd+g4LFm+4t9jGrMus2/UdR9SVOcplKB70RfPOHEI42T6/UAUVwRHuhJb0Ss
         E/H8U1bm0n5i9CLM8GQuh13tZPq14pP+IsZtmpMeRFKE58kMutGjCnAToJgnuS8lq5/n
         esC/rXuXq56j46hf7IbpV3C0qMNXSmwizRkzF+2H+xuyneHXfEfpcX14+2xZnSDW5I7e
         3DCg==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=1; AJvYcCVgU7ids4L4BTmyqm2Tb66yAjT+pgUM3kZfwL+rBu2vuDWE04d3dfgoXJ/V5ljk2xtbENbF1fxsEB5M@gnusha.org
X-Gm-Message-State: AOJu0YzeM25xCRvRB9DoqJy4NEUgQJljPbIBJARZ7pGh7+kkweQsDnOx
	4P8UYLvCmE1e+94hcmyTknJKJzjMartI2+UsvsQ0Rpz2KOwHyIgRrOGW
X-Google-Smtp-Source: AGHT+IG2Br0Dp1pOKLfFwUWMTeKH6+g6IvzE/4mD7rSui0geEfrJmG0vbjo4qwNjbdBSmdRy62UWkg==
X-Received: by 2002:a05:6902:c06:b0:e7d:c9f4:ed7b with SMTP id 3f1490d57ef6-e81a227c993mr9757571276.1.1749304505627;
        Sat, 07 Jun 2025 06:55:05 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com; h=AZMbMZfYGfIeHbTj2cq69vkQxDWQrC35RJGZY1av3o+1sp07bg==
Received: by 2002:a25:6953:0:b0:e81:7cf7:5008 with SMTP id 3f1490d57ef6-e8188826eb1ls2611055276.0.-pod-prod-03-us;
 Sat, 07 Jun 2025 06:55:00 -0700 (PDT)
X-Received: by 2002:a05:690c:6c83:b0:6fb:b1dd:a00d with SMTP id 00721157ae682-710f771c5dfmr109416417b3.30.1749304500560;
        Sat, 07 Jun 2025 06:55:00 -0700 (PDT)
Received: by 2002:a05:690c:ed6:b0:70d:e0e5:164f with SMTP id 00721157ae682-710f8f40b91ms7b3;
        Sat, 7 Jun 2025 06:28:35 -0700 (PDT)
X-Received: by 2002:a05:690c:6f0b:b0:6fb:a696:b23b with SMTP id 00721157ae682-710f7739ae2mr99557867b3.33.1749302914045;
        Sat, 07 Jun 2025 06:28:34 -0700 (PDT)
Date: Sat, 7 Jun 2025 06:28:33 -0700 (PDT)
From: waxwing/ AdamISZ <ekaggata@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <893891ea-34ec-4d60-9941-9f636be0d747n@googlegroups.com>
In-Reply-To: <ZVSyhRF6sP5xZxzih0EUn-_35mQxiVXYzrvxZ_Dz7tTygUqTmxxyVhFfXswTUmIquzCR6XNGbgLlNUCkHucTAliQf7aesPZBLRFoceu_9BY=@protonmail.com>
References: <E8269A1A-1899-46D2-A7CD-4D9D2B732364@astrotown.de>
 <CAJDmzYxw+mXQKjS+h+r6mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg@mail.gmail.com>
 <zyx7G6H1TyB2sWVEKAfIYmCCvfXniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXLmiCJOY=@proton.me>
 <CAC3UE4+DR=DQqtT+X0SYvH1XCVnmatD7frcHC5dtdVAef39UnQ@mail.gmail.com>
 <CAJDmzYycnXODG_e9ATqTkooUu3C-RS703P1-RQLW5CdcCehsqg@mail.gmail.com>
 <ZVSyhRF6sP5xZxzih0EUn-_35mQxiVXYzrvxZ_Dz7tTygUqTmxxyVhFfXswTUmIquzCR6XNGbgLlNUCkHucTAliQf7aesPZBLRFoceu_9BY=@protonmail.com>
Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin
MIME-Version: 1.0
Content-Type: multipart/mixed; 
	boundary="----=_Part_18010_831844196.1749302913697"
X-Original-Sender: ekaggata@gmail.com
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
 <https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: 0.0 (/)

------=_Part_18010_831844196.1749302913697
Content-Type: multipart/alternative; 
	boundary="----=_Part_18011_501201720.1749302913697"

------=_Part_18011_501201720.1749302913697
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

> I'm not a lawyer, but if developers make a conscious decision to make a=
=20
code change that confiscates funds, even with a reasonable heads-up, I feel=
=20
like some lawyers might be tempted to make an argument that those=20
developers should be held responsible for any losses. As everyone knows,=20
Bitcoin has been under legal attacks before, and I'm not sure that anyone=
=20
would (or should) be willing to sign off on a change that might potentially=
=20
open them up to several billion dollars worth of personal responsibility -=
=20
especially if the "bonded courier" actually shows up and reveals a private=
=20
key that would have unlocked funds under the pre-QC scheme.

Coincidentally, Peter Todd has just made the same point in another=20
(apparently unrelated) thread, here:=20
https://groups.google.com/g/bitcoindev/c/bmV1QwYEN4k/m/kkHQZd_BAwAJ

For me it's very clear, that it's not an accident that such "unexpected"=20
side effects exist. It's a feature that I'd whimsically call "ethical=20
impedance-mismatch" (the term impedance mismatch has been used in=20
computing/programming, which itself borrowed it from the real meaning, in=
=20
physics). People have a moral/ethical desire to make bitcoin function as=20
well as possible, and see a failure mode in those using it for other=20
purposes, but that line of thought clashes with the essential, basic=20
principle of censorship-resistance.

So we see technical borked-ness like failure to get accurate fee rates and=
=20
the like, from doing something (attempting to filter at p2p level) that it=
=20
is intrinsically counter to the foundational ethical, functional purpose of=
=20
the system: censorship-resistance. And then we see "cascading failures" of=
=20
the type discussed here: if the devs are working to break bitcoin's ethical=
=20
promise of censorship-resistance, then thugs^H^H politicians and lawyers,=
=20
will seek to take control of that "break" for their own purposes.

That's why I'm not against "quantum recovery" as per the title of this=20
thread. Recovery, independent of outside control, *is* bitcoin's function.=
=20
If half a million btc get spent by someone who has "recovered" in an=20
unexpected way, tough titties. If the entire system collapses because we=20
can't get our act together before 2085 (OK I know some think it's 2035, I=
=20
don't, but whatever), then it is what it is. That is a huge unknown. But=20
Bitcoin will 100% fail if confiscation of *any* type becomes a thing.

Cheers,
AdamISZ/waxwing
On Wednesday, June 4, 2025 at 4:56:53=E2=80=AFAM UTC-3 ArmchairCryptologist=
 wrote:

