path: root/50/11aab319dd5c93b3f77c1d9b63c29577832c3c

Delivery-date: Sun, 13 Jul 2025 08:49:46 -0700
Received: from mail-yb1-f188.google.com ([209.85.219.188])
	by mail.fairlystable.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <bitcoindev+bncBDZML35Y4AIBBC5LZ7BQMGQEJKTACSA@googlegroups.com>)
	id 1uayxS-0002S2-J5
	for bitcoindev@gnusha.org; Sun, 13 Jul 2025 08:49:46 -0700
Received: by mail-yb1-f188.google.com with SMTP id 3f1490d57ef6-e81b872852bsf3972804276.1
        for <bitcoindev@gnusha.org>; Sun, 13 Jul 2025 08:49:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlegroups.com; s=20230601; t=1752421776; x=1753026576; darn=gnusha.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-sender:mime-version
         :subject:references:in-reply-to:message-id:to:from:date:sender:from
         :to:cc:subject:date:message-id:reply-to;
        bh=+t5NBIjfAtAum6mGkpWW0eZFFDOqGjOJTRwCEhc4aTI=;
        b=adXIHkxDibbuGB9005xKeMiMY4QnH8WILik3gZ39RlJmPOHcJytrzvxVprqAW5XMBe
         MuiOLBcWxAHooVBBW3SjqBThvjWXJpERYWboew/vEaP8dqo7fDV47V9XPiiFxa6ISugZ
         0+AYRaosQhK8ykrkefhLHiIREIeU/Z1dVccC1bNivYSARbSD6o5QTHdhoDv+Zdnqv5qx
         5ARGIISHqPMXpE87d59tq/jNp8o9USwZ4a2eTfm9WlxTdm/EbIs29V/GQzjTO0xNQpvH
         YkvMqqK89kJ74cc6/UP+qcATUHb6fLU1xeql9Ls6Rxuu36AAAEEDPH4cytXbvl5WG5FH
         eytA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1752421776; x=1753026576; darn=gnusha.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-sender:mime-version
         :subject:references:in-reply-to:message-id:to:from:date:from:to:cc
         :subject:date:message-id:reply-to;
        bh=+t5NBIjfAtAum6mGkpWW0eZFFDOqGjOJTRwCEhc4aTI=;
        b=Z3IIxulUZ67PYjET9Zulyr3ZIj/OV7gZsSyzjyJSc+omHExVooPJhw04KhXXFNuych
         ecMNrPqoK6/wFzyAlftyp+pgI4c8o/Itvfltm3gZ90lbB1i8CV8ulkXzoociMdTmEC1C
         glQgK8FSwRzwuz2JqMfrHuPBygcsGw3BwxOeJduCAk5lnf+nXHsckt3Sdp8r3LYIHKrK
         ST1wy7FoEqJw7j7Vwq0ZZEDlpasbreno3ypPvnsdbOAaO8Fzge5PG+VZK6MNTrF/xsRk
         9dqEcSaUi4jVIYGMPeAPErojj6jt+nkOZqOsa4B1phQz80F5LQKrWJ5zt0y5A+I/Bhug
         qjbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1752421776; x=1753026576;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-sender:mime-version
         :subject:references:in-reply-to:message-id:to:from:date:x-beenthere
         :x-gm-message-state:sender:from:to:cc:subject:date:message-id
         :reply-to;
        bh=+t5NBIjfAtAum6mGkpWW0eZFFDOqGjOJTRwCEhc4aTI=;
        b=Yl1SJKY4kdmWlD5rT8qS+jkwm8q6TAybYbkzNCGKDenzPOTLNTYI9D7WIU5Il/AQuo
         6FLTR1qJTN2IkCuVM3HGIjWIx/5cZPo00gT4p2oEKG+pFz/i9e5fFElbynQ2KPBaW5wG
         zTVS6qDcEQ3klfsSdUyRjgeAETDEsjIjK5uiJDxtMWa7jG9gcmJduwSDkUu030Of/Xgt
         xNpia2RqsIeTdECxW2oXV3XZXr1YyyiLEp3FL5iMV7m33pfdKh5u4iLxUwAMM4HlYl/A
         ckw+GmDLqq6nC4OLxM2vrvnZSWXZFHKmzTox+dOZdqbfTAuDEsbo8ZY67qSY0IRZJupK
         MwAA==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=1; AJvYcCXoT9x4+wZSv9oA5I9rv0qeSF1mREffbLcMaBWAcrXt5psNMBaGNhdr/IvKo0ihW0PjSfV630sRNzsT@gnusha.org
X-Gm-Message-State: AOJu0YxZoAze4/whJ7Iv2YEQlSb0JRrWzrXU8TOJSeFGGTqBhT4lV3/F
	SKM+U1VKrH+za4Tquh14F4+TK8zCS+3zTgU/0m+5b6oGH8ouL2vchaH4
X-Google-Smtp-Source: AGHT+IHN5KWArsLlStSe7BhBgqSGtk4FjIUcuHKp58DIm1mj8JbiabNu35HBmaHrAdxiiWO86hfN1Q==
X-Received: by 2002:a05:6902:4484:b0:e89:7280:bf8d with SMTP id 3f1490d57ef6-e8b85b72cb8mr10501210276.44.1752421775628;
        Sun, 13 Jul 2025 08:49:35 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com; h=AZMbMZfAioSV6+7ylWgKF2BLSJSl9voAa/FUF18xUtaTMx5dRw==
Received: by 2002:a25:a02:0:b0:e84:2a56:5876 with SMTP id 3f1490d57ef6-e8b777fbfc0ls3330832276.0.-pod-prod-08-us;
 Sun, 13 Jul 2025 08:49:31 -0700 (PDT)
X-Received: by 2002:a05:690c:9a01:b0:712:e2b5:e61b with SMTP id 00721157ae682-717d78c65b9mr166197977b3.13.1752421771396;
        Sun, 13 Jul 2025 08:49:31 -0700 (PDT)
Received: by 2002:a05:690c:2e08:b0:711:63b1:720 with SMTP id 00721157ae682-718014dfe64ms7b3;
        Sun, 13 Jul 2025 08:38:14 -0700 (PDT)
X-Received: by 2002:a05:690c:4b13:b0:70e:7a67:b4c5 with SMTP id 00721157ae682-717d7a68aefmr149503497b3.36.1752421092010;
        Sun, 13 Jul 2025 08:38:12 -0700 (PDT)
Date: Sun, 13 Jul 2025 08:38:11 -0700 (PDT)
From: Or Sattath <sattath@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <f17de19d-a6f5-46b3-abcd-09c056d9bd64n@googlegroups.com>
In-Reply-To: <CADL_X_cF=UKVa7CitXReMq8nA_4RadCF==kU4YG+0GYN97P6hQ@mail.gmail.com>
References: <CADL_X_cF=UKVa7CitXReMq8nA_4RadCF==kU4YG+0GYN97P6hQ@mail.gmail.com>
Subject: [bitcoindev] Re: Against Allowing Quantum Recovery of Bitcoin
MIME-Version: 1.0
Content-Type: multipart/mixed; 
	boundary="----=_Part_248320_934919471.1752421091483"
X-Original-Sender: sattath@gmail.com
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
 <https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: 0.0 (/)

------=_Part_248320_934919471.1752421091483
Content-Type: multipart/alternative; 
	boundary="----=_Part_248321_2076021029.1752421091483"

------=_Part_248321_2076021029.1752421091483
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,

Jameson Lopp presented the freeze/not-freeze dilemma. I would like to point=
=20
out that there=E2=80=99s a third approach. The main insight is that even th=
ough the=20
quantum attacker knows the digital signature private key, the attacker and=
=20
the owner are not symmetric: the owner, in most cases, knows the seed=20
(master secret key), whereas the quantum attacker does not. This approach,=
=20
which was done in collaboration with Shai Wyborski, is available here:=20
https://eprint.iacr.org/2023/362 (our work was peer reviewed and presented=
=20
here: https://www.qsmc.org/pqcsm-workshop-2023).

Our main technique is called =E2=80=9Csignature lifting=E2=80=9D: it=E2=80=
=99s a way to transform=20
an existing quantum-insecure signature scheme into a quantum-secure=20
signature scheme, while still using the old keys. This is possible whenever=
=20
the function that maps the secret key to the public key is a quantum-secure=
=20
one-way function. Informally (and there are some details under the rug that=
=20
I=E2=80=99m not getting into), the quantum-secure one-way function maps the=
 seed to=20
the public key. (Of course, the function that maps the ECDSA signing key to=
=20
the public key is not a quantum-secure one-way function. Therefore, our=20
approach does not apply to pre-2013 wallets, which did not use BIP-38.) We=
=20
use Picnic (https://dl.acm.org/doi/abs/10.1145/3133956.3133997) as the=20
underlying primitive that enables signature lifting.

The main drawback of signature lifting is that the signatures are extremely=
=20
long. To address this, we also designed an interactive way to transact,=20
using a commit-wait-reveal approach, which we called =E2=80=9CLifted Fawkes=
Coin"=20
(our main contribution over the original FawkesCoin approach by Bonneau and=
=20
Miller in https://jbonneau.com/doc/BM14-SPW-fawkescoin.pdf is that we=20
resolve the issue of transaction fees, using lifted signatures). When the=
=20
spender and the miner are honest, a transaction is roughly the same size as=
=20
today; only if one of the parties deviates from the honest protocol must=20
the long signature be added to the blockchain, and the cheating party is=20
financially penalized. The main burden of Lifted FawkesCoin is that users=
=20
who haven=E2=80=99t transitioned to quantum-secure signatures yet need to=
=20
occasionally (e.g., once a year) come online and check for fraud attempts.=
=20
I believe that even though this burden exists, it is a Pareto improvement=
=20
over both the =E2=80=9Cfreeze=E2=80=9D and =E2=80=9Cnot-freeze=E2=80=9D app=
roaches.=20

Best,
Or

On Sunday, March 16, 2025 at 5:22:16=E2=80=AFPM UTC+2 Jameson Lopp wrote:

> The quantum computing debate is heating up. There are many controversial=
=20
> aspects to this debate, including whether or not quantum computers will=
=20
> ever actually become a practical threat.
