Delivery-date: Wed, 20 Aug 2025 17:07:37 -0700
Received: from mail-qv1-f59.google.com ([209.85.219.59])
	by mail.fairlystable.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <bitcoindev+bncBAABBPWGTHCQMGQEAMZMZAQ@googlegroups.com>)
	id 1uosq8-0008Ct-Kg
	for bitcoindev@gnusha.org; Wed, 20 Aug 2025 17:07:37 -0700
Received: by mail-qv1-f59.google.com with SMTP id 6a1803df08f44-70d7c7e9735sf22944576d6.3
        for <bitcoindev@gnusha.org>; Wed, 20 Aug 2025 17:07:36 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1755734850; cv=pass;
        d=google.com; s=arc-20240605;
        b=bcBn5V6AywGGmgs+kK3K4Zs2p1rDm55vKyfkp1RRnqbMNWpf1ynGQY0uaAqmXaDW5h
         TmMwZeGRMg5B1CspB42P/3ytq6s877RkVLNhmE6nJBbTIS6eDiGGQh3Irvbsik5CfRlU
         I5u7f/spyNhJ8lpdQcuFtntC7OVn2HtOpx6JjlhQR4cn3C/PWVAmgZTL7Dk0QuDgocRE
         SgU42QY6zl4DhZd/i9JHaY0roo/NQFsFr574sYpZvW6aWpwEmltl7Tyd5e3epBm5HRA6
         smwLEmmIzB5pQWgQ4M/GH/A0e2ogR2Z0RF8Cy/mqJkQqj5CJQ1qm7znCRt41/c3hqKT1
         Q/og==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:reply-to:mime-version:feedback-id
         :references:in-reply-to:message-id:subject:from:to:date
         :dkim-signature;
        bh=dE5ny4K7oS/DRU3t8cECp5ijqAAzb5NuBhc+fdPx7/M=;
        fh=YAmGQ5G5M4kKxFxVILSH4RnUc6XyRdVl8I4OMzCOT8s=;
        b=Q5nxpQIJMHgF5+so8oGofOyHkOh+4xQwZrT016htre+vHD0mls7YrlNqOeFBE79iLJ
         Htsde+EbtLa/b7vI1Y985KzFWu3rVrEGQnP5nOhgCOvv1jv+u6KoVKgRAz+yy3ZDHMep
         VG+ePXd2OhNiK2gDIZ01+f8A8c8BO5VVVQUGRCFN/wHzxaXzw/QnYvu21Fsc7WgQ+6gi
         dCHgsh6A/zb8sZgs5c7fRNk3mwNU9wfGYokYzOzohwogPjRbY/I0fpVIXllFjRLB7Vl+
         EYFIsxu/chR/C7Uo/YbpqRxJwb324bQPYejg2JC6AukMOxBYw5epoG2ru4dhFnENqIE+
         vhCQ==;
        darn=gnusha.org
ARC-Authentication-Results: i=2; gmr-mx.google.com;
       dkim=pass header.i=@protonmail.com header.s=protonmail3 header.b=XoU19NLV;
       spf=pass (google.com: domain of armchaircryptologist@protonmail.com designates 79.135.106.28 as permitted sender) smtp.mailfrom=ArmchairCryptologist@protonmail.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlegroups.com; s=20230601; t=1755734850; x=1756339650; darn=gnusha.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:reply-to
         :x-original-authentication-results:x-original-sender:mime-version
         :feedback-id:references:in-reply-to:message-id:subject:from:to:date
         :from:to:cc:subject:date:message-id:reply-to;
        bh=dE5ny4K7oS/DRU3t8cECp5ijqAAzb5NuBhc+fdPx7/M=;
        b=gdWOIMZcdb7g2DnrMNFIbjW/0cyZhdS9vp7Vf3IHblXAl+XIoBPK0E9CGLlSKG0AQf
         lq5DGOC4FUNpKZx2rWtQdvmTJSg2lv2VYXTBsjinPEaL/mOuw+TkH/3v+0UN/laoOPQh
         9z9mvHhU9bUrbimKB9znBI5nDtMWKkNoGo49zb3y3oJlTeQ4MQqVE0X/I/KRO1rnfAha
         pS6BoZCh5YP9Xp8oD3XXHB9+HQqZM0Hltqqj0zo2F7FCUf8/ws+LDCybq+AEB4dFqGft
         20am2NRNUa+h9OCxlulVSjNGi4yrFAGwBzStmBTQ8gI1zP1lGqW3u7MsqDnjlFBBbKM3
         csKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1755734850; x=1756339650;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:reply-to
         :x-original-authentication-results:x-original-sender:mime-version
         :feedback-id:references:in-reply-to:message-id:subject:from:to:date
         :x-beenthere:x-gm-message-state:from:to:cc:subject:date:message-id
         :reply-to;
        bh=dE5ny4K7oS/DRU3t8cECp5ijqAAzb5NuBhc+fdPx7/M=;
        b=B6lAISbH7XX//1jCtqYC3kPfMcmkF6cz2UQncvTa3N1pxEqSRZJYhSbnA9w4jWWg1v
         rczan2PoVvOoPAJV4yjmCm0RaWeru0DyFUjwH/XKMB3T3+ONqyBJFXEoyawdiavxYPX+
         W7O8a7zxmRO4X+2v0f1epOebrH9PRsmoVgBG4P1GTSoox8sIfDE9s46kxqCBeBIJIFSV
         uUZbKSMrY5Y6TajPzJidWhFQjQrKyFEXyZF4/iwTCHQeWwmZ+nk0oiT9VxSgRJMNUsi8
         YH+S+PfAHFXcPMxAgPwvCc9AcMxaAQ+0K3NM4KhZqX41/rKq727Bzc2TRlKT2/tRXqbT
         4mpA==
X-Forwarded-Encrypted: i=2; AJvYcCXjuAE/PEqs6LBg9uDBV4C7FoCLGHKfu9kmFFIOFuvmu/v8YcZbYScnRBoNpBOSADXwVJX2IjTL5DTc@gnusha.org
X-Gm-Message-State: AOJu0YzFvaGiQ156SZfS7NAKNwxr4J4D/lvjWVgl9/ZYKppR6Up2dYxQ
	5AquQqT2nRhrRG2GKcoQsKLexPD1bQXwsmw2ITplQuYMxVW7UCCtOz4T
X-Google-Smtp-Source: AGHT+IHsh0+dkQ3qduVFSv8cmWm1+l7mORf8Mui4rZpftQq6f900Dw9b51FsdLKdsOMS+s8zW5oUlA==
X-Received: by 2002:a05:6214:5090:b0:70d:81ce:ec1f with SMTP id 6a1803df08f44-70d88e386a3mr5685896d6.12.1755734849922;
        Wed, 20 Aug 2025 17:07:29 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com; h=AZMbMZcG5eYCCHth6OqX6wfrK3yu8zwL74UBn5acj6x9VjtrfA==
Received: by 2002:ad4:5967:0:b0:70b:b18a:cc7f with SMTP id 6a1803df08f44-70d85a04151ls8770036d6.0.-pod-prod-06-us;
 Wed, 20 Aug 2025 17:07:26 -0700 (PDT)
X-Forwarded-Encrypted: i=2; AJvYcCWuJF4EbAMnBK6+Gj2bEG9uqZdBRDaVo9QIX1Fg2lqbuCSz8jJrxHRXyLA7CWM8m7ETIxIYMyGhbQY6@googlegroups.com
X-Received: by 2002:a05:620a:3908:b0:7e8:19d3:24da with SMTP id af79cd13be357-7ea08db6028mr53416385a.29.1755734845902;
        Wed, 20 Aug 2025 17:07:25 -0700 (PDT)
Received: by 2002:a05:600c:1c11:b0:456:53b:5b5e with SMTP id 5b1f17b1804b1-45b471384a3ms5e9;
        Wed, 20 Aug 2025 13:15:24 -0700 (PDT)
X-Forwarded-Encrypted: i=2; AJvYcCWNOFYWEj5Sqm6WMObK1cox3ENOl3VG8eqiLIVbN71vmGNvjXu+MapFRxC+uog8KwOZQD5MRApby74x@googlegroups.com
X-Received: by 2002:a05:600c:548e:b0:459:d780:3602 with SMTP id 5b1f17b1804b1-45b479f99e1mr37919865e9.23.1755720922104;
        Wed, 20 Aug 2025 13:15:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1755720922; cv=none;
        d=google.com; s=arc-20240605;
        b=jpjK70hq5UjrXexuNs1i8ZWrhpH3Oax02Z9W/RZK2XvKnh5CMzVpVxwjUvcxlTX6k9
         0Bky5duZdSsLRWf1Ng3KyfKqspIINdSfE8QFX9N5nypCaHDMmML4X+i6EJKgfKWt8BU0
         LD9LJand7uQySnGfLL8uFSCWhe3chQABGa7+YDrQWqImW9mJkeFORsM6BjESTLk7bYR5
         6PauqwG7uSew5LulbrKIyU6QaXdT7rtAJmn5axYDN4dKe2Sx1im+ycy1KejcJA8JHEMp
         Ma0ApYt2lFrxjzjTDKBgtsaudDimRj4TBUDoX+HdokItgbE++bhmthglj2OkY44SKkIl
         qcQg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=mime-version:feedback-id:references:in-reply-to:message-id:subject
         :from:to:date:dkim-signature;
        bh=ybTJae8vZC4Lo0Ir2ci2/tyyyq0amA6HIYmYb9hjxt4=;
        fh=HPPaTbDvciVGpHVhAbJXZ+sNq8E+bOpi59BashMVVxo=;
        b=kzn/puTSmja1zIUUbiFbOiyjQXc5BdxBF+N+/jv2/d+Y4EiAU1enAQUMPBcWVo5ryY
         60ilb6P9ZUDxJ1OqPJFZ9/WEJGrBmeuT9V64F4WunA4/tKRHTsCPEkvy0hnEfKshacX0
         uPezRaD2FENdT1qSTK/ISsfIcoYWlEzc5cq3sGnjtIxpxOtIkWJvrXMrNjvQDUmSO4L3
         rp95SpfjgOoEREP1ZzIPPp/lcAPTIOctRKD20sQRGv77KjDwOmuyqHuWa4QrVod+/NGB
         WGvtdRD1zg+7GdRP+mlP6YG4WtbMftpoV2znIXfIjD4K/WxIhqtFQ0oQOeuj87DfSdOs
         XgHg==;
        dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       dkim=pass header.i=@protonmail.com header.s=protonmail3 header.b=XoU19NLV;
       spf=pass (google.com: domain of armchaircryptologist@protonmail.com designates 79.135.106.28 as permitted sender) smtp.mailfrom=ArmchairCryptologist@protonmail.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.com
Received: from mail-10628.protonmail.ch (mail-10628.protonmail.ch. [79.135.106.28])
        by gmr-mx.google.com with ESMTPS id 5b1f17b1804b1-45b47c2ba84si550705e9.1.2025.08.20.13.15.22
        for <bitcoindev@googlegroups.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 20 Aug 2025 13:15:22 -0700 (PDT)
Received-SPF: pass (google.com: domain of armchaircryptologist@protonmail.com designates 79.135.106.28 as permitted sender) client-ip=79.135.106.28;
Date: Wed, 20 Aug 2025 20:15:18 +0000
To: Bitcoin Foundation <contact@bitcoin.foundation>, Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
From: "'ArmchairCryptologist' via Bitcoin Development Mailing List" <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] Re: [Draft BIP] Quantum-Resistant Transition
 Framework for Bitcoin
Message-ID: <-a-KFgZ_XFrN2mUZTauxRoD3H2f4Qhid-h1B2CcC0WgOxbJD-mfRvku_v-SOV7QcfAUpjgDO3kjJZvYnaNu1g0oXC9axoltclOgN628CMDc=@protonmail.com>
In-Reply-To: <eefdcf22-9609-4fb1-b8c4-3274dc7f1f2en@googlegroups.com>
References: <4d6ecde7-e959-4e6c-a0aa-867af8577151n@googlegroups.com> <fff86606-d6ce-4319-a341-90e9c4eba49dn@googlegroups.com> <6532d72c-fc2b-485a-9984-a9ade31e1760n@googlegroups.com> <1LDO_bQOdcKkNoKyyjfqLXAPUBVXSL667nAKDCNUfN2D7HEpDAkuFQrMubklIi1QdDI6BXdgB674g4uWYRlyQ5f-dlztDtnoEbIAlmrCg5M=@protonmail.com> <eefdcf22-9609-4fb1-b8c4-3274dc7f1f2en@googlegroups.com>
Feedback-ID: 24244585:user:proton
X-Pm-Message-ID: 86adb03ae316d239b44d5c7cb034102409e80d00
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="b1=_INxSBDAri1Of4Z4fc8SmwQOLUHzjD5xcELicu7pRHA"
X-Original-Sender: armchaircryptologist@protonmail.com
X-Original-Authentication-Results: gmr-mx.google.com;       dkim=pass
 header.i=@protonmail.com header.s=protonmail3 header.b=XoU19NLV;
       spf=pass (google.com: domain of armchaircryptologist@protonmail.com
 designates 79.135.106.28 as permitted sender) smtp.mailfrom=ArmchairCryptologist@protonmail.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=protonmail.com
X-Original-From: ArmchairCryptologist <ArmchairCryptologist@protonmail.com>
Reply-To: ArmchairCryptologist <ArmchairCryptologist@protonmail.com>
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev>
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
 <https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -1.0 (-)

--b1=_INxSBDAri1Of4Z4fc8SmwQOLUHzjD5xcELicu7pRHA
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

When it comes to the NIST recommendation for the deprecation timeline, there is now a (very) recent paper available, released on August 19th 2025 (i.e. yesterday as of this writing), which suggests the timeline should be moved up somewhat. This paper targets ECDLP and ECC in general, and secp256k1 as used in Bitcoin specifically. You can find this here:

https://arxiv.org/abs/2508.14011

Some key takeaways:

"When algorithmic curves and vendor trajectories are overlaid on this common ruler, the earliest intersections appear in the late 2020s; more conservative crossings cluster in the early 2030s. We therefore indicate a first plausible window for cryptanalytically relevant quantum computers (CRQCs) around 2027–2033. The endpoints move mainly with three levers: reliable magic-state supply at scale (distillation or cultivation), code distance sufficient for multi-hour jobs, and classical-control latency that keeps pace with fast error-correction cycles. If any lever stalls, the window shifts to the right; if several improve together, it shifts to the left."

"The classical record remains consistent with Θ(2^(b/2)) scaling for generic prime-field curves (Section 3); constant-factor engineering wins have not changed the asymptotics. In parallel, logical-to-physical translations suggest that credible ECC-256 attacks via Shor's algorithm require mid-10^5 to low-10^6 noisy qubits under surface code assumptions, with cat-qubit architectures offering alternative overhead tradeoffs (Section 4; [37, 39, 46]) by trading fewer physical qubits for an increased complexity of their architecture. Overlaying algorithmic cost with public roadmaps yields a first plausible window for cryptanalytically relevant quantum computers in roughly 2027–2033, albeit with wide error bars."

The lower bound of the window seems highly optimistic to me when compared to the actual roadmaps for physical qubits provided by Google and IonQ (the most optimistic of the bunch) which are summarized on page 15, but targeting 2030 as an actual deadline for having quantum-resistant addresses ready for use is starting to look necessary. Even if the surface code assumptions that are relied upon to combine physical qubits into logical ones turn out to not hold water, and this ultimately means that the current approach to quantum computers is unworkable, if nothing else, it would help to counter the inevitable FUD.

--
Best,
ArmchairCryptologist

On Monday, August 18th, 2025 at 7:12 PM, 'Bitcoin Foundation' via Bitcoin Development Mailing List <bitcoindev@googlegroups.com> wrote:

> Dear ArmchairCryptologist,
>
> We appreciate your engagement with our quantum resistance proposal.
> Let us address your points with additional technical context:
>
> NIST Reference Documentation
> The referenced blog post includes a link to NIST Internal Report 8547 (Initial Public Draft) [0], which offers critical guidance regarding the migration to post-quantum cryptographic standards. We strongly recommend thorough review of this document by all stakeholders evaluating quantum-resistant solutions.
>
> Pre-Quantum UTXO Sunset Policy
> Regarding the migration of pre-quantum UTXOs:
>
> - Our current draft proposes freezing these outputs around 2033
> - This timeline appears in the "Migration Path: Phased Implementation" section (https://quantum-resistant-bitcoin.bitcoin.foundation/)
> - We explicitly designed this as an adjustable parameter
> - Based on community feedback, we're prepared to extend this sunset period beyond 2035
>
> The proposed recovery mechanism provides optional pathways for legacy UTXOs while maintaining network security.
>
> We remain open to community input regarding the sunset period for pre-quantum UTXOs. The current 2033 (block 1,327,121) proposal aligns conservatively with NIST's recommendation to deprecate ECDSA by 2035 [0], though we acknowledge reasonable arguments exist for adjusting this timeline.
>
> [0]: https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf
>
> On Tuesday, August 12, 2025 at 11:04:32 AM UTC+2 ArmchairCryptologist wrote:
>
>>> An astute observation. To clarify the quantum computing landscape: Google's current quantum processors do not possess 50 logical qubits, and even if they did, this would be insufficient to compromise ECDSA - let alone RSA-2048, which would require approximately 20 million noisy physical qubits for successful cryptanalysis [0].
>>
>> That paper is pretty old. There is a recent paper from a couple of months ago by the same author (Craig Gidney from Google Quantum AI) claiming that you could break RSA-2048 with around a million noisy qubits in about a week.
>>
>> Paper: https://arxiv.org/pdf/2505.15917
>>
>> Blog post: https://security.googleblog.com/2025/05/tracking-cost-of-quantum-factori.html
>>
>> I can't say for sure whether this approach can be applied to ECDSA; I have seen claims before that it has less quantum resistance than RSA-2048, but I'm unsure if this is still considered to be the case. And while these papers are of course largely theoretical in nature since nothing close to the required amount of qubits exists at this point, I haven't seen anyone refute these claims at this point. There is still no hard evidence I'm aware of that a quantum computer capable of breaking ECDSA is inevitable, but given the rate of development, there could be some cause for concern.
>>
>> Getting post-quantum addresses designed, implemented and activated by 2030 in accordance with the recommendations in this paper seems prudent to me, if this is at all possible. Deactivating inactive pre-quantum UTXOs with exposed public keys by 2035 should certainly be considered. But I still don't feel like deactivating pre-quantum UTXOs without exposed public keys in general is warranted, at least until a quantum computer capable of breaking public keys in the short time between when they are broadcast and when they are included in a block is known to exist - and even then, only if some scheme could be devised that still allows spending them using some additional cryptographic proof of ownership, ZKP or otherwise.
>>
>> --
>> Best,
>> ArmchairCryptologist
>
> --
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/eefdcf22-9609-4fb1-b8c4-3274dc7f1f2en%40googlegroups.com.

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/-a-KFgZ_XFrN2mUZTauxRoD3H2f4Qhid-h1B2CcC0WgOxbJD-mfRvku_v-SOV7QcfAUpjgDO3kjJZvYnaNu1g0oXC9axoltclOgN628CMDc%3D%40protonmail.com.

--b1=_INxSBDAri1Of4Z4fc8SmwQOLUHzjD5xcELicu7pRHA--
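The distinction drawn in the thread above between pre-quantum UTXOs with and without exposed public keys is mechanical enough to check per output. The following is an added example, not code from the thread, the draft BIP or Bitcoin Core: it classifies scriptPubKeys by whether a curve point is already on-chain. P2PK and P2TR outputs carry the key (for P2TR, the x-only output key that a key-path spend signs with) directly, while P2PKH, P2SH, P2WPKH and P2WSH carry only a hash until spent, unless the same hash was unlocked once before (address reuse), which put the key or script in an earlier scriptSig or witness. The `revealed` index of previously unlocked hashes and the sample UTXO set are constructed for the example; in real use the index would be built from the HASH160 of every key seen in spends, which needs RIPEMD-160 and is left out here. The mempool window the author mentions (a key exposed between broadcast and confirmation) is not modelled.

```python
"""Classify Bitcoin outputs by whether their public key is already exposed
on-chain, i.e. recoverable by a hypothetical ECDLP-breaking quantum computer
before the output is ever spent.

Added example; not code from the thread or from the draft BIP. The script
templates are the standard ones (P2PK, P2PKH, P2SH, P2WPKH, P2WSH, P2TR).
The "revealed" index and the sample UTXO set below are constructed for this
example and are not real chain data.
"""
from dataclasses import dataclass

OP_0, OP_1 = 0x00, 0x51
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x87, 0x88, 0xAC


@dataclass(frozen=True)
class Classification:
    script_type: str
    key_exposed: bool  # True if chain data alone suffices to attack the key
    reason: str


def _looks_like_pubkey(b: bytes) -> bool:
    """SEC1 encoding: 33 bytes with prefix 02/03, or 65 bytes with prefix 04."""
    return (len(b) == 33 and b[0] in (0x02, 0x03)) or (len(b) == 65 and b[0] == 0x04)


def _hashed(script_type: str, h: bytes, revealed: frozenset) -> Classification:
    """Hash-based outputs hide the key until spend, unless the same hash was
    already unlocked once (address reuse), which put the preimage on-chain."""
    if h in revealed:
        return Classification(script_type, True, "hash already unlocked once; key is in an earlier spend")
    return Classification(script_type, False, "only a hash is on-chain until spend")


def classify_output(spk: bytes, revealed: frozenset = frozenset()) -> Classification:
    """Classify a scriptPubKey. `revealed` holds 20/32-byte hashes whose
    preimage (key or script) has already appeared in a spend."""
    n = len(spk)
    # P2PK: <push pubkey> OP_CHECKSIG -- the key itself is the output
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG and _looks_like_pubkey(spk[1:-1]):
        return Classification("p2pk", True, "public key is in scriptPubKey")
    # P2TR: OP_1 <32-byte x-only output key> -- key-path spends sign with this key
    if n == 34 and spk[0] == OP_1 and spk[1] == 32:
        return Classification("p2tr", True, "x-only output key is in scriptPubKey")
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return _hashed("p2pkh", spk[3:23], revealed)
    # P2SH: OP_HASH160 <20> OP_EQUAL
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[22] == OP_EQUAL:
        return _hashed("p2sh", spk[2:22], revealed)
    # P2WPKH / P2WSH: OP_0 <20> / OP_0 <32>
    if n == 22 and spk[0] == OP_0 and spk[1] == 20:
        return _hashed("p2wpkh", spk[2:], revealed)
    if n == 34 and spk[0] == OP_0 and spk[1] == 32:
        return _hashed("p2wsh", spk[2:], revealed)
    # Anything else: cannot prove the key is hidden, so count it as exposed
    return Classification("unknown", True, "unrecognised template; not provably hidden")


def value_at_risk(utxos, revealed: frozenset = frozenset()):
    """Split a UTXO set [(scriptPubKey, value_sats), ...] into exposed and
    hidden totals; returns (exposed_sats, hidden_sats)."""
    exposed = hidden = 0
    for spk, value in utxos:
        if classify_output(spk, revealed).key_exposed:
            exposed += value
        else:
            hidden += value
    return exposed, hidden


# --- constructed sample data (not real chain data) ---------------------------
G_COMPRESSED = bytes.fromhex("0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798")
XONLY = G_COMPRESSED[1:]              # x coordinate only, as a P2TR output key would be encoded
HASH_A = bytes(range(1, 21))          # placeholder 20-byte HASH160 (constructed)
HASH_B = bytes(range(101, 121))       # placeholder 20-byte HASH160 (constructed)

SAMPLE_UTXOS = [
    (bytes([33]) + G_COMPRESSED + bytes([OP_CHECKSIG]), 50_0000_0000),                               # p2pk
    (bytes([OP_DUP, OP_HASH160, 20]) + HASH_A + bytes([OP_EQUALVERIFY, OP_CHECKSIG]), 10_0000_0000),  # p2pkh, reused
    (bytes([OP_0, 20]) + HASH_B, 3_0000_0000),                                                       # p2wpkh, fresh
    (bytes([OP_1, 32]) + XONLY, 1_0000_0000),                                                        # p2tr
]
REVEALED = frozenset({HASH_A})  # HASH_A was unlocked once before (address reuse)

if __name__ == "__main__":
    for spk, value in SAMPLE_UTXOS:
        c = classify_output(spk, REVEALED)
        print(f"{c.script_type:7} {value:>12} sats exposed={c.key_exposed!s:5} {c.reason}")
    print("value at risk (exposed, hidden):", value_at_risk(SAMPLE_UTXOS, REVEALED))
```

Run as a script it prints one line per sample output and the split of value between exposed and hidden keys; the point of the split is that a sunset policy which freezes only outputs with `key_exposed` set touches P2PK, P2TR and reused hash-based outputs, and leaves fresh P2PKH/P2WPKH/P2SH/P2WSH outputs alone, which is the line the author draws.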