> Hi,
>
> With the longer grace period and selective deactivation, this seems more=
=20
> sensible, but there is one elephant in the room that I haven't seen=20
> mentioned here - namely, the legal aspect. (If it was, sorry I missed it.=
)
>
> I'm not a lawyer, but if developers make a conscious decision to make a=
=20
> code change that confiscates funds, even with a reasonable heads-up, I fe=
el=20
> like some lawyers might be tempted to make an argument that those=20
> developers should be held responsible for any losses. As everyone knows,=
=20
> Bitcoin has been under legal attacks before, and I'm not sure that anyone=
=20
> would (or should) be willing to sign off on a change that might potential=
ly=20
> open them up to several billion dollars worth of personal responsibility =
-=20
> especially if the "bonded courier" actually shows up and reveals a privat=
e=20
> key that would have unlocked funds under the pre-QC scheme.
>
> The only safe-ish way I can see to do this is to have it only affect fund=
s=20
> that are very likely to be lost in the first place. So at the very least,=
=20
> it could not affect UTXOs that could potentially be encumbered with a=20
> timelock (i.e. P2SH/P2WSH), and it could only affect UTXOs that have not=
=20
> moved for a very long time (say 15-20 years).=20
>
> If quantum computers capable of practical attacks against Bitcoin are eve=
r=20
> known to actually exist, *sending*=E2=80=8B to non-PQC addresses should o=
f course=20
> be disabled immediately. But I feel that the nature of a permissionless=
=20
> system implies a large degree of self-responsibility, so if someone choos=
es=20
> to keep using non-PQC addresses even after PQC addresses have become=20
> available and practical quantum attacks are suspected to be an imminent=
=20
> danger, it's not necessarily up to the developers to tell them they can't=
,=20
> only that they really shouldn't.
>
> --
> Regards,
> ArmchairCryptologist
>
> Sent with Proton Mail <https://proton.me/mail/home> secure email.=20
>
> On Monday, May 26th, 2025 at 2:48 AM, Agustin Cruz <agusti...@gmail.com>=
=20
> wrote:
>
> Hi everyone,
>
> QRAMP proposal aims to manage the quantum transition responsibly without=
=20
> disrupting Bitcoin=E2=80=99s core principles.
>
> QRAMP has three phases:
>
> 1. Allow wallets to optionally include PQC keys in Taproot outputs. This=
=20
> enables early adoption without forcing anyone.
>
> 2. Announce a soft fork to disable vulnerable scripts, with a long=20
> (~4-year) grace period. This gives ample time to migrate and avoids sudde=
n=20
> shocks.
>
> 3. Gradually deactivate vulnerable outputs based on age or inactivity.=20
> This avoids a harsh cutoff and gives time for adaptation.
>
> We can also allow exceptions via proof-of-possession, and delay=20
> restrictions on timelocked outputs to avoid harming future spenders.
>
> QRAMP is not about confiscation or control. It=E2=80=99s about aligning=
=20
> incentives, maintaining security, and offering a clear, non-coercive=20
> upgrade path.
>
> Best,
> Agustin Cruz
>
>
>
> El dom, 25 de may de 2025, 7:03=E2=80=AFp.m., Dustin Ray <dustinvo...@gma=
il.com>=20
> escribi=C3=B3:
>
>> The difference between the ETH/ETC split though was that no one had=20
>> anything confiscated except the DAO hacker, everyone retained an identic=
al=20
>> number of tokens on each chain. The proposal for BTC is very different i=
n=20
>> that some holders will lose access to their coins during the PQ migratio=
n=20
>> under the confiscation approach. Just wanted to point that out.
>>
>> On Sun, May 25, 2025 at 3:06=E2=80=AFPM 'conduition' via Bitcoin Develop=
ment=20
>> Mailing List <bitco...@googlegroups.com> wrote:
>>
>>> Hey Saulo,
>>>
>>> You're right about the possibility of an ugly split. Laggards who don't=
=20
>>> move coins to PQ address schemes will be incentivized to follow any cha=
in=20
>>> where they keep their coins. But those who do migrate will be incentivi=
zed=20
>>> to follow the chain where unmigrated pre-quantum coins are frozen.=20
>>>
>>> While you're comparing this event to the ETH/ETC split, we should=20
>>> remember that ETH remained the dominant chain despite their heavy-hande=
d=20
>>> rollback. Just goes to show, confusion and face-loss is a lesser evil t=
han=20
>>> allowing an adversary to pwn the network.=20
>>>
>>> This is the free-market way to solve problems without imposing rules on=
=20
>>> everyone.
>>>
>>>
>>> It'd still be a free market even if quantum-vulnerable coins are frozen=
.=20
>>> The only way to test the relative value of quantum-safe vs=20
>>> quantum-vulnerable coins is to split the chain and see how the market=
=20
>>> reacts.=20
>>>
>>> IMO, the "free market way" is to give people options and let their mone=
y=20
>>> flow to where it works best. That means people should be able to choose=
=20
>>> whether they want their money to be part of a system that allows quantu=
m=20
>>> attack, or part of one which does not. I know which I would choose, but=
=20
>>> neither you nor I can make that choice for everyone.
>>>
>>> regards,
>>> conduition
>>> On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz <
>>> agusti...@gmail.com> wrote:
>>>
>>> I=E2=80=99m against letting quantum computers scoop up funds from addre=
sses that=20
>>> don=E2=80=99t upgrade to quantum-resistant.=20
>>> Saulo=E2=80=99s idea of a free-market approach, leaving old coins up fo=
r grabs=20
>>> if people don=E2=80=99t move them, sounds fair at first. Let luck decid=
e, right?=20
>>> But I worry it=E2=80=99d turn into a mess. If quantum machines start cr=
acking keys=20
>>> and snagging coins, it=E2=80=99s not just lost Satoshi-era stuff at ris=
k. Plenty of=20
>>> active wallets, like those on the rich list Jameson mentioned, could ge=
t=20
>>> hit too. Imagine millions of BTC flooding the market. Prices tank, trus=
t in=20
>>> Bitcoin takes a dive, and we all feel the pain. Freezing those vulnerab=
le=20
>>> funds keeps that chaos in check.
>>> Plus, =E2=80=9Cyour keys, your coins=E2=80=9D is Bitcoin=E2=80=99s hear=
t. If quantum tech can=20
>>> steal from you just because you didn=E2=80=99t upgrade fast enough, tha=
t promise=20
>>> feels shaky. Freezing funds after a heads-up period (say, four years)=
=20
>>> protects that idea better than letting tech giants or rogue states play=
=20
>>> vampire with our network. It also nudges people to get their act togeth=
er=20
>>> and move to safer addresses, which strengthens Bitcoin long-term.
>>> Saulo=E2=80=99s right that freezing coins could confuse folks or spark =
a split=20
>>> like Ethereum Classic. But I=E2=80=99d argue quantum theft would look w=
orse.=20
>>> Bitcoin would seem broken, not just strict. A clear plan and enough tim=
e to=20
>>> migrate could smooth things over. History=E2=80=99s on our side too. Bi=
tcoin=E2=80=99s=20
>>> fixed bugs before, like SegWit. This feels like that, not a bailout.
>>> So yeah, I=E2=80=99d rather see vulnerable coins locked than handed to =
whoever=20
>>> builds the first quantum rig. It=E2=80=99s less about coddling people a=
nd more=20
>>> about keeping Bitcoin solid for everyone. What do you all think?
>>> Cheers,
>>> Agust=C3=ADn
>>>
>>>
>>> On Sun, Mar 23, 2025 at 10:29=E2=80=AFPM AstroTown <sa...@astrotown.de>=
 wrote:
>>>
>>>> I believe that having some entity announce the decision to freeze old=
=20
>>>> UTXOs would be more damaging to Bitcoin=E2=80=99s image (and its value=
) than having=20
>>>> them gathered by QC. This would create another version of Bitcoin, sim=
ilar=20
>>>> to Ethereum Classic, causing confusion in the market.
>>>>
>>>> It would be better to simply implement the possibility of moving funds=
=20
>>>> to a PQC address without a deadline, allowing those who fail to do so =
to=20
>>>> rely on luck to avoid having their coins stolen. Most coins would be=
=20
>>>> migrated to PQC anyway, and in most cases, only the lost ones would re=
main=20
>>>> vulnerable. This is the free-market way to solve problems without impo=
sing=20
>>>> rules on everyone.
>>>>
>>>> Saulo Fonseca
>>>>
>>>>
>>>> On 16. Mar 2025, at 15:15, Jameson Lopp <jameso...@gmail.com> wrote:
>>>>
>>>> The quantum computing debate is heating up. There are many=20
>>>> controversial aspects to this debate, including whether or not quantum=
=20
>>>> computers will ever actually become a practical threat.
>>>>
>>>> I won't tread into the unanswerable question of how worried we should=
=20
>>>> be about quantum computers. I think it's far from a crisis, but given =
the=20
>>>> difficulty in changing Bitcoin it's worth starting to seriously discus=
s.=20
>>>> Today I wish to focus on a philosophical quandary related to one of th=
e=20
>>>> decisions that would need to be made if and when we implement a quantu=
m=20
>>>> safe signature scheme.
>>>>
>>>> Several Scenarios
>>>> Because this essay will reference game theory a fair amount, and there=
=20
>>>> are many variables at play that could change the nature of the game, I=
=20
>>>> think it's important to clarify the possible scenarios up front.
>>>>
>>>> 1. Quantum computing never materializes, never becomes a threat, and=
=20
>>>> thus everything discussed in this essay is moot.
>>>> 2. A quantum computing threat materializes suddenly and Bitcoin does=
=20
>>>> not have quantum safe signatures as part of the protocol. In this scen=
ario=20
>>>> it would likely make the points below moot because Bitcoin would be=20
>>>> fundamentally broken and it would take far too long to upgrade the=20
>>>> protocol, wallet software, and migrate user funds in order to restore=
=20
>>>> confidence in the network.
>>>> 3. Quantum computing advances slowly enough that we come to consensus=
=20
>>>> about how to upgrade Bitcoin and post quantum security has been minima=
lly=20
>>>> adopted by the time an attacker appears.
>>>> 4. Quantum computing advances slowly enough that we come to consensus=
=20
>>>> about how to upgrade Bitcoin and post quantum security has been highly=
=20
>>>> adopted by the time an attacker appears.
>>>>
>>>> For the purposes of this post, I'm envisioning being in situation 3 or=
=20
>>>> 4.
>>>>
>>>> To Freeze or not to Freeze?
>>>> I've started seeing more people weighing in on what is likely the most=
=20
>>>> contentious aspect of how a quantum resistance upgrade should be handl=
ed in=20
>>>> terms of migrating user funds. Should quantum vulnerable funds be left=
 open=20
>>>> to be swept by anyone with a sufficiently powerful quantum computer OR=
=20
>>>> should they be permanently locked?
>>>>
>>>> "I don't see why old coins should be confiscated. The better option is=
=20
>>>>> to let those with quantum computers free up old coins. While this mig=
ht=20
>>>>> have an inflationary impact on bitcoin's price, to use a turn of phra=
se,=20
>>>>> the inflation is transitory. Those with low time preference should su=
pport=20
>>>>> returning lost coins to circulation."=20
>>>>
>>>> - Hunter Beast
>>>>
>>>>
>>>> On the other hand:
>>>>
>>>> "Of course they have to be confiscated. If and when (and that's a big=
=20
>>>>> if) the existence of a cryptography-breaking QC becomes a credible th=
reat,=20
>>>>> the Bitcoin ecosystem has no other option than softforking out the ab=
ility=20
>>>>> to spend from signature schemes (including ECDSA and BIP340) that are=
=20
>>>>> vulnerable to QCs. The alternative is that millions of BTC become=20
>>>>> vulnerable to theft; I cannot see how the currency can maintain any v=
alue=20
>>>>> at all in such a setting. And this affects everyone; even those which=
=20
>>>>> diligently moved their coins to PQC-protected schemes."
>>>>> - Pieter Wuille
>>>>
>>>>
>>>> I don't think "confiscation" is the most precise term to use, as the=
=20
>>>> funds are not being seized and reassigned. Rather, what we're really=
=20
>>>> discussing would be better described as "burning" - placing the funds =
*out=20
>>>> of reach of everyone*.
>>>>
>>>> Not freezing user funds is one of Bitcoin's inviolable properties.=20
>>>> However, if quantum computing becomes a threat to Bitcoin's elliptic c=
urve=20
>>>> cryptography, *an inviolable property of Bitcoin will be violated one=
=20
>>>> way or another*.
>>>>
>>>> Fundamental Properties at Risk
>>>> 5 years ago I attempted to comprehensively categorize all of Bitcoin's=
=20
>>>> fundamental properties that give it value.=20
>>>> https://nakamoto.com/what-are-the-key-properties-of-bitcoin/
>>>>
>>>> The particular properties in play with regard to this issue seem to be=
:
>>>>
>>>> *Censorship Resistance* - No one should have the power to prevent=20
>>>> others from using their bitcoin or interacting with the network.
>>>>
>>>> *Forward Compatibility* - changing the rules such that certain valid=
=20
>>>> transactions become invalid could undermine confidence in the protocol=
.
>>>>
>>>> *Conservatism* - Users should not be expected to be highly responsive=
=20
>>>> to system issues.
>>>>
>>>> As a result of the above principles, we have developed a strong meme=
=20
>>>> (kudos to Andreas Antonopoulos) that goes as follows:
>>>>
>>>> Not your keys, not your coins.
>>>>
>>>>
>>>> I posit that the corollary to this principle is:
>>>>
>>>> Your keys, only your coins.
>>>>
>>>>
>>>> A quantum capable entity breaks the corollary of this foundational=20
>>>> principle. We secure our bitcoin with the mathematical probabilities=
=20
>>>> related to extremely large random numbers. Your funds are only secure=
=20
>>>> because truly random large numbers should not be guessable or discover=
able=20
>>>> by anyone else in the world.
>>>>
>>>> This is the principle behind the motto *vires in numeris* - strength=
=20
>>>> in numbers. In a world with quantum enabled adversaries, this principl=
e is=20
>>>> null and void for many types of cryptography, including the elliptic c=
urve=20
>>>> digital signatures used in Bitcoin.
>>>>
>>>> Who is at Risk?
>>>> There has long been a narrative that Satoshi's coins and others from=
=20
>>>> the Satoshi era of P2PK locking scripts that exposed the public key=20
>>>> directly on the blockchain will be those that get scooped up by a quan=
tum=20
>>>> "miner." But unfortunately it's not that simple. If I had a powerful=
=20
>>>> quantum computer, which coins would I target? I'd go to the Bitcoin ri=
ch=20
>>>> list and find the wallets that have exposed their public keys due to=
=20
>>>> re-using addresses that have previously been spent from. You can easil=
y=20
>>>> find them at=20
>>>> https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html
>>>>
>>>> Note that a few of these wallets, like Bitfinex / Kraken / Tether,=20
>>>> would be slightly harder to crack because they are multisig wallets. S=
o a=20
>>>> quantum attacker would need to reverse engineer 2 keys for Kraken or 3=
 for=20
>>>> Bitfinex / Tether in order to spend funds. But many are single signatu=
re.
>>>>
>>>> Point being, it's not only the really old lost BTC that are at risk to=
=20
>>>> a quantum enabled adversary, at least at time of writing. If we add a=
=20
>>>> quantum safe signature scheme, we should expect those wallets to be so=