>
> I won't tread into the unanswerable question of how worried we should be=
=20
> about quantum computers. I think it's far from a crisis, but given the=20
> difficulty in changing Bitcoin it's worth starting to seriously discuss.=
=20
> Today I wish to focus on a philosophical quandary related to one of the=
=20
> decisions that would need to be made if and when we implement a quantum=
=20
> safe signature scheme.
>
> Several Scenarios
> Because this essay will reference game theory a fair amount, and there ar=
e=20
> many variables at play that could change the nature of the game, I think=
=20
> it's important to clarify the possible scenarios up front.
>
> 1. Quantum computing never materializes, never becomes a threat, and thus=
=20
> everything discussed in this essay is moot.
> 2. A quantum computing threat materializes suddenly and Bitcoin does not=
=20
> have quantum safe signatures as part of the protocol. In this scenario it=
=20
> would likely make the points below moot because Bitcoin would be=20
> fundamentally broken and it would take far too long to upgrade the=20
> protocol, wallet software, and migrate user funds in order to restore=20
> confidence in the network.
> 3. Quantum computing advances slowly enough that we come to consensus=20
> about how to upgrade Bitcoin and post quantum security has been minimally=
=20
> adopted by the time an attacker appears.
> 4. Quantum computing advances slowly enough that we come to consensus=20
> about how to upgrade Bitcoin and post quantum security has been highly=20
> adopted by the time an attacker appears.
>
> For the purposes of this post, I'm envisioning being in situation 3 or 4.
>
> To Freeze or not to Freeze?
> I've started seeing more people weighing in on what is likely the most=20
> contentious aspect of how a quantum resistance upgrade should be handled =
in=20
> terms of migrating user funds. Should quantum vulnerable funds be left op=
en=20
> to be swept by anyone with a sufficiently powerful quantum computer OR=20
> should they be permanently locked?
>
> "I don't see why old coins should be confiscated. The better option is to=
=20
>> let those with quantum computers free up old coins. While this might hav=
e=20
>> an inflationary impact on bitcoin's price, to use a turn of phrase, the=
=20
>> inflation is transitory. Those with low time preference should support=
=20
>> returning lost coins to circulation."=20
>
> - Hunter Beast
>
>
> On the other hand:
>
> "Of course they have to be confiscated. If and when (and that's a big if)=
=20
>> the existence of a cryptography-breaking QC becomes a credible threat, t=
he=20
>> Bitcoin ecosystem has no other option than softforking out the ability t=
o=20
>> spend from signature schemes (including ECDSA and BIP340) that are=20
>> vulnerable to QCs. The alternative is that millions of BTC become=20
>> vulnerable to theft; I cannot see how the currency can maintain any valu=
e=20
>> at all in such a setting. And this affects everyone; even those which=20
>> diligently moved their coins to PQC-protected schemes."
>> - Pieter Wuille
>
>
> I don't think "confiscation" is the most precise term to use, as the fund=
s=20
> are not being seized and reassigned. Rather, what we're really discussing=
=20
> would be better described as "burning" - placing the funds *out of reach=
=20
> of everyone*.
>
> Not freezing user funds is one of Bitcoin's inviolable properties.=20
> However, if quantum computing becomes a threat to Bitcoin's elliptic curv=
e=20
> cryptography, *an inviolable property of Bitcoin will be violated one way=
=20
> or another*.
>
> Fundamental Properties at Risk
> 5 years ago I attempted to comprehensively categorize all of Bitcoin's=20
> fundamental properties that give it value.=20
> https://nakamoto.com/what-are-the-key-properties-of-bitcoin/
>
> The particular properties in play with regard to this issue seem to be:
>
> *Censorship Resistance* - No one should have the power to prevent others=
=20
> from using their bitcoin or interacting with the network.
>
> *Forward Compatibility* - changing the rules such that certain valid=20
> transactions become invalid could undermine confidence in the protocol.
>
> *Conservatism* - Users should not be expected to be highly responsive to=
=20
> system issues.
>
> As a result of the above principles, we have developed a strong meme=20
> (kudos to Andreas Antonopoulos) that goes as follows:
>
> Not your keys, not your coins.
>
>
> I posit that the corollary to this principle is:
>
> Your keys, only your coins.
>
>
> A quantum capable entity breaks the corollary of this foundational=20
> principle. We secure our bitcoin with the mathematical probabilities=20
> related to extremely large random numbers. Your funds are only secure=20
> because truly random large numbers should not be guessable or discoverabl=
e=20
> by anyone else in the world.
>
> This is the principle behind the motto *vires in numeris* - strength in=
=20
> numbers. In a world with quantum enabled adversaries, this principle is=
=20
> null and void for many types of cryptography, including the elliptic curv=
e=20
> digital signatures used in Bitcoin.
>
> Who is at Risk?
> There has long been a narrative that Satoshi's coins and others from the=
=20
> Satoshi era of P2PK locking scripts that exposed the public key directly =
on=20
> the blockchain will be those that get scooped up by a quantum "miner." Bu=
t=20
> unfortunately it's not that simple. If I had a powerful quantum computer,=
=20
> which coins would I target? I'd go to the Bitcoin rich list and find the=
=20
> wallets that have exposed their public keys due to re-using addresses tha=
t=20
> have previously been spent from. You can easily find them at=20
> https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html
>
> Note that a few of these wallets, like Bitfinex / Kraken / Tether, would=
=20
> be slightly harder to crack because they are multisig wallets. So a quant=
um=20
> attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfin=
ex=20
> / Tether in order to spend funds. But many are single signature.
>
> Point being, it's not only the really old lost BTC that are at risk to a=
=20
> quantum enabled adversary, at least at time of writing. If we add a quant=
um=20
> safe signature scheme, we should expect those wallets to be some of the=
=20
> first to upgrade given their incentives.
>
> The Ethical Dilemma: Quantifying Harm
> Which decision results in the most harm?
>
> By making quantum vulnerable funds unspendable we potentially harm some=
=20
> Bitcoin users who were not paying attention and neglected to migrate thei=
r=20
> funds to a quantum safe locking script. This violates the "conservativism=
"=20
> principle stated earlier. On the flip side, we prevent those funds plus f=
ar=20
> more lost funds from falling into the hands of the few privileged folks w=
ho=20
> gain early access to quantum computers.
>
> By leaving quantum vulnerable funds available to spend, the same set of=
=20
> users who would otherwise have funds frozen are likely to see them stolen=
.=20
> And many early adopters who lost their keys will eventually see their=20
> unreachable funds scooped up by a quantum enabled adversary.
>
> Imagine, for example, being James Howells, who accidentally threw away a=
=20
> hard drive with 8,000 BTC on it, currently worth over $600M USD. He has=
=20
> spent a decade trying to retrieve it from the landfill where he knows it'=
s=20
> buried, but can't get permission to excavate. I suspect that, given the=
=20
> choice, he'd prefer those funds be permanently frozen rather than fall in=
to=20
> someone else's possession - I know I would.
>
> Allowing a quantum computer to access lost funds doesn't make those users=
=20
> any worse off than they were before, however it *would* have a negative=
=20
> impact upon everyone who is currently holding bitcoin.
>
> It's prudent to expect significant economic disruption if large amounts o=
f=20
> coins fall into new hands. Since a quantum computer is going to have a=20
> massive up front cost, expect those behind it to desire to recoup their=
=20
> investment. We also know from experience that when someone suddenly finds=
=20
> themselves in possession of 9+ figures worth of highly liquid assets, the=
y=20
> tend to diversify into other things by selling.
>
> Allowing quantum recovery of bitcoin is *tantamount to wealth=20
> redistribution*. What we'd be allowing is for bitcoin to be redistributed=
=20
> from those who are ignorant of quantum computers to those who have won th=
e=20
> technological race to acquire quantum computers. It's hard to see a brigh=
t=20
> side to that scenario.
>
> Is Quantum Recovery Good for Anyone?
>
> Does quantum recovery HELP anyone? I've yet to come across an argument=20
> that it's a net positive in any way. It certainly doesn't add any securit=
y=20
> to the network. If anything, it greatly decreases the security of the=20
> network by allowing funds to be claimed by those who did not earn them.
>
> But wait, you may be thinking, wouldn't quantum "miners" have earned thei=
r=20
> coins by all the work and resources invested in building a quantum=20
> computer? I suppose, in the same sense that a burglar earns their spoils =
by=20
> the resources they invest into surveilling targets and learning the skill=
s=20
> needed to break into buildings. What I say "earned" I mean through=20
> productive mutual trade.
>
> For example:
>
> * Investors earn BTC by trading for other currencies.
> * Merchants earn BTC by trading for goods and services.
> * Miners earn BTC by trading thermodynamic security.
> * Quantum miners don't trade anything, they are vampires feeding upon the=
=20
> system.
>
> There's no reason to believe that allowing quantum adversaries to recover=
=20
> vulnerable bitcoin will be of benefit to anyone other than the select few=
=20
> organizations that win the technological arms race to build the first suc=
h=20
> computers. Probably nation states and/or the top few largest tech compani=
es.
