1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
|
Delivery-date: Sun, 20 Jul 2025 10:48:33 -0700
Received: from mail-yb1-f188.google.com ([209.85.219.188])
by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94.2)
(envelope-from <bitcoindev+bncBC3IN5GL5YFBBZWX6TBQMGQEOFOYIJA@googlegroups.com>)
id 1udY9J-0006rf-1v
for bitcoindev@gnusha.org; Sun, 20 Jul 2025 10:48:33 -0700
Received: by mail-yb1-f188.google.com with SMTP id 3f1490d57ef6-e72b0980138sf5336108276.1
for <bitcoindev@gnusha.org>; Sun, 20 Jul 2025 10:48:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1753033707; x=1753638507; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:sender:from
:to:cc:subject:date:message-id:reply-to;
bh=u+eM1zu+Z7qvmHkVqZHft07Fsm/ypP11+6/YSLIfcvU=;
b=EnjYqbxOYAGkeXs9ojOTOjzxzfMBTAcztLl/mdydX1/wZ6qMWCO79WRtlBWROoMfKv
uPG6nkHotNbIi3/fYradsrpIKvAYpC+m99toBO/hbNYdDU4az0JY6J+OAYh6kASrS2hD
OQ+MsLEREVnXhtRuk/bez/Cac/fIGR8PARcbAfpKOYl9gBhFjdygl4pHmOvq5djvnftt
b3+Z0QioPCIPDlH8Lk7zPBgCjAW3kIcpf7EwY4SF6pwgIyQnEga5Hnse9f8YK04kh4Uo
cPbi/yK4GFbGWu7F4325oyS4efnfsSPBTp2OyHEpeUt1GAYiXV/YgmG/J249zte86agN
GY/Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups-com.20230601.gappssmtp.com; s=20230601; t=1753033707; x=1753638507; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:from:to:cc
:subject:date:message-id:reply-to;
bh=u+eM1zu+Z7qvmHkVqZHft07Fsm/ypP11+6/YSLIfcvU=;
b=naDTuG9laElTD8mUycMG14w8YpWXDlJYyEvYz5w1XJKgnIjXhQp5RvU5pEzk9dUqJm
+W6QkLpQG3XkQRBnN5trGDscJAbLiXr50QAP+8XbqAfBM4xol4FE13TsHNg8lO2Y7x2R
q6VrROPcGpAyYKh+e34+V7REpnh/0Yn0VtVRSjPsv47f2Cg2fKhFj+aZMwWTF7DcJRN6
ULY9S5/cHmjLvkkI+wm0A9bY1Jn/JFYSMPkV0aGrTvP1XOTavQMe1bBbx9Da6d7DyVJU
xvvhiIhvvFgEOk9h9GNzEJXtzKSQGZgg3unLVP6kv0xQvdD7r3NitaXawH/woleEYi0C
0ZYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1753033707; x=1753638507;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:x-beenthere
:x-gm-message-state:sender:from:to:cc:subject:date:message-id
:reply-to;
bh=u+eM1zu+Z7qvmHkVqZHft07Fsm/ypP11+6/YSLIfcvU=;
b=MwCaMSJChNwiQ/gZ4jQ8x5b6pKlyFEOBX2TknFv6uVFcf/OLqpcvWFoNuRG87npqT1
LGcWuFq8ULT9Rz0KtegyJAdYLJ1Iyllfugc0nRWxJCSPZpGJty1cG+zh8gcKN4KqrYlZ
4uKecPchtwTpzDKxibU2DnzjgjTtPKGFmhYhMKeYiaVVK4cpAOvVirhRMNYtA0q7fkAh
0S8cjSgwze6ry+uwxGZ81kaLeaH3chSclCH4LmEDYjEkhYt5JBsJ3dGX0UBSi6GtNjoN
pNoTKx8ogf5qhN+Gdme6sulF1rf2d1Hp7qlYmA8JyezGbrgdsHgmCN9GfT68EVlpCw7w
33ug==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=1; AJvYcCUvMNBpbDZA3Ag7wxBi+llQ5wF4vy2cDQ60gUwFMZEvmbjv1FzR16WdUEOxcd7tQyjH0z0VREX3GmRf@gnusha.org
X-Gm-Message-State: AOJu0YyJ3opO4j/yYxGlmXemvUASHhR8kCKoN3pOb0VDLUB/RzrjHfZa
9Idvr78TTATz1d5+ICtRRPGLVk/QHqhWNK3eCY3HavlmUHHbIVvQlFf8
X-Google-Smtp-Source: AGHT+IGkhcupD7VdSXpe3RtaRR0SaQjOS7XPqIfE5pGXWljNOsnWVVeebaaXSZcpl76KDbShdBH2Dg==
X-Received: by 2002:a05:6902:2005:b0:e87:b0fc:479 with SMTP id 3f1490d57ef6-e8bc24398demr22072862276.5.1753033706935;
Sun, 20 Jul 2025 10:48:26 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com; h=AZMbMZf5FDT2yhHC1PH/4MXjey+liBk1z20iiliUjyE4WsScGQ==
Received: by 2002:a05:6902:610c:b0:e82:492d:12c with SMTP id
3f1490d57ef6-e8bd449aa55ls3748275276.0.-pod-prod-06-us; Sun, 20 Jul 2025
10:48:22 -0700 (PDT)
X-Received: by 2002:a05:690c:b96:b0:70e:6333:64ac with SMTP id 00721157ae682-718370b0d82mr231714127b3.10.1753033702157;
Sun, 20 Jul 2025 10:48:22 -0700 (PDT)
Received: by 2002:a05:690c:3147:b0:710:fccf:6901 with SMTP id 00721157ae682-7194e37fa7ams7b3;