me of=20
>>>> the first to upgrade given their incentives.
>>>>
>>>> The Ethical Dilemma: Quantifying Harm
>>>> Which decision results in the most harm?
>>>>
>>>> By making quantum vulnerable funds unspendable we potentially harm som=
e=20
>>>> Bitcoin users who were not paying attention and neglected to migrate t=
heir=20
>>>> funds to a quantum safe locking script. This violates the "conservativ=
ism"=20
>>>> principle stated earlier. On the flip side, we prevent those funds plu=
s far=20
>>>> more lost funds from falling into the hands of the few privileged folk=
s who=20
>>>> gain early access to quantum computers.
>>>>
>>>> By leaving quantum vulnerable funds available to spend, the same set o=
f=20
>>>> users who would otherwise have funds frozen are likely to see them sto=
len.=20
>>>> And many early adopters who lost their keys will eventually see their=
=20
>>>> unreachable funds scooped up by a quantum enabled adversary.
>>>>
>>>> Imagine, for example, being James Howells, who accidentally threw away=
=20
>>>> a hard drive with 8,000 BTC on it, currently worth over $600M USD. He =
has=20
>>>> spent a decade trying to retrieve it from the landfill where he knows =
it's=20
>>>> buried, but can't get permission to excavate. I suspect that, given th=
e=20
>>>> choice, he'd prefer those funds be permanently frozen rather than fall=
 into=20
>>>> someone else's possession - I know I would.
>>>>
>>>> Allowing a quantum computer to access lost funds doesn't make those=20
>>>> users any worse off than they were before, however it *would*have a=20
>>>> negative impact upon everyone who is currently holding bitcoin.
>>>>
>>>> It's prudent to expect significant economic disruption if large amount=
s=20
>>>> of coins fall into new hands. Since a quantum computer is going to hav=
e a=20
>>>> massive up front cost, expect those behind it to desire to recoup thei=
r=20
>>>> investment. We also know from experience that when someone suddenly fi=
nds=20
>>>> themselves in possession of 9+ figures worth of highly liquid assets, =
they=20
>>>> tend to diversify into other things by selling.
>>>>
>>>> Allowing quantum recovery of bitcoin is *tantamount to wealth=20
>>>> redistribution*. What we'd be allowing is for bitcoin to be=20
>>>> redistributed from those who are ignorant of quantum computers to thos=
e who=20
>>>> have won the technological race to acquire quantum computers. It's har=
d to=20
>>>> see a bright side to that scenario.
>>>>
>>>> Is Quantum Recovery Good for Anyone?
>>>>
>>>> Does quantum recovery HELP anyone? I've yet to come across an argument=
=20
>>>> that it's a net positive in any way. It certainly doesn't add any secu=
rity=20
>>>> to the network. If anything, it greatly decreases the security of the=
=20
>>>> network by allowing funds to be claimed by those who did not earn them=
.
>>>>
>>>> But wait, you may be thinking, wouldn't quantum "miners" have earned=
=20
>>>> their coins by all the work and resources invested in building a quant=
um=20
>>>> computer? I suppose, in the same sense that a burglar earns their spoi=
ls by=20
>>>> the resources they invest into surveilling targets and learning the sk=
ills=20
>>>> needed to break into buildings. What I say "earned" I mean through=20
>>>> productive mutual trade.
>>>>
>>>> For example:
>>>>
>>>> * Investors earn BTC by trading for other currencies.
>>>> * Merchants earn BTC by trading for goods and services.
>>>> * Miners earn BTC by trading thermodynamic security.
>>>> * Quantum miners don't trade anything, they are vampires feeding upon=
=20
>>>> the system.
>>>>
>>>> There's no reason to believe that allowing quantum adversaries to=20
>>>> recover vulnerable bitcoin will be of benefit to anyone other than the=
=20
>>>> select few organizations that win the technological arms race to build=
 the=20
>>>> first such computers. Probably nation states and/or the top few larges=
t=20
>>>> tech companies.
>>>>
>>>> One could certainly hope that an organization with quantum supremacy i=
s=20
>>>> benevolent and acts in a "white hat" manner to return lost coins to th=
eir=20
>>>> owners, but that's incredibly optimistic and foolish to rely upon. Suc=
h a=20
>>>> situation creates an insurmountable ethical dilemma of only recovering=
 lost=20
>>>> bitcoin rather than currently owned bitcoin. There's no way to precise=
ly=20
>>>> differentiate between the two; anyone can claim to have lost their bit=
coin=20
>>>> but if they have lost their keys then proving they ever had the keys=
=20
>>>> becomes rather difficult. I imagine that any such white hat recovery=
=20
>>>> efforts would have to rely upon attestations from trusted third partie=
s=20
>>>> like exchanges.
>>>>
>>>> Even if the first actor with quantum supremacy is benevolent, we must=
=20
>>>> assume the technology could fall into adversarial hands and thus think=
=20
>>>> adversarially about the potential worst case outcomes. Imagine, for=20
>>>> example, that North Korea continues scooping up billions of dollars fr=
om=20
>>>> hacking crypto exchanges and decides to invest some of those proceeds =
into=20
>>>> building a quantum computer for the biggest payday ever...
>>>>
>>>> Downsides to Allowing Quantum Recovery
>>>> Let's think through an exhaustive list of pros and cons for allowing o=
r=20
>>>> preventing the seizure of funds by a quantum adversary.
>>>>
>>>> Historical Precedent
>>>> Previous protocol vulnerabilities weren=E2=80=99t celebrated as "fair =
game" but=20
>>>> rather were treated as failures to be remediated. Treating quantum the=
ft=20
>>>> differently risks rewriting Bitcoin=E2=80=99s history as a free-for-al=
l rather than=20
>>>> a system that seeks to protect its users.
>>>>
>>>> Violation of Property Rights
>>>> Allowing a quantum adversary to take control of funds undermines the=
=20
>>>> fundamental principle of cryptocurrency - if you keep your keys in you=
r=20
>>>> possession, only you should be able to access your money. Bitcoin is b=
uilt=20
>>>> on the idea that private keys secure an individual=E2=80=99s assets, a=
nd=20
>>>> unauthorized access (even via advanced tech) is theft, not a legitimat=
e=20
>>>> transfer.
>>>>
>>>> Erosion of Trust in Bitcoin
>>>> If quantum attackers can exploit vulnerable addresses, confidence in=
=20
>>>> Bitcoin as a secure store of value would collapse. Users and investors=
 rely=20
>>>> on cryptographic integrity, and widespread theft could drive adoption =
away=20
>>>> from Bitcoin, destabilizing its ecosystem.
>>>>
>>>> This is essentially the counterpoint to claiming the burning of=20
>>>> vulnerable funds is a violation of property rights. While some will=20
>>>> certainly see it as such, others will find the apathy toward stopping=
=20
>>>> quantum theft to be similarly concerning.
>>>>
>>>> Unfair Advantage
>>>> Quantum attackers, likely equipped with rare and expensive technology,=
=20
>>>> would have an unjust edge over regular users who lack access to such t=
ools.=20
>>>> This creates an inequitable system where only the technologically elit=
e can=20
>>>> exploit others, contradicting Bitcoin=E2=80=99s ethos of decentralized=
 power.
>>>>
>>>> Bitcoin is designed to create an asymmetric advantage for DEFENDING=20
>>>> one's wealth. It's supposed to be impractically expensive for attacker=
s to=20
>>>> crack the entropy and cryptography protecting one's coins. But now we =
find=20
>>>> ourselves discussing a situation where this asymmetric advantage is=20
>>>> compromised in favor of a specific class of attackers.
>>>>
>>>> Economic Disruption
>>>> Large-scale theft from vulnerable addresses could crash Bitcoin=E2=80=
=99s price=20
>>>> as quantum recovered funds are dumped on exchanges. This would harm al=
l=20
>>>> holders, not just those directly targeted, leading to broader financia=
l=20
>>>> chaos in the markets.
>>>>
>>>> Moral Responsibility
>>>> Permitting theft via quantum computing sets a precedent that=20
>>>> technological superiority justifies unethical behavior. This is essent=
ially=20
>>>> taking a "code is law" stance in which we refuse to admit that both co=
de=20
>>>> and laws can be modified to adapt to previously unforeseen situations.
>>>>
>>>> Burning of coins can certainly be considered a form of theft, thus I=
=20
>>>> think it's worth differentiating the two different thefts being discus=
sed:
>>>>
>>>> 1. self-enriching & likely malicious
>>>> 2. harm prevention & not necessarily malicious
>>>>
>>>> Both options lack the consent of the party whose coins are being burnt=
=20
>>>> or transferred, thus I think the simple argument that theft is immoral=
=20
>>>> becomes a wash and it's important to drill down into the details of ea=
ch.
>>>>
>>>> Incentives Drive Security
>>>> I can tell you from a decade of working in Bitcoin security - the=20
>>>> average user is lazy and is a procrastinator. If Bitcoiners are given =
a=20
>>>> "drop dead date" after which they know vulnerable funds will be burned=
,=20
>>>> this pressure accelerates the adoption of post-quantum cryptography an=
d=20
>>>> strengthens Bitcoin long-term. Allowing vulnerable users to delay upgr=
ading=20
>>>> indefinitely will result in more laggards, leaving the network more ex=
posed=20
>>>> when quantum tech becomes available.
>>>>
>>>> Steel Manning
>>>> Clearly this is a complex and controversial topic, thus it's worth=20
>>>> thinking through the opposing arguments.
>>>>
>>>> Protecting Property Rights
>>>> Allowing quantum computers to take vulnerable bitcoin could potentiall=
y=20
>>>> be spun as a hard money narrative - we care so greatly about not viola=
ting=20
>>>> someone's access to their coins that we allow them to be stolen!
>>>>
>>>> But I think the flip side to the property rights narrative is that=20
>>>> burning vulnerable coins prevents said property from falling into=20
>>>> undeserving hands. If the entire Bitcoin ecosystem just stands around =
and=20
>>>> allows quantum adversaries to claim funds that rightfully belong to ot=
her=20
>>>> users, is that really a "win" in the "protecting property rights" cate=
gory?=20
>>>> It feels more like apathy to me.
>>>>
>>>> As such, I think the "protecting property rights" argument is a wash.
>>>>
>>>> Quantum Computers Won't Attack Bitcoin
>>>> There is a great deal of skepticism that sufficiently powerful quantum=
=20
>>>> computers will ever exist, so we shouldn't bother preparing for a=20
>>>> non-existent threat. Others have argued that even if such a computer w=
as=20
>>>> built, a quantum attacker would not go after bitcoin because they woul=
dn't=20
>>>> want to reveal their hand by doing so, and would instead attack other=
=20
>>>> infrastructure.
>>>>
>>>> It's quite difficult to quantify exactly how valuable attacking other=
=20
>>>> infrastructure would be. It also really depends upon when an entity ga=
ins=20
>>>> quantum supremacy and thus if by that time most of the world's systems=
 have=20
>>>> already been upgraded. While I think you could argue that certain enti=
ties=20
>>>> gaining quantum capability might not attack Bitcoin, it would only del=
ay=20
>>>> the inevitable - eventually somebody will achieve the capability who=
=20
>>>> decides to use it for such an attack.
>>>>
>>>> Quantum Attackers Would Only Steal Small Amounts
>>>> Some have argued that even if a quantum attacker targeted bitcoin,=20
>>>> they'd only go after old, likely lost P2PK outputs so as to not arouse=
=20
>>>> suspicion and cause a market panic.
>>>>
>>>> I'm not so sure about that; why go after 50 BTC at a time when you=20
>>>> could take 250,000 BTC with the same effort as 50 BTC? This is a class=
ic=20
>>>> "zero day exploit" game theory in which an attacker knows they have a=
=20
>>>> limited amount of time before someone else discovers the exploit and e=
ither=20
>>>> benefits from it or patches it. Take, for example, the recent ByBit at=
tack=20
>>>> - the highest value crypto hack of all time. Lazarus Group had comprom=
ised=20
>>>> the Safe wallet front end JavaScript app and they could have simply ha=
d it=20
>>>> reassign ownership of everyone's Safe wallets as they were interacting=
 with=20
>>>> their wallet. But instead they chose to only specifically target ByBit=
's=20
>>>> wallet with $1.5 billion in it because they wanted to maximize their=
=20
>>>> extractable value. If Lazarus had started stealing from every wallet, =
they=20
>>>> would have been discovered quickly and the Safe web app would likely h=
ave=20
>>>> been patched well before any billion dollar wallets executed the malic=
ious=20
>>>> code.
>>>>
>>>> I think the "only stealing small amounts" argument is strongest for=20
>>>> Situation #2 described earlier, where a quantum attacker arrives befor=
e=20
>>>> quantum safe cryptography has been deployed across the Bitcoin ecosyst=
em.=20
>>>> Because if it became clear that Bitcoin's cryptography was broken AND =
there=20
>>>> was nowhere safe for vulnerable users to migrate, the only logical opt=
ion=20
>>>> would be for everyone to liquidate their bitcoin as quickly as possibl=
e. As=20
>>>> such, I don't think it applies as strongly for situations in which we =
have=20
>>>> a migration path available.
>>>>
>>>> The 21 Million Coin Supply Should be in Circulation
>>>> Some folks are arguing that it's important for the "circulating /=20
>>>> spendable" supply to be as close to 21M as possible and that having a=
=20
>>>> significant portion of the supply out of circulation is somehow undesi=
rable.
>>>>
>>>> While the "21M BTC" attribute is a strong memetic narrative, I don't=
=20
>>>> think anyone has ever expected that it would all be in circulation. It=
 has=20
>>>> always been understood that many coins will be lost, and that's actual=
ly=20
>>>> part of the game theory of owning bitcoin!
>>>>
>>>> And remember, the 21M number in and of itself is not a particularly=20
>>>> important detail - it's not even mentioned in the whitepaper. What's=
=20
>>>> important is that the supply is well known and not subject to change.
>>>>
>>>> Self-Sovereignty and Personal Responsibility
>>>> Bitcoin=E2=80=99s design empowers individuals to control their own wea=
lth, free=20
>>>> from centralized intervention. This freedom comes with the burden of=
=20
>>>> securing one's private keys. If quantum computing can break obsolete=
=20
>>>> cryptography, the fault lies with users who didn't move their funds to=
=20
>>>> quantum safe locking scripts. Expecting the network to shield users fr=
om=20
>>>> their own negligence undermines the principle that you, and not a thir=
d=20
>>>> party, are accountable for your assets.
>>>>
>>>> I think this is generally a fair point that "the community" doesn't ow=
e=20
>>>> you anything in terms of helping you. I think that we do, however, nee=
d to=20
>>>> consider the incentives and game theory in play with regard to quantum=
 safe=20
>>>> Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.
>>>>
>>>> Code is Law
>>>> Bitcoin operates on transparent, immutable rules embedded in its=20
>>>> protocol. If a quantum attacker uses superior technology to derive pri=