>
> One could certainly hope that an organization with quantum supremacy is=
=20
> benevolent and acts in a "white hat" manner to return lost coins to their=
=20
> owners, but that's incredibly optimistic and foolish to rely upon. Such a=
=20
> situation creates an insurmountable ethical dilemma of only recovering lo=
st=20
> bitcoin rather than currently owned bitcoin. There's no way to precisely=
=20
> differentiate between the two; anyone can claim to have lost their bitcoi=
n=20
> but if they have lost their keys then proving they ever had the keys=20
> becomes rather difficult. I imagine that any such white hat recovery=20
> efforts would have to rely upon attestations from trusted third parties=
=20
> like exchanges.
>
> Even if the first actor with quantum supremacy is benevolent, we must=20
> assume the technology could fall into adversarial hands and thus think=20
> adversarially about the potential worst case outcomes. Imagine, for=20
> example, that North Korea continues scooping up billions of dollars from=
=20
> hacking crypto exchanges and decides to invest some of those proceeds int=
o=20
> building a quantum computer for the biggest payday ever...
>
> Downsides to Allowing Quantum Recovery
> Let's think through an exhaustive list of pros and cons for allowing or=
=20
> preventing the seizure of funds by a quantum adversary.
>
> Historical Precedent
> Previous protocol vulnerabilities weren=E2=80=99t celebrated as "fair gam=
e" but=20
> rather were treated as failures to be remediated. Treating quantum theft=
=20
> differently risks rewriting Bitcoin=E2=80=99s history as a free-for-all r=
ather than=20
> a system that seeks to protect its users.
>
> Violation of Property Rights
> Allowing a quantum adversary to take control of funds undermines the=20
> fundamental principle of cryptocurrency - if you keep your keys in your=
=20
> possession, only you should be able to access your money. Bitcoin is buil=
t=20
> on the idea that private keys secure an individual=E2=80=99s assets, and=
=20
> unauthorized access (even via advanced tech) is theft, not a legitimate=
=20
> transfer.
>
> Erosion of Trust in Bitcoin
> If quantum attackers can exploit vulnerable addresses, confidence in=20
> Bitcoin as a secure store of value would collapse. Users and investors re=
ly=20
> on cryptographic integrity, and widespread theft could drive adoption awa=
y=20
> from Bitcoin, destabilizing its ecosystem.
>
> This is essentially the counterpoint to claiming the burning of vulnerabl=
e=20
> funds is a violation of property rights. While some will certainly see it=
=20
> as such, others will find the apathy toward stopping quantum theft to be=
=20
> similarly concerning.
>
> Unfair Advantage
> Quantum attackers, likely equipped with rare and expensive technology,=20
> would have an unjust edge over regular users who lack access to such tool=
s.=20
> This creates an inequitable system where only the technologically elite c=
an=20
> exploit others, contradicting Bitcoin=E2=80=99s ethos of decentralized po=
wer.
>
> Bitcoin is designed to create an asymmetric advantage for DEFENDING one's=
=20
> wealth. It's supposed to be impractically expensive for attackers to crac=
k=20
> the entropy and cryptography protecting one's coins. But now we find=20
> ourselves discussing a situation where this asymmetric advantage is=20
> compromised in favor of a specific class of attackers.
>
> Economic Disruption
> Large-scale theft from vulnerable addresses could crash Bitcoin=E2=80=99s=
 price as=20
> quantum recovered funds are dumped on exchanges. This would harm all=20
> holders, not just those directly targeted, leading to broader financial=
=20
> chaos in the markets.
>
> Moral Responsibility
> Permitting theft via quantum computing sets a precedent that technologica=
l=20
> superiority justifies unethical behavior. This is essentially taking a=20
> "code is law" stance in which we refuse to admit that both code and laws=
=20
> can be modified to adapt to previously unforeseen situations.
>
> Burning of coins can certainly be considered a form of theft, thus I thin=
k=20
> it's worth differentiating the two different thefts being discussed:
>
> 1. self-enriching & likely malicious
> 2. harm prevention & not necessarily malicious
>
> Both options lack the consent of the party whose coins are being burnt or=
=20
> transferred, thus I think the simple argument that theft is immoral becom=
es=20
> a wash and it's important to drill down into the details of each.
>
> Incentives Drive Security
> I can tell you from a decade of working in Bitcoin security - the average=
=20
> user is lazy and is a procrastinator. If Bitcoiners are given a "drop dea=
d=20
> date" after which they know vulnerable funds will be burned, this pressur=
e=20
> accelerates the adoption of post-quantum cryptography and strengthens=20
> Bitcoin long-term. Allowing vulnerable users to delay upgrading=20
> indefinitely will result in more laggards, leaving the network more expos=
ed=20
> when quantum tech becomes available.
>
> Steel Manning
> Clearly this is a complex and controversial topic, thus it's worth=20
> thinking through the opposing arguments.
>
> Protecting Property Rights
> Allowing quantum computers to take vulnerable bitcoin could potentially b=
e=20
> spun as a hard money narrative - we care so greatly about not violating=
=20
> someone's access to their coins that we allow them to be stolen!
>
> But I think the flip side to the property rights narrative is that burnin=
g=20
> vulnerable coins prevents said property from falling into undeserving=20
> hands. If the entire Bitcoin ecosystem just stands around and allows=20
> quantum adversaries to claim funds that rightfully belong to other users,=
=20
> is that really a "win" in the "protecting property rights" category? It=
=20
> feels more like apathy to me.
>
> As such, I think the "protecting property rights" argument is a wash.
>
> Quantum Computers Won't Attack Bitcoin
> There is a great deal of skepticism that sufficiently powerful quantum=20
> computers will ever exist, so we shouldn't bother preparing for a=20
> non-existent threat. Others have argued that even if such a computer was=
=20
> built, a quantum attacker would not go after bitcoin because they wouldn'=
t=20
> want to reveal their hand by doing so, and would instead attack other=20
> infrastructure.
>
> It's quite difficult to quantify exactly how valuable attacking other=20
> infrastructure would be. It also really depends upon when an entity gains=
=20
> quantum supremacy and thus if by that time most of the world's systems ha=
ve=20
> already been upgraded. While I think you could argue that certain entitie=
s=20
> gaining quantum capability might not attack Bitcoin, it would only delay=
=20
> the inevitable - eventually somebody will achieve the capability who=20
> decides to use it for such an attack.
>
> Quantum Attackers Would Only Steal Small Amounts
> Some have argued that even if a quantum attacker targeted bitcoin, they'd=
=20
> only go after old, likely lost P2PK outputs so as to not arouse suspicion=
=20
> and cause a market panic.
>
> I'm not so sure about that; why go after 50 BTC at a time when you could=
=20
> take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero=
=20
> day exploit" game theory in which an attacker knows they have a limited=
=20
> amount of time before someone else discovers the exploit and either=20
> benefits from it or patches it. Take, for example, the recent ByBit attac=
k=20
> - the highest value crypto hack of all time. Lazarus Group had compromise=
d=20
> the Safe wallet front end JavaScript app and they could have simply had i=
t=20
> reassign ownership of everyone's Safe wallets as they were interacting wi=
th=20
> their wallet. But instead they chose to only specifically target ByBit's=
=20
> wallet with $1.5 billion in it because they wanted to maximize their=20
> extractable value. If Lazarus had started stealing from every wallet, the=
y=20
> would have been discovered quickly and the Safe web app would likely have=
=20
> been patched well before any billion dollar wallets executed the maliciou=
s=20
> code.
>
> I think the "only stealing small amounts" argument is strongest for=20
> Situation #2 described earlier, where a quantum attacker arrives before=
=20
> quantum safe cryptography has been deployed across the Bitcoin ecosystem.=
=20
> Because if it became clear that Bitcoin's cryptography was broken AND the=
re=20
> was nowhere safe for vulnerable users to migrate, the only logical option=
=20
> would be for everyone to liquidate their bitcoin as quickly as possible. =
As=20
> such, I don't think it applies as strongly for situations in which we hav=
e=20
> a migration path available.
>
> The 21 Million Coin Supply Should be in Circulation
> Some folks are arguing that it's important for the "circulating /=20
> spendable" supply to be as close to 21M as possible and that having a=20
> significant portion of the supply out of circulation is somehow undesirab=
le.
>
> While the "21M BTC" attribute is a strong memetic narrative, I don't thin=
k=20
> anyone has ever expected that it would all be in circulation. It has alwa=
ys=20
> been understood that many coins will be lost, and that's actually part of=
=20
> the game theory of owning bitcoin!
>
> And remember, the 21M number in and of itself is not a particularly=20
> important detail - it's not even mentioned in the whitepaper. What's=20
> important is that the supply is well known and not subject to change.
>
> Self-Sovereignty and Personal Responsibility
> Bitcoin=E2=80=99s design empowers individuals to control their own wealth=
, free=20
> from centralized intervention. This freedom comes with the burden of=20
> securing one's private keys. If quantum computing can break obsolete=20
> cryptography, the fault lies with users who didn't move their funds to=20
> quantum safe locking scripts. Expecting the network to shield users from=
=20
> their own negligence undermines the principle that you, and not a third=
=20
> party, are accountable for your assets.
>
> I think this is generally a fair point that "the community" doesn't owe=
=20
> you anything in terms of helping you. I think that we do, however, need t=
o=20
> consider the incentives and game theory in play with regard to quantum sa=
fe=20
> Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.