Sun, 20 Jul 2025 10:39:49 -0700 (PDT)
X-Received: by 2002:a05:690c:48c4:b0:70e:2c7f:2ed4 with SMTP id 00721157ae682-7183691b3bcmr231613007b3.0.1753033187977;
Sun, 20 Jul 2025 10:39:47 -0700 (PDT)
Date: Sun, 20 Jul 2025 10:39:47 -0700 (PDT)
From: Marin Ivezic <marin@appliedquantum.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <1e39e6bd-8da4-45b1-9dc9-feacd923417dn@googlegroups.com>
In-Reply-To: <CAgIQP8YXvI8FjDiv0v29pw0VHdrlY6go6QoGMj1qqMsLKfGxeMBWVdxxQ5ZWhzl3T1wxjqj7XsPiRpTlBevo9hiNL92OtIQmMdGBsZaDqg=@proton.me>
References: <CADL_X_fpv-aXBxX+eJ_EVTirkAJGyPRUNqOCYdz5um8zu6ma5Q@mail.gmail.com>
<37ed2e5d-34cd-4391-84b8-5bcc6d42c617n@googlegroups.com>
<4d9ce13e-466d-478b-ab4d-00404c80d620n@googlegroups.com>
<CADL_X_f3sDECRUosNaXyez3F_inKjJAWm=ESm3DSLCKD4JV7yA@mail.gmail.com>
<aHuKIKqvCZl5rcEX@petertodd.org>
<CAgIQP8YXvI8FjDiv0v29pw0VHdrlY6go6QoGMj1qqMsLKfGxeMBWVdxxQ5ZWhzl3T1wxjqj7XsPiRpTlBevo9hiNL92OtIQmMdGBsZaDqg=@proton.me>
Subject: Re: [bitcoindev] Re: A Post Quantum Migration Proposal
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_246690_1416585505.1753033187207"
X-Original-Sender: marin@appliedquantum.com
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -0.7 (/)
------=_Part_246690_1416585505.1753033187207
Content-Type: multipart/alternative;
boundary="----=_Part_246691_2133930374.1753033187207"
------=_Part_246691_2133930374.1753033187207
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Even a year ago it was totally fair to question the feasibility of CRQCs.=
=20
After all the recent scientific and engineering wins, that is not in=20
question anymore. Eventual arrival of CRQC is pretty much a consensus now=
=20
in quantum and cyber communities.
But that question is almost irrelevant now. The world is acting like CRQCs=
=20
are coming, so we should act like it too. Regulators and governments are=20
issuing quantum readiness roadmaps, banks have started their programs,=20
insurers are carving out quantum risks, shareholders and analysts are=20
questioning quantum readiness on earnings calls=E2=80=A6 and the media is e=
ating it=20
all up. The general public awareness is rapidly growing.
Rightly or wrongly, users will soon expect to see some assurances or plans=
=20
on how bitcoin will resist the quantum threat. And if our response is that=
=20
a few on the list think CRQC are laughable, the confidence will take a big=
=20
hit.
The proposed BIP makes lots of sense. With that and BIP-360, a plan is=20
shaping. And then we need three almost independent discussions:
1. We could technically solve Phase C (Post-Quantum Legacy Recovery) for=20
any impacted BIP-39 wallets. This is the (relatively) easy one.
2. How do we make it all a bit more =E2=80=9Ccrypto-agile=E2=80=9D?
3. And finally the philosophical discussion on how to treat legacy non-HD=
=20
wallets - burn them or allow them to be =E2=80=9Cstolen=E2=80=9D / =E2=80=
=9Cliberated=E2=80=9D.
Best,=20
Marin
On Sunday, July 20, 2025 at 6:07:01=E2=80=AFPM UTC+2 conduition wrote:
> Hi Peter,
>
> I think everyone here is well-aware of the possibility
> that CRQCs may not ever appear, but that doesn't change
> the fact we must have a plan ready to handle them. Lopp's
> proposal does exactly that, and in a way that can be
> rolled out incrementally as the risk increases. And even
> if CRQCs never break discrete log, we would do well to
> invest the time in designing this migration path anyway.