vate=20
>>>> keys from public keys, they=E2=80=99re not "hacking" the system - they=
're simply=20
>>>> following what's mathematically permissible within the current code.=
=20
>>>> Altering the protocol to stop this introduces subjective human=20
>>>> intervention, which clashes with the objective, deterministic nature o=
f=20
>>>> blockchain.
>>>>
>>>> While I tend to agree that code is law, one of the entire points of=20
>>>> laws is that they can be amended to improve their efficacy in reducing=
=20
>>>> harm. Leaning on this point seems more like a pro-ossification stance =
that=20
>>>> it's better to do nothing and allow harm to occur rather than take act=
ion=20
>>>> to stop an attack that was foreseen far in advance.
>>>>
>>>> Technological Evolution as a Feature, Not a Bug
>>>> It's well known that cryptography tends to weaken over time and=20
>>>> eventually break. Quantum computing is just the next step in this=20
>>>> progression. Users who fail to adapt (e.g., by adopting quantum-resist=
ant=20
>>>> wallets when available) are akin to those who ignored technological=20
>>>> advancements like multisig or hardware wallets. Allowing quantum theft=
=20
>>>> incentivizes innovation and keeps Bitcoin=E2=80=99s ecosystem dynamic,=
 punishing=20
>>>> complacency while rewarding vigilance.
>>>>
>>>> Market Signals Drive Security
>>>> If quantum attackers start stealing funds, it sends a clear signal to=
=20
>>>> the market: upgrade your security or lose everything. This pressure=20
>>>> accelerates the adoption of post-quantum cryptography and strengthens=
=20
>>>> Bitcoin long-term. Coddling vulnerable users delays this necessary=20
>>>> evolution, potentially leaving the network more exposed when quantum t=
ech=20
>>>> becomes widely accessible. Theft is a brutal but effective teacher.
>>>>
>>>> Centralized Blacklisting Power
>>>> Burning vulnerable funds requires centralized decision-making - a soft=
=20
>>>> fork to invalidate certain transactions. This sets a dangerous precede=
nt=20
>>>> for future interventions, eroding Bitcoin=E2=80=99s decentralization. =
If quantum=20
>>>> theft is blocked, what=E2=80=99s next - reversing exchange hacks? The =
system must=20
>>>> remain neutral, even if it means some lose out.
>>>>
>>>> I think this could be a potential slippery slope if the proposal was t=
o=20
>>>> only burn specific addresses. Rather, I'd expect a neutral proposal to=
 burn=20
>>>> all funds in locking script types that are known to be quantum vulnera=
ble.=20
>>>> Thus, we could eliminate any subjectivity from the code.
>>>>
>>>> Fairness in Competition
>>>> Quantum attackers aren't cheating; they're using publicly available=20
>>>> physics and math. Anyone with the resources and foresight can build or=
=20
>>>> access quantum tech, just as anyone could mine Bitcoin in 2009 with a =
CPU.=20
>>>> Early adopters took risks and reaped rewards; quantum innovators are d=
oing=20
>>>> the same. Calling it =E2=80=9Cunfair=E2=80=9D ignores that Bitcoin has=
 never promised=20
>>>> equality of outcome - only equality of opportunity within its rules.
>>>>
>>>> I find this argument to be a mischaracterization because we're not=20
>>>> talking about CPUs. This is more akin to talking about ASICs, except e=
ach=20
>>>> ASIC costs millions if not billions of dollars. This is out of reach f=
rom=20
>>>> all but the wealthiest organizations.
>>>>
>>>> Economic Resilience
>>>> Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and=20
>>>> emerged stronger. The market can absorb quantum losses, with unaffecte=
d=20
>>>> users continuing to hold and new entrants buying in at lower prices. F=
ear=20
>>>> of economic collapse overestimates the impact - the network=E2=80=99s =
antifragility=20
>>>> thrives on such challenges.
>>>>
>>>> This is a big grey area because we don't know when a quantum computer=
=20
>>>> will come online and we don't know how quickly said computers would be=
 able=20
>>>> to steal bitcoin. If, for example, the first generation of sufficientl=
y=20
>>>> powerful quantum computers were stealing less volume than the current =
block=20
>>>> reward then of course it will have minimal economic impact. But if the=
y're=20
>>>> taking thousands of BTC per day and bringing them back into circulatio=
n,=20
>>>> there will likely be a noticeable market impact as it absorbs the new=
=20
>>>> supply.
>>>>
>>>> This is where the circumstances will really matter. If a quantum=20
>>>> attacker appears AFTER the Bitcoin protocol has been upgraded to suppo=
rt=20
>>>> quantum resistant cryptography then we should expect the most valuable=
=20
>>>> active wallets will have upgraded and the juiciest target would be the=
=20
>>>> 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has=
 been=20
>>>> dormant since 2010. In general I'd expect that the amount of BTC=20
>>>> re-entering the circulating supply would look somewhat similar to the=
=20
>>>> mining emission curve: volume would start off very high as the most=20
>>>> valuable addresses are drained and then it would fall off as quantum=
=20
>>>> computers went down the list targeting addresses with less and less BT=
C.
>>>>
>>>> Why is economic impact a factor worth considering? Miners and=20
>>>> businesses in general. More coins being liquidated will push down the=
=20
>>>> price, which will negatively impact miner revenue. Similarly, I can at=
test=20
>>>> from working in the industry for a decade, that lower prices result in=
 less=20
>>>> demand from businesses across the entire industry. As such, burning qu=
antum=20
>>>> vulnerable bitcoin is good for the entire industry.
>>>>
>>>> Practicality & Neutrality of Non-Intervention
>>>> There=E2=80=99s no reliable way to distinguish =E2=80=9Ctheft=E2=80=9D=
 from legitimate "white=20
>>>> hat" key recovery. If someone loses their private key and a quantum=20
>>>> computer recovers it, is that stealing or reclaiming? Policing quantum=
=20
>>>> actions requires invasive assumptions about intent, which Bitcoin=E2=
=80=99s=20
>>>> trustless design can=E2=80=99t accommodate. Letting the chips fall whe=
re they may=20
>>>> avoids this mess.
>>>>
>>>> Philosophical Purity
>>>> Bitcoin rejects bailouts. It=E2=80=99s a cold, hard system where outco=
mes=20
>>>> reflect preparation and skill, not sentimentality. If quantum computin=
g=20
>>>> upends the game, that=E2=80=99s the point - Bitcoin isn=E2=80=99t mean=
t to be safe or fair=20
>>>> in a nanny-state sense; it=E2=80=99s meant to be free. Users who lose =
funds to=20
>>>> quantum attacks are casualties of liberty and their own ignorance, not=
=20
>>>> victims of injustice.
>>>>
>>>> Bitcoin's DAO Moment
>>>> This situation has some similarities to The DAO hack of an Ethereum=20
>>>> smart contract in 2016, which resulted in a fork to stop the attacker =
and=20
>>>> return funds to their original owners. The game theory is similar beca=
use=20
>>>> it's a situation where a threat is known but there's some period of ti=
me=20
>>>> before the attacker can actually execute the theft. As such, there's t=
ime=20
>>>> to mitigate the attack by changing the protocol.
>>>>
>>>> It also created a schism in the community around the true meaning of=
=20
>>>> "code is law," resulting in Ethereum Classic, which decided to allow t=
he=20
>>>> attacker to retain control of the stolen funds.
>>>>
>>>> A soft fork to burn vulnerable bitcoin could certainly result in a har=
d=20
>>>> fork if there are enough miners who reject the soft fork and continue=
=20
>>>> including transactions.
>>>>
>>>> Incentives Matter
>>>> We can wax philosophical until the cows come home, but what are the=20
>>>> actual incentives for existing Bitcoin holders regarding this decision=
?
>>>>
>>>> "Lost coins only make everyone else's coins worth slightly more. Think=
=20
>>>>> of it as a donation to everyone." - Satoshi Nakamoto
>>>>
>>>>
>>>> If true, the corollary is:
>>>>
>>>> "Quantum recovered coins only make everyone else's coins worth less.=
=20
>>>>> Think of it as a theft from everyone." - Jameson Lopp
>>>>
>>>>
>>>> Thus, assuming we get to a point where quantum resistant signatures ar=
e=20
>>>> supported within the Bitcoin protocol, what's the incentive to let=20
>>>> vulnerable coins remain spendable?
>>>>
>>>> * It's not good for the actual owners of those coins. It=20
>>>> disincentivizes owners from upgrading until perhaps it's too late.
>>>> * It's not good for the more attentive / responsible owners of coins=
=20
>>>> who have quantum secured their stash. Allowing the circulating supply =
to=20
>>>> balloon will assuredly reduce the purchasing power of all bitcoin hold=
ers.
>>>>
>>>> Forking Game Theory
>>>> From a game theory point of view, I see this as incentivizing users to=
=20
>>>> upgrade their wallets. If you disagree with the burning of vulnerable=
=20
>>>> coins, all you have to do is move your funds to a quantum safe signatu=
re=20
>>>> scheme. Point being, I don't see there being an economic majority (or =
even=20
>>>> more than a tiny minority) of users who would fight such a soft fork. =
Why=20
>>>> expend significant resources fighting a fork when you can just move yo=
ur=20
>>>> coins to a new address?
>>>>
>>>> Remember that blocking spending of certain classes of locking scripts=
=20
>>>> is a tightening of the rules - a soft fork. As such, it can be meaning=
fully=20
>>>> enacted and enforced by a mere majority of hashpower. If miners genera=
lly=20
>>>> agree that it's in their best interest to burn vulnerable coins, are o=
ther=20
>>>> users going to care enough to put in the effort to run new node softwa=
re=20
>>>> that resists the soft fork? Seems unlikely to me.
>>>>
>>>> How to Execute Burning
>>>> In order to be as objective as possible, the goal would be to announce=
=20
>>>> to the world that after a specific block height / timestamp, Bitcoin n=
odes=20
>>>> will no longer accept transactions (or blocks containing such transact=
ions)=20
>>>> that spend funds from any scripts other than the newly instituted quan=
tum=20
>>>> safe schemes.
>>>>
>>>> It could take a staggered approach to first freeze funds that are=20
>>>> susceptible to long-range attacks such as those in P2PK scripts or tho=
se=20
>>>> that exposed their public keys due to previously re-using addresses, b=
ut I=20
>>>> expect the additional complexity would drive further controversy.
>>>>
>>>> How long should the grace period be in order to give the ecosystem tim=
e=20
>>>> to upgrade? I'd say a minimum of 1 year for software wallets to upgrad=
e. We=20
>>>> can only hope that hardware wallet manufacturers are able to implement=
 post=20
>>>> quantum cryptography on their existing hardware with only a firmware u=
pdate.
>>>>
>>>> Beyond that, it will take at least 6 months worth of block space for=
=20
>>>> all users to migrate their funds, even in a best case scenario. Though=
 if=20
>>>> you exclude dust UTXOs you could probably get 95% of BTC value migrate=
d in=20
>>>> 1 month. Of course this is a highly optimistic situation where everyon=
e is=20
>>>> completely focused on migrations - in reality it will take far longer.
>>>>
>>>> Regardless, I'd think that in order to reasonably uphold Bitcoin's=20
>>>> conservatism it would be preferable to allow a 4 year migration window=
. In=20
>>>> the meantime, mining pools could coordinate emergency soft forking log=
ic=20
>>>> such that if quantum attackers materialized, they could accelerate the=
=20
>>>> countdown to the quantum vulnerable funds burn.
>>>>
>>>> Random Tangential Benefits
>>>> On the plus side, burning all quantum vulnerable bitcoin would allow u=
s=20
>>>> to prune all of those UTXOs out of the UTXO set, which would also clea=
n up=20
>>>> a lot of dust. Dust UTXOs are a bit of an annoyance and there has even=
 been=20
>>>> a recent proposal for how to incentivize cleaning them up.
>>>>
>>>> We should also expect that incentivizing migration of the entire UTXO=
=20
>>>> set will create substantial demand for block space that will sustain a=
 fee=20
>>>> market for a fairly lengthy amount of time.
>>>>
>>>> In Summary
>>>> While the moral quandary of violating any of Bitcoin's inviolable=20
>>>> properties can make this a very complex issue to discuss, the game the=
ory=20
>>>> and incentives between burning vulnerable coins versus allowing them t=
o be=20
>>>> claimed by entities with quantum supremacy appears to be a much simple=
r=20
>>>> issue.
>>>>
>>>> I, for one, am not interested in rewarding quantum capable entities by=
=20
>>>> inflating the circulating money supply just because some people lost t=
heir=20
>>>> keys long ago and some laggards are not upgrading their bitcoin wallet=
's=20
>>>> security.
>>>>
>>>> We can hope that this scenario never comes to pass, but hope is not a=
=20
>>>> strategy.
>>>>
>>>> I welcome your feedback upon any of the above points, and contribution=
=20
>>>> of any arguments I failed to consider.
>>>>
>>>> --=20
>>>> You received this message because you are subscribed to the Google=20
>>>> Groups "Bitcoin Development Mailing List" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send=
=20
>>>> an email to bitcoindev+...@googlegroups.com.
>>>> To view this discussion visit=20
>>>> https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq=
8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com
>>>> .
>>>>
>>>> --=20
>>>> You received this message because you are subscribed to the Google=20
>>>> Groups "Bitcoin Development Mailing List" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send=
=20
>>>> an email to bitcoindev+...@googlegroups.com.
>>>> To view this discussion visit=20
>>>> https://groups.google.com/d/msgid/bitcoindev/E8269A1A-1899-46D2-A7CD-4=
D9D2B732364%40astrotown.de
>>>> .
>>>
>>>
>>>> --=20
>>> You received this message because you are subscribed to the Google=20
>>> Groups "Bitcoin Development Mailing List" group.
>>> To unsubscribe from this group and stop receiving emails from it, send=
=20
>>> an email to bitcoindev+...@googlegroups.com.
>>> To view this discussion visit=20
>>> https://groups.google.com/d/msgid/bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br=
6mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg%40mail.gmail.com
>>> .
>>>
>>>
>>> --=20
>>> You received this message because you are subscribed to the Google=20
>>> Groups "Bitcoin Development Mailing List" group.
>>> To unsubscribe from this group and stop receiving emails from it, send=
=20
>>> an email to bitcoindev+...@googlegroups.com.
>>> To view this discussion visit=20
>>> https://groups.google.com/d/msgid/bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvf=
XniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXL=
miCJOY%3D%40proton.me
>>> .
>>>
>> --=20
> You received this message because you are subscribed to the Google Groups=
=20
> "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an=
=20
> email to bitcoindev+...@googlegroups.com.
>
> To view this discussion visit=20
> https://groups.google.com/d/msgid/bitcoindev/CAJDmzYycnXODG_e9ATqTkooUu3C=
-RS703P1-RQLW5CdcCehsqg%40mail.gmail.com
> .
>
>
>