>
> Code is Law
> Bitcoin operates on transparent, immutable rules embedded in its protocol=
.=20
> If a quantum attacker uses superior technology to derive private keys fro=
m=20
> public keys, they=E2=80=99re not "hacking" the system - they're simply fo=
llowing=20
> what's mathematically permissible within the current code. Altering the=
=20
> protocol to stop this introduces subjective human intervention, which=20
> clashes with the objective, deterministic nature of blockchain.
>
> While I tend to agree that code is law, one of the entire points of laws=
=20
> is that they can be amended to improve their efficacy in reducing harm.=
=20
> Leaning on this point seems more like a pro-ossification stance that it's=
=20
> better to do nothing and allow harm to occur rather than take action to=
=20
> stop an attack that was foreseen far in advance.
>
> Technological Evolution as a Feature, Not a Bug
> It's well known that cryptography tends to weaken over time and eventuall=
y=20
> break. Quantum computing is just the next step in this progression. Users=
=20
> who fail to adapt (e.g., by adopting quantum-resistant wallets when=20
> available) are akin to those who ignored technological advancements like=
=20
> multisig or hardware wallets. Allowing quantum theft incentivizes=20
> innovation and keeps Bitcoin=E2=80=99s ecosystem dynamic, punishing compl=
acency=20
> while rewarding vigilance.
>
> Market Signals Drive Security
> If quantum attackers start stealing funds, it sends a clear signal to the=
=20
> market: upgrade your security or lose everything. This pressure accelerat=
es=20
> the adoption of post-quantum cryptography and strengthens Bitcoin=20
> long-term. Coddling vulnerable users delays this necessary evolution,=20
> potentially leaving the network more exposed when quantum tech becomes=20
> widely accessible. Theft is a brutal but effective teacher.
>
> Centralized Blacklisting Power
> Burning vulnerable funds requires centralized decision-making - a soft=20
> fork to invalidate certain transactions. This sets a dangerous precedent=
=20
> for future interventions, eroding Bitcoin=E2=80=99s decentralization. If =
quantum=20
> theft is blocked, what=E2=80=99s next - reversing exchange hacks? The sys=
tem must=20
> remain neutral, even if it means some lose out.
>
> I think this could be a potential slippery slope if the proposal was to=
=20
> only burn specific addresses. Rather, I'd expect a neutral proposal to bu=
rn=20
> all funds in locking script types that are known to be quantum vulnerable=
.=20
> Thus, we could eliminate any subjectivity from the code.
>
> Fairness in Competition
> Quantum attackers aren't cheating; they're using publicly available=20
> physics and math. Anyone with the resources and foresight can build or=20
> access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU=
.=20
> Early adopters took risks and reaped rewards; quantum innovators are doin=
g=20
> the same. Calling it =E2=80=9Cunfair=E2=80=9D ignores that Bitcoin has ne=
ver promised=20
> equality of outcome - only equality of opportunity within its rules.
>
> I find this argument to be a mischaracterization because we're not talkin=
g=20
> about CPUs. This is more akin to talking about ASICs, except each ASIC=20
> costs millions if not billions of dollars. This is out of reach from all=
=20
> but the wealthiest organizations.
>
> Economic Resilience
> Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and=20
> emerged stronger. The market can absorb quantum losses, with unaffected=
=20
> users continuing to hold and new entrants buying in at lower prices. Fear=
=20
> of economic collapse overestimates the impact - the network=E2=80=99s ant=
ifragility=20
> thrives on such challenges.
>
> This is a big grey area because we don't know when a quantum computer wil=
l=20
> come online and we don't know how quickly said computers would be able to=
=20
> steal bitcoin. If, for example, the first generation of sufficiently=20
> powerful quantum computers were stealing less volume than the current blo=
ck=20
> reward then of course it will have minimal economic impact. But if they'r=
e=20
> taking thousands of BTC per day and bringing them back into circulation,=
=20
> there will likely be a noticeable market impact as it absorbs the new=20
> supply.
>
> This is where the circumstances will really matter. If a quantum attacker=
=20
> appears AFTER the Bitcoin protocol has been upgraded to support quantum=
=20
> resistant cryptography then we should expect the most valuable active=20
> wallets will have upgraded and the juiciest target would be the 31,000 BT=
C=20
> in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant=
=20
> since 2010. In general I'd expect that the amount of BTC re-entering the=
=20
> circulating supply would look somewhat similar to the mining emission=20
> curve: volume would start off very high as the most valuable addresses ar=
e=20
> drained and then it would fall off as quantum computers went down the lis=
t=20
> targeting addresses with less and less BTC.
>
> Why is economic impact a factor worth considering? Miners and businesses=
=20
> in general. More coins being liquidated will push down the price, which=
=20
> will negatively impact miner revenue. Similarly, I can attest from workin=
g=20
> in the industry for a decade, that lower prices result in less demand fro=
m=20
> businesses across the entire industry. As such, burning quantum vulnerabl=
e=20
> bitcoin is good for the entire industry.
>
> Practicality & Neutrality of Non-Intervention
> There=E2=80=99s no reliable way to distinguish =E2=80=9Ctheft=E2=80=9D fr=
om legitimate "white hat"=20
> key recovery. If someone loses their private key and a quantum computer=
=20
> recovers it, is that stealing or reclaiming? Policing quantum actions=20
> requires invasive assumptions about intent, which Bitcoin=E2=80=99s trust=
less=20
> design can=E2=80=99t accommodate. Letting the chips fall where they may a=
voids this=20
> mess.
>
> Philosophical Purity
> Bitcoin rejects bailouts. It=E2=80=99s a cold, hard system where outcomes=
 reflect=20
> preparation and skill, not sentimentality. If quantum computing upends th=
e=20
> game, that=E2=80=99s the point - Bitcoin isn=E2=80=99t meant to be safe o=
r fair in a=20
> nanny-state sense; it=E2=80=99s meant to be free. Users who lose funds to=
 quantum=20
> attacks are casualties of liberty and their own ignorance, not victims of=
=20
> injustice.
>
> Bitcoin's DAO Moment
> This situation has some similarities to The DAO hack of an Ethereum smart=
=20
> contract in 2016, which resulted in a fork to stop the attacker and retur=
n=20
> funds to their original owners. The game theory is similar because it's a=
=20
> situation where a threat is known but there's some period of time before=
=20
> the attacker can actually execute the theft. As such, there's time to=20
> mitigate the attack by changing the protocol.
>
> It also created a schism in the community around the true meaning of "cod=
e=20
> is law," resulting in Ethereum Classic, which decided to allow the attack=
er=20
> to retain control of the stolen funds.
>
> A soft fork to burn vulnerable bitcoin could certainly result in a hard=
=20
> fork if there are enough miners who reject the soft fork and continue=20
> including transactions.
>
> Incentives Matter
> We can wax philosophical until the cows come home, but what are the actua=
l=20
> incentives for existing Bitcoin holders regarding this decision?
>
> "Lost coins only make everyone else's coins worth slightly more. Think of=
=20
>> it as a donation to everyone." - Satoshi Nakamoto
>
>
> If true, the corollary is:
>
> "Quantum recovered coins only make everyone else's coins worth less. Thin=
k=20
>> of it as a theft from everyone." - Jameson Lopp
>
>
> Thus, assuming we get to a point where quantum resistant signatures are=
=20
> supported within the Bitcoin protocol, what's the incentive to let=20
> vulnerable coins remain spendable?
>
> * It's not good for the actual owners of those coins. It disincentivizes=
=20
> owners from upgrading until perhaps it's too late.
> * It's not good for the more attentive / responsible owners of coins who=
=20
> have quantum secured their stash. Allowing the circulating supply to=20
> balloon will assuredly reduce the purchasing power of all bitcoin holders=
.
>
> Forking Game Theory
> From a game theory point of view, I see this as incentivizing users to=20
> upgrade their wallets. If you disagree with the burning of vulnerable=20
> coins, all you have to do is move your funds to a quantum safe signature=
=20
> scheme. Point being, I don't see there being an economic majority (or eve=
n=20
> more than a tiny minority) of users who would fight such a soft fork. Why=
=20
> expend significant resources fighting a fork when you can just move your=
=20
> coins to a new address?
>
> Remember that blocking spending of certain classes of locking scripts is =
a=20
> tightening of the rules - a soft fork. As such, it can be meaningfully=20
> enacted and enforced by a mere majority of hashpower. If miners generally=
=20
> agree that it's in their best interest to burn vulnerable coins, are othe=
r=20
> users going to care enough to put in the effort to run new node software=
=20
> that resists the soft fork? Seems unlikely to me.
>
> How to Execute Burning
> In order to be as objective as possible, the goal would be to announce to=
=20
> the world that after a specific block height / timestamp, Bitcoin nodes=
=20
> will no longer accept transactions (or blocks containing such transaction=
s)=20
> that spend funds from any scripts other than the newly instituted quantum=
=20
> safe schemes.
>
> It could take a staggered approach to first freeze funds that are=20
> susceptible to long-range attacks such as those in P2PK scripts or those=
=20
> that exposed their public keys due to previously re-using addresses, but =
I=20
> expect the additional complexity would drive further controversy.
>
> How long should the grace period be in order to give the ecosystem time t=
o=20
> upgrade? I'd say a minimum of 1 year for software wallets to upgrade. We=
=20
> can only hope that hardware wallet manufacturers are able to implement po=
st=20
> quantum cryptography on their existing hardware with only a firmware upda=
te.
>
> Beyond that, it will take at least 6 months worth of block space for all=
=20
> users to migrate their funds, even in a best case scenario. Though if you=
=20
> exclude dust UTXOs you could probably get 95% of BTC value migrated in 1=
=20
> month. Of course this is a highly optimistic situation where everyone is=
=20
> completely focused on migrations - in reality it will take far longer.
