author: Agustin Cruz <agustin.cruz@gmail.com> 2025-03-24 08:19:30 -0300
committer: bitcoindev <bitcoindev@googlegroups.com> 2025-03-24 06:56:34 -0700
commit: e7fed185cdfbcfd870a4198365dbec8f790d7a87
tree: 50e877537394b00bca36270298544f4df34e9d79
parent: 0ccfd83337e828c477a24e3c999999539dc6aee6
Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin
-rw-r--r-- 2d/81220b3122f58b822689a474c20abed0319058 1531
1 files changed, 1531 insertions, 0 deletions
diff --git a/2d/81220b3122f58b822689a474c20abed0319058 b/2d/81220b3122f58b822689a474c20abed0319058
new file mode 100644
index 000000000..21b1807a6
--- /dev/null
+++ b/2d/81220b3122f58b822689a474c20abed0319058
@@ -0,0 +1,1531 @@
+Delivery-date: Mon, 24 Mar 2025 06:56:34 -0700
+Received: from mail-oi1-f189.google.com ([209.85.167.189])
+ by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ (Exim 4.94.2)
+ (envelope-from <bitcoindev+bncBCQ6XM4A6IDBBBGJQW7QMGQE4MJM7YQ@googlegroups.com>)
+ id 1twiI2-0004xE-2V
+ for bitcoindev@gnusha.org; Mon, 24 Mar 2025 06:56:34 -0700
+Received: by mail-oi1-f189.google.com with SMTP id 5614622812f47-3feba2d5745sf1021416b6e.2
+ for <bitcoindev@gnusha.org>; Mon, 24 Mar 2025 06:56:30 -0700 (PDT)
+ARC-Seal: i=2; a=rsa-sha256; t=1742824584; cv=pass;
+ d=google.com; s=arc-20240605;
+ b=hC5Sq3K5/dQQGHmUi/nShRHxg+gBdYaPvw1uYc7qtE15nZKKLzNrZh/TVkwW1zqYO4
+ xj5+yTmky0F15Yd62Xg5qL8vigNx6gCwfov6g7nottEg+Hk5d1pDO4nr8XPlI/ag2cFs
+ 8QpPYNCYuZ+onv8vjejEBcny55sSMzV7SDOeEdgwdcu8qOHeZ2vZyHee4YCY/EiTzLHW
+ nOE7/E3qnBfvh54Uiu7mgbpT4EsSRxSEj0dnDgaugfrKNNKqXTi5fCDsnBVbAkbkBnv/
+ 3NS+77l05CcHdBjXoxQZiIgeUnXKkVmzPOhqfzamvZtNRNDPjAbSEh7be0/fhj8G5by6
+ sB9Q==
+ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
+ h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
+ :list-id:mailing-list:precedence:cc:to:subject:message-id:date:from
+ :in-reply-to:references:mime-version:sender:dkim-signature
+ :dkim-signature;
+ bh=F2bhkf5l5iKr8++2vYgIeTWCiA9VykzKJ2KLjHlgMBM=;
+ fh=VpnuTtdx/crUziOyrBMyM91Hb0LMchE7gB2ZLSfjrJI=;
+ b=LvQ6OFXZ79p8whzsoBPyxXCKAP2tgGs4zaDyU6F1bR5smyFQIiqz2dXt+ST9zk9Whb
+ sNHf5LJa7q/cZv3DAdCZsiCJ3siXlBoOnaRTpnGZnRgBarB1Er7xM4+jhzq8HyU8XiUF
+ Epd2i7K6kxx9ur5gQpdwxgsfm2ar6weDufmPdFX2QLRg7Cjgg1BfRr4LakPGnZ/M+dL5
+ Hs1RVEkIWQppFEoeVLoSltEDyzVlnJm6TkrBNwGzk/SRkxjSyXtBFKTt7qXihDDHjLQR
+ Gf+/HDVvnfG6mLuakA4Ra0DlfdFvAeNsMo0E7aF/NW8bjmRaI9d6b8Zh6+0rkt8lW9Db
+ BoBQ==;
+ darn=gnusha.org
+ARC-Authentication-Results: i=2; gmr-mx.google.com;
+ dkim=pass header.i=@gmail.com header.s=20230601 header.b=gjUNZDwH;
+ spf=pass (google.com: domain of agustin.cruz@gmail.com designates 2a00:1450:4864:20::231 as permitted sender) smtp.mailfrom=agustin.cruz@gmail.com;
+ dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com;
+ dara=pass header.i=@googlegroups.com
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=googlegroups.com; s=20230601; t=1742824584; x=1743429384; darn=gnusha.org;
+ h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
+ :list-id:mailing-list:precedence:x-original-authentication-results
+ :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to
+ :references:mime-version:sender:from:to:cc:subject:date:message-id
+ :reply-to;
+ bh=F2bhkf5l5iKr8++2vYgIeTWCiA9VykzKJ2KLjHlgMBM=;
+ b=AdJjt2+0G6bW9L1MrGwi6/gddgHmFILi7lI3Gx+mn2t0CKYGqfzCyWwledFQcI1zcv
+ yYeIZt1+k5nwMh9GJhMLYOGDiLQiq/Jd/sIW4aUpaZO/sJz88LjCxpvziIc5dCRVMdr1
+ Rn2kMsPSH0CnlLnihMPGgz6rLkvIK53W6KyZKbKC0fKexAiVeAVgJhfi3AaJaXzrCGDO
+ YG+/7OUISCgdLmYnW1vLaXQh3UrsKLlqxOLLgP84cYlbaQgyTRPiNFBNS8hQVDTo0Enx
+ fmn01yrpV8Wi7VqLjg3JyG0Lzhg8+YWZMFv0yIq9T0Sf9A0oEO8Lr0ZO38GyCmnPjw0f
+ BZzA==
+DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=gmail.com; s=20230601; t=1742824584; x=1743429384; darn=gnusha.org;
+ h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
+ :list-id:mailing-list:precedence:x-original-authentication-results
+ :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to
+ :references:mime-version:from:to:cc:subject:date:message-id:reply-to;
+ bh=F2bhkf5l5iKr8++2vYgIeTWCiA9VykzKJ2KLjHlgMBM=;
+ b=D6HyWGAE6V3ihtqkDTup0n4kxO4VTvMEX7maG8iwHyskDbd2xXwnqnRrc0Qc42fWVW
+ 9IhylX1pA1TOx9JLhXYFt06t/8qGE8tsFPMnsTA1knD3iAV/lYE6I7ut5AVqHUiReRde
+ OR0W/3JkHu9kymCy89EFGCGdGeTFU8YA9lQ07vfWd/1zd/cbd9zQcWiwNBXGkxkWsF2d
+ 0LUyzDtITsGJp/pXIKnmoETgK3t+Ms4IH6wFc7WlpAdV3qpNcdKJfeZ34SX0ddS1o9VO
+ qhvEHT96KL3rqbwdwJMXlFY+EYuc1YIYp6hrPuwmRkwuytRhyO0q0nulOmxhMps3CInc
+ Su6g==
+X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
+ d=1e100.net; s=20230601; t=1742824584; x=1743429384;
+ h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
+ :list-id:mailing-list:precedence:x-original-authentication-results
+ :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to
+ :references:mime-version:x-beenthere:x-gm-message-state:sender:from
+ :to:cc:subject:date:message-id:reply-to;
+ bh=F2bhkf5l5iKr8++2vYgIeTWCiA9VykzKJ2KLjHlgMBM=;
+ b=OiGHTIXttJc2h875NuJwEPtuhZ97YPr8MoTBEjvV1LTpvxSWQ/WpOykZEJ4D+ERU9x
+ rwvqILNWVJwcsMthGwClmMsY7+FmRK1c1MdJlNjkazdYkoUtLCjPV78N37TicGhuEqUn
+ b7fTQj7PrIdCUsZjq2yATXyTaykdXNx0ppuOTRGZSFt9+Y7eCxqXanVCQt9Rg/L02VaS
+ iR3rL5lT2qe6azcXMa5xCq8EZ0iJLKo3dNuomu04W5jf6d2ppw3np4hcClPyN2Qw+QuV
+ 69NviNLsZYElDRQxvBXaaHeADAmyuurgul+bGVs+k6s4tj04URx+Vi1BNQD/6rGFsDAr
+ 6sJg==
+Sender: bitcoindev@googlegroups.com
+X-Forwarded-Encrypted: i=2; AJvYcCWxYePmjJMvzkS28xzKk4WU2Z3+YEPXKbWLNYuW75x39QPBUNNEGT5dGZikAYFlLSVsC1yfkcocylKU@gnusha.org
+X-Gm-Message-State: AOJu0YyGdBCCLyYIdoDV6ebf5JAZzRIjpK8KRuabxiMaoh3n0Po2+Z7X
+ Dsy3dlsOSq7ZBWYemIbokBVUI9+GkaD2Y34plGwu6yz58hiSF5Gr
+X-Google-Smtp-Source: AGHT+IFswSLp51D0FqwliWbcy+ZifyuXGCzjz07dilmxkUh3YHmxRjPVTlA+g+DrSmsm9Qfj4WCwAA==
+X-Received: by 2002:a05:6808:2395:b0:3fa:daa:dd8e with SMTP id 5614622812f47-3febf7ef5ddmr7742423b6e.35.1742824583960;
+ Mon, 24 Mar 2025 06:56:23 -0700 (PDT)
+X-BeenThere: bitcoindev@googlegroups.com; h=ARLLPAJGfbf+C3/XmFroWc636bBsWBT84O1oUtkeUNLI+tOvIg==
+Received: by 2002:a4a:e645:0:b0:602:25ca:d66b with SMTP id 006d021491bc7-60228f058bdls1331991eaf.2.-pod-prod-02-us;
+ Mon, 24 Mar 2025 06:56:20 -0700 (PDT)
+X-Received: by 2002:a05:6808:11c8:b0:3f9:bdd:3eb3 with SMTP id 5614622812f47-3febf726820mr7364103b6e.16.1742824580377;
+ Mon, 24 Mar 2025 06:56:20 -0700 (PDT)
+Received: by 2002:a05:600c:5c3:b0:43c:fe99:f0d4 with SMTP id 5b1f17b1804b1-43d504233aams5e9;
+ Mon, 24 Mar 2025 04:20:10 -0700 (PDT)
+X-Received: by 2002:a05:6000:2806:b0:391:40b8:e890 with SMTP id ffacd0b85a97d-3997f8ff295mr6925456f8f.22.1742815208010;
+ Mon, 24 Mar 2025 04:20:08 -0700 (PDT)
+ARC-Seal: i=1; a=rsa-sha256; t=1742815207; cv=none;
+ d=google.com; s=arc-20240605;
+ b=NiiMMxO1KFubSAgE2ZWXKr1hgZrnElknYiUr6xBB0EyKemersa+urlnb66rn9Bs0Sd
+ W9q9pdzq0OimCUanZ/Zn+EGDreszkKyUYd0otLiIKG35c6g3Vk7XNuOeDE/8O2w6qHxr
+ FpHbrgjlVRr6ls1FNdWgs+fl2KhmlsYfhYEEtD8K9kSDWVgNhuVcwdsTghGuD512c9vp
+ hkkLsvFvtuVS3FJIt6j6eSS2DNt/iec2jSn8mvPWkgJ+3WW6jKq2WAqRLvJ3TA/w1GwK
+ KaDcokt0+XKgu6kOw6RbsWVyOq8lwfTcc+yx8/BruVTVzonkyC0gH9Wkj/PHtBDhET26
+ 9GdA==
+ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
+ h=cc:to:subject:message-id:date:from:in-reply-to:references
+ :mime-version:dkim-signature;
+ bh=5btFxuDNEH6NFoxIC3lWDpiFH8/EZ/3vu0sLeAxVcv4=;
+ fh=hAPFRN/diF43I97jXKS0jv/Vcwvjh3/o885cAHERbQU=;
+ b=NKac5L51YrqcigWPiv/kFWoLBz7K1ufKFxAWrT7s80YhRGtdQFQq5uCzoAIZaYgw9z
+ fZh6BzdscLDfooVO7lAH0EtPrxD7+CCNQshFz8qyZNI9lW1cWkohRxYuaEt9xlUlYEAz
+ wv06sX2wGeh1Mfh1P96yCqemWJuv4sAZYwGZhDv81eO4Jeninr/86G9zmp4mM4JJ61T7
+ Bmsc2HAGQeWyxfY3lREJik+OT9LWGRV/oeTYpOpvj/F/+pHlcD3eSJnqnfRCPnfWF8TO
+ ok2cOK/KFvaIsnmgtN+1ff7W+jMkllrJYdQva9NzG1LDicJoJExmOR4DcciZImH3dyPq
+ 3AwQ==;
+ dara=google.com
+ARC-Authentication-Results: i=1; gmr-mx.google.com;
+ dkim=pass header.i=@gmail.com header.s=20230601 header.b=gjUNZDwH;
+ spf=pass (google.com: domain of agustin.cruz@gmail.com designates 2a00:1450:4864:20::231 as permitted sender) smtp.mailfrom=agustin.cruz@gmail.com;
+ dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com;
+ dara=pass header.i=@googlegroups.com
+Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com. [2a00:1450:4864:20::231])
+ by gmr-mx.google.com with ESMTPS id 5b1f17b1804b1-43d3ad4422bsi11399085e9.0.2025.03.24.04.20.07
+ for <bitcoindev@googlegroups.com>
+ (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
+ Mon, 24 Mar 2025 04:20:07 -0700 (PDT)
+Received-SPF: pass (google.com: domain of agustin.cruz@gmail.com designates 2a00:1450:4864:20::231 as permitted sender) client-ip=2a00:1450:4864:20::231;
+Received: by mail-lj1-x231.google.com with SMTP id 38308e7fff4ca-30bf8f5dde5so40983401fa.2
+ for <bitcoindev@googlegroups.com>; Mon, 24 Mar 2025 04:20:07 -0700 (PDT)
+X-Gm-Gg: ASbGnct8RgT5KZMiXIr/WA9mFCh0s6FGxTgwUfI1PtxS5jZ1Ec2/3lL8GzPsVEGIiiI
+ nUwakN+hsaFGXn1MDY4V/kYXmvn5epS13SZjp402xlTYWZzcH+GAFckL7eohnJXo6/+uTIDHUzc
+ NqqDMisD7Z9vqNfMn1hXLRbZmkiKgX
+X-Received: by 2002:a05:651c:4104:10b0:30d:62a6:4431 with SMTP id
+ 38308e7fff4ca-30d7e21a51dmr27325561fa.9.1742815206681; Mon, 24 Mar 2025
+ 04:20:06 -0700 (PDT)
+MIME-Version: 1.0
+References: <E8269A1A-1899-46D2-A7CD-4D9D2B732364@astrotown.de>
+In-Reply-To: <E8269A1A-1899-46D2-A7CD-4D9D2B732364@astrotown.de>
+From: Agustin Cruz <agustin.cruz@gmail.com>
+Date: Mon, 24 Mar 2025 08:19:30 -0300
+X-Gm-Features: AQ5f1JoGelvBEON6m30D2uke4tNv-dfgunZl4CXbFcEBDARkDMxpS2jcFS1vR-Y
+Message-ID: <CAJDmzYxw+mXQKjS+h+r6mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg@mail.gmail.com>
+Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin
+To: AstroTown <saulo@astrotown.de>
+Cc: bitcoindev@googlegroups.com
+Content-Type: multipart/alternative; boundary="0000000000004db4db063114c996"
+X-Original-Sender: agustin.cruz@gmail.com
+X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass
+ header.i=@gmail.com header.s=20230601 header.b=gjUNZDwH; spf=pass
+ (google.com: domain of agustin.cruz@gmail.com designates 2a00:1450:4864:20::231
+ as permitted sender) smtp.mailfrom=agustin.cruz@gmail.com; dmarc=pass
+ (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com
+Precedence: list
+Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
+List-ID: <bitcoindev.googlegroups.com>
+X-Google-Group-Id: 786775582512
+List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
+List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
+List-Archive: <https://groups.google.com/group/bitcoindev
+List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
+List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
+ <https://groups.google.com/group/bitcoindev/subscribe>
+X-Spam-Score: 0.0 (/)
+
+--0000000000004db4db063114c996
+Content-Type: text/plain; charset="UTF-8"
+Content-Transfer-Encoding: quoted-printable
+
+I=E2=80=99m against letting quantum computers scoop up funds from addresses=
+ that
+don=E2=80=99t upgrade to quantum-resistant.
+Saulo=E2=80=99s idea of a free-market approach, leaving old coins up for gr=
+abs if
+people don=E2=80=99t move them, sounds fair at first. Let luck decide, righ=
+t? But I
+worry it=E2=80=99d turn into a mess. If quantum machines start cracking key=
+s and
+snagging coins, it=E2=80=99s not just lost Satoshi-era stuff at risk. Plent=
+y of
+active wallets, like those on the rich list Jameson mentioned, could get
+hit too. Imagine millions of BTC flooding the market. Prices tank, trust in
+Bitcoin takes a dive, and we all feel the pain. Freezing those vulnerable
+funds keeps that chaos in check.
+Plus, =E2=80=9Cyour keys, your coins=E2=80=9D is Bitcoin=E2=80=99s heart. I=
+f quantum tech can steal
+from you just because you didn=E2=80=99t upgrade fast enough, that promise =
+feels
+shaky. Freezing funds after a heads-up period (say, four years) protects
+that idea better than letting tech giants or rogue states play vampire with
+our network. It also nudges people to get their act together and move to
+safer addresses, which strengthens Bitcoin long-term.
+Saulo=E2=80=99s right that freezing coins could confuse folks or spark a sp=
+lit like
+Ethereum Classic. But I=E2=80=99d argue quantum theft would look worse. Bit=
+coin
+would seem broken, not just strict. A clear plan and enough time to migrate
+could smooth things over. History=E2=80=99s on our side too. Bitcoin=E2=80=
+=99s fixed bugs
+before, like SegWit. This feels like that, not a bailout.
+So yeah, I=E2=80=99d rather see vulnerable coins locked than handed to whoe=
+ver
+builds the first quantum rig. It=E2=80=99s less about coddling people and m=
+ore
+about keeping Bitcoin solid for everyone. What do you all think?
+Cheers,
+Agust=C3=ADn
+
+
+On Sun, Mar 23, 2025 at 10:29=E2=80=AFPM AstroTown <saulo@astrotown.de> wro=
+te:
+
+> I believe that having some entity announce the decision to freeze old
+> UTXOs would be more damaging to Bitcoin=E2=80=99s image (and its value) t=
+han having
+> them gathered by QC. This would create another version of Bitcoin, simila=
+r
+> to Ethereum Classic, causing confusion in the market.
+>
+> It would be better to simply implement the possibility of moving funds to
+> a PQC address without a deadline, allowing those who fail to do so to rel=
+y
+> on luck to avoid having their coins stolen. Most coins would be migrated =
+to
+> PQC anyway, and in most cases, only the lost ones would remain vulnerable=
+.
+> This is the free-market way to solve problems without imposing rules on
+> everyone.
+>
+> Saulo Fonseca
+>
+>
+> On 16. Mar 2025, at 15:15, Jameson Lopp <jameson.lopp@gmail.com> wrote:
+>
+> The quantum computing debate is heating up. There are many controversial
+> aspects to this debate, including whether or not quantum computers will
+> ever actually become a practical threat.
+>
+> I won't tread into the unanswerable question of how worried we should be
+> about quantum computers. I think it's far from a crisis, but given the
+> difficulty in changing Bitcoin it's worth starting to seriously discuss.
+> Today I wish to focus on a philosophical quandary related to one of the
+> decisions that would need to be made if and when we implement a quantum
+> safe signature scheme.
+>
+> Several Scenarios
+> Because this essay will reference game theory a fair amount, and there ar=
+e
+> many variables at play that could change the nature of the game, I think
+> it's important to clarify the possible scenarios up front.
+>
+> 1. Quantum computing never materializes, never becomes a threat, and thus
+> everything discussed in this essay is moot.
+> 2. A quantum computing threat materializes suddenly and Bitcoin does not
+> have quantum safe signatures as part of the protocol. In this scenario it
+> would likely make the points below moot because Bitcoin would be
+> fundamentally broken and it would take far too long to upgrade the
+> protocol, wallet software, and migrate user funds in order to restore
+> confidence in the network.
+> 3. Quantum computing advances slowly enough that we come to consensus
+> about how to upgrade Bitcoin and post quantum security has been minimally
+> adopted by the time an attacker appears.
+> 4. Quantum computing advances slowly enough that we come to consensus
+> about how to upgrade Bitcoin and post quantum security has been highly
+> adopted by the time an attacker appears.
+>
+> For the purposes of this post, I'm envisioning being in situation 3 or 4.
+>
+> To Freeze or not to Freeze?
+> I've started seeing more people weighing in on what is likely the most
+> contentious aspect of how a quantum resistance upgrade should be handled =
+in
+> terms of migrating user funds. Should quantum vulnerable funds be left op=
+en
+> to be swept by anyone with a sufficiently powerful quantum computer OR
+> should they be permanently locked?
+>
+> "I don't see why old coins should be confiscated. The better option is to
+>> let those with quantum computers free up old coins. While this might hav=
+e
+>> an inflationary impact on bitcoin's price, to use a turn of phrase, the
+>> inflation is transitory. Those with low time preference should support
+>> returning lost coins to circulation."
+>
+> - Hunter Beast
+>
+>
+> On the other hand:
+>
+> "Of course they have to be confiscated. If and when (and that's a big if)
+>> the existence of a cryptography-breaking QC becomes a credible threat, t=
+he
+>> Bitcoin ecosystem has no other option than softforking out the ability t=
+o
+>> spend from signature schemes (including ECDSA and BIP340) that are
+>> vulnerable to QCs. The alternative is that millions of BTC become
+>> vulnerable to theft; I cannot see how the currency can maintain any valu=
+e
+>> at all in such a setting. And this affects everyone; even those which
+>> diligently moved their coins to PQC-protected schemes."
+>> - Pieter Wuille
+>
+>
+> I don't think "confiscation" is the most precise term to use, as the fund=
+s
+> are not being seized and reassigned. Rather, what we're really discussing
+> would be better described as "burning" - placing the funds *out of reach
+> of everyone*.
+>
+> Not freezing user funds is one of Bitcoin's inviolable properties.
+> However, if quantum computing becomes a threat to Bitcoin's elliptic curv=
+e
+> cryptography, *an inviolable property of Bitcoin will be violated one way
+> or another*.
+>
+> Fundamental Properties at Risk
+> 5 years ago I attempted to comprehensively categorize all of Bitcoin's
+> fundamental properties that give it value.
+> https://nakamoto.com/what-are-the-key-properties-of-bitcoin/
+>
+> The particular properties in play with regard to this issue seem to be:
+>
+> *Censorship Resistance* - No one should have the power to prevent others
+> from using their bitcoin or interacting with the network.
+>
+> *Forward Compatibility* - changing the rules such that certain valid
+> transactions become invalid could undermine confidence in the protocol.
+>
+> *Conservatism* - Users should not be expected to be highly responsive to
+> system issues.
+>
+> As a result of the above principles, we have developed a strong meme
+> (kudos to Andreas Antonopoulos) that goes as follows:
+>
+> Not your keys, not your coins.
+>
+>
+> I posit that the corollary to this principle is:
+>
+> Your keys, only your coins.
+>
+>
+> A quantum capable entity breaks the corollary of this foundational
+> principle. We secure our bitcoin with the mathematical probabilities
+> related to extremely large random numbers. Your funds are only secure
+> because truly random large numbers should not be guessable or discoverabl=
+e
+> by anyone else in the world.
+>
+> This is the principle behind the motto *vires in numeris* - strength in
+> numbers. In a world with quantum enabled adversaries, this principle is
+> null and void for many types of cryptography, including the elliptic curv=
+e
+> digital signatures used in Bitcoin.
+>
+> Who is at Risk?
+> There has long been a narrative that Satoshi's coins and others from the
+> Satoshi era of P2PK locking scripts that exposed the public key directly =
+on
+> the blockchain will be those that get scooped up by a quantum "miner." Bu=
+t
+> unfortunately it's not that simple. If I had a powerful quantum computer,
+> which coins would I target? I'd go to the Bitcoin rich list and find the
+> wallets that have exposed their public keys due to re-using addresses tha=
+t
+> have previously been spent from. You can easily find them at
+> https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html
+>
+> Note that a few of these wallets, like Bitfinex / Kraken / Tether, would
+> be slightly harder to crack because they are multisig wallets. So a quant=
+um
+> attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfin=
+ex
+> / Tether in order to spend funds. But many are single signature.
+>
+> Point being, it's not only the really old lost BTC that are at risk to a
+> quantum enabled adversary, at least at time of writing. If we add a quant=
+um
+> safe signature scheme, we should expect those wallets to be some of the
+> first to upgrade given their incentives.
+>
+> The Ethical Dilemma: Quantifying Harm
+> Which decision results in the most harm?
+>
+> By making quantum vulnerable funds unspendable we potentially harm some
+> Bitcoin users who were not paying attention and neglected to migrate thei=
+r
+> funds to a quantum safe locking script. This violates the "conservativism=
+"
+> principle stated earlier. On the flip side, we prevent those funds plus f=
+ar
+> more lost funds from falling into the hands of the few privileged folks w=
+ho
+> gain early access to quantum computers.
+>
+> By leaving quantum vulnerable funds available to spend, the same set of
+> users who would otherwise have funds frozen are likely to see them stolen=
+.
+> And many early adopters who lost their keys will eventually see their
+> unreachable funds scooped up by a quantum enabled adversary.
+>
+> Imagine, for example, being James Howells, who accidentally threw away a
+> hard drive with 8,000 BTC on it, currently worth over $600M USD. He has
+> spent a decade trying to retrieve it from the landfill where he knows it'=
+s
+> buried, but can't get permission to excavate. I suspect that, given the
+> choice, he'd prefer those funds be permanently frozen rather than fall in=
+to
+> someone else's possession - I know I would.
+>
+> Allowing a quantum computer to access lost funds doesn't make those users
+> any worse off than they were before, however it *would*have a negative
+> impact upon everyone who is currently holding bitcoin.
+>
+> It's prudent to expect significant economic disruption if large amounts o=
+f
+> coins fall into new hands. Since a quantum computer is going to have a
+> massive up front cost, expect those behind it to desire to recoup their
+> investment. We also know from experience that when someone suddenly finds
+> themselves in possession of 9+ figures worth of highly liquid assets, the=
+y
+> tend to diversify into other things by selling.
+>
+> Allowing quantum recovery of bitcoin is *tantamount to wealth
+> redistribution*. What we'd be allowing is for bitcoin to be redistributed
+> from those who are ignorant of quantum computers to those who have won th=
+e
+> technological race to acquire quantum computers. It's hard to see a brigh=
+t
+> side to that scenario.
+>
+> Is Quantum Recovery Good for Anyone?
+>
+> Does quantum recovery HELP anyone? I've yet to come across an argument
+> that it's a net positive in any way. It certainly doesn't add any securit=
+y
+> to the network. If anything, it greatly decreases the security of the
+> network by allowing funds to be claimed by those who did not earn them.
+>
+> But wait, you may be thinking, wouldn't quantum "miners" have earned thei=
+r
+> coins by all the work and resources invested in building a quantum
+> computer? I suppose, in the same sense that a burglar earns their spoils =
+by
+> the resources they invest into surveilling targets and learning the skill=
+s
+> needed to break into buildings. What I say "earned" I mean through
+> productive mutual trade.
+>
+> For example:
+>
+> * Investors earn BTC by trading for other currencies.
+> * Merchants earn BTC by trading for goods and services.
+> * Miners earn BTC by trading thermodynamic security.
+> * Quantum miners don't trade anything, they are vampires feeding upon the
+> system.
+>
+> There's no reason to believe that allowing quantum adversaries to recover
+> vulnerable bitcoin will be of benefit to anyone other than the select few
+> organizations that win the technological arms race to build the first suc=
+h
+> computers. Probably nation states and/or the top few largest tech compani=
+es.
+>
+> One could certainly hope that an organization with quantum supremacy is
+> benevolent and acts in a "white hat" manner to return lost coins to their
+> owners, but that's incredibly optimistic and foolish to rely upon. Such a
+> situation creates an insurmountable ethical dilemma of only recovering lo=
+st
+> bitcoin rather than currently owned bitcoin. There's no way to precisely
+> differentiate between the two; anyone can claim to have lost their bitcoi=
+n
+> but if they have lost their keys then proving they ever had the keys
+> becomes rather difficult. I imagine that any such white hat recovery
+> efforts would have to rely upon attestations from trusted third parties
+> like exchanges.
+>
+> Even if the first actor with quantum supremacy is benevolent, we must
+> assume the technology could fall into adversarial hands and thus think
+> adversarially about the potential worst case outcomes. Imagine, for
+> example, that North Korea continues scooping up billions of dollars from
+> hacking crypto exchanges and decides to invest some of those proceeds int=
+o
+> building a quantum computer for the biggest payday ever...
+>
+> Downsides to Allowing Quantum Recovery
+> Let's think through an exhaustive list of pros and cons for allowing or
+> preventing the seizure of funds by a quantum adversary.
+>
+> Historical Precedent
+> Previous protocol vulnerabilities weren=E2=80=99t celebrated as "fair gam=
+e" but
+> rather were treated as failures to be remediated. Treating quantum theft
+> differently risks rewriting Bitcoin=E2=80=99s history as a free-for-all r=
+ather than
+> a system that seeks to protect its users.
+>
+> Violation of Property Rights
+> Allowing a quantum adversary to take control of funds undermines the
+> fundamental principle of cryptocurrency - if you keep your keys in your
+> possession, only you should be able to access your money. Bitcoin is buil=
+t
+> on the idea that private keys secure an individual=E2=80=99s assets, and
+> unauthorized access (even via advanced tech) is theft, not a legitimate
+> transfer.
+>
+> Erosion of Trust in Bitcoin
+> If quantum attackers can exploit vulnerable addresses, confidence in
+> Bitcoin as a secure store of value would collapse. Users and investors re=
+ly
+> on cryptographic integrity, and widespread theft could drive adoption awa=
+y
+> from Bitcoin, destabilizing its ecosystem.
+>
+> This is essentially the counterpoint to claiming the burning of vulnerabl=
+e
+> funds is a violation of property rights. While some will certainly see it
+> as such, others will find the apathy toward stopping quantum theft to be
+> similarly concerning.
+>
+> Unfair Advantage
+> Quantum attackers, likely equipped with rare and expensive technology,
+> would have an unjust edge over regular users who lack access to such tool=
+s.
+> This creates an inequitable system where only the technologically elite c=
+an
+> exploit others, contradicting Bitcoin=E2=80=99s ethos of decentralized po=
+wer.
+>
+> Bitcoin is designed to create an asymmetric advantage for DEFENDING one's
+> wealth. It's supposed to be impractically expensive for attackers to crac=
+k
+> the entropy and cryptography protecting one's coins. But now we find
+> ourselves discussing a situation where this asymmetric advantage is
+> compromised in favor of a specific class of attackers.
+>
+> Economic Disruption
+> Large-scale theft from vulnerable addresses could crash Bitcoin=E2=80=99s=
+ price as
+> quantum recovered funds are dumped on exchanges. This would harm all
+> holders, not just those directly targeted, leading to broader financial
+> chaos in the markets.
+>
+> Moral Responsibility
+> Permitting theft via quantum computing sets a precedent that technologica=
+l
+> superiority justifies unethical behavior. This is essentially taking a
+> "code is law" stance in which we refuse to admit that both code and laws
+> can be modified to adapt to previously unforeseen situations.
+>
+> Burning of coins can certainly be considered a form of theft, thus I thin=
+k
+> it's worth differentiating the two different thefts being discussed:
+>
+> 1. self-enriching & likely malicious
+> 2. harm prevention & not necessarily malicious
+>
+> Both options lack the consent of the party whose coins are being burnt or
+> transferred, thus I think the simple argument that theft is immoral becom=
+es
+> a wash and it's important to drill down into the details of each.
+>
+> Incentives Drive Security
+> I can tell you from a decade of working in Bitcoin security - the average
+> user is lazy and is a procrastinator. If Bitcoiners are given a "drop dea=
+d
+> date" after which they know vulnerable funds will be burned, this pressur=
+e
+> accelerates the adoption of post-quantum cryptography and strengthens
+> Bitcoin long-term. Allowing vulnerable users to delay upgrading
+> indefinitely will result in more laggards, leaving the network more expos=
+ed
+> when quantum tech becomes available.
+>
+> Steel Manning
+> Clearly this is a complex and controversial topic, thus it's worth
+> thinking through the opposing arguments.
+>
+> Protecting Property Rights
+> Allowing quantum computers to take vulnerable bitcoin could potentially b=
+e
+> spun as a hard money narrative - we care so greatly about not violating
+> someone's access to their coins that we allow them to be stolen!
+>
+> But I think the flip side to the property rights narrative is that burnin=
+g
+> vulnerable coins prevents said property from falling into undeserving
+> hands. If the entire Bitcoin ecosystem just stands around and allows
+> quantum adversaries to claim funds that rightfully belong to other users,
+> is that really a "win" in the "protecting property rights" category? It
+> feels more like apathy to me.
+>
+> As such, I think the "protecting property rights" argument is a wash.
+>
+> Quantum Computers Won't Attack Bitcoin
+> There is a great deal of skepticism that sufficiently powerful quantum
+> computers will ever exist, so we shouldn't bother preparing for a
+> non-existent threat. Others have argued that even if such a computer was
+> built, a quantum attacker would not go after bitcoin because they wouldn'=
+t
+> want to reveal their hand by doing so, and would instead attack other
+> infrastructure.
+>
+> It's quite difficult to quantify exactly how valuable attacking other
+> infrastructure would be. It also really depends upon when an entity gains
+> quantum supremacy and thus if by that time most of the world's systems ha=
+ve
+> already been upgraded. While I think you could argue that certain entitie=
+s
+> gaining quantum capability might not attack Bitcoin, it would only delay
+> the inevitable - eventually somebody will achieve the capability who
+> decides to use it for such an attack.
+>
+> Quantum Attackers Would Only Steal Small Amounts
+> Some have argued that even if a quantum attacker targeted bitcoin, they'd
+> only go after old, likely lost P2PK outputs so as to not arouse suspicion
+> and cause a market panic.
+>
+> I'm not so sure about that; why go after 50 BTC at a time when you could
+> take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero
+> day exploit" game theory in which an attacker knows they have a limited
+> amount of time before someone else discovers the exploit and either
+> benefits from it or patches it. Take, for example, the recent ByBit attac=
+k
+> - the highest value crypto hack of all time. Lazarus Group had compromise=
+d
+> the Safe wallet front end JavaScript app and they could have simply had i=
+t
+> reassign ownership of everyone's Safe wallets as they were interacting wi=
+th
+> their wallet. But instead they chose to only specifically target ByBit's
+> wallet with $1.5 billion in it because they wanted to maximize their
+> extractable value. If Lazarus had started stealing from every wallet, the=
+y
+> would have been discovered quickly and the Safe web app would likely have
+> been patched well before any billion dollar wallets executed the maliciou=
+s
+> code.
+>
+> I think the "only stealing small amounts" argument is strongest for
+> Situation #2 described earlier, where a quantum attacker arrives before
+> quantum safe cryptography has been deployed across the Bitcoin ecosystem.
+> Because if it became clear that Bitcoin's cryptography was broken AND the=
+re
+> was nowhere safe for vulnerable users to migrate, the only logical option
+> would be for everyone to liquidate their bitcoin as quickly as possible. =
+As
+> such, I don't think it applies as strongly for situations in which we hav=
+e
+> a migration path available.
+>
+> The 21 Million Coin Supply Should be in Circulation
+> Some folks are arguing that it's important for the "circulating /
+> spendable" supply to be as close to 21M as possible and that having a
+> significant portion of the supply out of circulation is somehow undesirab=
+le.
+>
+> While the "21M BTC" attribute is a strong memetic narrative, I don't thin=
+k
+> anyone has ever expected that it would all be in circulation. It has alwa=
+ys
+> been understood that many coins will be lost, and that's actually part of
+> the game theory of owning bitcoin!
+>
+> And remember, the 21M number in and of itself is not a particularly
+> important detail - it's not even mentioned in the whitepaper. What's
+> important is that the supply is well known and not subject to change.
+>
+> Self-Sovereignty and Personal Responsibility
+> Bitcoin=E2=80=99s design empowers individuals to control their own wealth=
+, free
+> from centralized intervention. This freedom comes with the burden of
+> securing one's private keys. If quantum computing can break obsolete
+> cryptography, the fault lies with users who didn't move their funds to
+> quantum safe locking scripts. Expecting the network to shield users from
+> their own negligence undermines the principle that you, and not a third
+> party, are accountable for your assets.
+>
+> I think this is generally a fair point that "the community" doesn't owe
+> you anything in terms of helping you. I think that we do, however, need t=
+o
+> consider the incentives and game theory in play with regard to quantum sa=
+fe
+> Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.
+>
+> Code is Law
+> Bitcoin operates on transparent, immutable rules embedded in its protocol=
+.
+> If a quantum attacker uses superior technology to derive private keys fro=
+m
+> public keys, they=E2=80=99re not "hacking" the system - they're simply fo=
+llowing
+> what's mathematically permissible within the current code. Altering the
+> protocol to stop this introduces subjective human intervention, which
+> clashes with the objective, deterministic nature of blockchain.
+>
+> While I tend to agree that code is law, one of the entire points of laws
+> is that they can be amended to improve their efficacy in reducing harm.
+> Leaning on this point seems more like a pro-ossification stance that it's
+> better to do nothing and allow harm to occur rather than take action to
+> stop an attack that was foreseen far in advance.
+>
+> Technological Evolution as a Feature, Not a Bug
+> It's well known that cryptography tends to weaken over time and eventuall=
+y
+> break. Quantum computing is just the next step in this progression. Users
+> who fail to adapt (e.g., by adopting quantum-resistant wallets when
+> available) are akin to those who ignored technological advancements like
+> multisig or hardware wallets. Allowing quantum theft incentivizes
+> innovation and keeps Bitcoin=E2=80=99s ecosystem dynamic, punishing compl=
+acency
+> while rewarding vigilance.
+>
+> Market Signals Drive Security
+> If quantum attackers start stealing funds, it sends a clear signal to the
+> market: upgrade your security or lose everything. This pressure accelerat=
+es
+> the adoption of post-quantum cryptography and strengthens Bitcoin
+> long-term. Coddling vulnerable users delays this necessary evolution,
+> potentially leaving the network more exposed when quantum tech becomes
+> widely accessible. Theft is a brutal but effective teacher.
+>
+> Centralized Blacklisting Power
+> Burning vulnerable funds requires centralized decision-making - a soft
+> fork to invalidate certain transactions. This sets a dangerous precedent
+> for future interventions, eroding Bitcoin=E2=80=99s decentralization. If =
+quantum
+> theft is blocked, what=E2=80=99s next - reversing exchange hacks? The sys=
+tem must
+> remain neutral, even if it means some lose out.
+>
+> I think this could be a potential slippery slope if the proposal was to
+> only burn specific addresses. Rather, I'd expect a neutral proposal to bu=
+rn
+> all funds in locking script types that are known to be quantum vulnerable=
+.
+> Thus, we could eliminate any subjectivity from the code.
+>
+> Fairness in Competition
+> Quantum attackers aren't cheating; they're using publicly available
+> physics and math. Anyone with the resources and foresight can build or
+> access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU=
+.
+> Early adopters took risks and reaped rewards; quantum innovators are doin=
+g
+> the same. Calling it =E2=80=9Cunfair=E2=80=9D ignores that Bitcoin has ne=
+ver promised
+> equality of outcome - only equality of opportunity within its rules.
+>
+> I find this argument to be a mischaracterization because we're not talkin=
+g
+> about CPUs. This is more akin to talking about ASICs, except each ASIC
+> costs millions if not billions of dollars. This is out of reach from all
+> but the wealthiest organizations.
+>
+> Economic Resilience
+> Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and
+> emerged stronger. The market can absorb quantum losses, with unaffected
+> users continuing to hold and new entrants buying in at lower prices. Fear
+> of economic collapse overestimates the impact - the network=E2=80=99s ant=
+ifragility
+> thrives on such challenges.
+>
+> This is a big grey area because we don't know when a quantum computer wil=
+l
+> come online and we don't know how quickly said computers would be able to
+> steal bitcoin. If, for example, the first generation of sufficiently
+> powerful quantum computers were stealing less volume than the current blo=
+ck
+> reward then of course it will have minimal economic impact. But if they'r=
+e
+> taking thousands of BTC per day and bringing them back into circulation,
+> there will likely be a noticeable market impact as it absorbs the new
+> supply.
+>
+> This is where the circumstances will really matter. If a quantum attacker
+> appears AFTER the Bitcoin protocol has been upgraded to support quantum
+> resistant cryptography then we should expect the most valuable active
+> wallets will have upgraded and the juiciest target would be the 31,000 BT=
+C
+> in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant
+> since 2010. In general I'd expect that the amount of BTC re-entering the
+> circulating supply would look somewhat similar to the mining emission
+> curve: volume would start off very high as the most valuable addresses ar=
+e
+> drained and then it would fall off as quantum computers went down the lis=
+t
+> targeting addresses with less and less BTC.
+>
+> Why is economic impact a factor worth considering? Miners and businesses
+> in general. More coins being liquidated will push down the price, which
+> will negatively impact miner revenue. Similarly, I can attest from workin=
+g
+> in the industry for a decade, that lower prices result in less demand fro=
+m
+> businesses across the entire industry. As such, burning quantum vulnerabl=
+e
+> bitcoin is good for the entire industry.
+>
+> Practicality & Neutrality of Non-Intervention
+> There=E2=80=99s no reliable way to distinguish =E2=80=9Ctheft=E2=80=9D fr=
+om legitimate "white hat"
+> key recovery. If someone loses their private key and a quantum computer
+> recovers it, is that stealing or reclaiming? Policing quantum actions
+> requires invasive assumptions about intent, which Bitcoin=E2=80=99s trust=
+less
+> design can=E2=80=99t accommodate. Letting the chips fall where they may a=
+voids this
+> mess.
+>
+> Philosophical Purity
+> Bitcoin rejects bailouts. It=E2=80=99s a cold, hard system where outcomes=
+ reflect
+> preparation and skill, not sentimentality. If quantum computing upends th=
+e
+> game, that=E2=80=99s the point - Bitcoin isn=E2=80=99t meant to be safe o=
+r fair in a
+> nanny-state sense; it=E2=80=99s meant to be free. Users who lose funds to=
+ quantum
+> attacks are casualties of liberty and their own ignorance, not victims of
+> injustice.
+>
+> Bitcoin's DAO Moment
+> This situation has some similarities to The DAO hack of an Ethereum smart
+> contract in 2016, which resulted in a fork to stop the attacker and retur=
+n
+> funds to their original owners. The game theory is similar because it's a
+> situation where a threat is known but there's some period of time before
+> the attacker can actually execute the theft. As such, there's time to
+> mitigate the attack by changing the protocol.
+>
+> It also created a schism in the community around the true meaning of "cod=
+e
+> is law," resulting in Ethereum Classic, which decided to allow the attack=
+er
+> to retain control of the stolen funds.
+>
+> A soft fork to burn vulnerable bitcoin could certainly result in a hard
+> fork if there are enough miners who reject the soft fork and continue
+> including transactions.
+>
+> Incentives Matter
+> We can wax philosophical until the cows come home, but what are the actua=
+l
+> incentives for existing Bitcoin holders regarding this decision?
+>
+> "Lost coins only make everyone else's coins worth slightly more. Think of
+>> it as a donation to everyone." - Satoshi Nakamoto
+>
+>
+> If true, the corollary is:
+>
+> "Quantum recovered coins only make everyone else's coins worth less. Thin=
+k
+>> of it as a theft from everyone." - Jameson Lopp
+>
+>
+> Thus, assuming we get to a point where quantum resistant signatures are
+> supported within the Bitcoin protocol, what's the incentive to let
+> vulnerable coins remain spendable?
+>
+> * It's not good for the actual owners of those coins. It disincentivizes
+> owners from upgrading until perhaps it's too late.
+> * It's not good for the more attentive / responsible owners of coins who
+> have quantum secured their stash. Allowing the circulating supply to
+> balloon will assuredly reduce the purchasing power of all bitcoin holders=
+.
+>
+> Forking Game Theory
+> From a game theory point of view, I see this as incentivizing users to
+> upgrade their wallets. If you disagree with the burning of vulnerable
+> coins, all you have to do is move your funds to a quantum safe signature
+> scheme. Point being, I don't see there being an economic majority (or eve=
+n
+> more than a tiny minority) of users who would fight such a soft fork. Why
+> expend significant resources fighting a fork when you can just move your
+> coins to a new address?
+>
+> Remember that blocking spending of certain classes of locking scripts is =
+a
+> tightening of the rules - a soft fork. As such, it can be meaningfully
+> enacted and enforced by a mere majority of hashpower. If miners generally
+> agree that it's in their best interest to burn vulnerable coins, are othe=
+r
+> users going to care enough to put in the effort to run new node software
+> that resists the soft fork? Seems unlikely to me.
+>
+> How to Execute Burning
+> In order to be as objective as possible, the goal would be to announce to
+> the world that after a specific block height / timestamp, Bitcoin nodes
+> will no longer accept transactions (or blocks containing such transaction=
+s)
+> that spend funds from any scripts other than the newly instituted quantum
+> safe schemes.
+>
+> It could take a staggered approach to first freeze funds that are
+> susceptible to long-range attacks such as those in P2PK scripts or those
+> that exposed their public keys due to previously re-using addresses, but =
+I
+> expect the additional complexity would drive further controversy.
+>
+> How long should the grace period be in order to give the ecosystem time t=
+o
+> upgrade? I'd say a minimum of 1 year for software wallets to upgrade. We
+> can only hope that hardware wallet manufacturers are able to implement po=
+st
+> quantum cryptography on their existing hardware with only a firmware upda=
+te.
+>
+> Beyond that, it will take at least 6 months worth of block space for all
+> users to migrate their funds, even in a best case scenario. Though if you
+> exclude dust UTXOs you could probably get 95% of BTC value migrated in 1
+> month. Of course this is a highly optimistic situation where everyone is
+> completely focused on migrations - in reality it will take far longer.
+>
+> Regardless, I'd think that in order to reasonably uphold Bitcoin's
+> conservatism it would be preferable to allow a 4 year migration window. I=
+n
+> the meantime, mining pools could coordinate emergency soft forking logic
+> such that if quantum attackers materialized, they could accelerate the
+> countdown to the quantum vulnerable funds burn.
+>
+> Random Tangential Benefits
+> On the plus side, burning all quantum vulnerable bitcoin would allow us t=
+o
+> prune all of those UTXOs out of the UTXO set, which would also clean up a
+> lot of dust. Dust UTXOs are a bit of an annoyance and there has even been=
+ a
+> recent proposal for how to incentivize cleaning them up.
+>
+> We should also expect that incentivizing migration of the entire UTXO set
+> will create substantial demand for block space that will sustain a fee
+> market for a fairly lengthy amount of time.
+>
+> In Summary
+> While the moral quandary of violating any of Bitcoin's inviolable
+> properties can make this a very complex issue to discuss, the game theory
+> and incentives between burning vulnerable coins versus allowing them to b=
+e
+> claimed by entities with quantum supremacy appears to be a much simpler
+> issue.
+>
+> I, for one, am not interested in rewarding quantum capable entities by
+> inflating the circulating money supply just because some people lost thei=
+r
+> keys long ago and some laggards are not upgrading their bitcoin wallet's
+> security.
+>
+> We can hope that this scenario never comes to pass, but hope is not a
+> strategy.
+>
+> I welcome your feedback upon any of the above points, and contribution of
+> any arguments I failed to consider.
+>
+> --
+> You received this message because you are subscribed to the Google Groups
+> "Bitcoin Development Mailing List" group.
+> To unsubscribe from this group and stop receiving emails from it, send an
+> email to bitcoindev+unsubscribe@googlegroups.com.
+> To view this discussion visit
+> https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA=
+_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com
+> <https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8n=
+A_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com?utm_medium=3Demail&utm_so=
+urce=3Dfooter>
+> .
+>
+> --
+> You received this message because you are subscribed to the Google Groups
+> "Bitcoin Development Mailing List" group.
+> To unsubscribe from this group and stop receiving emails from it, send an
+> email to bitcoindev+unsubscribe@googlegroups.com.
+> To view this discussion visit
+> https://groups.google.com/d/msgid/bitcoindev/E8269A1A-1899-46D2-A7CD-4D9D=
+2B732364%40astrotown.de
+> <https://groups.google.com/d/msgid/bitcoindev/E8269A1A-1899-46D2-A7CD-4D9=
+D2B732364%40astrotown.de?utm_medium=3Demail&utm_source=3Dfooter>
+> .
+>
+
+--=20
+You received this message because you are subscribed to the Google Groups "=
+Bitcoin Development Mailing List" group.
+To unsubscribe from this group and stop receiving emails from it, send an e=
+mail to bitcoindev+unsubscribe@googlegroups.com.
+To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
+CAJDmzYxw%2BmXQKjS%2Bh%2Br6mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg%40mail.gmail.com.
+
+--0000000000004db4db063114c996
+Content-Type: text/html; charset="UTF-8"
+Content-Transfer-Encoding: quoted-printable
+
+<div dir=3D"ltr"><div dir=3D"ltr">I=E2=80=99m against letting quantum compu=
+ters scoop up funds from addresses that don=E2=80=99t upgrade to quantum-re=
+sistant.=C2=A0<br>Saulo=E2=80=99s idea of a free-market approach, leaving o=
+ld coins up for grabs if people don=E2=80=99t move them, sounds fair at fir=
+st. Let luck decide, right? But I worry it=E2=80=99d turn into a mess. If q=
+uantum machines start cracking keys and snagging coins, it=E2=80=99s not ju=
+st lost Satoshi-era stuff at risk. Plenty of active wallets, like those on =
+the rich list Jameson mentioned, could get hit too. Imagine millions of BTC=
+ flooding the market. Prices tank, trust in Bitcoin takes a dive, and we al=
+l feel the pain. Freezing those vulnerable funds keeps that chaos in check.=
+<br>Plus, =E2=80=9Cyour keys, your coins=E2=80=9D is Bitcoin=E2=80=99s hear=
+t. If quantum tech can steal from you just because you didn=E2=80=99t upgra=
+de fast enough, that promise feels shaky. Freezing funds after a heads-up p=
+eriod (say, four years) protects that idea better than letting tech giants =
+or rogue states play vampire with our network. It also nudges people to get=
+ their act together and move to safer addresses, which strengthens Bitcoin =
+long-term.<br>Saulo=E2=80=99s right that freezing coins could confuse folks=
+ or spark a split like Ethereum Classic. But I=E2=80=99d argue quantum thef=
+t would look worse. Bitcoin would seem broken, not just strict. A clear pla=
+n and enough time to migrate could smooth things over. History=E2=80=99s on=
+ our side too. Bitcoin=E2=80=99s fixed bugs before, like SegWit. This feels=
+ like that, not a bailout.<br>So yeah, I=E2=80=99d rather see vulnerable co=
+ins locked than handed to whoever builds the first quantum rig. It=E2=80=99=
+s less about coddling people and more about keeping Bitcoin solid for every=
+one. What do you all think?<br>Cheers,<br>Agust=C3=ADn<br><br></div><br><di=
+v class=3D"gmail_quote gmail_quote_container"><div dir=3D"ltr" class=3D"gma=
+il_attr">On Sun, Mar 23, 2025 at 10:29=E2=80=AFPM AstroTown &lt;<a href=3D"=
+mailto:saulo@astrotown.de">saulo@astrotown.de</a>&gt; wrote:<br></div><bloc=
+kquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:=
+1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"auto"><div dir=3D"=
+ltr"><span style=3D"color:rgb(0,0,0)">I believe that having some entity ann=
+ounce the decision to freeze old UTXOs would be more damaging to Bitcoin=E2=
+=80=99s image (and its value) than having them gathered by QC. This would c=
+reate another version of Bitcoin, similar to Ethereum Classic, causing conf=
+usion in the market.</span><div dir=3D"ltr"><div style=3D"color:rgb(0,0,0)"=
+><br></div><div style=3D"color:rgb(0,0,0)">It would be better to simply imp=
+lement the possibility of moving funds to a PQC address without a deadline,=
+ allowing those who fail to do so to rely on luck to avoid having their coi=
+ns stolen. Most coins would be migrated to PQC anyway, and in most cases, o=
+nly the lost ones would remain vulnerable. This is the free-market way to s=
+olve problems without imposing rules on everyone.</div><div style=3D"color:=
+rgb(0,0,0)"><br></div><div style=3D"color:rgb(0,0,0)">Saulo Fonseca</div><d=
+iv style=3D"color:rgb(0,0,0)"><br></div><div style=3D"color:rgb(0,0,0)"><br=
+><blockquote type=3D"cite"><div>On 16. Mar 2025, at 15:15, Jameson Lopp &lt=
+;<span dir=3D"ltr"><a href=3D"mailto:jameson.lopp@gmail.com" target=3D"_bla=
+nk">jameson.lopp@gmail.com</a></span>&gt; wrote:</div><br><div><div dir=3D"=
+ltr">The quantum computing debate is heating up. There are many controversi=
+al aspects to this debate, including whether or not quantum computers will =
+ever actually become a practical threat.<div><br>I won&#39;t tread into the=
+ unanswerable question of how worried we should be about quantum computers.=
+ I think it&#39;s far from a crisis, but given the difficulty in changing B=
+itcoin it&#39;s worth starting to seriously discuss. Today I wish to focus =
+on a philosophical quandary related to one of the decisions that would need=
+ to be made if and when we implement a quantum safe signature scheme.<br><b=
+r><font size=3D"6">Several Scenarios<br></font>Because this essay will refe=
+rence game theory a fair amount, and there are many variables at play that =
+could change the nature of the game, I think it&#39;s important to clarify =
+the possible scenarios up front.<br><br>1. Quantum computing never material=
+izes, never becomes a threat, and thus everything discussed in this essay i=
+s moot.<br>2. A quantum computing threat materializes suddenly and Bitcoin =
+does not have quantum safe signatures as part of the protocol. In this scen=
+ario it would likely make the points below moot because Bitcoin would be fu=
+ndamentally broken and it would take far too long to upgrade the protocol, =
+wallet software, and migrate user funds in order to restore confidence in t=
+he network.<br>3. Quantum computing advances slowly enough that we come to =
+consensus about how to upgrade Bitcoin and post quantum security has been m=
+inimally adopted by the time an attacker appears.<br>4. Quantum computing a=
+dvances slowly enough that we come to consensus about how to upgrade Bitcoi=
+n and post quantum security has been highly adopted by the time an attacker=
+ appears.<br><br>For the purposes of this post, I&#39;m envisioning being i=
+n situation 3 or 4.<br><br><font size=3D"6">To Freeze or not to Freeze?<br>=
+</font>I&#39;ve started seeing more people weighing in on what is likely th=
+e most contentious aspect of how a quantum resistance upgrade should be han=
+dled in terms of migrating user funds. Should quantum vulnerable funds be l=
+eft open to be swept by anyone with a sufficiently powerful quantum compute=
+r OR should they be permanently locked?<br><br><blockquote class=3D"gmail_q=
+uote" style=3D"margin:0px 0px 0px 0.8ex;border-left-color:rgb(204,204,204);=
+padding-left:1ex">&quot;I don&#39;t see why old coins should be confiscated=
+. The better option is to let those with quantum computers free up old coin=
+s. While this might have an inflationary impact on bitcoin&#39;s price, to =
+use a turn of phrase, the inflation is transitory. Those with low time pref=
+erence should support returning lost coins to circulation.&quot;=C2=A0</blo=
+ckquote><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex=
+;border-left-color:rgb(204,204,204);padding-left:1ex">- Hunter Beast</block=
+quote><div><br></div>On the other hand:</div><div><br><blockquote class=3D"=
+gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left-color:rgb(204,20=
+4,204);padding-left:1ex">&quot;Of course they have to be confiscated. If an=
+d when (and that&#39;s a big if) the existence of a cryptography-breaking Q=
+C becomes a credible threat, the Bitcoin ecosystem has no other option than=
+ softforking out the ability to spend from signature schemes (including ECD=
+SA and BIP340) that are vulnerable to QCs. The alternative is that millions=
+ of BTC become vulnerable to theft; I cannot see how the currency can maint=
+ain any value at all in such a setting. And this affects everyone; even tho=
+se which diligently moved their coins to PQC-protected schemes.&quot;<br>- =
+Pieter Wuille</blockquote><br>I don&#39;t think &quot;confiscation&quot; is=
+ the most precise term to use, as the funds are not being seized and reassi=
+gned. Rather, what we&#39;re really discussing would be better described as=
+ &quot;burning&quot; - placing the funds=C2=A0<b>out of reach of everyone</=
+b>.<br><br>Not freezing user funds is one of Bitcoin&#39;s inviolable prope=
+rties. However, if quantum computing becomes a threat to Bitcoin&#39;s elli=
+ptic curve cryptography,=C2=A0<b>an inviolable property of Bitcoin will be =
+violated one way or another</b>.<br><br><font size=3D"6">Fundamental Proper=
+ties at Risk<br></font>5 years ago I attempted to comprehensively categoriz=
+e all of Bitcoin&#39;s fundamental properties that give it value.=C2=A0<a h=
+ref=3D"https://nakamoto.com/what-are-the-key-properties-of-bitcoin/" target=
+=3D"_blank">https://nakamoto.com/what-are-the-key-properties-of-bitcoin/<br=
+></a><br>The particular properties in play with regard to this issue seem t=
+o be:<br><br><b>Censorship Resistance</b>=C2=A0- No one should have the pow=
+er to prevent others from using their bitcoin or interacting with the netwo=
+rk.<br><br><b>Forward Compatibility</b>=C2=A0- changing the rules such that=
+ certain valid transactions become invalid could undermine confidence in th=
+e protocol.<br><br><b>Conservatism</b>=C2=A0- Users should not be expected =
+to be highly responsive to system issues.<br><br>As a result of the above p=
+rinciples, we have developed a strong meme (kudos to Andreas Antonopoulos) =
+that goes as follows:<br><br><blockquote class=3D"gmail_quote" style=3D"mar=
+gin:0px 0px 0px 0.8ex;border-left-color:rgb(204,204,204);padding-left:1ex">=
+Not your keys, not your coins.</blockquote><br>I posit that the corollary t=
+o this principle is:<br><br><blockquote class=3D"gmail_quote" style=3D"marg=
+in:0px 0px 0px 0.8ex;border-left-color:rgb(204,204,204);padding-left:1ex">Y=
+our keys, only your coins.</blockquote><br>A quantum capable entity breaks =
+the corollary of this foundational principle. We secure our bitcoin with th=
+e mathematical probabilities related to extremely large random numbers. You=
+r funds are only secure because truly random large numbers should not be gu=
+essable or discoverable by anyone else in the world.<br><br>This is the pri=
+nciple behind the motto=C2=A0<i>vires in numeris</i>=C2=A0- strength in num=
+bers. In a world with quantum enabled adversaries, this principle is null a=
+nd void for many types of cryptography, including the elliptic curve digita=
+l signatures used in Bitcoin.<br><br><font size=3D"6">Who is at Risk?<br></=
+font>There has long been a narrative that Satoshi&#39;s coins and others fr=
+om the Satoshi era of P2PK locking scripts that exposed the public key dire=
+ctly on the blockchain will be those that get scooped up by a quantum &quot=
+;miner.&quot; But unfortunately it&#39;s not that simple. If I had a powerf=
+ul quantum computer, which coins would I target? I&#39;d go to the Bitcoin =
+rich list and find the wallets that have exposed their public keys due to r=
+e-using addresses that have previously been spent from. You can easily find=
+ them at=C2=A0<a href=3D"https://bitinfocharts.com/top-100-richest-bitcoin-=
+addresses.html" target=3D"_blank">https://bitinfocharts.com/top-100-richest=
+-bitcoin-addresses.html</a><br><br>Note that a few of these wallets, like B=
+itfinex / Kraken / Tether, would be slightly harder to crack because they a=
+re multisig wallets. So a quantum attacker would need to reverse engineer 2=
+ keys for Kraken or 3 for Bitfinex / Tether in order to spend funds. But ma=
+ny are single signature.<br><br>Point being, it&#39;s not only the really o=
+ld lost BTC that are at risk to a quantum enabled adversary, at least at ti=
+me of writing. If we add a quantum safe signature scheme, we should expect =
+those wallets to be some of the first to upgrade given their incentives.<br=
+><br><font size=3D"6">The Ethical Dilemma: Quantifying Harm<br></font>Which=
+ decision results in the most harm?<br><br>By making quantum vulnerable fun=
+ds unspendable we potentially harm some Bitcoin users who were not paying a=
+ttention and neglected to migrate their funds to a quantum safe locking scr=
+ipt. This violates the &quot;conservativism&quot; principle stated earlier.=
+ On the flip side, we prevent those funds plus far more lost funds from fal=
+ling into the hands of the few privileged folks who gain early access to qu=
+antum computers.<br><br>By leaving quantum vulnerable funds available to sp=
+end, the same set of users who would otherwise have funds frozen are likely=
+ to see them stolen. And many early adopters who lost their keys will event=
+ually see their unreachable funds scooped up by a quantum enabled adversary=
+.<br><br>Imagine, for example, being James Howells, who accidentally threw =
+away a hard drive with 8,000 BTC on it, currently worth over $600M USD. He =
+has spent a decade trying to retrieve it from the landfill where he knows i=
+t&#39;s buried, but can&#39;t get permission to excavate. I suspect that, g=
+iven the choice, he&#39;d prefer those funds be permanently frozen rather t=
+han fall into someone else&#39;s possession - I know I would.<br><br>Allowi=
+ng a quantum computer to access lost funds doesn&#39;t make those users any=
+ worse off than they were before, however it=C2=A0<i>would</i>have a negati=
+ve impact upon everyone who is currently holding bitcoin.<br><br>It&#39;s p=
+rudent to expect significant economic disruption if large amounts of coins =
+fall into new hands. Since a quantum computer is going to have a massive up=
+ front cost, expect those behind it to desire to recoup their investment. W=
+e also know from experience that when someone suddenly finds themselves in =
+possession of 9+ figures worth of highly liquid assets, they tend to divers=
+ify into other things by selling.<br><br>Allowing quantum recovery of bitco=
+in is=C2=A0<i>tantamount to wealth redistribution</i>. What we&#39;d be all=
+owing is for bitcoin to be redistributed from those who are ignorant of qua=
+ntum computers to those who have won the technological race to acquire quan=
+tum computers. It&#39;s hard to see a bright side to that scenario.<br><br>=
+<font size=3D"6">Is Quantum Recovery Good for Anyone?</font><br><br>Does qu=
+antum recovery HELP anyone? I&#39;ve yet to come across an argument that it=
+&#39;s a net positive in any way. It certainly doesn&#39;t add any security=
+ to the network. If anything, it greatly decreases the security of the netw=
+ork by allowing funds to be claimed by those who did not earn them.<br><br>=
+But wait, you may be thinking, wouldn&#39;t quantum &quot;miners&quot; have=
+ earned their coins by all the work and resources invested in building a qu=
+antum computer? I suppose, in the same sense that a burglar earns their spo=
+ils by the resources they invest into surveilling targets and learning the =
+skills needed to break into buildings. What I say &quot;earned&quot; I mean=
+ through productive mutual trade.<br><br>For example:<br><br>* Investors ea=
+rn BTC by trading for other currencies.<br>* Merchants earn BTC by trading =
+for goods and services.<br>* Miners earn BTC by trading thermodynamic secur=
+ity.<br>* Quantum miners don&#39;t trade anything, they are vampires feedin=
+g upon the system.<br><br>There&#39;s no reason to believe that allowing qu=
+antum adversaries to recover vulnerable bitcoin will be of benefit to anyon=
+e other than the select few organizations that win the technological arms r=
+ace to build the first such computers. Probably nation states and/or the to=
+p few largest tech companies.<br><br>One could certainly hope that an organ=
+ization with quantum supremacy is benevolent and acts in a &quot;white hat&=
+quot; manner to return lost coins to their owners, but that&#39;s incredibl=
+y optimistic and foolish to rely upon. Such a situation creates an insurmou=
+ntable ethical dilemma of only recovering lost bitcoin rather than currentl=
+y owned bitcoin. There&#39;s no way to precisely differentiate between the =
+two; anyone can claim to have lost their bitcoin but if they have lost thei=
+r keys then proving they ever had the keys becomes rather difficult. I imag=
+ine that any such white hat recovery efforts would have to rely upon attest=
+ations from trusted third parties like exchanges.<br><br>Even if the first =
+actor with quantum supremacy is benevolent, we must assume the technology c=
+ould fall into adversarial hands and thus think adversarially about the pot=
+ential worst case outcomes. Imagine, for example, that North Korea continue=
+s scooping up billions of dollars from hacking crypto exchanges and decides=
+ to invest some of those proceeds into building a quantum computer for the =
+biggest payday ever...<br><br><font size=3D"6">Downsides to Allowing Quantu=
+m Recovery</font><br>Let&#39;s think through an exhaustive list of pros and=
+ cons for allowing or preventing the seizure of funds by a quantum adversar=
+y.<br><br><font size=3D"4">Historical Precedent</font><br>Previous protocol=
+ vulnerabilities weren=E2=80=99t celebrated as &quot;fair game&quot; but ra=
+ther were treated as failures to be remediated. Treating quantum theft diff=
+erently risks rewriting Bitcoin=E2=80=99s history as a free-for-all rather =
+than a system that seeks to protect its users.<br><br><font size=3D"4">Viol=
+ation of Property Rights</font><br>Allowing a quantum adversary to take con=
+trol of funds undermines the fundamental principle of cryptocurrency - if y=
+ou keep your keys in your possession, only you should be able to access you=
+r money. Bitcoin is built on the idea that private keys secure an individua=
+l=E2=80=99s assets, and unauthorized access (even via advanced tech) is the=
+ft, not a legitimate transfer.<br><br><font size=3D"4">Erosion of Trust in =
+Bitcoin</font><br>If quantum attackers can exploit vulnerable addresses, co=
+nfidence in Bitcoin as a secure store of value would collapse. Users and in=
+vestors rely on cryptographic integrity, and widespread theft could drive a=
+doption away from Bitcoin, destabilizing its ecosystem.<br><br>This is esse=
+ntially the counterpoint to claiming the burning of vulnerable funds is a v=
+iolation of property rights. While some will certainly see it as such, othe=
+rs will find the apathy toward stopping quantum theft to be similarly conce=
+rning.<br><br><font size=3D"4">Unfair Advantage</font><br>Quantum attackers=
+, likely equipped with rare and expensive technology, would have an unjust =
+edge over regular users who lack access to such tools. This creates an ineq=
+uitable system where only the technologically elite can exploit others, con=
+tradicting Bitcoin=E2=80=99s ethos of decentralized power.<br><br>Bitcoin i=
+s designed to create an asymmetric advantage for DEFENDING one&#39;s wealth=
+. It&#39;s supposed to be impractically expensive for attackers to crack th=
+e entropy and cryptography protecting one&#39;s coins. But now we find ours=
+elves discussing a situation where this asymmetric advantage is compromised=
+ in favor of a specific class of attackers.<br><br><font size=3D"4">Economi=
+c Disruption</font><br>Large-scale theft from vulnerable addresses could cr=
+ash Bitcoin=E2=80=99s price as quantum recovered funds are dumped on exchan=
+ges. This would harm all holders, not just those directly targeted, leading=
+ to broader financial chaos in the markets.<br><br><font size=3D"4">Moral R=
+esponsibility</font><br>Permitting theft via quantum computing sets a prece=
+dent that technological superiority justifies unethical behavior. This is e=
+ssentially taking a &quot;code is law&quot; stance in which we refuse to ad=
+mit that both code and laws can be modified to adapt to previously unforese=
+en situations.<br><br>Burning of coins can certainly be considered a form o=
+f theft, thus I think it&#39;s worth differentiating the two different thef=
+ts being discussed:<br><br>1. self-enriching &amp; likely malicious<br>2. h=
+arm prevention &amp; not necessarily malicious<br><br>Both options lack the=
+ consent of the party whose coins are being burnt or transferred, thus I th=
+ink the simple argument that theft is immoral becomes a wash and it&#39;s i=
+mportant to drill down into the details of each.<br><br><font size=3D"4">In=
+centives Drive Security</font><br>I can tell you from a decade of working i=
+n Bitcoin security - the average user is lazy and is a procrastinator. If B=
+itcoiners are given a &quot;drop dead date&quot; after which they know vuln=
+erable funds will be burned, this pressure accelerates the adoption of post=
+-quantum cryptography and strengthens Bitcoin long-term. Allowing vulnerabl=
+e users to delay upgrading indefinitely will result in more laggards, leavi=
+ng the network more exposed when quantum tech becomes available.<br><br><fo=
+nt size=3D"6">Steel Manning<br></font>Clearly this is a complex and controv=
+ersial topic, thus it&#39;s worth thinking through the opposing arguments.<=
+br><br><font size=3D"4">Protecting Property Rights</font><br>Allowing quant=
+um computers to take vulnerable bitcoin could potentially be spun as a hard=
+ money narrative - we care so greatly about not violating someone&#39;s acc=
+ess to their coins that we allow them to be stolen!<br><br>But I think the =
+flip side to the property rights narrative is that burning vulnerable coins=
+ prevents said property from falling into undeserving hands. If the entire =
+Bitcoin ecosystem just stands around and allows quantum adversaries to clai=
+m funds that rightfully belong to other users, is that really a &quot;win&q=
+uot; in the &quot;protecting property rights&quot; category? It feels more =
+like apathy to me.<br><br>As such, I think the &quot;protecting property ri=
+ghts&quot; argument is a wash.<br><br><font size=3D"4">Quantum Computers Wo=
+n&#39;t Attack Bitcoin</font><br>There is a great deal of skepticism that s=
+ufficiently powerful quantum computers will ever exist, so we shouldn&#39;t=
+ bother preparing for a non-existent threat. Others have argued that even i=
+f such a computer was built, a quantum attacker would not go after bitcoin =
+because they wouldn&#39;t want to reveal their hand by doing so, and would =
+instead attack other infrastructure.<br><br>It&#39;s quite difficult to qua=
+ntify exactly how valuable attacking other infrastructure would be. It also=
+ really depends upon when an entity gains quantum supremacy and thus if by =
+that time most of the world&#39;s systems have already been upgraded. While=
+ I think you could argue that certain entities gaining quantum capability m=
+ight not attack Bitcoin, it would only delay the inevitable - eventually so=
+mebody will achieve the capability who decides to use it for such an attack=
+.<br><br><font size=3D"4">Quantum Attackers Would Only Steal Small Amounts<=
+/font><br>Some have argued that even if a quantum attacker targeted bitcoin=
+, they&#39;d only go after old, likely lost P2PK outputs so as to not arous=
+e suspicion and cause a market panic.<br><br>I&#39;m not so sure about that=
+; why go after 50 BTC at a time when you could take 250,000 BTC with the sa=
+me effort as 50 BTC? This is a classic &quot;zero day exploit&quot; game th=
+eory in which an attacker knows they have a limited amount of time before s=
+omeone else discovers the exploit and either benefits from it or patches it=
+. Take, for example, the recent ByBit attack - the highest value crypto hac=
+k of all time. Lazarus Group had compromised the Safe wallet front end Java=
+Script app and they could have simply had it reassign ownership of everyone=
+&#39;s Safe wallets as they were interacting with their wallet. But instead=
+ they chose to only specifically target ByBit&#39;s wallet with $1.5 billio=
+n in it because they wanted to maximize their extractable value. If Lazarus=
+ had started stealing from every wallet, they would have been discovered qu=
+ickly and the Safe web app would likely have been patched well before any b=
+illion dollar wallets executed the malicious code.<br><br>I think the &quot=
+;only stealing small amounts&quot; argument is strongest for Situation #2 d=
+escribed earlier, where a quantum attacker arrives before quantum safe cryp=
+tography has been deployed across the Bitcoin ecosystem. Because if it beca=
+me clear that Bitcoin&#39;s cryptography was broken AND there was nowhere s=
+afe for vulnerable users to migrate, the only logical option would be for e=
+veryone to liquidate their bitcoin as quickly as possible. As such, I don&#=
+39;t think it applies as strongly for situations in which we have a migrati=
+on path available.<br><br><font size=3D"4">The 21 Million Coin Supply Shoul=
+d be in Circulation</font><br>Some folks are arguing that it&#39;s importan=
+t for the &quot;circulating / spendable&quot; supply to be as close to 21M =
+as possible and that having a significant portion of the supply out of circ=
+ulation is somehow undesirable.<br><br>While the &quot;21M BTC&quot; attrib=
+ute is a strong memetic narrative, I don&#39;t think anyone has ever expect=
+ed that it would all be in circulation. It has always been understood that =
+many coins will be lost, and that&#39;s actually part of the game theory of=
+ owning bitcoin!<br><br>And remember, the 21M number in and of itself is no=
+t a particularly important detail - it&#39;s not even mentioned in the whit=
+epaper. What&#39;s important is that the supply is well known and not subje=
+ct to change.<br><br><font size=3D"4">Self-Sovereignty and Personal Respons=
+ibility</font><br>Bitcoin=E2=80=99s design empowers individuals to control =
+their own wealth, free from centralized intervention. This freedom comes wi=
+th the burden of securing one&#39;s private keys. If quantum computing can =
+break obsolete cryptography, the fault lies with users who didn&#39;t move =
+their funds to quantum safe locking scripts. Expecting the network to shiel=
+d users from their own negligence undermines the principle that you, and no=
+t a third party, are accountable for your assets.<br><br>I think this is ge=
+nerally a fair point that &quot;the community&quot; doesn&#39;t owe you any=
+thing in terms of helping you. I think that we do, however, need to conside=
+r the incentives and game theory in play with regard to quantum safe Bitcoi=
+ners vs quantum vulnerable Bitcoiners. More on that later.<br><br><font siz=
+e=3D"4">Code is Law</font><br>Bitcoin operates on transparent, immutable ru=
+les embedded in its protocol. If a quantum attacker uses superior technolog=
+y to derive private keys from public keys, they=E2=80=99re not &quot;hackin=
+g&quot; the system - they&#39;re simply following what&#39;s mathematically=
+ permissible within the current code. Altering the protocol to stop this in=
+troduces subjective human intervention, which clashes with the objective, d=
+eterministic nature of blockchain.<br><br>While I tend to agree that code i=
+s law, one of the entire points of laws is that they can be amended to impr=
+ove their efficacy in reducing harm. Leaning on this point seems more like =
+a pro-ossification stance that it&#39;s better to do nothing and allow harm=
+ to occur rather than take action to stop an attack that was foreseen far i=
+n advance.<br><br><font size=3D"4">Technological Evolution as a Feature, No=
+t a Bug</font><br>It&#39;s well known that cryptography tends to weaken ove=
+r time and eventually break. Quantum computing is just the next step in thi=
+s progression. Users who fail to adapt (e.g., by adopting quantum-resistant=
+ wallets when available) are akin to those who ignored technological advanc=
+ements like multisig or hardware wallets. Allowing quantum theft incentiviz=
+es innovation and keeps Bitcoin=E2=80=99s ecosystem dynamic, punishing comp=
+lacency while rewarding vigilance.<br><br><font size=3D"4">Market Signals D=
+rive Security</font><br>If quantum attackers start stealing funds, it sends=
+ a clear signal to the market: upgrade your security or lose everything. Th=
+is pressure accelerates the adoption of post-quantum cryptography and stren=
+gthens Bitcoin long-term. Coddling vulnerable users delays this necessary e=
+volution, potentially leaving the network more exposed when quantum tech be=
+comes widely accessible. Theft is a brutal but effective teacher.<br><br><f=
+ont size=3D"4">Centralized Blacklisting Power</font><br>Burning vulnerable =
+funds requires centralized decision-making - a soft fork to invalidate cert=
+ain transactions. This sets a dangerous precedent for future interventions,=
+ eroding Bitcoin=E2=80=99s decentralization. If quantum theft is blocked, w=
+hat=E2=80=99s next - reversing exchange hacks? The system must remain neutr=
+al, even if it means some lose out.<br><br>I think this could be a potentia=
+l slippery slope if the proposal was to only burn specific addresses. Rathe=
+r, I&#39;d expect a neutral proposal to burn all funds in locking script ty=
+pes that are known to be quantum vulnerable. Thus, we could eliminate any s=
+ubjectivity from the code.<br><br><font size=3D"4">Fairness in Competition<=
+/font><br>Quantum attackers aren&#39;t cheating; they&#39;re using publicly=
+ available physics and math. Anyone with the resources and foresight can bu=
+ild or access quantum tech, just as anyone could mine Bitcoin in 2009 with =
+a CPU. Early adopters took risks and reaped rewards; quantum innovators are=
+ doing the same. Calling it =E2=80=9Cunfair=E2=80=9D ignores that Bitcoin h=
+as never promised equality of outcome - only equality of opportunity within=
+ its rules.<br><br>I find this argument to be a mischaracterization because=
+ we&#39;re not talking about CPUs. This is more akin to talking about ASICs=
+, except each ASIC costs millions if not billions of dollars. This is out o=
+f reach from all but the wealthiest organizations.<br><br><font size=3D"4">=
+Economic Resilience</font><br>Bitcoin has weathered thefts before (MTGOX, B=
+itfinex, FTX, etc) and emerged stronger. The market can absorb quantum loss=
+es, with unaffected users continuing to hold and new entrants buying in at =
+lower prices. Fear of economic collapse overestimates the impact - the netw=
+ork=E2=80=99s antifragility thrives on such challenges.<br><br>This is a bi=
+g grey area because we don&#39;t know when a quantum computer will come onl=
+ine and we don&#39;t know how quickly said computers would be able to steal=
+ bitcoin. If, for example, the first generation of sufficiently powerful qu=
+antum computers were stealing less volume than the current block reward the=
+n of course it will have minimal economic impact. But if they&#39;re taking=
+ thousands of BTC per day and bringing them back into circulation, there wi=
+ll likely be a noticeable market impact as it absorbs the new supply.<br><b=
+r>This is where the circumstances will really matter. If a quantum attacker=
+ appears AFTER the Bitcoin protocol has been upgraded to support quantum re=
+sistant cryptography then we should expect the most valuable active wallets=
+ will have upgraded and the juiciest target would be the 31,000 BTC in the =
+address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant since 201=
+0. In general I&#39;d expect that the amount of BTC re-entering the circula=
+ting supply would look somewhat similar to the mining emission curve: volum=
+e would start off very high as the most valuable addresses are drained and =
+then it would fall off as quantum computers went down the list targeting ad=
+dresses with less and less BTC.<br><br>Why is economic impact a factor wort=
+h considering? Miners and businesses in general. More coins being liquidate=
+d will push down the price, which will negatively impact miner revenue. Sim=
+ilarly, I can attest from working in the industry for a decade, that lower =
+prices result in less demand from businesses across the entire industry. As=
+ such, burning quantum vulnerable bitcoin is good for the entire industry.<=
+br><br><font size=3D"4">Practicality &amp; Neutrality of Non-Intervention</=
+font><br>There=E2=80=99s no reliable way to distinguish =E2=80=9Ctheft=E2=
+=80=9D from legitimate &quot;white hat&quot; key recovery. If someone loses=
+ their private key and a quantum computer recovers it, is that stealing or =
+reclaiming? Policing quantum actions requires invasive assumptions about in=
+tent, which Bitcoin=E2=80=99s trustless design can=E2=80=99t accommodate. L=
+etting the chips fall where they may avoids this mess.<br><br><font size=3D=
+"4">Philosophical Purity</font><br>Bitcoin rejects bailouts. It=E2=80=99s a=
+ cold, hard system where outcomes reflect preparation and skill, not sentim=
+entality. If quantum computing upends the game, that=E2=80=99s the point - =
+Bitcoin isn=E2=80=99t meant to be safe or fair in a nanny-state sense; it=
+=E2=80=99s meant to be free. Users who lose funds to quantum attacks are ca=
+sualties of liberty and their own ignorance, not victims of injustice.<br><=
+br><font size=3D"6">Bitcoin&#39;s DAO Moment</font><br>This situation has s=
+ome similarities to The DAO hack of an Ethereum smart contract in 2016, whi=
+ch resulted in a fork to stop the attacker and return funds to their origin=
+al owners. The game theory is similar because it&#39;s a situation where a =
+threat is known but there&#39;s some period of time before the attacker can=
+ actually execute the theft. As such, there&#39;s time to mitigate the atta=
+ck by changing the protocol.<br><br>It also created a schism in the communi=
+ty around the true meaning of &quot;code is law,&quot; resulting in Ethereu=
+m Classic, which decided to allow the attacker to retain control of the sto=
+len funds.<br><br>A soft fork to burn vulnerable bitcoin could certainly re=
+sult in a hard fork if there are enough miners who reject the soft fork and=
+ continue including transactions.<br><br><font size=3D"6">Incentives Matter=
+</font><br>We can wax philosophical until the cows come home, but what are =
+the actual incentives for existing Bitcoin holders regarding this decision?=
+<br><br><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex=
+;border-left-color:rgb(204,204,204);padding-left:1ex">&quot;Lost coins only=
+ make everyone else&#39;s coins worth slightly more. Think of it as a donat=
+ion to everyone.&quot; - Satoshi Nakamoto</blockquote><br>If true, the coro=
+llary is:<br><br><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
+0px 0.8ex;border-left-color:rgb(204,204,204);padding-left:1ex">&quot;Quantu=
+m recovered coins only make everyone else&#39;s coins worth less. Think of =
+it as a theft from everyone.&quot; - Jameson Lopp</blockquote><br>Thus, ass=
+uming we get to a point where quantum resistant signatures are supported wi=
+thin the Bitcoin protocol, what&#39;s the incentive to let vulnerable coins=
+ remain spendable?<br><br>* It&#39;s not good for the actual owners of thos=
+e coins. It disincentivizes owners from upgrading until perhaps it&#39;s to=
+o late.<br>* It&#39;s not good for the more attentive / responsible owners =
+of coins who have quantum secured their stash. Allowing the circulating sup=
+ply to balloon will assuredly reduce the purchasing power of all bitcoin ho=
+lders.<br><br><font size=3D"6">Forking Game Theory</font><br>From a game th=
+eory point of view, I see this as incentivizing users to upgrade their wall=
+ets. If you disagree with the burning of vulnerable coins, all you have to =
+do is move your funds to a quantum safe signature scheme. Point being, I do=
+n&#39;t see there being an economic majority (or even more than a tiny mino=
+rity) of users who would fight such a soft fork. Why expend significant res=
+ources fighting a fork when you can just move your coins to a new address?<=
+br><br>Remember that blocking spending of certain classes of locking script=
+s is a tightening of the rules - a soft fork. As such, it can be meaningful=
+ly enacted and enforced by a mere majority of hashpower. If miners generall=
+y agree that it&#39;s in their best interest to burn vulnerable coins, are =
+other users going to care enough to put in the effort to run new node softw=
+are that resists the soft fork? Seems unlikely to me.<br><br><font size=3D"=
+6">How to Execute Burning</font><br>In order to be as objective as possible=
+, the goal would be to announce to the world that after a specific block he=
+ight / timestamp, Bitcoin nodes will no longer accept transactions (or bloc=
+ks containing such transactions) that spend funds from any scripts other th=
+an the newly instituted quantum safe schemes.<br><br>It could take a stagge=
+red approach to first freeze funds that are susceptible to long-range attac=
+ks such as those in P2PK scripts or those that exposed their public keys du=
+e to previously re-using addresses, but I expect the additional complexity =
+would drive further controversy.<br><br>How long should the grace period be=
+ in order to give the ecosystem time to upgrade? I&#39;d say a minimum of 1=
+ year for software wallets to upgrade. We can only hope that hardware walle=
+t manufacturers are able to implement post quantum cryptography on their ex=
+isting hardware with only a firmware update.<br><br>Beyond that, it will ta=
+ke at least 6 months worth of block space for all users to migrate their fu=
+nds, even in a best case scenario. Though if you exclude dust UTXOs you cou=
+ld probably get 95% of BTC value migrated in 1 month. Of course this is a h=
+ighly optimistic situation where everyone is completely focused on migratio=
+ns - in reality it will take far longer.<br><br>Regardless, I&#39;d think t=
+hat in order to reasonably uphold Bitcoin&#39;s conservatism it would be pr=
+eferable to allow a 4 year migration window. In the meantime, mining pools =
+could coordinate emergency soft forking logic such that if quantum attacker=
+s materialized, they could accelerate the countdown to the quantum vulnerab=
+le funds burn.<br><br><font size=3D"6">Random Tangential Benefits</font><br=
+>On the plus side, burning all quantum vulnerable bitcoin would allow us to=
+ prune all of those UTXOs out of the UTXO set, which would also clean up a =
+lot of dust. Dust UTXOs are a bit of an annoyance and there has even been a=
+ recent proposal for how to incentivize cleaning them up.<br><br>We should =
+also expect that incentivizing migration of the entire UTXO set will create=
+ substantial demand for block space that will sustain a fee market for a fa=
+irly lengthy amount of time.<br><br><font size=3D"6">In Summary</font><br>W=
+hile the moral quandary of violating any of Bitcoin&#39;s inviolable proper=
+ties can make this a very complex issue to discuss, the game theory and inc=
+entives between burning vulnerable coins versus allowing them to be claimed=
+ by entities with quantum supremacy appears to be a much simpler issue.<br>=
+<br>I, for one, am not interested in rewarding quantum capable entities by =
+inflating the circulating money supply just because some people lost their =
+keys long ago and some laggards are not upgrading their bitcoin wallet&#39;=
+s security.<br><br>We can hope that this scenario never comes to pass, but =
+hope is not a strategy.<br><br>I welcome your feedback upon any of the abov=
+e points, and contribution of any arguments I failed to consider.</div></di=
+v><div><br></div>--=C2=A0<br>You received this message because you are subs=
+cribed to the Google Groups &quot;Bitcoin Development Mailing List&quot; gr=
+oup.<br>To unsubscribe from this group and stop receiving emails from it, s=
+end an email to=C2=A0<a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.=
+com" target=3D"_blank">bitcoindev+unsubscribe@googlegroups.com</a>.<br>To v=
+iew this discussion visit=C2=A0<a href=3D"https://groups.google.com/d/msgid=
+/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40m=
+ail.gmail.com?utm_medium=3Demail&amp;utm_source=3Dfooter" target=3D"_blank"=
+>https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_=
+4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com</a>.</div></blockquote></di=
+v><div dir=3D"ltr"></div></div></div></div>
+
+<p></p>
+
+-- <br>
+You received this message because you are subscribed to the Google Groups &=
+quot;Bitcoin Development Mailing List&quot; group.<br>
+To unsubscribe from this group and stop receiving emails from it, send an e=
+mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com" target=
+=3D"_blank">bitcoindev+unsubscribe@googlegroups.com</a>.<br>
+To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
+bitcoindev/E8269A1A-1899-46D2-A7CD-4D9D2B732364%40astrotown.de?utm_medium=
+=3Demail&amp;utm_source=3Dfooter" target=3D"_blank">https://groups.google.c=
+om/d/msgid/bitcoindev/E8269A1A-1899-46D2-A7CD-4D9D2B732364%40astrotown.de</=
+a>.<br>
+</blockquote></div></div>
+
+<p></p>
+
+-- <br />
+You received this message because you are subscribed to the Google Groups &=
+quot;Bitcoin Development Mailing List&quot; group.<br />
+To unsubscribe from this group and stop receiving emails from it, send an e=
+mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
+ev+unsubscribe@googlegroups.com</a>.<br />
+To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
+bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br6mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg%40mail=
+.gmail.com?utm_medium=3Demail&utm_source=3Dfooter">https://groups.google.co=
+m/d/msgid/bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br6mCoe1rwWUpa_yZDwmwx6U_eO5Jh=
+ZLg%40mail.gmail.com</a>.<br />
+
+--0000000000004db4db063114c996--
+
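Review bot: the tail of this hunk, from the `--=C2=A0<br>You received this message` footer up to the closing `--0000000000004db4db063114c996--` boundary, stores the Google Groups list footer three times (one copy per nested quote level plus the top-level copy), and each copy's "view this discussion" link carries `utm_medium=3Demail` and `utm_source=3Dfooter` tracking parameters. If the blob is meant to be a byte-exact copy of the delivered message, that is fine to commit as is, but it is worth documenting that consumers must decode the quoted-printable part before searching or rendering it. The soft line breaks split tokens mid-word and mid-entity, for example `&quot;white hat&=` / `quot;` and `dormant since 201=` / `0`, so a plain grep over the stored file will miss phrases that are present in the message. Any index or rendered view built from this file should also collapse the repeated footers and drop the `utm_*` query strings rather than surface them three times.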