--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
893891ea-34ec-4d60-9941-9f636be0d747n%40googlegroups.com.

------=_Part_18011_501201720.1749302913697
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div>&gt; I'm not a lawyer, but if developers make a conscious decision to =
make a=20
code change that confiscates funds, even with a reasonable heads-up, I=20
feel like some lawyers might be tempted to make an argument that those=20
developers should be held responsible for any losses. As everyone knows,
 Bitcoin has been under legal attacks before, and I'm not sure that=20
anyone would (or should) be willing to sign off on a change that might=20
potentially open them up to several billion dollars worth of personal=20
responsibility - especially if the "bonded courier" actually shows up=20
and reveals a private key that would have unlocked funds under the=20
pre-QC scheme.</div><div><br /></div><div>Coincidentally, Peter Todd has ju=
st made the same point in another (apparently unrelated) thread, here: http=
s://groups.google.com/g/bitcoindev/c/bmV1QwYEN4k/m/kkHQZd_BAwAJ</div><div><=
br /></div><div>For me it's very clear, that it's not an accident that such=
 "unexpected" side effects exist. It's a feature that I'd whimsically call =
"ethical impedance-mismatch" (the term impedance mismatch has been used in =
computing/programming, which itself borrowed it from the real meaning, in p=
hysics). People have a moral/ethical desire to make bitcoin function as wel=
l as possible, and see a failure mode in those using it for other purposes,=
 but that line of thought clashes with the essential, basic principle of ce=
nsorship-resistance.</div><div><br /></div><div>So we see technical borked-=
ness like failure to get accurate fee rates and the like, from doing someth=
ing (attempting to filter at p2p level) that it is intrinsically counter to=
 the foundational ethical, functional purpose of the system: censorship-res=
istance. And then we see "cascading failures" of the type discussed here: i=
f the devs are working to break bitcoin's ethical promise of censorship-res=
istance, then thugs^H^H politicians and lawyers, will seek to take control =
of that "break" for their own purposes.</div><div><br /></div><div>That's w=
hy I'm not against "quantum recovery" as per the title of this thread. Reco=
very, independent of outside control, *is* bitcoin's function. If half a mi=
llion btc get spent by someone who has "recovered" in an unexpected way, to=
ugh titties. If the entire system collapses because we can't get our act to=
gether before 2085 (OK I know some think it's 2035, I don't, but whatever),=
 then it is what it is. That is a huge unknown. But Bitcoin will 100% fail =
if confiscation of *any* type becomes a thing.</div><br /><div>Cheers,</div=
>AdamISZ/waxwing<div class=3D"gmail_quote"><div dir=3D"auto" class=3D"gmail=
_attr">On Wednesday, June 4, 2025 at 4:56:53=E2=80=AFAM UTC-3 ArmchairCrypt=
ologist wrote:<br/></div><blockquote class=3D"gmail_quote" style=3D"margin:=
 0 0 0 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;=
"><div style=3D"font-family:Arial,sans-serif;font-size:14px">Hi,</div><div =
style=3D"font-family:Arial,sans-serif;font-size:14px"><br></div><div style=
=3D"font-family:Arial,sans-serif;font-size:14px">With the longer grace peri=
od and selective deactivation, this seems more sensible, but there is one e=
lephant in the room that I haven&#39;t seen mentioned here - namely, the le=
gal aspect. (If it was, sorry I missed it.)</div><div style=3D"font-family:=
Arial,sans-serif;font-size:14px"><br></div><div style=3D"font-family:Arial,=
sans-serif;font-size:14px">I&#39;m not a lawyer, but if developers make a c=
onscious decision to make a code change that confiscates funds, even with a=
 reasonable heads-up, I feel like some lawyers might be tempted to make an =
argument that those developers should be held responsible for any losses. A=
s everyone knows, Bitcoin has been under legal attacks before, and I&#39;m =
not sure that anyone would (or should) be willing to sign off on a change t=
hat might potentially open them up to several billion dollars worth of pers=
onal responsibility - especially if the &quot;bonded courier&quot; actually=
 shows up and reveals a private key that would have unlocked funds under th=
e pre-QC scheme.</div><div style=3D"font-family:Arial,sans-serif;font-size:=
14px"><br></div><div style=3D"font-family:Arial,sans-serif;font-size:14px">=
The only safe-ish way I can see to do this is to have it only affect funds =
that are very likely to be lost in
 the first place. So at the very least, it could not affect UTXOs that coul=
d potentially be encumbered with a timelock (i.e. P2SH/P2WSH), and it could=
 only affect UTXOs that have not moved for a very long time (say 15-20 year=
s). </div><div style=3D"font-family:Arial,sans-serif;font-size:14px"><br></=
div><div style=3D"font-family:Arial,sans-serif;font-size:14px">If quantum c=
omputers capable of practical attacks against Bitcoin are ever known to act=
ually exist, <b>sending</b>=E2=80=8B to non-PQC addresses should of course =
be disabled immediately. But I feel that the nature of a permissionless sys=
tem implies a large degree of self-responsibility, so if someone chooses to=
 keep using non-PQC addresses even after PQC addresses have become availabl=
e and practical quantum attacks are suspected to be an imminent danger, it&=
#39;s not necessarily up to the developers to tell them they can&#39;t, onl=
y that they really shouldn&#39;t.</div><div style=3D"font-family:Arial,sans=
-serif;font-size:14px"><br></div><div style=3D"font-family:Arial,sans-serif=
;font-size:14px">--</div><div style=3D"font-family:Arial,sans-serif;font-si=
ze:14px">Regards,</div><div style=3D"font-family:Arial,sans-serif;font-size=
:14px">ArmchairCryptologist</div><div style=3D"font-family:Arial,sans-serif=
;font-size:14px"><br></div>
<div style=3D"font-family:Arial,sans-serif;font-size:14px">
    <div>
       =20
            </div>
   =20
            <div>
        Sent with <a href=3D"https://proton.me/mail/home" target=3D"_blank"=
 rel=3D"nofollow" data-saferedirecturl=3D"https://www.google.com/url?hl=3De=
n&amp;q=3Dhttps://proton.me/mail/home&amp;source=3Dgmail&amp;ust=3D17493875=
99316000&amp;usg=3DAOvVaw3kMMWbcvOvWny9b4RVrakM">Proton Mail</a> secure ema=
il.
    </div>
</div>
<div style=3D"font-family:Arial,sans-serif;font-size:14px"><br><div></div><=
/div><div style=3D"font-family:Arial,sans-serif;font-size:14px"><div>
        On Monday, May 26th, 2025 at 2:48 AM, Agustin Cruz &lt;<a href data=
-email-masked rel=3D"nofollow">agusti...@gmail.com</a>&gt; wrote:<br>
        </div></div><div style=3D"font-family:Arial,sans-serif;font-size:14=
px"><div><blockquote type=3D"cite">
            <div dir=3D"auto">Hi everyone,<div dir=3D"auto"><br></div><div =
dir=3D"auto">QRAMP proposal aims to manage the quantum transition responsib=
ly without disrupting Bitcoin=E2=80=99s core principles.</div><div dir=3D"a=
uto"><br></div><div dir=3D"auto">QRAMP has three phases:</div><div dir=3D"a=
uto"><br></div><div dir=3D"auto">1. Allow wallets to optionally include PQC=
 keys in Taproot outputs. This enables early adoption without forcing anyon=
e.</div><div dir=3D"auto"><br></div><div dir=3D"auto">2. Announce a soft fo=
rk to disable vulnerable scripts, with a long (~4-year) grace period. This =
gives ample time to migrate and avoids sudden shocks.</div><div dir=3D"auto=
"><br></div><div dir=3D"auto">3. Gradually deactivate vulnerable outputs ba=
sed on age or inactivity. This avoids a harsh cutoff and gives time for ada=
ptation.</div><div dir=3D"auto"></div><div dir=3D"auto"><br></div><div dir=
=3D"auto">We can also allow exceptions via proof-of-possession, and delay r=
estrictions on timelocked outputs to avoid harming future spenders.</div><d=
iv dir=3D"auto"><br></div><div dir=3D"auto">QRAMP is not about confiscation=
 or control. It=E2=80=99s about aligning incentives, maintaining security, =
and offering a clear, non-coercive upgrade path.</div><div dir=3D"auto"><br=
></div><div dir=3D"auto">Best,</div><div dir=3D"auto">Agustin Cruz</div><di=
v dir=3D"auto"><br></div><div dir=3D"auto"><br></div></div><br><div class=
=3D"gmail_quote"><div class=3D"gmail_attr" dir=3D"ltr">El dom, 25 de may de=
 2025, 7:03=E2=80=AFp.m., Dustin Ray &lt;<a href rel=3D"noreferrer nofollow=
 noopener" data-email-masked>dustinvo...@gmail.com</a>&gt; escribi=C3=B3:<b=
r></div><blockquote style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;p=
adding-left:1ex" class=3D"gmail_quote"><div dir=3D"auto">The difference bet=
ween the ETH/ETC split though was that no one had anything confiscated exce=
pt the DAO hacker, everyone retained an identical number of tokens on each =
chain. The proposal for BTC is very different in that some holders will los=
e access to their coins during the PQ migration under the confiscation appr=
oach. Just wanted to point that out.</div><div><br><div class=3D"gmail_quot=
e"><div class=3D"gmail_attr" dir=3D"ltr">On Sun, May 25, 2025 at 3:06=E2=80=
=AFPM &#39;conduition&#39; via Bitcoin Development Mailing List &lt;<a rel=
=3D"noreferrer nofollow noopener" href data-email-masked>bitco...@googlegro=
ups.com</a>&gt; wrote:<br></div><blockquote style=3D"margin:0px 0px 0px 0.8=
ex;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-le=
ft-color:rgb(204,204,204)" class=3D"gmail_quote"><div style=3D"font-family:=
Arial,sans-serif;font-size:14px">Hey Saulo,</div><div style=3D"font-family:=
Arial,sans-serif;font-size:14px"><br></div><div style=3D"font-family:Arial,=
sans-serif;font-size:14px">You&#39;re right about the possibility of an ugl=
y split. Laggards who don&#39;t move coins to PQ address schemes will be in=
centivized to follow any chain where they keep their coins. But those who d=
o migrate will be incentivized to follow the chain where unmigrated pre-qua=
ntum coins are frozen. </div><div style=3D"font-family:Arial,sans-serif;fon=
t-size:14px"><br></div><div style=3D"font-family:Arial,sans-serif;font-size=
:14px">While you&#39;re comparing this event to the ETH/ETC split, we shoul=
d remember that ETH remained the dominant chain despite their heavy-handed =
rollback. Just goes to show, confusion and face-loss is a lesser evil than =
allowing an adversary to pwn the network. </div><div style=3D"font-family:A=
rial,sans-serif;font-size:14px"><br></div><blockquote style=3D"border-left:=
3px solid rgb(200,200,200);padding-left:10px;border-color:rgb(200,200,200);=
color:rgb(102,102,102)"><div style=3D"font-family:Arial,sans-serif;font-siz=
e:14px">This is the free-market way to solve problems without imposing rule=
s on everyone.<br></div></blockquote><div style=3D"font-family:Arial,sans-s=
erif;font-size:14px"><br></div><div style=3D"font-family:Arial,sans-serif;f=
ont-size:14px">It&#39;d still be a free market even if quantum-vulnerable c=
oins are frozen. The only way to test the relative value of quantum-safe vs=
 quantum-vulnerable coins is to split the chain and see how the market reac=
ts. </div><div style=3D"font-family:Arial,sans-serif;font-size:14px"><br></=
div><div style=3D"font-family:Arial,sans-serif;font-size:14px">IMO, the &qu=
ot;free market way&quot; is to give people options and let their money flow=
 to where it works best. That means people should be able to choose whether=
 they want their money to be part of a system that allows quantum attack, o=
r part of one which does not. I know which I would choose, but neither you =
nor I can make that choice for everyone.</div><div style=3D"font-family:Ari=
al,sans-serif;font-size:14px"><br></div><div style=3D"font-family:Arial,san=
s-serif;font-size:14px">regards,</div><div style=3D"font-family:Arial,sans-=
serif;font-size:14px">conduition</div><div>
        On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz &lt;<a rel=3D"=
noreferrer nofollow noopener" href data-email-masked>agusti...@gmail.com</a=
>&gt; wrote:<br>
        <blockquote type=3D"cite">
            <div dir=3D"ltr"><div dir=3D"ltr">I=E2=80=99m against letting q=
uantum computers scoop up funds from addresses that don=E2=80=99t upgrade t=
o quantum-resistant. <br>Saulo=E2=80=99s idea of a free-market approach, le=
aving old coins up for grabs if people don=E2=80=99t move them, sounds fair=
 at first. Let luck decide, right? But I worry it=E2=80=99d turn into a mes=
s. If quantum machines start cracking keys and snagging coins, it=E2=80=99s=
 not just lost Satoshi-era stuff at risk. Plenty of active wallets, like th=
ose on the rich list Jameson mentioned, could get hit too. Imagine millions=
 of BTC flooding the market. Prices tank, trust in Bitcoin takes a dive, an=
d we all feel the pain. Freezing those vulnerable funds keeps that chaos in=
 check.<br>Plus, =E2=80=9Cyour keys, your coins=E2=80=9D is Bitcoin=E2=80=
=99s heart. If quantum tech can steal from you just because you didn=E2=80=
=99t upgrade fast enough, that promise feels shaky. Freezing funds after a =
heads-up period (say, four years) protects that idea better than letting te=
ch giants or rogue states play vampire with our network. It also nudges peo=
ple to get their act together and move to safer addresses, which strengthen=
s Bitcoin long-term.<br>Saulo=E2=80=99s right that freezing coins could con=
fuse folks or spark a split like Ethereum Classic. But I=E2=80=99d argue qu=
antum theft would look worse. Bitcoin would seem broken, not just strict. A=
 clear plan and enough time to migrate could smooth things over. History=E2=
=80=99s on our side too. Bitcoin=E2=80=99s fixed bugs before, like SegWit. =
This feels like that, not a bailout.<br>So yeah, I=E2=80=99d rather see vul=
nerable coins locked than handed to whoever builds the first quantum rig. I=
t=E2=80=99s less about coddling people and more about keeping Bitcoin solid=
 for everyone. What do you all think?<br>Cheers,<br>Agust=C3=ADn<br><br></d=
iv><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On =
Sun, Mar 23, 2025 at 10:29=E2=80=AFPM AstroTown &lt;<a rel=3D"noreferrer no=
follow noopener" href data-email-masked>sa...@astrotown.de</a>&gt; wrote:<b=
r></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex=
;border-left-width:1px;border-left-style:solid;padding-left:1ex;border-left=
-color:rgb(204,204,204)"><div dir=3D"auto"><div dir=3D"ltr"><span style=3D"=
color:rgb(0,0,0)">I believe that having some entity announce the decision t=
o freeze old UTXOs would be more damaging to Bitcoin=E2=80=99s image (and i=
ts value) than having them gathered by QC. This would create another versio=
n of Bitcoin, similar to Ethereum Classic, causing confusion in the market.=
</span><div dir=3D"ltr"><div style=3D"color:rgb(0,0,0)"><br></div><div styl=
e=3D"color:rgb(0,0,0)">It would be better to simply implement the possibili=
ty of moving funds to a PQC address without a deadline, allowing those who =
fail to do so to rely on luck to avoid having their coins stolen. Most coin=
s would be migrated to PQC anyway, and in most cases, only the lost ones wo=
uld remain vulnerable. This is the free-market way to solve problems withou=
t imposing rules on everyone.</div><div style=3D"color:rgb(0,0,0)"><br></di=
v><div style=3D"color:rgb(0,0,0)">Saulo Fonseca</div><div style=3D"color:rg=
b(0,0,0)"><br></div><div style=3D"color:rgb(0,0,0)"><br><blockquote type=3D=
"cite"><div>On 16. Mar 2025, at 15:15, Jameson Lopp &lt;<span dir=3D"ltr"><=
a rel=3D"noreferrer nofollow noopener" href data-email-masked>jameso...@gma=
il.com</a></span>&gt; wrote:</div><br><div><div dir=3D"ltr">The quantum com=
puting debate is heating up. There are many controversial aspects to this d=
ebate, including whether or not quantum computers will ever actually become=
 a practical threat.<div><br>I won&#39;t tread into the unanswerable questi=
on of how worried we should be about quantum computers. I think it&#39;s fa=
r from a crisis, but given the difficulty in changing Bitcoin it&#39;s wort=
h starting to seriously discuss. Today I wish to focus on a philosophical q=
uandary related to one of the decisions that would need to be made if and w=
hen we implement a quantum safe signature scheme.<br><br><font style=3D"col=
or:rgb(0,0,0)" size=3D"6">Several Scenarios<br></font>Because this essay wi=
ll reference game theory a fair amount, and there are many variables at pla=
y that could change the nature of the game, I think it&#39;s important to c=
larify the possible scenarios up front.<br><br>1. Quantum computing never m=
aterializes, never becomes a threat, and thus everything discussed in this =
essay is moot.<br>2. A quantum computing threat materializes suddenly and B=
itcoin does not have quantum safe signatures as part of the protocol. In th=
is scenario it would likely make the points below moot because Bitcoin woul=
d be fundamentally broken and it would take far too long to upgrade the pro=
tocol, wallet software, and migrate user funds in order to restore confiden=
ce in the network.<br>3. Quantum computing advances slowly enough that we c=
ome to consensus about how to upgrade Bitcoin and post quantum security has=
 been minimally adopted by the time an attacker appears.<br>4. Quantum comp=
uting advances slowly enough that we come to consensus about how to upgrade=
 Bitcoin and post quantum security has been highly adopted by the time an a=
ttacker appears.<br><br>For the purposes of this post, I&#39;m envisioning =
being in situation 3 or 4.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"=
6">To Freeze or not to Freeze?<br></font>I&#39;ve started seeing more peopl=