>
> Regardless, I'd think that in order to reasonably uphold Bitcoin's=20
> conservatism it would be preferable to allow a 4 year migration window. I=
n=20
> the meantime, mining pools could coordinate emergency soft forking logic=
=20
> such that if quantum attackers materialized, they could accelerate the=20
> countdown to the quantum vulnerable funds burn.
>
> Random Tangential Benefits
> On the plus side, burning all quantum vulnerable bitcoin would allow us t=
o=20
> prune all of those UTXOs out of the UTXO set, which would also clean up a=
=20
> lot of dust. Dust UTXOs are a bit of an annoyance and there has even been=
 a=20
> recent proposal for how to incentivize cleaning them up.
>
> We should also expect that incentivizing migration of the entire UTXO set=
=20
> will create substantial demand for block space that will sustain a fee=20
> market for a fairly lengthy amount of time.
>
> In Summary
> While the moral quandary of violating any of Bitcoin's inviolable=20
> properties can make this a very complex issue to discuss, the game theory=
=20
> and incentives between burning vulnerable coins versus allowing them to b=
e=20
> claimed by entities with quantum supremacy appears to be a much simpler=
=20
> issue.
>
> I, for one, am not interested in rewarding quantum capable entities by=20
> inflating the circulating money supply just because some people lost thei=
r=20
> keys long ago and some laggards are not upgrading their bitcoin wallet's=
=20
> security.
>
> We can hope that this scenario never comes to pass, but hope is not a=20
> strategy.
>
> I welcome your feedback upon any of the above points, and contribution of=
=20
> any arguments I failed to consider.
>

--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
f17de19d-a6f5-46b3-abcd-09c056d9bd64n%40googlegroups.com.

------=_Part_248321_2076021029.1752421091483
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div style=3D"color: rgb(34, 34, 34); font-family: Arial, Helvetica, sans-s=
erif; font-size: small;">Hi,<br /><br />Jameson Lopp presented the freeze/n=
ot-freeze dilemma. I would like to point out that there=E2=80=99s a third a=
pproach. The main insight is that even though the quantum attacker knows th=
e digital signature private key, the attacker and the owner are not symmetr=
ic: the owner, in most cases, knows the seed (master secret key), whereas t=
he quantum attacker does not. This approach, which was done in collaboratio=
n with Shai Wyborski, is available here:=C2=A0<a href=3D"https://eprint.iac=
r.org/2023/362" target=3D"_blank" style=3D"color: rgb(17, 85, 204);">https:=
//eprint.iacr.org/2023/362</a>=C2=A0(our work was peer reviewed and present=
ed here:=C2=A0<a href=3D"https://www.qsmc.org/pqcsm-workshop-2023" target=
=3D"_blank" style=3D"color: rgb(17, 85, 204);">https://www.qsmc.org/pqcsm-w=
orkshop-2023</a>).<br /><br />Our main technique is called =E2=80=9Csignatu=
re lifting=E2=80=9D: it=E2=80=99s a way to transform an existing quantum-in=
secure signature scheme into a quantum-secure signature scheme, while still=
 using the old keys. This is possible whenever the function that maps the s=
ecret key to the public key is a quantum-secure one-way function. Informall=
y (and there are some details under the rug that I=E2=80=99m not getting in=
to), the quantum-secure one-way function maps the seed to the public key. (=
Of course, the function that maps the ECDSA signing key to the public key i=
s not a quantum-secure one-way function. Therefore, our approach does not a=
pply to pre-2013 wallets, which did not use BIP-38.) We use Picnic (<a href=
=3D"https://dl.acm.org/doi/abs/10.1145/3133956.3133997" target=3D"_blank" s=
tyle=3D"color: rgb(17, 85, 204);">https://dl.acm.org/doi/abs/10.1145/313395=
6.3133997</a>) as the underlying primitive that enables signature lifting.<=
br /><br />The main drawback of signature lifting is that the signatures ar=
e extremely long. To address this, we also designed an interactive way to t=
ransact, using a commit-wait-reveal approach, which we called =E2=80=9CLift=
ed FawkesCoin" (our main contribution over the original FawkesCoin approach=
 by Bonneau and Miller in=C2=A0<a href=3D"https://jbonneau.com/doc/BM14-SPW=
-fawkescoin.pdf" target=3D"_blank" style=3D"color: rgb(17, 85, 204);">https=
://jbonneau.com/doc/BM14-SPW-fawkescoin.pdf</a>=C2=A0is that we resolve the=
 issue of transaction fees, using lifted signatures). When the spender and =
the miner are honest, a transaction is roughly the same size as today; only=
 if one of the parties deviates from the honest protocol must the long sign=
ature be added to the blockchain, and the cheating party is financially pen=
alized. The main burden of Lifted FawkesCoin is that users who haven=E2=80=
=99t transitioned to quantum-secure signatures yet need to occasionally (e.=
g., once a year) come online and check for fraud attempts. I believe that e=
ven though this burden exists, it is a Pareto improvement over both the =E2=
=80=9Cfreeze=E2=80=9D and =E2=80=9Cnot-freeze=E2=80=9D approaches.=C2=A0</d=
iv><div style=3D"color: rgb(34, 34, 34); font-family: Arial, Helvetica, san=
s-serif; font-size: small;"><br />Best,<br />Or</div><br /><div class=3D"gm=
ail_quote"><div dir=3D"auto" class=3D"gmail_attr">On Sunday, March 16, 2025=
 at 5:22:16=E2=80=AFPM UTC+2 Jameson Lopp wrote:<br/></div><blockquote clas=
s=3D"gmail_quote" style=3D"margin: 0 0 0 0.8ex; border-left: 1px solid rgb(=
204, 204, 204); padding-left: 1ex;"><div dir=3D"ltr">The quantum computing =
debate is heating up. There are many controversial aspects to this debate, =
including whether or not quantum computers will ever actually become a prac=
tical threat.<div><br>I won&#39;t tread into the unanswerable question of h=
ow worried we should be about quantum computers. I think it&#39;s far from =
a crisis, but given the difficulty in changing Bitcoin it&#39;s worth start=
ing to seriously discuss. Today I wish to focus on a philosophical quandary=
 related to one of the decisions that would need to be made if and when we =
implement a quantum safe signature scheme.<br><br><font size=3D"6">Several =
Scenarios<br></font>Because this essay will reference game theory a fair am=
ount, and there are many variables at play that could change the nature of =
the game, I think it&#39;s important to clarify the possible scenarios up f=
ront.<br><br>1. Quantum computing never materializes, never becomes a threa=
t, and thus everything discussed in this essay is moot.<br>2. A quantum com=
puting threat materializes suddenly and Bitcoin does not have quantum safe =
signatures as part of the protocol. In this scenario it would likely make t=
he points below moot because Bitcoin would be fundamentally broken and it w=
ould take far too long to upgrade the protocol, wallet software, and migrat=
e user funds in order to restore confidence in the network.<br>3. Quantum c=
omputing advances slowly enough that we come to consensus about how to upgr=
ade Bitcoin and post quantum security has been minimally adopted by the tim=
e an attacker appears.<br>4. Quantum computing advances slowly enough that =
we come to consensus about how to upgrade Bitcoin and post quantum security=
 has been highly adopted by the time an attacker appears.<br><br>For the pu=
rposes of this post, I&#39;m envisioning being in situation 3 or 4.<br><br>=
<font size=3D"6">To Freeze or not to Freeze?<br></font>I&#39;ve started see=
ing more people weighing in on what is likely the most contentious aspect o=
f how a quantum resistance upgrade should be handled in terms of migrating =
user funds. Should quantum vulnerable funds be left open to be swept by any=
one with a sufficiently powerful quantum computer OR should they be permane=
ntly locked?<br><br><blockquote class=3D"gmail_quote" style=3D"margin:0px 0=
px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">&quot=
;I don&#39;t see why old coins should be confiscated. The better option is =
to let those with quantum computers free up old coins. While this might hav=
e an inflationary impact on bitcoin&#39;s price, to use a turn of phrase, t=
he inflation is transitory. Those with low time preference should support r=
eturning lost coins to circulation.&quot;=C2=A0</blockquote><blockquote cla=
ss=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex">- Hunter Beast</blockquote><div><br></di=
v>On the other hand:</div><div><br><blockquote class=3D"gmail_quote" style=
=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding=
-left:1ex">&quot;Of course they have to be confiscated. If and when (and th=
at&#39;s a big if) the existence of a cryptography-breaking QC becomes a cr=
edible threat, the Bitcoin ecosystem has no other option than softforking o=
ut the ability to spend from signature schemes (including ECDSA and BIP340)=
 that are vulnerable to QCs. The alternative is that millions of BTC become=
 vulnerable to theft; I cannot see how the currency can maintain any value =
at all in such a setting. And this affects everyone; even those which dilig=
ently moved their coins to PQC-protected schemes.&quot;<br>- Pieter Wuille<=
/blockquote><br>I don&#39;t think &quot;confiscation&quot; is the most prec=
ise term to use, as the funds are not being seized and reassigned. Rather, =
what we&#39;re really discussing would be better described as &quot;burning=
&quot; - placing the funds <b>out of reach of everyone</b>.<br><br>Not free=
zing user funds is one of Bitcoin&#39;s inviolable properties. However, if =
quantum computing becomes a threat to Bitcoin&#39;s elliptic curve cryptogr=
aphy, <b>an inviolable property of Bitcoin will be violated one way or anot=
her</b>.<br><br><font size=3D"6">Fundamental Properties at Risk<br></font>5=
 years ago I attempted to comprehensively categorize all of Bitcoin&#39;s f=
undamental properties that give it value. <a href=3D"https://nakamoto.com/w=
hat-are-the-key-properties-of-bitcoin/" target=3D"_blank" rel=3D"nofollow" =
data-saferedirecturl=3D"https://www.google.com/url?hl=3Den&amp;q=3Dhttps://=
nakamoto.com/what-are-the-key-properties-of-bitcoin/&amp;source=3Dgmail&amp=
;ust=3D1752507182310000&amp;usg=3DAOvVaw2WXOREjeNe8DXRkOJ4tzen">https://nak=
amoto.com/what-are-the-key-properties-of-bitcoin/<br></a><br>The particular=