> We'd then have a playbook to handle other sources of
> cryptanalytic breakthroughs in the future.
>
> I think you're worried the community may jump the gun and
> deploy a freezing upgrade like phases A or B too early. I
> share your concern but if anything I suspect the opposite
> will happen. Nobody is going to be willing to freeze
> anything unless imminent danger is readily apparent, and
> fear-based reactions kick in.
>
> Once it does, things will happen fast, and we need a plan
> ready for that day (if it comes).
>
> regards,
> conduition
>
>
>
> On Saturday, July 19th, 2025 at 8:13 AM, Peter Todd <pe...@petertodd.org>=
=20
> wrote:
>
> > On Mon, Jul 14, 2025 at 02:52:17PM -0400, Jameson Lopp wrote:
> >
> > > Correct, this time is different in that we're not talking about vague
> > > unknown weaknesses. Rather, we're talking about a known algorithm tha=
t
> > > makes breaking cryptographic primitives orders of magnitude cheaper.
> >
> >
> > We already have known algorithms that would break cryptographic=20
> primitives if
> > sufficiently good analog computers actually existed. Or for that matter=
,=20
> "split
> > the universe" brute forcing. No-one is worried about them because=20
> "sufficiently
> > good" analog computers and multiverses are widely belived to not be=20
> physically
> > realizable.
> >
> > For all the claims of progress on quantum computing hardware, the fact=
=20
> still
> > remains that no-one is even close to demonstrating cryptographic-releva=
nt
> > quantum computing capabilities and the actual cryptographic-relevant
> > capabilities of real hardware are laughable. It's still an unknown=20
> whether or
> > not they are physically possible, and outside of the part of the physic=
s
> > community that would like to sell you a quantum computer - or research
> > developing one - they're widely belived to be not physical.
> >
> > Hence, these are still vague unknown weaknesses. Until progress is less=
=20
> vague,
> > actively freezing peoples' coins is not going to happen.
> >
> > --
> > https://petertodd.org 'peter'[:-1]@petertodd.org
> >
> > --
> > You received this message because you are subscribed to the Google=20
> Groups "Bitcoin Development Mailing List" group.
> > To unsubscribe from this group and stop receiving emails from it, send=
=20
> an email to bitcoindev+...@googlegroups.com.
> > To view this discussion visit=20
> https://groups.google.com/d/msgid/bitcoindev/aHuKIKqvCZl5rcEX%40petertodd=
.org
> .
--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
1e39e6bd-8da4-45b1-9dc9-feacd923417dn%40googlegroups.com.
------=_Part_246691_2133930374.1753033187207
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<p>Even a year ago it was totally fair to question the feasibility of
CRQCs. After all the recent scientific and engineering wins, that is not in
question anymore. Eventual arrival of CRQC is pretty much a consensus now i=
n quantum and cyber communities.</p>
<p>But that question is almost irrelevant now. The world is acting like CRQ=
Cs
are coming, so we should act like it too. Regulators and governments are is=
suing quantum readiness roadmaps, banks
have started their programs, insurers are carving out quantum risks,
shareholders and analysts are questioning quantum readiness on earnings cal=
ls=E2=80=A6
and the media is eating it all up. The general public awareness is rapidly
growing.</p>
<p>Rightly or wrongly, users will soon expect to see some assurances or pla=
ns on how bitcoin
will resist the quantum threat. And if our response is that a few on the li=
st think CRQC are laughable, the confidence will take a big hit.</p>
<p>The proposed BIP makes lots of sense. With that and BIP-360, a plan is s=
haping. And then we need three almost independent discussions:<br />1. We c=
ould technically solve Phase C (Post-Quantum Legacy Recovery) for any
impacted BIP-39 wallets. This is the (relatively) easy one.<br />2. How do =
we make it all a bit more =E2=80=9Ccrypto-agile=E2=80=9D?<br />3. And final=
ly the philosophical discussion on how to treat
legacy non-HD wallets - burn them or allow them to be =E2=80=9Cstolen=E2=80=
=9D / =E2=80=9Cliberated=E2=80=9D.</p>Best,=C2=A0<br />Marin<div class=3D"g=
mail_quote"><div dir=3D"auto" class=3D"gmail_attr">On Sunday, July 20, 2025=
at 6:07:01=E2=80=AFPM UTC+2 conduition wrote:<br/></div><blockquote class=
=3D"gmail_quote" style=3D"margin: 0 0 0 0.8ex; border-left: 1px solid rgb(2=
04, 204, 204); padding-left: 1ex;">Hi Peter,
<br>
<br>I think everyone here is well-aware of the possibility
<br>that CRQCs may not ever appear, but that doesn't change
<br>the fact we must have a plan ready to handle them. Lopp's
<br>proposal does exactly that, and in a way that can be
<br>rolled out incrementally as the risk increases. And even
<br>if CRQCs never break discrete log, we would do well to
<br>invest the time in designing this migration path anyway.