e weighing in on what is likely the most contentious aspect of how a quantu=
m resistance upgrade should be handled in terms of migrating user funds. Sh=
ould quantum vulnerable funds be left open to be swept by anyone with a suf=
ficiently powerful quantum computer OR should they be permanently locked?<b=
r><br><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;p=
adding-left:1ex;border-left-color:rgb(204,204,204)">&quot;I don&#39;t see w=
hy old coins should be confiscated. The better option is to let those with =
quantum computers free up old coins. While this might have an inflationary =
impact on bitcoin&#39;s price, to use a turn of phrase, the inflation is tr=
ansitory. Those with low time preference should support returning lost coin=
s to circulation.&quot; </blockquote><blockquote class=3D"gmail_quote" styl=
e=3D"margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,20=
4,204)">- Hunter Beast</blockquote><div><br></div>On the other hand:</div><=
div><br><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex=
;padding-left:1ex;border-left-color:rgb(204,204,204)">&quot;Of course they =
have to be confiscated. If and when (and that&#39;s a big if) the existence=
 of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosy=
stem has no other option than softforking out the ability to spend from sig=
nature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The=
 alternative is that millions of BTC become vulnerable to theft; I cannot s=
ee how the currency can maintain any value at all in such a setting. And th=
is affects everyone; even those which diligently moved their coins to PQC-p=
rotected schemes.&quot;<br>- Pieter Wuille</blockquote><br>I don&#39;t thin=
k &quot;confiscation&quot; is the most precise term to use, as the funds ar=
e not being seized and reassigned. Rather, what we&#39;re really discussing=
 would be better described as &quot;burning&quot; - placing the funds <b>ou=
t of reach of everyone</b>.<br><br>Not freezing user funds is one of Bitcoi=
n&#39;s inviolable properties. However, if quantum computing becomes a thre=
at to Bitcoin&#39;s elliptic curve cryptography, <b>an inviolable property =
of Bitcoin will be violated one way or another</b>.<br><br><font style=3D"c=
olor:rgb(0,0,0)" size=3D"6">Fundamental Properties at Risk<br></font>5 year=
s ago I attempted to comprehensively categorize all of Bitcoin&#39;s fundam=
ental properties that give it value. <a rel=3D"noreferrer nofollow noopener=
" href=3D"https://nakamoto.com/what-are-the-key-properties-of-bitcoin/" tar=
get=3D"_blank" data-saferedirecturl=3D"https://www.google.com/url?hl=3Den&a=
mp;q=3Dhttps://nakamoto.com/what-are-the-key-properties-of-bitcoin/&amp;sou=
rce=3Dgmail&amp;ust=3D1749387599316000&amp;usg=3DAOvVaw0iqW5fFv-B1rrwD99rTI=
o-">https://nakamoto.com/what-are-the-key-properties-of-bitcoin/<br></a><br=
>The particular properties in play with regard to this issue seem to be:<br=
><br><b>Censorship Resistance</b> - No one should have the power to prevent=
 others from using their bitcoin or interacting with the network.<br><br><b=
>Forward Compatibility</b> - changing the rules such that certain valid tra=
nsactions become invalid could undermine confidence in the protocol.<br><br=
><b>Conservatism</b> - Users should not be expected to be highly responsive=
 to system issues.<br><br>As a result of the above principles, we have deve=
loped a strong meme (kudos to Andreas Antonopoulos) that goes as follows:<b=
r><br><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;p=
adding-left:1ex;border-left-color:rgb(204,204,204)">Not your keys, not your=
 coins.</blockquote><br>I posit that the corollary to this principle is:<br=
><br><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;pa=
dding-left:1ex;border-left-color:rgb(204,204,204)">Your keys, only your coi=
ns.</blockquote><br>A quantum capable entity breaks the corollary of this f=
oundational principle. We secure our bitcoin with the mathematical probabil=
ities related to extremely large random numbers. Your funds are only secure=
 because truly random large numbers should not be guessable or discoverable=
 by anyone else in the world.<br><br>This is the principle behind the motto=
 <i>vires in numeris</i> - strength in numbers. In a world with quantum ena=
bled adversaries, this principle is null and void for many types of cryptog=
raphy, including the elliptic curve digital signatures used in Bitcoin.<br>=
<br><font style=3D"color:rgb(0,0,0)" size=3D"6">Who is at Risk?<br></font>T=
here has long been a narrative that Satoshi&#39;s coins and others from the=
 Satoshi era of P2PK locking scripts that exposed the public key directly o=
n the blockchain will be those that get scooped up by a quantum &quot;miner=
.&quot; But unfortunately it&#39;s not that simple. If I had a powerful qua=
ntum computer, which coins would I target? I&#39;d go to the Bitcoin rich l=
ist and find the wallets that have exposed their public keys due to re-usin=
g addresses that have previously been spent from. You can easily find them =
at <a rel=3D"noreferrer nofollow noopener" href=3D"https://bitinfocharts.co=
m/top-100-richest-bitcoin-addresses.html" target=3D"_blank" data-saferedire=
cturl=3D"https://www.google.com/url?hl=3Den&amp;q=3Dhttps://bitinfocharts.c=
om/top-100-richest-bitcoin-addresses.html&amp;source=3Dgmail&amp;ust=3D1749=
387599316000&amp;usg=3DAOvVaw1kKsE-BMLVFNYvXG--yjM_">https://bitinfocharts.=
com/top-100-richest-bitcoin-addresses.html</a><br><br>Note that a few of th=
ese wallets, like Bitfinex / Kraken / Tether, would be slightly harder to c=
rack because they are multisig wallets. So a quantum attacker would need to=
 reverse engineer 2 keys for Kraken or 3 for Bitfinex / Tether in order to =
spend funds. But many are single signature.<br><br>Point being, it&#39;s no=
t only the really old lost BTC that are at risk to a quantum enabled advers=
ary, at least at time of writing. If we add a quantum safe signature scheme=
, we should expect those wallets to be some of the first to upgrade given t=
heir incentives.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"6">The Eth=
ical Dilemma: Quantifying Harm<br></font>Which decision results in the most=
 harm?<br><br>By making quantum vulnerable funds unspendable we potentially=
 harm some Bitcoin users who were not paying attention and neglected to mig=
rate their funds to a quantum safe locking script. This violates the &quot;=
conservativism&quot; principle stated earlier. On the flip side, we prevent=
 those funds plus far more lost funds from falling into the hands of the fe=
w privileged folks who gain early access to quantum computers.<br><br>By le=
aving quantum vulnerable funds available to spend, the same set of users wh=
o would otherwise have funds frozen are likely to see them stolen. And many=
 early adopters who lost their keys will eventually see their unreachable f=
unds scooped up by a quantum enabled adversary.<br><br>Imagine, for example=
, being James Howells, who accidentally threw away a hard drive with 8,000 =
BTC on it, currently worth over $600M USD. He has spent a decade trying to =
retrieve it from the landfill where he knows it&#39;s buried, but can&#39;t=
 get permission to excavate. I suspect that, given the choice, he&#39;d pre=
fer those funds be permanently frozen rather than fall into someone else&#3=
9;s possession - I know I would.<br><br>Allowing a quantum computer to acce=
ss lost funds doesn&#39;t make those users any worse off than they were bef=
ore, however it <i>would</i>have a negative impact upon everyone who is cur=
rently holding bitcoin.<br><br>It&#39;s prudent to expect significant econo=
mic disruption if large amounts of coins fall into new hands. Since a quant=
um computer is going to have a massive up front cost, expect those behind i=
t to desire to recoup their investment. We also know from experience that w=
hen someone suddenly finds themselves in possession of 9+ figures worth of =
highly liquid assets, they tend to diversify into other things by selling.<=
br><br>Allowing quantum recovery of bitcoin is <i>tantamount to wealth redi=
stribution</i>. What we&#39;d be allowing is for bitcoin to be redistribute=
d from those who are ignorant of quantum computers to those who have won th=
e technological race to acquire quantum computers. It&#39;s hard to see a b=
right side to that scenario.<br><br><font style=3D"color:rgb(0,0,0)" size=
=3D"6">Is Quantum Recovery Good for Anyone?</font><br><br>Does quantum reco=
very HELP anyone? I&#39;ve yet to come across an argument that it&#39;s a n=
et positive in any way. It certainly doesn&#39;t add any security to the ne=
twork. If anything, it greatly decreases the security of the network by all=
owing funds to be claimed by those who did not earn them.<br><br>But wait, =
you may be thinking, wouldn&#39;t quantum &quot;miners&quot; have earned th=
eir coins by all the work and resources invested in building a quantum comp=
uter? I suppose, in the same sense that a burglar earns their spoils by the=
 resources they invest into surveilling targets and learning the skills nee=
ded to break into buildings. What I say &quot;earned&quot; I mean through p=
roductive mutual trade.<br><br>For example:<br><br>* Investors earn BTC by =
trading for other currencies.<br>* Merchants earn BTC by trading for goods =
and services.<br>* Miners earn BTC by trading thermodynamic security.<br>* =
Quantum miners don&#39;t trade anything, they are vampires feeding upon the=
 system.<br><br>There&#39;s no reason to believe that allowing quantum adve=
rsaries to recover vulnerable bitcoin will be of benefit to anyone other th=
an the select few organizations that win the technological arms race to bui=
ld the first such computers. Probably nation states and/or the top few larg=
est tech companies.<br><br>One could certainly hope that an organization wi=
th quantum supremacy is benevolent and acts in a &quot;white hat&quot; mann=
er to return lost coins to their owners, but that&#39;s incredibly optimist=
ic and foolish to rely upon. Such a situation creates an insurmountable eth=
ical dilemma of only recovering lost bitcoin rather than currently owned bi=
tcoin. There&#39;s no way to precisely differentiate between the two; anyon=
e can claim to have lost their bitcoin but if they have lost their keys the=
n proving they ever had the keys becomes rather difficult. I imagine that a=
ny such white hat recovery efforts would have to rely upon attestations fro=
m trusted third parties like exchanges.<br><br>Even if the first actor with=
 quantum supremacy is benevolent, we must assume the technology could fall =
into adversarial hands and thus think adversarially about the potential wor=
st case outcomes. Imagine, for example, that North Korea continues scooping=
 up billions of dollars from hacking crypto exchanges and decides to invest=
 some of those proceeds into building a quantum computer for the biggest pa=
yday ever...<br><br><font style=3D"color:rgb(0,0,0)" size=3D"6">Downsides t=
o Allowing Quantum Recovery</font><br>Let&#39;s think through an exhaustive=
 list of pros and cons for allowing or preventing the seizure of funds by a=
 quantum adversary.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"4">Hist=
orical Precedent</font><br>Previous protocol vulnerabilities weren=E2=80=99=
t celebrated as &quot;fair game&quot; but rather were treated as failures t=
o be remediated. Treating quantum theft differently risks rewriting Bitcoin=
=E2=80=99s history as a free-for-all rather than a system that seeks to pro=
tect its users.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"4">Violatio=
n of Property Rights</font><br>Allowing a quantum adversary to take control=
 of funds undermines the fundamental principle of cryptocurrency - if you k=
eep your keys in your possession, only you should be able to access your mo=
ney. Bitcoin is built on the idea that private keys secure an individual=E2=
=80=99s assets, and unauthorized access (even via advanced tech) is theft, =
not a legitimate transfer.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"=
4">Erosion of Trust in Bitcoin</font><br>If quantum attackers can exploit v=
ulnerable addresses, confidence in Bitcoin as a secure store of value would=
 collapse. Users and investors rely on cryptographic integrity, and widespr=
ead theft could drive adoption away from Bitcoin, destabilizing its ecosyst=
em.<br><br>This is essentially the counterpoint to claiming the burning of =
vulnerable funds is a violation of property rights. While some will certain=
ly see it as such, others will find the apathy toward stopping quantum thef=
t to be similarly concerning.<br><br><font style=3D"color:rgb(0,0,0)" size=
=3D"4">Unfair Advantage</font><br>Quantum attackers, likely equipped with r=
are and expensive technology, would have an unjust edge over regular users =
who lack access to such tools. This creates an inequitable system where onl=
y the technologically elite can exploit others, contradicting Bitcoin=E2=80=
=99s ethos of decentralized power.<br><br>Bitcoin is designed to create an =
asymmetric advantage for DEFENDING one&#39;s wealth. It&#39;s supposed to b=
e impractically expensive for attackers to crack the entropy and cryptograp=
hy protecting one&#39;s coins. But now we find ourselves discussing a situa=
tion where this asymmetric advantage is compromised in favor of a specific =
class of attackers.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"4">Econ=
omic Disruption</font><br>Large-scale theft from vulnerable addresses could=
 crash Bitcoin=E2=80=99s price as quantum recovered funds are dumped on exc=
hanges. This would harm all holders, not just those directly targeted, lead=
ing to broader financial chaos in the markets.<br><br><font style=3D"color:=
rgb(0,0,0)" size=3D"4">Moral Responsibility</font><br>Permitting theft via =
quantum computing sets a precedent that technological superiority justifies=
 unethical behavior. This is essentially taking a &quot;code is law&quot; s=
tance in which we refuse to admit that both code and laws can be modified t=
o adapt to previously unforeseen situations.<br><br>Burning of coins can ce=
rtainly be considered a form of theft, thus I think it&#39;s worth differen=
tiating the two different thefts being discussed:<br><br>1. self-enriching =
&amp; likely malicious<br>2. harm prevention &amp; not necessarily maliciou=
s<br><br>Both options lack the consent of the party whose coins are being b=
urnt or transferred, thus I think the simple argument that theft is immoral=
 becomes a wash and it&#39;s important to drill down into the details of ea=
ch.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"4">Incentives Drive Sec=
urity</font><br>I can tell you from a decade of working in Bitcoin security=
 - the average user is lazy and is a procrastinator. If Bitcoiners are give=
n a &quot;drop dead date&quot; after which they know vulnerable funds will =
be burned, this pressure accelerates the adoption of post-quantum cryptogra=
phy and strengthens Bitcoin long-term. Allowing vulnerable users to delay u=
pgrading indefinitely will result in more laggards, leaving the network mor=
e exposed when quantum tech becomes available.<br><br><font style=3D"color:=
rgb(0,0,0)" size=3D"6">Steel Manning<br></font>Clearly this is a complex an=
d controversial topic, thus it&#39;s worth thinking through the opposing ar=
guments.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"4">Protecting Prop=
erty Rights</font><br>Allowing quantum computers to take vulnerable bitcoin=
 could potentially be spun as a hard money narrative - we care so greatly a=
bout not violating someone&#39;s access to their coins that we allow them t=
o be stolen!<br><br>But I think the flip side to the property rights narrat=
ive is that burning vulnerable coins prevents said property from falling in=
to undeserving hands. If the entire Bitcoin ecosystem just stands around an=
d allows quantum adversaries to claim funds that rightfully belong to other=
 users, is that really a &quot;win&quot; in the &quot;protecting property r=
ights&quot; category? It feels more like apathy to me.<br><br>As such, I th=
ink the &quot;protecting property rights&quot; argument is a wash.<br><br><=
font style=3D"color:rgb(0,0,0)" size=3D"4">Quantum Computers Won&#39;t Atta=
ck Bitcoin</font><br>There is a great deal of skepticism that sufficiently =
powerful quantum computers will ever exist, so we shouldn&#39;t bother prep=
aring for a non-existent threat. Others have argued that even if such a com=
puter was built, a quantum attacker would not go after bitcoin because they=
 wouldn&#39;t want to reveal their hand by doing so, and would instead atta=
ck other infrastructure.<br><br>It&#39;s quite difficult to quantify exactl=
y how valuable attacking other infrastructure would be. It also really depe=
nds upon when an entity gains quantum supremacy and thus if by that time mo=
st of the world&#39;s systems have already been upgraded. While I think you=
 could argue that certain entities gaining quantum capability might not att=
ack Bitcoin, it would only delay the inevitable - eventually somebody will =
achieve the capability who decides to use it for such an attack.<br><br><fo=
nt style=3D"color:rgb(0,0,0)" size=3D"4">Quantum Attackers Would Only Steal=
 Small Amounts</font><br>Some have argued that even if a quantum attacker t=
argeted bitcoin, they&#39;d only go after old, likely lost P2PK outputs so =
as to not arouse suspicion and cause a market panic.<br><br>I&#39;m not so =