 properties in play with regard to this issue seem to be:<br><br><b>Censors=
hip Resistance</b> - No one should have the power to prevent others from us=
ing their bitcoin or interacting with the network.<br><br><b>Forward Compat=
ibility</b> - changing the rules such that certain valid transactions becom=
e invalid could undermine confidence in the protocol.<br><br><b>Conservatis=
m</b> - Users should not be expected to be highly responsive to system issu=
es.<br><br>As a result of the above principles, we have developed a strong =
meme (kudos to Andreas Antonopoulos) that goes as follows:<br><br><blockquo=
te class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex">Not your keys, not your coins.</bl=
ockquote><br>I posit that the corollary to this principle is:<br><br><block=
quote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1=
px solid rgb(204,204,204);padding-left:1ex">Your keys, only your coins.</bl=
ockquote><br>A quantum capable entity breaks the corollary of this foundati=
onal principle. We secure our bitcoin with the mathematical probabilities r=
elated to extremely large random numbers. Your funds are only secure becaus=
e truly random large numbers should not be guessable or discoverable by any=
one else in the world.<br><br>This is the principle behind the motto <i>vir=
es in numeris</i> - strength in numbers. In a world with quantum enabled ad=
versaries, this principle is null and void for many types of cryptography, =
including the elliptic curve digital signatures used in Bitcoin.<br><br><fo=
nt size=3D"6">Who is at Risk?<br></font>There has long been a narrative tha=
t Satoshi&#39;s coins and others from the Satoshi era of P2PK locking scrip=
ts that exposed the public key directly on the blockchain will be those tha=
t get scooped up by a quantum &quot;miner.&quot; But unfortunately it&#39;s=
 not that simple. If I had a powerful quantum computer, which coins would I=
 target? I&#39;d go to the Bitcoin rich list and find the wallets that have=
 exposed their public keys due to re-using addresses that have previously b=
een spent from. You can easily find them at <a href=3D"https://bitinfochart=
s.com/top-100-richest-bitcoin-addresses.html" target=3D"_blank" rel=3D"nofo=
llow" data-saferedirecturl=3D"https://www.google.com/url?hl=3Den&amp;q=3Dht=
tps://bitinfocharts.com/top-100-richest-bitcoin-addresses.html&amp;source=
=3Dgmail&amp;ust=3D1752507182310000&amp;usg=3DAOvVaw0X5eLgtSvk1Q4u9vUoOTrR"=
>https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html</a><br><b=
r>Note that a few of these wallets, like Bitfinex / Kraken / Tether, would =
be slightly harder to crack because they are multisig wallets. So a quantum=
 attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfine=
x / Tether in order to spend funds. But many are single signature.<br><br>P=
oint being, it&#39;s not only the really old lost BTC that are at risk to a=
 quantum enabled adversary, at least at time of writing. If we add a quantu=
m safe signature scheme, we should expect those wallets to be some of the f=
irst to upgrade given their incentives.<br><br><font size=3D"6">The Ethical=
 Dilemma: Quantifying Harm<br></font>Which decision results in the most har=
m?<br><br>By making quantum vulnerable funds unspendable we potentially har=
m some Bitcoin users who were not paying attention and neglected to migrate=
 their funds to a quantum safe locking script. This violates the &quot;cons=
ervativism&quot; principle stated earlier. On the flip side, we prevent tho=
se funds plus far more lost funds from falling into the hands of the few pr=
ivileged folks who gain early access to quantum computers.<br><br>By leavin=
g quantum vulnerable funds available to spend, the same set of users who wo=
uld otherwise have funds frozen are likely to see them stolen. And many ear=
ly adopters who lost their keys will eventually see their unreachable funds=
 scooped up by a quantum enabled adversary.<br><br>Imagine, for example, be=
ing James Howells, who accidentally threw away a hard drive with 8,000 BTC =
on it, currently worth over $600M USD. He has spent a decade trying to retr=
ieve it from the landfill where he knows it&#39;s buried, but can&#39;t get=
 permission to excavate. I suspect that, given the choice, he&#39;d prefer =
those funds be permanently frozen rather than fall into someone else&#39;s =
possession - I know I would.<br><br>Allowing a quantum computer to access l=
ost funds doesn&#39;t make those users any worse off than they were before,=
 however it <i>would</i> have a negative impact upon everyone who is curren=
tly holding bitcoin.<br><br>It&#39;s prudent to expect significant economic=
 disruption if large amounts of coins fall into new hands. Since a quantum =
computer is going to have a massive up front cost, expect those behind it t=
o desire to recoup their investment. We also know from experience that when=
 someone suddenly finds themselves in possession of 9+ figures worth of hig=
hly liquid assets, they tend to diversify into other things by selling.<br>=
<br>Allowing quantum recovery of bitcoin is <i>tantamount to wealth redistr=
ibution</i>. What we&#39;d be allowing is for bitcoin to be redistributed f=
rom those who are ignorant of quantum computers to those who have won the t=
echnological race to acquire quantum computers. It&#39;s hard to see a brig=
ht side to that scenario.<br><br><font size=3D"6">Is Quantum Recovery Good =
for Anyone?</font><br><br>Does quantum recovery HELP anyone? I&#39;ve yet t=
o come across an argument that it&#39;s a net positive in any way. It certa=
inly doesn&#39;t add any security to the network. If anything, it greatly d=
ecreases the security of the network by allowing funds to be claimed by tho=
se who did not earn them.<br><br>But wait, you may be thinking, wouldn&#39;=
t quantum &quot;miners&quot; have earned their coins by all the work and re=
sources invested in building a quantum computer? I suppose, in the same sen=
se that a burglar earns their spoils by the resources they invest into surv=
eilling targets and learning the skills needed to break into buildings. Wha=
t I say &quot;earned&quot; I mean through productive mutual trade.<br><br>F=
or example:<br><br>* Investors earn BTC by trading for other currencies.<br=
>* Merchants earn BTC by trading for goods and services.<br>* Miners earn B=
TC by trading thermodynamic security.<br>* Quantum miners don&#39;t trade a=
nything, they are vampires feeding upon the system.<br><br>There&#39;s no r=
eason to believe that allowing quantum adversaries to recover vulnerable bi=
tcoin will be of benefit to anyone other than the select few organizations =
that win the technological arms race to build the first such computers. Pro=
bably nation states and/or the top few largest tech companies.<br><br>One c=
ould certainly hope that an organization with quantum supremacy is benevole=
nt and acts in a &quot;white hat&quot; manner to return lost coins to their=
 owners, but that&#39;s incredibly optimistic and foolish to rely upon. Suc=
h a situation creates an insurmountable ethical dilemma of only recovering =
lost bitcoin rather than currently owned bitcoin. There&#39;s no way to pre=
cisely differentiate between the two; anyone can claim to have lost their b=
itcoin but if they have lost their keys then proving they ever had the keys=
 becomes rather difficult. I imagine that any such white hat recovery effor=
ts would have to rely upon attestations from trusted third parties like exc=
hanges.<br><br>Even if the first actor with quantum supremacy is benevolent=
, we must assume the technology could fall into adversarial hands and thus =
think adversarially about the potential worst case outcomes. Imagine, for e=
xample, that North Korea continues scooping up billions of dollars from hac=
king crypto exchanges and decides to invest some of those proceeds into bui=
lding a quantum computer for the biggest payday ever...<br><br><font size=
=3D"6">Downsides to Allowing Quantum Recovery</font><br>Let&#39;s think thr=
ough an exhaustive list of pros and cons for allowing or preventing the sei=
zure of funds by a quantum adversary.<br><br><font size=3D"4">Historical Pr=
ecedent</font><br>Previous protocol vulnerabilities weren=E2=80=99t celebra=
ted as &quot;fair game&quot; but rather were treated as failures to be reme=
diated. Treating quantum theft differently risks rewriting Bitcoin=E2=80=99=
s history as a free-for-all rather than a system that seeks to protect its =
users.<br><br><font size=3D"4">Violation of Property Rights</font><br>Allow=
ing a quantum adversary to take control of funds undermines the fundamental=
 principle of cryptocurrency - if you keep your keys in your possession, on=
ly you should be able to access your money. Bitcoin is built on the idea th=
at private keys secure an individual=E2=80=99s assets, and unauthorized acc=
ess (even via advanced tech) is theft, not a legitimate transfer.<br><br><f=
ont size=3D"4">Erosion of Trust in Bitcoin</font><br>If quantum attackers c=
an exploit vulnerable addresses, confidence in Bitcoin as a secure store of=
 value would collapse. Users and investors rely on cryptographic integrity,=
 and widespread theft could drive adoption away from Bitcoin, destabilizing=
 its ecosystem.<br><br>This is essentially the counterpoint to claiming the=
 burning of vulnerable funds is a violation of property rights. While some =
will certainly see it as such, others will find the apathy toward stopping =
quantum theft to be similarly concerning.<br><br><font size=3D"4">Unfair Ad=
vantage</font><br>Quantum attackers, likely equipped with rare and expensiv=
e technology, would have an unjust edge over regular users who lack access =
to such tools. This creates an inequitable system where only the technologi=
cally elite can exploit others, contradicting Bitcoin=E2=80=99s ethos of de=
centralized power.<br><br>Bitcoin is designed to create an asymmetric advan=
tage for DEFENDING one&#39;s wealth. It&#39;s supposed to be impractically =
expensive for attackers to crack the entropy and cryptography protecting on=
e&#39;s coins. But now we find ourselves discussing a situation where this =