<br>We'd then have a playbook to handle other sources of
<br>cryptanalytic breakthroughs in the future.
<br>
<br>I think you're worried the community may jump the gun and
<br>deploy a freezing upgrade like phases A or B too early. I
<br>share your concern but if anything I suspect the opposite
<br>will happen. Nobody is going to be willing to freeze
<br>anything unless imminent danger is readily apparent, and
<br>fear-based reactions kick in.
<br>
<br>Once it does, things will happen fast, and we need a plan
<br>ready for that day (if it comes).
<br>
<br>regards,
<br>conduition
<br>
<br>
<br>
<br>On Saturday, July 19th, 2025 at 8:13 AM, Peter Todd <<a href data-em=
ail-masked rel=3D"nofollow">pe...@petertodd.org</a>> wrote:
<br>
<br>> On Mon, Jul 14, 2025 at 02:52:17PM -0400, Jameson Lopp wrote:
<br>>
<br>> > Correct, this time is different in that we're not talking=
about vague
<br>> > unknown weaknesses. Rather, we're talking about a known a=
lgorithm that
<br>> > makes breaking cryptographic primitives orders of magnitude c=
heaper.
<br>>
<br>>
<br>> We already have known algorithms that would break cryptographic pr=
imitives if
<br>> sufficiently good analog computers actually existed. Or for that m=
atter, "split
<br>> the universe" brute forcing. No-one is worried about them bec=
ause "sufficiently
<br>> good" analog computers and multiverses are widely belived to =
not be physically
<br>> realizable.
<br>>
<br>> For all the claims of progress on quantum computing hardware, the =
fact still
<br>> remains that no-one is even close to demonstrating cryptographic-r=
elevant
<br>> quantum computing capabilities and the actual cryptographic-releva=
nt
<br>> capabilities of real hardware are laughable. It's still an unk=
nown whether or
<br>> not they are physically possible, and outside of the part of the p=
hysics
<br>> community that would like to sell you a quantum computer - or rese=
arch
<br>> developing one - they're widely belived to be not physical.
<br>>
<br>> Hence, these are still vague unknown weaknesses. Until progress is=
less vague,
<br>> actively freezing peoples' coins is not going to happen.
<br>>
<br>> --
<br>> <a href=3D"https://petertodd.org" target=3D"_blank" rel=3D"nofollo=
w" data-saferedirecturl=3D"https://www.google.com/url?hl=3Den&q=3Dhttps=
://petertodd.org&source=3Dgmail&ust=3D1753119166895000&usg=3DAO=
vVaw08KK-nkUIgqjc0-F9lovCb">https://petertodd.org</a> 'peter'[:-1]@=
<a href=3D"http://petertodd.org" target=3D"_blank" rel=3D"nofollow" data-sa=
feredirecturl=3D"https://www.google.com/url?hl=3Den&q=3Dhttp://petertod=
d.org&source=3Dgmail&ust=3D1753119166895000&usg=3DAOvVaw31QPUE6=
dCd6lNuVFxt9mb7">petertodd.org</a>
<br>>
<br>> --
<br>> You received this message because you are subscribed to the Google=
Groups "Bitcoin Development Mailing List" group.
<br>> To unsubscribe from this group and stop receiving emails from it, =
send an email to <a href data-email-masked rel=3D"nofollow">bitcoindev+...@=
googlegroups.com</a>.
<br>> To view this discussion visit <a href=3D"https://groups.google.com=
/d/msgid/bitcoindev/aHuKIKqvCZl5rcEX%40petertodd.org" target=3D"_blank" rel=
=3D"nofollow" data-saferedirecturl=3D"https://www.google.com/url?hl=3Den&am=
p;q=3Dhttps://groups.google.com/d/msgid/bitcoindev/aHuKIKqvCZl5rcEX%2540pet=
ertodd.org&source=3Dgmail&ust=3D1753119166895000&usg=3DAOvVaw1I=
BWijXGI2iqDJMT9A63pE">https://groups.google.com/d/msgid/bitcoindev/aHuKIKqv=
CZl5rcEX%40petertodd.org</a>.</blockquote></div>
<p></p>
-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List" group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/1e39e6bd-8da4-45b1-9dc9-feacd923417dn%40googlegroups.com?utm_med=
ium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/msgid/bitcoind=
ev/1e39e6bd-8da4-45b1-9dc9-feacd923417dn%40googlegroups.com</a>.<br />
------=_Part_246691_2133930374.1753033187207--
------=_Part_246690_1416585505.1753033187207--
|