sure about that; why go after 50 BTC at a time when you could take 250,000 =
BTC with the same effort as 50 BTC? This is a classic &quot;zero day exploi=
t&quot; game theory in which an attacker knows they have a limited amount o=
f time before someone else discovers the exploit and either benefits from i=
t or patches it. Take, for example, the recent ByBit attack - the highest v=
alue crypto hack of all time. Lazarus Group had compromised the Safe wallet=
 front end JavaScript app and they could have simply had it reassign owners=
hip of everyone&#39;s Safe wallets as they were interacting with their wall=
et. But instead they chose to only specifically target ByBit&#39;s wallet w=
ith $1.5 billion in it because they wanted to maximize their extractable va=
lue. If Lazarus had started stealing from every wallet, they would have bee=
n discovered quickly and the Safe web app would likely have been patched we=
ll before any billion dollar wallets executed the malicious code.<br><br>I =
think the &quot;only stealing small amounts&quot; argument is strongest for=
 Situation #2 described earlier, where a quantum attacker arrives before qu=
antum safe cryptography has been deployed across the Bitcoin ecosystem. Bec=
ause if it became clear that Bitcoin&#39;s cryptography was broken AND ther=
e was nowhere safe for vulnerable users to migrate, the only logical option=
 would be for everyone to liquidate their bitcoin as quickly as possible. A=
s such, I don&#39;t think it applies as strongly for situations in which we=
 have a migration path available.<br><br><font style=3D"color:rgb(0,0,0)" s=
ize=3D"4">The 21 Million Coin Supply Should be in Circulation</font><br>Som=
e folks are arguing that it&#39;s important for the &quot;circulating / spe=
ndable&quot; supply to be as close to 21M as possible and that having a sig=
nificant portion of the supply out of circulation is somehow undesirable.<b=
r><br>While the &quot;21M BTC&quot; attribute is a strong memetic narrative=
, I don&#39;t think anyone has ever expected that it would all be in circul=
ation. It has always been understood that many coins will be lost, and that=
&#39;s actually part of the game theory of owning bitcoin!<br><br>And remem=
ber, the 21M number in and of itself is not a particularly important detail=
 - it&#39;s not even mentioned in the whitepaper. What&#39;s important is t=
hat the supply is well known and not subject to change.<br><br><font style=
=3D"color:rgb(0,0,0)" size=3D"4">Self-Sovereignty and Personal Responsibili=
ty</font><br>Bitcoin=E2=80=99s design empowers individuals to control their=
 own wealth, free from centralized intervention. This freedom comes with th=
e burden of securing one&#39;s private keys. If quantum computing can break=
 obsolete cryptography, the fault lies with users who didn&#39;t move their=
 funds to quantum safe locking scripts. Expecting the network to shield use=
rs from their own negligence undermines the principle that you, and not a t=
hird party, are accountable for your assets.<br><br>I think this is general=
ly a fair point that &quot;the community&quot; doesn&#39;t owe you anything=
 in terms of helping you. I think that we do, however, need to consider the=
 incentives and game theory in play with regard to quantum safe Bitcoiners =
vs quantum vulnerable Bitcoiners. More on that later.<br><br><font style=3D=
"color:rgb(0,0,0)" size=3D"4">Code is Law</font><br>Bitcoin operates on tra=
nsparent, immutable rules embedded in its protocol. If a quantum attacker u=
ses superior technology to derive private keys from public keys, they=E2=80=
=99re not &quot;hacking&quot; the system - they&#39;re simply following wha=
t&#39;s mathematically permissible within the current code. Altering the pr=
otocol to stop this introduces subjective human intervention, which clashes=
 with the objective, deterministic nature of blockchain.<br><br>While I ten=
d to agree that code is law, one of the entire points of laws is that they =
can be amended to improve their efficacy in reducing harm. Leaning on this =
point seems more like a pro-ossification stance that it&#39;s better to do =
nothing and allow harm to occur rather than take action to stop an attack t=
hat was foreseen far in advance.<br><br><font style=3D"color:rgb(0,0,0)" si=
ze=3D"4">Technological Evolution as a Feature, Not a Bug</font><br>It&#39;s=
 well known that cryptography tends to weaken over time and eventually brea=
k. Quantum computing is just the next step in this progression. Users who f=
ail to adapt (e.g., by adopting quantum-resistant wallets when available) a=
re akin to those who ignored technological advancements like multisig or ha=
rdware wallets. Allowing quantum theft incentivizes innovation and keeps Bi=
tcoin=E2=80=99s ecosystem dynamic, punishing complacency while rewarding vi=
gilance.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"4">Market Signals =
Drive Security</font><br>If quantum attackers start stealing funds, it send=
s a clear signal to the market: upgrade your security or lose everything. T=
his pressure accelerates the adoption of post-quantum cryptography and stre=
ngthens Bitcoin long-term. Coddling vulnerable users delays this necessary =
evolution, potentially leaving the network more exposed when quantum tech b=
ecomes widely accessible. Theft is a brutal but effective teacher.<br><br><=
font style=3D"color:rgb(0,0,0)" size=3D"4">Centralized Blacklisting Power</=
font><br>Burning vulnerable funds requires centralized decision-making - a =
soft fork to invalidate certain transactions. This sets a dangerous precede=
nt for future interventions, eroding Bitcoin=E2=80=99s decentralization. If=
 quantum theft is blocked, what=E2=80=99s next - reversing exchange hacks? =
The system must remain neutral, even if it means some lose out.<br><br>I th=
ink this could be a potential slippery slope if the proposal was to only bu=
rn specific addresses. Rather, I&#39;d expect a neutral proposal to burn al=
l funds in locking script types that are known to be quantum vulnerable. Th=
us, we could eliminate any subjectivity from the code.<br><br><font style=
=3D"color:rgb(0,0,0)" size=3D"4">Fairness in Competition</font><br>Quantum =
attackers aren&#39;t cheating; they&#39;re using publicly available physics=
 and math. Anyone with the resources and foresight can build or access quan=
tum tech, just as anyone could mine Bitcoin in 2009 with a CPU. Early adopt=
ers took risks and reaped rewards; quantum innovators are doing the same. C=
alling it =E2=80=9Cunfair=E2=80=9D ignores that Bitcoin has never promised =
equality of outcome - only equality of opportunity within its rules.<br><br=
>I find this argument to be a mischaracterization because we&#39;re not tal=
king about CPUs. This is more akin to talking about ASICs, except each ASIC=
 costs millions if not billions of dollars. This is out of reach from all b=
ut the wealthiest organizations.<br><br><font style=3D"color:rgb(0,0,0)" si=
ze=3D"4">Economic Resilience</font><br>Bitcoin has weathered thefts before =
(MTGOX, Bitfinex, FTX, etc) and emerged stronger. The market can absorb qua=
ntum losses, with unaffected users continuing to hold and new entrants buyi=
ng in at lower prices. Fear of economic collapse overestimates the impact -=
 the network=E2=80=99s antifragility thrives on such challenges.<br><br>Thi=
s is a big grey area because we don&#39;t know when a quantum computer will=
 come online and we don&#39;t know how quickly said computers would be able=
 to steal bitcoin. If, for example, the first generation of sufficiently po=
werful quantum computers were stealing less volume than the current block r=
eward then of course it will have minimal economic impact. But if they&#39;=
re taking thousands of BTC per day and bringing them back into circulation,=
 there will likely be a noticeable market impact as it absorbs the new supp=
ly.<br><br>This is where the circumstances will really matter. If a quantum=
 attacker appears AFTER the Bitcoin protocol has been upgraded to support q=
uantum resistant cryptography then we should expect the most valuable activ=
e wallets will have upgraded and the juiciest target would be the 31,000 BT=
C in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant =
since 2010. In general I&#39;d expect that the amount of BTC re-entering th=
e circulating supply would look somewhat similar to the mining emission cur=
ve: volume would start off very high as the most valuable addresses are dra=
ined and then it would fall off as quantum computers went down the list tar=
geting addresses with less and less BTC.<br><br>Why is economic impact a fa=
ctor worth considering? Miners and businesses in general. More coins being =
liquidated will push down the price, which will negatively impact miner rev=
enue. Similarly, I can attest from working in the industry for a decade, th=
at lower prices result in less demand from businesses across the entire ind=
ustry. As such, burning quantum vulnerable bitcoin is good for the entire i=
ndustry.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"4">Practicality &a=
mp; Neutrality of Non-Intervention</font><br>There=E2=80=99s no reliable wa=
y to distinguish =E2=80=9Ctheft=E2=80=9D from legitimate &quot;white hat&qu=
ot; key recovery. If someone loses their private key and a quantum computer=
 recovers it, is that stealing or reclaiming? Policing quantum actions requ=
ires invasive assumptions about intent, which Bitcoin=E2=80=99s trustless d=
esign can=E2=80=99t accommodate. Letting the chips fall where they may avoi=
ds this mess.<br><br><font style=3D"color:rgb(0,0,0)" size=3D"4">Philosophi=
cal Purity</font><br>Bitcoin rejects bailouts. It=E2=80=99s a cold, hard sy=
stem where outcomes reflect preparation and skill, not sentimentality. If q=
uantum computing upends the game, that=E2=80=99s the point - Bitcoin isn=E2=
=80=99t meant to be safe or fair in a nanny-state sense; it=E2=80=99s meant=
 to be free. Users who lose funds to quantum attacks are casualties of libe=
rty and their own ignorance, not victims of injustice.<br><br><font style=
=3D"color:rgb(0,0,0)" size=3D"6">Bitcoin&#39;s DAO Moment</font><br>This si=
tuation has some similarities to The DAO hack of an Ethereum smart contract=
 in 2016, which resulted in a fork to stop the attacker and return funds to=
 their original owners. The game theory is similar because it&#39;s a situa=
tion where a threat is known but there&#39;s some period of time before the=
 attacker can actually execute the theft. As such, there&#39;s time to miti=
gate the attack by changing the protocol.<br><br>It also created a schism i=
n the community around the true meaning of &quot;code is law,&quot; resulti=
ng in Ethereum Classic, which decided to allow the attacker to retain contr=
ol of the stolen funds.<br><br>A soft fork to burn vulnerable bitcoin could=
 certainly result in a hard fork if there are enough miners who reject the =
soft fork and continue including transactions.<br><br><font style=3D"color:=
rgb(0,0,0)" size=3D"6">Incentives Matter</font><br>We can wax philosophical=
 until the cows come home, but what are the actual incentives for existing =
Bitcoin holders regarding this decision?<br><br><blockquote class=3D"gmail_=
quote" style=3D"margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color=
:rgb(204,204,204)">&quot;Lost coins only make everyone else&#39;s coins wor=
th slightly more. Think of it as a donation to everyone.&quot; - Satoshi Na=
kamoto</blockquote><br>If true, the corollary is:<br><br><blockquote class=
=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;padding-left:1ex;border-=
left-color:rgb(204,204,204)">&quot;Quantum recovered coins only make everyo=
ne else&#39;s coins worth less. Think of it as a theft from everyone.&quot;=
 - Jameson Lopp</blockquote><br>Thus, assuming we get to a point where quan=
tum resistant signatures are supported within the Bitcoin protocol, what&#3=
9;s the incentive to let vulnerable coins remain spendable?<br><br>* It&#39=
;s not good for the actual owners of those coins. It disincentivizes owners=
 from upgrading until perhaps it&#39;s too late.<br>* It&#39;s not good for=
 the more attentive / responsible owners of coins who have quantum secured =
their stash. Allowing the circulating supply to balloon will assuredly redu=
ce the purchasing power of all bitcoin holders.<br><br><font style=3D"color=
:rgb(0,0,0)" size=3D"6">Forking Game Theory</font><br>From a game theory po=
int of view, I see this as incentivizing users to upgrade their wallets. If=
 you disagree with the burning of vulnerable coins, all you have to do is m=
ove your funds to a quantum safe signature scheme. Point being, I don&#39;t=
 see there being an economic majority (or even more than a tiny minority) o=
f users who would fight such a soft fork. Why expend significant resources =
fighting a fork when you can just move your coins to a new address?<br><br>=
Remember that blocking spending of certain classes of locking scripts is a =
tightening of the rules - a soft fork. As such, it can be meaningfully enac=
ted and enforced by a mere majority of hashpower. If miners generally agree=
 that it&#39;s in their best interest to burn vulnerable coins, are other u=
sers going to care enough to put in the effort to run new node software tha=
t resists the soft fork? Seems unlikely to me.<br><br><font style=3D"color:=
rgb(0,0,0)" size=3D"6">How to Execute Burning</font><br>In order to be as o=
bjective as possible, the goal would be to announce to the world that after=
 a specific block height / timestamp, Bitcoin nodes will no longer accept t=
ransactions (or blocks containing such transactions) that spend funds from =
any scripts other than the newly instituted quantum safe schemes.<br><br>It=
 could take a staggered approach to first freeze funds that are susceptible=
 to long-range attacks such as those in P2PK scripts or those that exposed =
their public keys due to previously re-using addresses, but I expect the ad=
ditional complexity would drive further controversy.<br><br>How long should=
 the grace period be in order to give the ecosystem time to upgrade? I&#39;=
d say a minimum of 1 year for software wallets to upgrade. We can only hope=
 that hardware wallet manufacturers are able to implement post quantum cryp=
tography on their existing hardware with only a firmware update.<br><br>Bey=
ond that, it will take at least 6 months worth of block space for all users=
 to migrate their funds, even in a best case scenario. Though if you exclud=
e dust UTXOs you could probably get 95% of BTC value migrated in 1 month. O=
f course this is a highly optimistic situation where everyone is completely=
 focused on migrations - in reality it will take far longer.<br><br>Regardl=
ess, I&#39;d think that in order to reasonably uphold Bitcoin&#39;s conserv=
atism it would be preferable to allow a 4 year migration window. In the mea=
ntime, mining pools could coordinate emergency soft forking logic such that=
 if quantum attackers materialized, they could accelerate the countdown to =
the quantum vulnerable funds burn.<br><br><font style=3D"color:rgb(0,0,0)" =
size=3D"6">Random Tangential Benefits</font><br>On the plus side, burning a=
ll quantum vulnerable bitcoin would allow us to prune all of those UTXOs ou=
t of the UTXO set, which would also clean up a lot of dust. Dust UTXOs are =
a bit of an annoyance and there has even been a recent proposal for how to =
incentivize cleaning them up.<br><br>We should also expect that incentivizi=
ng migration of the entire UTXO set will create substantial demand for bloc=
k space that will sustain a fee market for a fairly lengthy amount of time.=
<br><br><font style=3D"color:rgb(0,0,0)" size=3D"6">In Summary</font><br>Wh=
ile the moral quandary of violating any of Bitcoin&#39;s inviolable propert=
ies can make this a very complex issue to discuss, the game theory and ince=
ntives between burning vulnerable coins versus allowing them to be claimed =
by entities with quantum supremacy appears to be a much simpler issue.<br><=
br>I, for one, am not interested in rewarding quantum capable entities by i=
nflating the circulating money supply just because some people lost their k=
eys long ago and some laggards are not upgrading their bitcoin wallet&#39;s=
 security.<br><br>We can hope that this scenario never comes to pass, but h=
ope is not a strategy.<br><br>I welcome your feedback upon any of the above=
 points, and contribution of any arguments I failed to consider.</div></div=
><div><br></div>-- <br>You received this message because you are subscribed=
 to the Google Groups &quot;Bitcoin Development Mailing List&quot; group.<b=
r>To unsubscribe from this group and stop receiving emails from it, send an=
 email to <a rel=3D"noreferrer nofollow noopener" href data-email-masked>bi=
tcoindev+...@googlegroups.com</a>.<br>To view this discussion visit <a rel=
=3D"noreferrer nofollow noopener" href=3D"https://groups.google.com/d/msgid=
/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40m=
ail.gmail.com" target=3D"_blank" data-saferedirecturl=3D"https://www.google=
.com/url?hl=3Den&amp;q=3Dhttps://groups.google.com/d/msgid/bitcoindev/CADL_=
X_cF%253DUKVa7CitXReMq8nA_4RadCF%253D%253DkU4YG%252B0GYN97P6hQ%2540mail.gma=
il.com&amp;source=3Dgmail&amp;ust=3D1749387599317000&amp;usg=3DAOvVaw1nWmtN=
HWj25mhraYVZS_Xy">https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3D=
UKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com</a>.</div>=
</blockquote></div><div dir=3D"ltr"></div></div></div></div>