asymmetric advantage is compromised in favor of a specific class of attacke=
rs.<br><br><font size=3D"4">Economic Disruption</font><br>Large-scale theft=
 from vulnerable addresses could crash Bitcoin=E2=80=99s price as quantum r=
ecovered funds are dumped on exchanges. This would harm all holders, not ju=
st those directly targeted, leading to broader financial chaos in the marke=
ts.<br><br><font size=3D"4">Moral Responsibility</font><br>Permitting theft=
 via quantum computing sets a precedent that technological superiority just=
ifies unethical behavior. This is essentially taking a &quot;code is law&qu=
ot; stance in which we refuse to admit that both code and laws can be modif=
ied to adapt to previously unforeseen situations.<br><br>Burning of coins c=
an certainly be considered a form of theft, thus I think it&#39;s worth dif=
ferentiating the two different thefts being discussed:<br><br>1. self-enric=
hing &amp; likely malicious<br>2. harm prevention &amp; not necessarily mal=
icious<br><br>Both options lack the consent of the party whose coins are be=
ing burnt or transferred, thus I think the simple argument that theft is im=
moral becomes a wash and it&#39;s important to drill down into the details =
of each.<br><br><font size=3D"4">Incentives Drive Security</font><br>I can =
tell you from a decade of working in Bitcoin security - the average user is=
 lazy and is a procrastinator. If Bitcoiners are given a &quot;drop dead da=
te&quot; after which they know vulnerable funds will be burned, this pressu=
re accelerates the adoption of post-quantum cryptography and strengthens Bi=
tcoin long-term. Allowing vulnerable users to delay upgrading indefinitely =
will result in more laggards, leaving the network more exposed when quantum=
 tech becomes available.<br><br><font size=3D"6">Steel Manning<br></font>Cl=
early this is a complex and controversial topic, thus it&#39;s worth thinki=
ng through the opposing arguments.<br><br><font size=3D"4">Protecting Prope=
rty Rights</font><br>Allowing quantum computers to take vulnerable bitcoin =
could potentially be spun as a hard money narrative - we care so greatly ab=
out not violating someone&#39;s access to their coins that we allow them to=
 be stolen!<br><br>But I think the flip side to the property rights narrati=
ve is that burning vulnerable coins prevents said property from falling int=
o undeserving hands. If the entire Bitcoin ecosystem just stands around and=
 allows quantum adversaries to claim funds that rightfully belong to other =
users, is that really a &quot;win&quot; in the &quot;protecting property ri=
ghts&quot; category? It feels more like apathy to me.<br><br>As such, I thi=
nk the &quot;protecting property rights&quot; argument is a wash.<br><br><f=
ont size=3D"4">Quantum Computers Won&#39;t Attack Bitcoin</font><br>There i=
s a great deal of skepticism that sufficiently powerful quantum computers w=
ill ever exist, so we shouldn&#39;t bother preparing for a non-existent thr=
eat. Others have argued that even if such a computer was built, a quantum a=
ttacker would not go after bitcoin because they wouldn&#39;t want to reveal=
 their hand by doing so, and would instead attack other infrastructure.<br>=
<br>It&#39;s quite difficult to quantify exactly how valuable attacking oth=
er infrastructure would be. It also really depends upon when an entity gain=
s quantum supremacy and thus if by that time most of the world&#39;s system=
s have already been upgraded. While I think you could argue that certain en=
tities gaining quantum capability might not attack Bitcoin, it would only d=
elay the inevitable - eventually somebody will achieve the capability who d=
ecides to use it for such an attack.<br><br><font size=3D"4">Quantum Attack=
ers Would Only Steal Small Amounts</font><br>Some have argued that even if =
a quantum attacker targeted bitcoin, they&#39;d only go after old, likely l=
ost P2PK outputs so as to not arouse suspicion and cause a market panic.<br=
><br>I&#39;m not so sure about that; why go after 50 BTC at a time when you=
 could take 250,000 BTC with the same effort as 50 BTC? This is a classic &=
quot;zero day exploit&quot; game theory in which an attacker knows they hav=
e a limited amount of time before someone else discovers the exploit and ei=
ther benefits from it or patches it. Take, for example, the recent ByBit at=
tack - the highest value crypto hack of all time. Lazarus Group had comprom=
ised the Safe wallet front end JavaScript app and they could have simply ha=
d it reassign ownership of everyone&#39;s Safe wallets as they were interac=
ting with their wallet. But instead they chose to only specifically target =
ByBit&#39;s wallet with $1.5 billion in it because they wanted to maximize =
their extractable value. If Lazarus had started stealing from every wallet,=
 they would have been discovered quickly and the Safe web app would likely =
have been patched well before any billion dollar wallets executed the malic=
ious code.<br><br>I think the &quot;only stealing small amounts&quot; argum=
ent is strongest for Situation #2 described earlier, where a quantum attack=
er arrives before quantum safe cryptography has been deployed across the Bi=
tcoin ecosystem. Because if it became clear that Bitcoin&#39;s cryptography=
 was broken AND there was nowhere safe for vulnerable users to migrate, the=
 only logical option would be for everyone to liquidate their bitcoin as qu=
ickly as possible. As such, I don&#39;t think it applies as strongly for si=
tuations in which we have a migration path available.<br><br><font size=3D"=
4">The 21 Million Coin Supply Should be in Circulation</font><br>Some folks=
 are arguing that it&#39;s important for the &quot;circulating / spendable&=
quot; supply to be as close to 21M as possible and that having a significan=
t portion of the supply out of circulation is somehow undesirable.<br><br>W=
hile the &quot;21M BTC&quot; attribute is a strong memetic narrative, I don=
&#39;t think anyone has ever expected that it would all be in circulation. =
It has always been understood that many coins will be lost, and that&#39;s =
actually part of the game theory of owning bitcoin!<br><br>And remember, th=
e 21M number in and of itself is not a particularly important detail - it&#=
39;s not even mentioned in the whitepaper. What&#39;s important is that the=
 supply is well known and not subject to change.<br><br><font size=3D"4">Se=
lf-Sovereignty and Personal Responsibility</font><br>Bitcoin=E2=80=99s desi=
gn empowers individuals to control their own wealth, free from centralized =
intervention. This freedom comes with the burden of securing one&#39;s priv=
ate keys. If quantum computing can break obsolete cryptography, the fault l=
ies with users who didn&#39;t move their funds to quantum safe locking scri=
pts. Expecting the network to shield users from their own negligence underm=
ines the principle that you, and not a third party, are accountable for you=
r assets.<br><br>I think this is generally a fair point that &quot;the comm=
unity&quot; doesn&#39;t owe you anything in terms of helping you. I think t=
hat we do, however, need to consider the incentives and game theory in play=
 with regard to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners. M=
ore on that later.<br><br><font size=3D"4">Code is Law</font><br>Bitcoin op=
erates on transparent, immutable rules embedded in its protocol. If a quant=
um attacker uses superior technology to derive private keys from public key=
s, they=E2=80=99re not &quot;hacking&quot; the system - they&#39;re simply =
following what&#39;s mathematically permissible within the current code. Al=
tering the protocol to stop this introduces subjective human intervention, =
which clashes with the objective, deterministic nature of blockchain.<br><b=
r>While I tend to agree that code is law, one of the entire points of laws =
is that they can be amended to improve their efficacy in reducing harm. Lea=
ning on this point seems more like a pro-ossification stance that it&#39;s =
better to do nothing and allow harm to occur rather than take action to sto=
p an attack that was foreseen far in advance.<br><br><font size=3D"4">Techn=
ological Evolution as a Feature, Not a Bug</font><br>It&#39;s well known th=
at cryptography tends to weaken over time and eventually break. Quantum com=
puting is just the next step in this progression. Users who fail to adapt (=
e.g., by adopting quantum-resistant wallets when available) are akin to tho=
se who ignored technological advancements like multisig or hardware wallets=
. Allowing quantum theft incentivizes innovation and keeps Bitcoin=E2=80=99=
s ecosystem dynamic, punishing complacency while rewarding vigilance.<br><b=
r><font size=3D"4">Market Signals Drive Security</font><br>If quantum attac=
kers start stealing funds, it sends a clear signal to the market: upgrade y=
our security or lose everything. This pressure accelerates the adoption of =
post-quantum cryptography and strengthens Bitcoin long-term. Coddling vulne=
rable users delays this necessary evolution, potentially leaving the networ=
k more exposed when quantum tech becomes widely accessible. Theft is a brut=
al but effective teacher.<br><br><font size=3D"4">Centralized Blacklisting =
Power</font><br>Burning vulnerable funds requires centralized decision-maki=
ng - a soft fork to invalidate certain transactions. This sets a dangerous =
precedent for future interventions, eroding Bitcoin=E2=80=99s decentralizat=
ion. If quantum theft is blocked, what=E2=80=99s next - reversing exchange =
hacks? The system must remain neutral, even if it means some lose out.<br><=
br>I think this could be a potential slippery slope if the proposal was to =
only burn specific addresses. Rather, I&#39;d expect a neutral proposal to =
burn all funds in locking script types that are known to be quantum vulnera=
ble. Thus, we could eliminate any subjectivity from the code.<br><br><font =
size=3D"4">Fairness in Competition</font><br>Quantum attackers aren&#39;t c=
heating; they&#39;re using publicly available physics and math. Anyone with=
 the resources and foresight can build or access quantum tech, just as anyo=
ne could mine Bitcoin in 2009 with a CPU. Early adopters took risks and rea=