<p></p>

-- <br>
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br>
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a rel=3D"noreferrer nofollow noopener" href data-email-masked>bitc=
oindev+...@googlegroups.com</a>.<br>
To view this discussion visit <a rel=3D"noreferrer nofollow noopener" href=
=3D"https://groups.google.com/d/msgid/bitcoindev/E8269A1A-1899-46D2-A7CD-4D=
9D2B732364%40astrotown.de" target=3D"_blank" data-saferedirecturl=3D"https:=
//www.google.com/url?hl=3Den&amp;q=3Dhttps://groups.google.com/d/msgid/bitc=
oindev/E8269A1A-1899-46D2-A7CD-4D9D2B732364%2540astrotown.de&amp;source=3Dg=
mail&amp;ust=3D1749387599317000&amp;usg=3DAOvVaw2PR2vuTOZH_Ek_t4GgnuJJ">htt=
ps://groups.google.com/d/msgid/bitcoindev/E8269A1A-1899-46D2-A7CD-4D9D2B732=
364%40astrotown.de</a>.</blockquote></div></div></blockquote></div><div><bl=
ockquote type=3D"cite"><div dir=3D"ltr"><div class=3D"gmail_quote"><blockqu=
ote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left-wid=
th:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(204,2=
04,204)"><br>
</blockquote></div></div>

<p></p>

-- <br>
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br>
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a rel=3D"noreferrer nofollow noopener" href data-email-masked>bitc=
oindev+...@googlegroups.com</a>.<br>
To view this discussion visit <a rel=3D"noreferrer nofollow noopener" href=
=3D"https://groups.google.com/d/msgid/bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br=
6mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg%40mail.gmail.com" target=3D"_blank" data-sa=
feredirecturl=3D"https://www.google.com/url?hl=3Den&amp;q=3Dhttps://groups.=
google.com/d/msgid/bitcoindev/CAJDmzYxw%252BmXQKjS%252Bh%252Br6mCoe1rwWUpa_=
yZDwmwx6U_eO5JhZLg%2540mail.gmail.com&amp;source=3Dgmail&amp;ust=3D17493875=
99317000&amp;usg=3DAOvVaw0HJzgCo9hLdARu_fL6UDUf">https://groups.google.com/=
d/msgid/bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br6mCoe1rwWUpa_yZDwmwx6U_eO5JhZL=
g%40mail.gmail.com</a>.<br>

        </blockquote><br>
    </div>

<p></p>

-- <br>
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br>
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a rel=3D"noreferrer nofollow noopener" href data-email-masked>bitc=
oindev+...@googlegroups.com</a>.<br>
To view this discussion visit <a rel=3D"noreferrer nofollow noopener" href=
=3D"https://groups.google.com/d/msgid/bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvf=
XniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXL=
miCJOY%3D%40proton.me" target=3D"_blank" data-saferedirecturl=3D"https://ww=
w.google.com/url?hl=3Den&amp;q=3Dhttps://groups.google.com/d/msgid/bitcoind=
ev/zyx7G6H1TyB2sWVEKAfIYmCCvfXniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuHMjjw8Ras=
O7c3ZX46_6Nerv0SgCP0vOi5_nAXLmiCJOY%253D%2540proton.me&amp;source=3Dgmail&a=
mp;ust=3D1749387599317000&amp;usg=3DAOvVaw1WeDdjOHiNYWK_U17-OcRr">https://g=
roups.google.com/d/msgid/bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvfXniazvrhGlaZu=
GLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXLmiCJOY%3D%40p=
roton.me</a>.<br>
</blockquote></div></div>
</blockquote></div>

<p></p>

-- <br>
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br>
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href rel=3D"noreferrer nofollow noopener" data-email-masked>bitc=
oindev+...@googlegroups.com</a>.<br></blockquote></div></div><div style=3D"=
font-family:Arial,sans-serif;font-size:14px"><div><blockquote type=3D"cite"=
>
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/CAJDmzYycnXODG_e9ATqTkooUu3C-RS703P1-RQLW5CdcCehsqg%40mail.gmail=
.com" rel=3D"noreferrer nofollow noopener" target=3D"_blank" data-saferedir=
ecturl=3D"https://www.google.com/url?hl=3Den&amp;q=3Dhttps://groups.google.=
com/d/msgid/bitcoindev/CAJDmzYycnXODG_e9ATqTkooUu3C-RS703P1-RQLW5CdcCehsqg%=
2540mail.gmail.com&amp;source=3Dgmail&amp;ust=3D1749387599317000&amp;usg=3D=
AOvVaw20sKcGYqK1w1lbqEinULpJ">https://groups.google.com/d/msgid/bitcoindev/=
CAJDmzYycnXODG_e9ATqTkooUu3C-RS703P1-RQLW5CdcCehsqg%40mail.gmail.com</a>.<b=
r>

        </blockquote><br>
    </div></div></blockquote></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/893891ea-34ec-4d60-9941-9f636be0d747n%40googlegroups.com?utm_med=
ium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/msgid/bitcoind=
ev/893891ea-34ec-4d60-9941-9f636be0d747n%40googlegroups.com</a>.<br />

------=_Part_18011_501201720.1749302913697--

------=_Part_18010_831844196.1749302913697--