ped rewards; quantum innovators are doing the same. Calling it =E2=80=9Cunf=
air=E2=80=9D ignores that Bitcoin has never promised equality of outcome - =
only equality of opportunity within its rules.<br><br>I find this argument =
to be a mischaracterization because we&#39;re not talking about CPUs. This =
is more akin to talking about ASICs, except each ASIC costs millions if not=
 billions of dollars. This is out of reach from all but the wealthiest orga=
nizations.<br><br><font size=3D"4">Economic Resilience</font><br>Bitcoin ha=
s weathered thefts before (MTGOX, Bitfinex, FTX, etc) and emerged stronger.=
 The market can absorb quantum losses, with unaffected users continuing to =
hold and new entrants buying in at lower prices. Fear of economic collapse =
overestimates the impact - the network=E2=80=99s antifragility thrives on s=
uch challenges.<br><br>This is a big grey area because we don&#39;t know wh=
en a quantum computer will come online and we don&#39;t know how quickly sa=
id computers would be able to steal bitcoin. If, for example, the first gen=
eration of sufficiently powerful quantum computers were stealing less volum=
e than the current block reward then of course it will have minimal economi=
c impact. But if they&#39;re taking thousands of BTC per day and bringing t=
hem back into circulation, there will likely be a noticeable market impact =
as it absorbs the new supply.<br><br>This is where the circumstances will r=
eally matter. If a quantum attacker appears AFTER the Bitcoin protocol has =
been upgraded to support quantum resistant cryptography then we should expe=
ct the most valuable active wallets will have upgraded and the juiciest tar=
get would be the 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1=
dr which has been dormant since 2010. In general I&#39;d expect that the am=
ount of BTC re-entering the circulating supply would look somewhat similar =
to the mining emission curve: volume would start off very high as the most =
valuable addresses are drained and then it would fall off as quantum comput=
ers went down the list targeting addresses with less and less BTC.<br><br>W=
hy is economic impact a factor worth considering? Miners and businesses in =
general. More coins being liquidated will push down the price, which will n=
egatively impact miner revenue. Similarly, I can attest from working in the=
 industry for a decade, that lower prices result in less demand from busine=
sses across the entire industry. As such, burning quantum vulnerable bitcoi=
n is good for the entire industry.<br><br><font size=3D"4">Practicality &am=
p; Neutrality of Non-Intervention</font><br>There=E2=80=99s no reliable way=
 to distinguish =E2=80=9Ctheft=E2=80=9D from legitimate &quot;white hat&quo=
t; key recovery. If someone loses their private key and a quantum computer =
recovers it, is that stealing or reclaiming? Policing quantum actions requi=
res invasive assumptions about intent, which Bitcoin=E2=80=99s trustless de=
sign can=E2=80=99t accommodate. Letting the chips fall where they may avoid=
s this mess.<br><br><font size=3D"4">Philosophical Purity</font><br>Bitcoin=
 rejects bailouts. It=E2=80=99s a cold, hard system where outcomes reflect =
preparation and skill, not sentimentality. If quantum computing upends the =
game, that=E2=80=99s the point - Bitcoin isn=E2=80=99t meant to be safe or =
fair in a nanny-state sense; it=E2=80=99s meant to be free. Users who lose =
funds to quantum attacks are casualties of liberty and their own ignorance,=
 not victims of injustice.<br><br><font size=3D"6">Bitcoin&#39;s DAO Moment=
</font><br>This situation has some similarities to The DAO hack of an Ether=
eum smart contract in 2016, which resulted in a fork to stop the attacker a=
nd return funds to their original owners. The game theory is similar becaus=
e it&#39;s a situation where a threat is known but there&#39;s some period =
of time before the attacker can actually execute the theft. As such, there&=
#39;s time to mitigate the attack by changing the protocol.<br><br>It also =
created a schism in the community around the true meaning of &quot;code is =
law,&quot; resulting in Ethereum Classic, which decided to allow the attack=
er to retain control of the stolen funds.<br><br>A soft fork to burn vulner=
able bitcoin could certainly result in a hard fork if there are enough mine=
rs who reject the soft fork and continue including transactions.<br><br><fo=
nt size=3D"6">Incentives Matter</font><br>We can wax philosophical until th=
e cows come home, but what are the actual incentives for existing Bitcoin h=
olders regarding this decision?<br><br><blockquote class=3D"gmail_quote" st=
yle=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padd=
ing-left:1ex">&quot;Lost coins only make everyone else&#39;s coins worth sl=
ightly more. Think of it as a donation to everyone.&quot; - Satoshi Nakamot=
o</blockquote><br>If true, the corollary is:<br><br><blockquote class=3D"gm=
ail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,=
204,204);padding-left:1ex">&quot;Quantum recovered coins only make everyone=
 else&#39;s coins worth less. Think of it as a theft from everyone.&quot; -=
 Jameson Lopp</blockquote><br>Thus, assuming we get to a point where quantu=
m resistant signatures are supported within the Bitcoin protocol, what&#39;=
s the incentive to let vulnerable coins remain spendable?<br><br>* It&#39;s=
 not good for the actual owners of those coins. It disincentivizes owners f=
rom upgrading until perhaps it&#39;s too late.<br>* It&#39;s not good for t=
he more attentive / responsible owners of coins who have quantum secured th=
eir stash. Allowing the circulating supply to balloon will assuredly reduce=
 the purchasing power of all bitcoin holders.<br><br><font size=3D"6">Forki=
ng Game Theory</font><br>From a game theory point of view, I see this as in=
centivizing users to upgrade their wallets. If you disagree with the burnin=
g of vulnerable coins, all you have to do is move your funds to a quantum s=
afe signature scheme. Point being, I don&#39;t see there being an economic =
majority (or even more than a tiny minority) of users who would fight such =
a soft fork. Why expend significant resources fighting a fork when you can =
just move your coins to a new address?<br><br>Remember that blocking spendi=
ng of certain classes of locking scripts is a tightening of the rules - a s=
oft fork. As such, it can be meaningfully enacted and enforced by a mere ma=
jority of hashpower. If miners generally agree that it&#39;s in their best =
interest to burn vulnerable coins, are other users going to care enough to =
put in the effort to run new node software that resists the soft fork? Seem=
s unlikely to me.<br><br><font size=3D"6">How to Execute Burning</font><br>=
In order to be as objective as possible, the goal would be to announce to t=
he world that after a specific block height / timestamp, Bitcoin nodes will=
 no longer accept transactions (or blocks containing such transactions) tha=
t spend funds from any scripts other than the newly instituted quantum safe=
 schemes.<br><br>It could take a staggered approach to first freeze funds t=
hat are susceptible to long-range attacks such as those in P2PK scripts or =
those that exposed their public keys due to previously re-using addresses, =
but I expect the additional complexity would drive further controversy.<br>=
<br>How long should the grace period be in order to give the ecosystem time=
 to upgrade? I&#39;d say a minimum of 1 year for software wallets to upgrad=
e. We can only hope that hardware wallet manufacturers are able to implemen=
t post quantum cryptography on their existing hardware with only a firmware=
 update.<br><br>Beyond that, it will take at least 6 months worth of block =
space for all users to migrate their funds, even in a best case scenario. T=
hough if you exclude dust UTXOs you could probably get 95% of BTC value mig=
rated in 1 month. Of course this is a highly optimistic situation where eve=
ryone is completely focused on migrations - in reality it will take far lon=
ger.<br><br>Regardless, I&#39;d think that in order to reasonably uphold Bi=
tcoin&#39;s conservatism it would be preferable to allow a 4 year migration=
 window. In the meantime, mining pools could coordinate emergency soft fork=
ing logic such that if quantum attackers materialized, they could accelerat=
e the countdown to the quantum vulnerable funds burn.<br><br><font size=3D"=
6">Random Tangential Benefits</font><br>On the plus side, burning all quant=
um vulnerable bitcoin would allow us to prune all of those UTXOs out of the=
 UTXO set, which would also clean up a lot of dust. Dust UTXOs are a bit of=
 an annoyance and there has even been a recent proposal for how to incentiv=
ize cleaning them up.<br><br>We should also expect that incentivizing migra=
tion of the entire UTXO set will create substantial demand for block space =
that will sustain a fee market for a fairly lengthy amount of time.<br><br>=
<font size=3D"6">In Summary</font><br>While the moral quandary of violating=
 any of Bitcoin&#39;s inviolable properties can make this a very complex is=
sue to discuss, the game theory and incentives between burning vulnerable c=
oins versus allowing them to be claimed by entities with quantum supremacy =
appears to be a much simpler issue.<br><br>I, for one, am not interested in=
 rewarding quantum capable entities by inflating the circulating money supp=
ly just because some people lost their keys long ago and some laggards are =
not upgrading their bitcoin wallet&#39;s security.<br><br>We can hope that =
this scenario never comes to pass, but hope is not a strategy.<br><br>I wel=
come your feedback upon any of the above points, and contribution of any ar=
guments I failed to consider.</div></div>
</blockquote></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/f17de19d-a6f5-46b3-abcd-09c056d9bd64n%40googlegroups.com?utm_med=
ium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/msgid/bitcoind=
ev/f17de19d-a6f5-46b3-abcd-09c056d9bd64n%40googlegroups.com</a>.<br />

------=_Part_248321_2076021029.1752421091483--

------=_Part_248320_934919471.1752421091483--