From: Nadav Ivgi
Date: Sun, 6 Apr 2025 17:07:03 +0300
Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin
To: Jameson Lopp
Cc: Bitcoin Development Mailing List
One possible alternative to freezing/burning the coins entirely is letting quantum attackers keep some small percent as a reward, but force them to stage the rest to future miners as an additional security budget subsidy.

This can be implemented as a soft fork, by requiring transactions spending QC-vulnerable coins to allocate some funds to an OP_CLTV[0]-only encumbered output timelocked far into the future. Miners would then monitor these outputs and claim them as they become available.

For example, allow a 1% reward to be spent freely to any address but require 99% to be sent to an OP_CLTV output timelocked to a deterministically random height between 10-100 years from now.

The 1% reward could also be required to be sent to a script that enforces a timelock (in addition to other conditions), to avoid flooding the markets with the rewarded coins all at once. Probably a shorter timelock duration though, say picked randomly between 10-30 months.

To further smooth out variance in the release schedule, coins could be split into up-to-N-BTC outputs, each staggered with a different deterministic timelock. So for example, a single tx spending 10,000 BTC won't release 9,900 BTC to the miners in a single far-future block (which may cause chain instability if the miners get into a reorg war over it), but rather as 9,900 separate outputs of 1 BTC each released gradually over time.[1]

I'm still not sure what I think about this. This is not necessarily an endorsement, just a thought. :)

- shesek

[0] OP_CSV only supports relative timelocks of up to 65535 blocks (~15 months), which is too short for that purpose. OP_CLTV supports longer (absolute) timelocks.
[1] This can be made more efficient with CTV, by having a single UTXO carrying the full amount that slowly unrolls rather than 9,900 separate UTXO entries.

On Sun, Mar 16, 2025 at 5:22 PM Jameson Lopp wrote:

> The quantum computing debate is heating up. There are many controversial aspects to this debate, including whether or not quantum computers will ever actually become a practical threat.
>
> I won't tread into the unanswerable question of how worried we should be about quantum computers. I think it's far from a crisis, but given the difficulty in changing Bitcoin it's worth starting to seriously discuss. Today I wish to focus on a philosophical quandary related to one of the decisions that would need to be made if and when we implement a quantum safe signature scheme.
>
> Several Scenarios
> Because this essay will reference game theory a fair amount, and there are many variables at play that could change the nature of the game, I think it's important to clarify the possible scenarios up front.
>
> 1. Quantum computing never materializes, never becomes a threat, and thus everything discussed in this essay is moot.
> 2. A quantum computing threat materializes suddenly and Bitcoin does not have quantum safe signatures as part of the protocol. In this scenario it would likely make the points below moot because Bitcoin would be fundamentally broken and it would take far too long to upgrade the protocol, wallet software, and migrate user funds in order to restore confidence in the network.
> 3. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been minimally adopted by the time an attacker appears.
> 4. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been highly adopted by the time an attacker appears.
>
> For the purposes of this post, I'm envisioning being in situation 3 or 4.
>
> To Freeze or not to Freeze?
> I've started seeing more people weighing in on what is likely the most contentious aspect of how a quantum resistance upgrade should be handled in terms of migrating user funds. Should quantum vulnerable funds be left open to be swept by anyone with a sufficiently powerful quantum computer OR should they be permanently locked?
>
>> "I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation."
> - Hunter Beast
>
> On the other hand:
>
>> "Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone; even those which diligently moved their coins to PQC-protected schemes."
>> - Pieter Wuille
>
> I don't think "confiscation" is the most precise term to use, as the funds are not being seized and reassigned. Rather, what we're really discussing would be better described as "burning" - placing the funds *out of reach of everyone*.
>
> Not freezing user funds is one of Bitcoin's inviolable properties. However, if quantum computing becomes a threat to Bitcoin's elliptic curve cryptography, *an inviolable property of Bitcoin will be violated one way or another*.
>
> Fundamental Properties at Risk
> 5 years ago I attempted to comprehensively categorize all of Bitcoin's fundamental properties that give it value.
> https://nakamoto.com/what-are-the-key-properties-of-bitcoin/
>
> The particular properties in play with regard to this issue seem to be:
>
> *Censorship Resistance* - No one should have the power to prevent others from using their bitcoin or interacting with the network.
>
> *Forward Compatibility* - changing the rules such that certain valid transactions become invalid could undermine confidence in the protocol.
>
> *Conservatism* - Users should not be expected to be highly responsive to system issues.
>
> As a result of the above principles, we have developed a strong meme (kudos to Andreas Antonopoulos) that goes as follows:
>
> Not your keys, not your coins.
>
> I posit that the corollary to this principle is:
>
> Your keys, only your coins.
>
> A quantum capable entity breaks the corollary of this foundational principle. We secure our bitcoin with the mathematical probabilities related to extremely large random numbers. Your funds are only secure because truly random large numbers should not be guessable or discoverable by anyone else in the world.
>
> This is the principle behind the motto *vires in numeris* - strength in numbers. In a world with quantum enabled adversaries, this principle is null and void for many types of cryptography, including the elliptic curve digital signatures used in Bitcoin.
>
> Who is at Risk?
> There has long been a narrative that Satoshi's coins and others from the Satoshi era of P2PK locking scripts that exposed the public key directly on the blockchain will be those that get scooped up by a quantum "miner." But unfortunately it's not that simple. If I had a powerful quantum computer, which coins would I target?
> I'd go to the Bitcoin rich list and find the wallets that have exposed their public keys due to re-using addresses that have previously been spent from. You can easily find them at https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html
>
> Note that a few of these wallets, like Bitfinex / Kraken / Tether, would be slightly harder to crack because they are multisig wallets. So a quantum attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfinex / Tether in order to spend funds. But many are single signature.
>
> Point being, it's not only the really old lost BTC that are at risk to a quantum enabled adversary, at least at time of writing. If we add a quantum safe signature scheme, we should expect those wallets to be some of the first to upgrade given their incentives.
>
> The Ethical Dilemma: Quantifying Harm
> Which decision results in the most harm?
>
> By making quantum vulnerable funds unspendable we potentially harm some Bitcoin users who were not paying attention and neglected to migrate their funds to a quantum safe locking script. This violates the "conservatism" principle stated earlier. On the flip side, we prevent those funds plus far more lost funds from falling into the hands of the few privileged folks who gain early access to quantum computers.
>
> By leaving quantum vulnerable funds available to spend, the same set of users who would otherwise have funds frozen are likely to see them stolen. And many early adopters who lost their keys will eventually see their unreachable funds scooped up by a quantum enabled adversary.
>
> Imagine, for example, being James Howells, who accidentally threw away a hard drive with 8,000 BTC on it, currently worth over $600M USD. He has spent a decade trying to retrieve it from the landfill where he knows it's buried, but can't get permission to excavate.
> I suspect that, given the choice, he'd prefer those funds be permanently frozen rather than fall into someone else's possession - I know I would.
>
> Allowing a quantum computer to access lost funds doesn't make those users any worse off than they were before, however it *would* have a negative impact upon everyone who is currently holding bitcoin.
>
> It's prudent to expect significant economic disruption if large amounts of coins fall into new hands. Since a quantum computer is going to have a massive up front cost, expect those behind it to desire to recoup their investment. We also know from experience that when someone suddenly finds themselves in possession of 9+ figures worth of highly liquid assets, they tend to diversify into other things by selling.
>
> Allowing quantum recovery of bitcoin is *tantamount to wealth redistribution*. What we'd be allowing is for bitcoin to be redistributed from those who are ignorant of quantum computers to those who have won the technological race to acquire quantum computers. It's hard to see a bright side to that scenario.
>
> Is Quantum Recovery Good for Anyone?
>
> Does quantum recovery HELP anyone? I've yet to come across an argument that it's a net positive in any way. It certainly doesn't add any security to the network. If anything, it greatly decreases the security of the network by allowing funds to be claimed by those who did not earn them.
>
> But wait, you may be thinking, wouldn't quantum "miners" have earned their coins by all the work and resources invested in building a quantum computer? I suppose, in the same sense that a burglar earns their spoils by the resources they invest into surveilling targets and learning the skills needed to break into buildings. When I say "earned" I mean through productive mutual trade.
>
> For example:
>
> * Investors earn BTC by trading for other currencies.
> * Merchants earn BTC by trading for goods and services.
> * Miners earn BTC by trading thermodynamic security.
> * Quantum miners don't trade anything, they are vampires feeding upon the system.
>
> There's no reason to believe that allowing quantum adversaries to recover vulnerable bitcoin will be of benefit to anyone other than the select few organizations that win the technological arms race to build the first such computers. Probably nation states and/or the top few largest tech companies.
>
> One could certainly hope that an organization with quantum supremacy is benevolent and acts in a "white hat" manner to return lost coins to their owners, but that's incredibly optimistic and foolish to rely upon. Such a situation creates an insurmountable ethical dilemma of only recovering lost bitcoin rather than currently owned bitcoin. There's no way to precisely differentiate between the two; anyone can claim to have lost their bitcoin but if they have lost their keys then proving they ever had the keys becomes rather difficult. I imagine that any such white hat recovery efforts would have to rely upon attestations from trusted third parties like exchanges.
>
> Even if the first actor with quantum supremacy is benevolent, we must assume the technology could fall into adversarial hands and thus think adversarially about the potential worst case outcomes. Imagine, for example, that North Korea continues scooping up billions of dollars from hacking crypto exchanges and decides to invest some of those proceeds into building a quantum computer for the biggest payday ever...
>
> Downsides to Allowing Quantum Recovery
> Let's think through an exhaustive list of pros and cons for allowing or preventing the seizure of funds by a quantum adversary.
>
> Historical Precedent
> Previous protocol vulnerabilities weren't celebrated as "fair game" but rather were treated as failures to be remediated.
> Treating quantum theft differently risks rewriting Bitcoin's history as a free-for-all rather than a system that seeks to protect its users.
>
> Violation of Property Rights
> Allowing a quantum adversary to take control of funds undermines the fundamental principle of cryptocurrency - if you keep your keys in your possession, only you should be able to access your money. Bitcoin is built on the idea that private keys secure an individual's assets, and unauthorized access (even via advanced tech) is theft, not a legitimate transfer.
>
> Erosion of Trust in Bitcoin
> If quantum attackers can exploit vulnerable addresses, confidence in Bitcoin as a secure store of value would collapse. Users and investors rely on cryptographic integrity, and widespread theft could drive adoption away from Bitcoin, destabilizing its ecosystem.
>
> This is essentially the counterpoint to claiming the burning of vulnerable funds is a violation of property rights. While some will certainly see it as such, others will find the apathy toward stopping quantum theft to be similarly concerning.
>
> Unfair Advantage
> Quantum attackers, likely equipped with rare and expensive technology, would have an unjust edge over regular users who lack access to such tools. This creates an inequitable system where only the technologically elite can exploit others, contradicting Bitcoin's ethos of decentralized power.
>
> Bitcoin is designed to create an asymmetric advantage for DEFENDING one's wealth. It's supposed to be impractically expensive for attackers to crack the entropy and cryptography protecting one's coins. But now we find ourselves discussing a situation where this asymmetric advantage is compromised in favor of a specific class of attackers.
>
> Economic Disruption
> Large-scale theft from vulnerable addresses could crash Bitcoin's price as quantum recovered funds are dumped on exchanges.
> This would harm all holders, not just those directly targeted, leading to broader financial chaos in the markets.
>
> Moral Responsibility
> Permitting theft via quantum computing sets a precedent that technological superiority justifies unethical behavior. This is essentially taking a "code is law" stance in which we refuse to admit that both code and laws can be modified to adapt to previously unforeseen situations.
>
> Burning of coins can certainly be considered a form of theft, thus I think it's worth differentiating the two different thefts being discussed:
>
> 1. self-enriching & likely malicious
> 2. harm prevention & not necessarily malicious
>
> Both options lack the consent of the party whose coins are being burnt or transferred, thus I think the simple argument that theft is immoral becomes a wash and it's important to drill down into the details of each.
>
> Incentives Drive Security
> I can tell you from a decade of working in Bitcoin security - the average user is lazy and is a procrastinator. If Bitcoiners are given a "drop dead date" after which they know vulnerable funds will be burned, this pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Allowing vulnerable users to delay upgrading indefinitely will result in more laggards, leaving the network more exposed when quantum tech becomes available.
>
> Steel Manning
> Clearly this is a complex and controversial topic, thus it's worth thinking through the opposing arguments.
>
> Protecting Property Rights
> Allowing quantum computers to take vulnerable bitcoin could potentially be spun as a hard money narrative - we care so greatly about not violating someone's access to their coins that we allow them to be stolen!
>
> But I think the flip side to the property rights narrative is that burning vulnerable coins prevents said property from falling into undeserving hands.
> If the entire Bitcoin ecosystem just stands around and allows quantum adversaries to claim funds that rightfully belong to other users, is that really a "win" in the "protecting property rights" category? It feels more like apathy to me.
>
> As such, I think the "protecting property rights" argument is a wash.
>
> Quantum Computers Won't Attack Bitcoin
> There is a great deal of skepticism that sufficiently powerful quantum computers will ever exist, so we shouldn't bother preparing for a non-existent threat. Others have argued that even if such a computer was built, a quantum attacker would not go after bitcoin because they wouldn't want to reveal their hand by doing so, and would instead attack other infrastructure.
>
> It's quite difficult to quantify exactly how valuable attacking other infrastructure would be. It also really depends upon when an entity gains quantum supremacy and thus if by that time most of the world's systems have already been upgraded. While I think you could argue that certain entities gaining quantum capability might not attack Bitcoin, it would only delay the inevitable - eventually somebody will achieve the capability who decides to use it for such an attack.
>
> Quantum Attackers Would Only Steal Small Amounts
> Some have argued that even if a quantum attacker targeted bitcoin, they'd only go after old, likely lost P2PK outputs so as to not arouse suspicion and cause a market panic.
>
> I'm not so sure about that; why go after 50 BTC at a time when you could take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero day exploit" game theory in which an attacker knows they have a limited amount of time before someone else discovers the exploit and either benefits from it or patches it. Take, for example, the recent ByBit attack - the highest value crypto hack of all time.
> Lazarus Group had compromised the Safe wallet front end JavaScript app and they could have simply had it reassign ownership of everyone's Safe wallets as they were interacting with their wallet. But instead they chose to only specifically target ByBit's wallet with $1.5 billion in it because they wanted to maximize their extractable value. If Lazarus had started stealing from every wallet, they would have been discovered quickly and the Safe web app would likely have been patched well before any billion dollar wallets executed the malicious code.
>
> I think the "only stealing small amounts" argument is strongest for Situation #2 described earlier, where a quantum attacker arrives before quantum safe cryptography has been deployed across the Bitcoin ecosystem. Because if it became clear that Bitcoin's cryptography was broken AND there was nowhere safe for vulnerable users to migrate, the only logical option would be for everyone to liquidate their bitcoin as quickly as possible. As such, I don't think it applies as strongly for situations in which we have a migration path available.
>
> The 21 Million Coin Supply Should be in Circulation
> Some folks are arguing that it's important for the "circulating / spendable" supply to be as close to 21M as possible and that having a significant portion of the supply out of circulation is somehow undesirable.
>
> While the "21M BTC" attribute is a strong memetic narrative, I don't think anyone has ever expected that it would all be in circulation. It has always been understood that many coins will be lost, and that's actually part of the game theory of owning bitcoin!
>
> And remember, the 21M number in and of itself is not a particularly important detail - it's not even mentioned in the whitepaper. What's important is that the supply is well known and not subject to change.
>
> Self-Sovereignty and Personal Responsibility
> Bitcoin's design empowers individuals to control their own wealth, free from centralized intervention. This freedom comes with the burden of securing one's private keys. If quantum computing can break obsolete cryptography, the fault lies with users who didn't move their funds to quantum safe locking scripts. Expecting the network to shield users from their own negligence undermines the principle that you, and not a third party, are accountable for your assets.
>
> I think this is generally a fair point that "the community" doesn't owe you anything in terms of helping you. I think that we do, however, need to consider the incentives and game theory in play with regard to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.
>
> Code is Law
> Bitcoin operates on transparent, immutable rules embedded in its protocol. If a quantum attacker uses superior technology to derive private keys from public keys, they're not "hacking" the system - they're simply following what's mathematically permissible within the current code. Altering the protocol to stop this introduces subjective human intervention, which clashes with the objective, deterministic nature of blockchain.
>
> While I tend to agree that code is law, one of the entire points of laws is that they can be amended to improve their efficacy in reducing harm. Leaning on this point seems more like a pro-ossification stance that it's better to do nothing and allow harm to occur rather than take action to stop an attack that was foreseen far in advance.
>
> Technological Evolution as a Feature, Not a Bug
> It's well known that cryptography tends to weaken over time and eventually break. Quantum computing is just the next step in this progression.
> Users who fail to adapt (e.g., by adopting quantum-resistant wallets when available) are akin to those who ignored technological advancements like multisig or hardware wallets. Allowing quantum theft incentivizes innovation and keeps Bitcoin's ecosystem dynamic, punishing complacency while rewarding vigilance.
>
> Market Signals Drive Security
> If quantum attackers start stealing funds, it sends a clear signal to the market: upgrade your security or lose everything. This pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Coddling vulnerable users delays this necessary evolution, potentially leaving the network more exposed when quantum tech becomes widely accessible. Theft is a brutal but effective teacher.
>
> Centralized Blacklisting Power
> Burning vulnerable funds requires centralized decision-making - a soft fork to invalidate certain transactions. This sets a dangerous precedent for future interventions, eroding Bitcoin's decentralization. If quantum theft is blocked, what's next - reversing exchange hacks? The system must remain neutral, even if it means some lose out.
>
> I think this could be a potential slippery slope if the proposal was to only burn specific addresses. Rather, I'd expect a neutral proposal to burn all funds in locking script types that are known to be quantum vulnerable. Thus, we could eliminate any subjectivity from the code.
>
> Fairness in Competition
> Quantum attackers aren't cheating; they're using publicly available physics and math. Anyone with the resources and foresight can build or access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU. Early adopters took risks and reaped rewards; quantum innovators are doing the same. Calling it "unfair" ignores that Bitcoin has never promised equality of outcome - only equality of opportunity within its rules.
> > I find this argument to be a mischaracterization because we're not talkin= g > about CPUs. This is more akin to talking about ASICs, except each ASIC > costs millions if not billions of dollars. This is out of reach from all > but the wealthiest organizations. > > Economic Resilience > Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and > emerged stronger. The market can absorb quantum losses, with unaffected > users continuing to hold and new entrants buying in at lower prices. Fear > of economic collapse overestimates the impact - the network=E2=80=99s ant= ifragility > thrives on such challenges. > > This is a big grey area because we don't know when a quantum computer wil= l > come online and we don't know how quickly said computers would be able to > steal bitcoin. If, for example, the first generation of sufficiently > powerful quantum computers were stealing less volume than the current blo= ck > reward then of course it will have minimal economic impact. But if they'r= e > taking thousands of BTC per day and bringing them back into circulation, > there will likely be a noticeable market impact as it absorbs the new > supply. > > This is where the circumstances will really matter. If a quantum attacker > appears AFTER the Bitcoin protocol has been upgraded to support quantum > resistant cryptography then we should expect the most valuable active > wallets will have upgraded and the juiciest target would be the 31,000 BT= C > in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant > since 2010. In general I'd expect that the amount of BTC re-entering the > circulating supply would look somewhat similar to the mining emission > curve: volume would start off very high as the most valuable addresses ar= e > drained and then it would fall off as quantum computers went down the lis= t > targeting addresses with less and less BTC. > > Why is economic impact a factor worth considering? Miners and businesses > in general. 
More coins being liquidated will push down the price, which > will negatively impact miner revenue. Similarly, I can attest from workin= g > in the industry for a decade, that lower prices result in less demand fro= m > businesses across the entire industry. As such, burning quantum vulnerabl= e > bitcoin is good for the entire industry. > > Practicality & Neutrality of Non-Intervention > There=E2=80=99s no reliable way to distinguish =E2=80=9Ctheft=E2=80=9D fr= om legitimate "white hat" > key recovery. If someone loses their private key and a quantum computer > recovers it, is that stealing or reclaiming? Policing quantum actions > requires invasive assumptions about intent, which Bitcoin=E2=80=99s trust= less > design can=E2=80=99t accommodate. Letting the chips fall where they may a= voids this > mess. > > Philosophical Purity > Bitcoin rejects bailouts. It=E2=80=99s a cold, hard system where outcomes= reflect > preparation and skill, not sentimentality. If quantum computing upends th= e > game, that=E2=80=99s the point - Bitcoin isn=E2=80=99t meant to be safe o= r fair in a > nanny-state sense; it=E2=80=99s meant to be free. Users who lose funds to= quantum > attacks are casualties of liberty and their own ignorance, not victims of > injustice. > > Bitcoin's DAO Moment > This situation has some similarities to The DAO hack of an Ethereum smart > contract in 2016, which resulted in a fork to stop the attacker and retur= n > funds to their original owners. The game theory is similar because it's a > situation where a threat is known but there's some period of time before > the attacker can actually execute the theft. As such, there's time to > mitigate the attack by changing the protocol. > > It also created a schism in the community around the true meaning of "cod= e > is law," resulting in Ethereum Classic, which decided to allow the attack= er > to retain control of the stolen funds. 
> > A soft fork to burn vulnerable bitcoin could certainly result in a hard > fork if there are enough miners who reject the soft fork and continue > including transactions. > > Incentives Matter > We can wax philosophical until the cows come home, but what are the actua= l > incentives for existing Bitcoin holders regarding this decision? > > "Lost coins only make everyone else's coins worth slightly more. Think of >> it as a donation to everyone." - Satoshi Nakamoto > > > If true, the corollary is: > > "Quantum recovered coins only make everyone else's coins worth less. Thin= k >> of it as a theft from everyone." - Jameson Lopp > > > Thus, assuming we get to a point where quantum resistant signatures are > supported within the Bitcoin protocol, what's the incentive to let > vulnerable coins remain spendable? > > * It's not good for the actual owners of those coins. It disincentivizes > owners from upgrading until perhaps it's too late. > * It's not good for the more attentive / responsible owners of coins who > have quantum secured their stash. Allowing the circulating supply to > balloon will assuredly reduce the purchasing power of all bitcoin holders= . > > Forking Game Theory > From a game theory point of view, I see this as incentivizing users to > upgrade their wallets. If you disagree with the burning of vulnerable > coins, all you have to do is move your funds to a quantum safe signature > scheme. Point being, I don't see there being an economic majority (or eve= n > more than a tiny minority) of users who would fight such a soft fork. Why > expend significant resources fighting a fork when you can just move your > coins to a new address? > > Remember that blocking spending of certain classes of locking scripts is = a > tightening of the rules - a soft fork. As such, it can be meaningfully > enacted and enforced by a mere majority of hashpower. 
If miners generally > agree that it's in their best interest to burn vulnerable coins, are othe= r > users going to care enough to put in the effort to run new node software > that resists the soft fork? Seems unlikely to me. > > How to Execute Burning > In order to be as objective as possible, the goal would be to announce to > the world that after a specific block height / timestamp, Bitcoin nodes > will no longer accept transactions (or blocks containing such transaction= s) > that spend funds from any scripts other than the newly instituted quantum > safe schemes. > > It could take a staggered approach to first freeze funds that are > susceptible to long-range attacks such as those in P2PK scripts or those > that exposed their public keys due to previously re-using addresses, but = I > expect the additional complexity would drive further controversy. > > How long should the grace period be in order to give the ecosystem time t= o > upgrade? I'd say a minimum of 1 year for software wallets to upgrade. We > can only hope that hardware wallet manufacturers are able to implement po= st > quantum cryptography on their existing hardware with only a firmware upda= te. > > Beyond that, it will take at least 6 months worth of block space for all > users to migrate their funds, even in a best case scenario. Though if you > exclude dust UTXOs you could probably get 95% of BTC value migrated in 1 > month. Of course this is a highly optimistic situation where everyone is > completely focused on migrations - in reality it will take far longer. > > Regardless, I'd think that in order to reasonably uphold Bitcoin's > conservatism it would be preferable to allow a 4 year migration window. I= n > the meantime, mining pools could coordinate emergency soft forking logic > such that if quantum attackers materialized, they could accelerate the > countdown to the quantum vulnerable funds burn. 
> > Random Tangential Benefits > On the plus side, burning all quantum vulnerable bitcoin would allow us t= o > prune all of those UTXOs out of the UTXO set, which would also clean up a > lot of dust. Dust UTXOs are a bit of an annoyance and there has even been= a > recent proposal for how to incentivize cleaning them up. > > We should also expect that incentivizing migration of the entire UTXO set > will create substantial demand for block space that will sustain a fee > market for a fairly lengthy amount of time. > > In Summary > While the moral quandary of violating any of Bitcoin's inviolable > properties can make this a very complex issue to discuss, the game theory > and incentives between burning vulnerable coins versus allowing them to b= e > claimed by entities with quantum supremacy appears to be a much simpler > issue. > > I, for one, am not interested in rewarding quantum capable entities by > inflating the circulating money supply just because some people lost thei= r > keys long ago and some laggards are not upgrading their bitcoin wallet's > security. > > We can hope that this scenario never comes to pass, but hope is not a > strategy. > > I welcome your feedback upon any of the above points, and contribution of > any arguments I failed to consider. > > -- > You received this message because you are subscribed to the Google Groups > "Bitcoin Development Mailing List" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to bitcoindev+unsubscribe@googlegroups.com. > To view this discussion visit > https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA= _4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com > > . > --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. 
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= CAGXD5f1eTwqMAkxzdJOup3syR%2B5UjrkAaHroBJT0HQw5FA2_YQ%40mail.gmail.com. --000000000000f49e7406321ca294 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
One possible alternative to freezing/burning the coins entirely is letting quantum attackers keep some small percent as a reward, but force them to stage the rest to future miners as an additional security budget subsidy.

This can be implemented as a soft fork, by requiring transactions spending QC-vulnerable coins to allocate some funds to an OP_CLTV[0]-only encumbered output timelocked far into the future. Miners would then monitor these outputs and claim them as they become available.

For example, allow a 1% reward to be spent freely to any address but require 99% to be sent to an OP_CLTV output timelocked to a deterministically random height between 10-100 years from now.

The 1% reward could also be required to be sent to a script that enforces a timelock (in addition to other conditions), to avoid flooding the markets with the rewarded coins all at once. Probably a shorter timelock duration though, say picked randomly between 10-30 months.

To further smooth out variance in the release schedule, coins could be split into up-to-N-BTC outputs, each staggered with a different deterministic timelock. So for example, a single tx spending 10,000 BTC won't release 9,900 BTC to the miners in a single far-future block (which may cause chain instability if the miners get into a reorg war over it), but rather as 9,900 separate outputs of 1 BTC each released gradually over time.[1]
I'm still not sure what I think about this. This is not necessarily an endorsement, just a thought. :)

- shesek

[0] OP_CSV only supports relative timelocks of up to 65535 blocks (~15 months), which is too short for that purpose. OP_CLTV supports longer (absolute) timelocks.

[1] This can be made more efficient with CTV, by having a single UTXO carrying the full amount that slowly unrolls rather than 9,900 separate UTXO entries.
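The staged-release rule sketched above, modelled as a worked example added here (this is not shesek's code and nothing like it is deployed): it derives the deterministic lock schedule for a spend of QC-vulnerable coins, validates a candidate transaction's outputs against that schedule, and builds the anyone-can-spend OP_CLTV script a miner would eventually claim. The 1% reward share, 1 BTC chunk size, the 10-30 month and 10-100 year windows, the use of SHA-256 over the spending txid as the randomness source, and the choice to take fees out of the reward share are all illustrative assumptions.

```python
# Added example, not shesek's code: toy model of the "stage to future miners"
# soft-fork rule. Constants, chunk size and the SHA-256-over-txid randomness
# source are assumptions chosen for illustration.
import hashlib
from dataclasses import dataclass

SAT = 100_000_000                 # satoshis per BTC
BLOCKS_PER_MONTH = 4_380          # ~10-minute blocks
BLOCKS_PER_YEAR = 52_560
REWARD_BPS = 100                  # 1% the spender may keep (fees come out of this share)
CHUNK_SAT = 1 * SAT               # "up-to-N-BTC outputs" with N = 1
REWARD_LOCK = (10 * BLOCKS_PER_MONTH, 30 * BLOCKS_PER_MONTH)   # 10-30 months
STAGE_LOCK = (10 * BLOCKS_PER_YEAR, 100 * BLOCKS_PER_YEAR)     # 10-100 years

OP_CLTV, OP_DROP, OP_TRUE = 0xB1, 0x75, 0x51


@dataclass(frozen=True)
class RequiredOutput:
    value_sat: int
    lock_height: int   # absolute block height enforced by OP_CLTV
    kind: str          # "reward" or "staged"


def deterministic_lock(seed: bytes, index: int, window: tuple) -> int:
    """Lock delay (in blocks) inside window, derived from seed and output index,
    so every validating node reproduces the same schedule with no extra data."""
    lo, hi = window
    digest = hashlib.sha256(seed + index.to_bytes(4, "big")).digest()
    return lo + int.from_bytes(digest[:8], "big") % (hi - lo + 1)


def required_outputs(spent_sat: int, seed: bytes, tip_height: int) -> list:
    """Outputs a spend of QC-vulnerable coins must create: one reward output
    (<= 1%) and the remaining 99% staged as 1-BTC chunks with staggered locks."""
    reward_sat = spent_sat * REWARD_BPS // 10_000
    outs = [RequiredOutput(reward_sat, tip_height + deterministic_lock(seed, 0, REWARD_LOCK), "reward")]
    remaining, idx = spent_sat - reward_sat, 1
    while remaining > 0:
        value = min(CHUNK_SAT, remaining)
        outs.append(RequiredOutput(value, tip_height + deterministic_lock(seed, idx, STAGE_LOCK), "staged"))
        remaining -= value
        idx += 1
    return outs


def validate_spend(spent_sat: int, seed: bytes, tip_height: int, tx_outputs: list) -> tuple:
    """Consensus-style check over a transaction's (value_sat, lock_height) outputs.
    Staged outputs must match the schedule exactly; the reward output must carry
    its scheduled lock and may be smaller than 1% (the shortfall is the miner fee).
    The reward and staged windows never overlap, so the lock height identifies the kind."""
    expected = required_outputs(spent_sat, seed, tip_height)
    reward = expected[0]
    staged_expected = sorted((o.value_sat, o.lock_height) for o in expected if o.kind == "staged")
    staged_seen, reward_seen = [], []
    for value, lock in tx_outputs:
        (reward_seen if lock == reward.lock_height else staged_seen).append((value, lock))
    if sorted(staged_seen) != staged_expected:
        return False, "staged outputs do not match the deterministic schedule"
    if len(reward_seen) != 1 or reward_seen[0][0] > reward.value_sat:
        return False, "reward output missing or exceeds the 1% allowance"
    return True, "ok"


def script_number(n: int) -> bytes:
    """Minimal Bitcoin script-number encoding (little-endian, sign bit in the top byte)."""
    if n == 0:
        return b""
    neg, n = n < 0, abs(n)
    result = bytearray()
    while n:
        result.append(n & 0xFF)
        n >>= 8
    if result[-1] & 0x80:            # top bit used by magnitude: add a sign byte
        result.append(0x80 if neg else 0x00)
    elif neg:
        result[-1] |= 0x80
    return bytes(result)


def cltv_anyone_can_spend(lock_height: int) -> bytes:
    """scriptPubKey for a staged output: <height> OP_CHECKLOCKTIMEVERIFY OP_DROP OP_TRUE.
    Anyone (in practice, miners) can claim it once the chain reaches lock_height."""
    num = script_number(lock_height)
    return bytes([len(num)]) + num + bytes([OP_CLTV, OP_DROP, OP_TRUE])


if __name__ == "__main__":
    # Constructed sample: a 10,000 BTC spend confirmed at tip height 890,000
    schedule = required_outputs(10_000 * SAT, b"constructed-spending-txid", 890_000)
    print(len(schedule), "required outputs; first staged lock at height", schedule[1].lock_height)
    print("staged scriptPubKey:", cltv_anyone_can_spend(schedule[1].lock_height).hex())
```

Footnote [1]'s CTV variant would replace the 9,900 separate outputs with one covenant that unrolls the same schedule; the lock derivation above would be unchanged.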


On Sun, Mar 16, 2025 at 5:22 PM Jameson Lopp <jameson.lopp@gmail.com> wrote:
The quantum computing debate is heating up. There are many controversial aspects to this debate, including whether or not quantum computers will ever actually become a practical threat.

I won't tread into the unanswerable question of how worried we should be about quantum computers. I think it's far from a crisis, but given the difficulty in changing Bitcoin it's worth starting to seriously discuss. Today I wish to focus on a philosophical quandary related to one of the decisions that would need to be made if and when we implement a quantum safe signature scheme.

Several Scenarios
Because this essay will reference game theory a fair amount, and there are many variables at play that could change the nature of the game, I think it's important to clarify the possible scenarios up front.

1. Quantum computing never materializes, never becomes a threat, and thus everything discussed in this essay is moot.
2. A quantum computing threat materializes suddenly and Bitcoin does not have quantum safe signatures as part of the protocol. In this scenario it would likely make the points below moot because Bitcoin would be fundamentally broken and it would take far too long to upgrade the protocol, wallet software, and migrate user funds in order to restore confidence in the network.
3. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been minimally adopted by the time an attacker appears.
4. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been highly adopted by the time an attacker appears.

For the purposes of this post, I'm envisioning being in situation 3 or 4.

To Freeze or not to Freeze?
I've started seeing more people weighing in on what is likely the most contentious aspect of how a quantum resistance upgrade should be handled in terms of migrating user funds. Should quantum vulnerable funds be left open to be swept by anyone with a sufficiently powerful quantum computer OR should they be permanently locked?

"I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation."
- Hunter Beast

On the other hand:
"Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone; even those which diligently moved their coins to PQC-protected schemes."
- Pieter Wuille

I don't think "confiscation" is the most precise term to use, as the funds are not being seized and reassigned. Rather, what we're really discussing would be better described as "burning" - placing the funds out of reach of everyone.

Not freezing user funds is one of Bitcoin's inviolable properties. However, if quantum computing becomes a threat to Bitcoin's elliptic curve cryptography, an inviolable property of Bitcoin will be violated one way or another.

Fundamental Properties at Risk
5 years ago I attempted to comprehensively categorize all of Bitcoin's fundamental properties that give it value. https://nakamoto.com/what-are-the-key-properties-of-bitcoin/

The particular properties in play with regard to this issue seem to be:

Censorship Resistance - No one should have the power to prevent others from using their bitcoin or interacting with the network.

Forward Compatibility - changing the rules such that certain valid transactions become invalid could undermine confidence in the protocol.

Conservatism - Users should not be expected to be highly responsive to system issues.

As a result of the above principles, we have developed a strong meme (kudos to Andreas Antonopoulos) that goes as follows:

Not your keys, not your coins.

I posit that the corollary to this principle is:

Your keys, only your coins.

A quantum capable entity breaks the corollary of this foundational principle. We secure our bitcoin with the mathematical probabilities related to extremely large random numbers. Your funds are only secure because truly random large numbers should not be guessable or discoverable by anyone else in the world.

This is the principle behind the motto vires in numeris - strength in numbers. In a world with quantum enabled adversaries, this principle is null and void for many types of cryptography, including the elliptic curve digital signatures used in Bitcoin.

Who is at Risk?
There has long been a narrative that Satoshi's coins and others from the Satoshi era of P2PK locking scripts that exposed the public key directly on the blockchain will be those that get scooped up by a quantum "miner." But unfortunately it's not that simple. If I had a powerful quantum computer, which coins would I target? I'd go to the Bitcoin rich list and find the wallets that have exposed their public keys due to re-using addresses that have previously been spent from. You can easily find them at https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html

Note that a few of these wallets, like Bitfinex / Kraken / Tether, would be slightly harder to crack because they are multisig wallets. So a quantum attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfinex / Tether in order to spend funds. But many are single signature.

Point being, it's not only the really old lost BTC that are at risk to a quantum enabled adversary, at least at time of writing. If we add a quantum safe signature scheme, we should expect those wallets to be some of the first to upgrade given their incentives.

The Ethical Dilemma: Quantifying Harm
Which decision results in the most harm?

By making quantum vulnerable funds unspendable we potentially harm some Bitcoin users who were not paying attention and neglected to migrate their funds to a quantum safe locking script. This violates the "conservatism" principle stated earlier. On the flip side, we prevent those funds plus far more lost funds from falling into the hands of the few privileged folks who gain early access to quantum computers.

By leaving quantum vulnerable funds available to spend, the same set of users who would otherwise have funds frozen are likely to see them stolen. And many early adopters who lost their keys will eventually see their unreachable funds scooped up by a quantum enabled adversary.

Imagine, for example, being James Howells, who accidentally threw away a hard drive with 8,000 BTC on it, currently worth over $600M USD. He has spent a decade trying to retrieve it from the landfill where he knows it's buried, but can't get permission to excavate. I suspect that, given the choice, he'd prefer those funds be permanently frozen rather than fall into someone else's possession - I know I would.

Allowing a quantum computer to access lost funds doesn't make those users any worse off than they were before, however it would have a negative impact upon everyone who is currently holding bitcoin.

It's prudent to expect significant economic disruption if large amounts of coins fall into new hands. Since a quantum computer is going to have a massive up front cost, expect those behind it to desire to recoup their investment. We also know from experience that when someone suddenly finds themselves in possession of 9+ figures worth of highly liquid assets, they tend to diversify into other things by selling.

Allowing quantum recovery of bitcoin is tantamount to wealth redistribution. What we'd be allowing is for bitcoin to be redistributed from those who are ignorant of quantum computers to those who have won the technological race to acquire quantum computers. It's hard to see a bright side to that scenario.

Is Quantum Recovery Good for Anyone?

Does quantum recovery HELP anyone? I've yet to come across an argument that it's a net positive in any way. It certainly doesn't add any security to the network. If anything, it greatly decreases the security of the network by allowing funds to be claimed by those who did not earn them.

But wait, you may be thinking, wouldn't quantum "miners" have earned their coins by all the work and resources invested in building a quantum computer? I suppose, in the same sense that a burglar earns their spoils by the resources they invest into surveilling targets and learning the skills needed to break into buildings. When I say "earned" I mean through productive mutual trade.

For example:

* Investors earn BTC by trading for other currencies.
* Merchants earn BTC by trading for goods and services.
* Miners earn BTC by trading thermodynamic security.
* Quantum miners don't trade anything, they are vampires feeding upon the system.

There's no reason to believe that allowing quantum adversaries to recover vulnerable bitcoin will be of benefit to anyone other than the select few organizations that win the technological arms race to build the first such computers. Probably nation states and/or the top few largest tech companies.

One could certainly hope that an organization with quantum supremacy is benevolent and acts in a "white hat" manner to return lost coins to their owners, but that's incredibly optimistic and foolish to rely upon. Such a situation creates an insurmountable ethical dilemma of only recovering lost bitcoin rather than currently owned bitcoin. There's no way to precisely differentiate between the two; anyone can claim to have lost their bitcoin but if they have lost their keys then proving they ever had the keys becomes rather difficult. I imagine that any such white hat recovery efforts would have to rely upon attestations from trusted third parties like exchanges.

Even if the first actor with quantum supremacy is benevolent, we must assume the technology could fall into adversarial hands and thus think adversarially about the potential worst case outcomes. Imagine, for example, that North Korea continues scooping up billions of dollars from hacking crypto exchanges and decides to invest some of those proceeds into building a quantum computer for the biggest payday ever...

Downsides to Allowing Quantum Recovery
Let's think through an exhaustive list of pros and cons for allowing or preventing the seizure of funds by a quantum adversary.

Historical Precedent

Previous protocol vulnerabilities weren’t celebrated as "fair game" but rather were treated as failures to be remediated. Treating quantum theft differently risks rewriting Bitcoin’s history as a free-for-all rather than a system that seeks to protect its users.

Violation of Property Rights
Allowing a quantum adversary to take control of funds undermines the fundamental principle of cryptocurrency - if you keep your keys in your possession, only you should be able to access your money. Bitcoin is built on the idea that private keys secure an individual’s assets, and unauthorized access (even via advanced tech) is theft, not a legitimate transfer.

Erosion of Trust in Bitcoin
If quantum attackers can exploit vulnerable addresses, confidence in Bitcoin as a secure store of value would collapse. Users and investors rely on cryptographic integrity, and widespread theft could drive adoption away from Bitcoin, destabilizing its ecosystem.

This is essentially the counterpoint to claiming the burning of vulnerable funds is a violation of property rights. While some will certainly see it as such, others will find the apathy toward stopping quantum theft to be similarly concerning.

Unfair Advantage
Quantum attackers, likely equipped with rare and expensive technology, would have an unjust edge over regular users who lack access to such tools. This creates an inequitable system where only the technologically elite can exploit others, contradicting Bitcoin’s ethos of decentralized power.

Bitcoin is designed to create an asymmetric advantage for DEFENDING one's wealth. It's supposed to be impractically expensive for attackers to crack the entropy and cryptography protecting one's coins. But now we find ourselves discussing a situation where this asymmetric advantage is compromised in favor of a specific class of attackers.

Economic Disruption
Large-scale theft from vulnerable addresses could crash Bitcoin’s price as quantum recovered funds are dumped on exchanges. This would harm all holders, not just those directly targeted, leading to broader financial chaos in the markets.

Moral Responsibility
Permitting theft via quantum computing sets a precedent that technological superiority justifies unethical behavior. This is essentially taking a "code is law" stance in which we refuse to admit that both code and laws can be modified to adapt to previously unforeseen situations.

Burning of coins can certainly be considered a form of theft, thus I think it's worth differentiating the two different thefts being discussed:

1. self-enriching & likely malicious
2. harm prevention & not necessarily malicious

Both options lack the consent of the party whose coins are being burnt or transferred, thus I think the simple argument that theft is immoral becomes a wash and it's important to drill down into the details of each.

Incentives Drive Security
I can tell you from a decade of working in Bitcoin security - the average user is lazy and is a procrastinator. If Bitcoiners are given a "drop dead date" after which they know vulnerable funds will be burned, this pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Allowing vulnerable users to delay upgrading indefinitely will result in more laggards, leaving the network more exposed when quantum tech becomes available.

Steel Manning
Clearly this is a complex and controversial topic, thus it's worth thinking through the opposing arguments.

Protecting Property Rights
Allowing quantum computers to take vulnerable bitcoin could potentially be spun as a hard money narrative - we care so greatly about not violating someone's access to their coins that we allow them to be stolen!

But I think the flip side to the property rights narrative is that burning vulnerable coins prevents said property from falling into undeserving hands. If the entire Bitcoin ecosystem just stands around and allows quantum adversaries to claim funds that rightfully belong to other users, is that really a "win" in the "protecting property rights" category? It feels more like apathy to me.

As such, I think the "protecting property rights" argument is a wash.

Quantum Computers Won't Attack Bitcoin
There is a great deal of skepticism that sufficiently powerful quantum computers will ever exist, so we shouldn't bother preparing for a non-existent threat. Others have argued that even if such a computer was built, a quantum attacker would not go after bitcoin because they wouldn't want to reveal their hand by doing so, and would instead attack other infrastructure.

It's quite difficult to quantify exactly how valuable attacking other infrastructure would be. It also really depends upon when an entity gains quantum supremacy and thus if by that time most of the world's systems have already been upgraded. While I think you could argue that certain entities gaining quantum capability might not attack Bitcoin, it would only delay the inevitable - eventually somebody will achieve the capability who decides to use it for such an attack.

Quantum Attackers Would Only Steal Small Amounts

Some have argued that even if a quantum attacker targeted bitcoin, they'd only go after old, likely lost P2PK outputs so as to not arouse suspicion and cause a market panic.

I'm not so sure about that; why go after 50 BTC at a time when you could take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero day exploit" game theory in which an attacker knows they have a limited amount of time before someone else discovers the exploit and either benefits from it or patches it. Take, for example, the recent ByBit attack - the highest value crypto hack of all time. Lazarus Group had compromised the Safe wallet front end JavaScript app and they could have simply had it reassign ownership of everyone's Safe wallets as they were interacting with their wallet. But instead they chose to only specifically target ByBit's wallet with $1.5 billion in it because they wanted to maximize their extractable value. If Lazarus had started stealing from every wallet, they would have been discovered quickly and the Safe web app would likely have been patched well before any billion dollar wallets executed the malicious code.

I think the "only stealing small amounts" argument is strongest for Situation #2 described earlier, where a quantum attacker arrives before quantum safe cryptography has been deployed across the Bitcoin ecosystem. Because if it became clear that Bitcoin's cryptography was broken AND there was nowhere safe for vulnerable users to migrate, the only logical option would be for everyone to liquidate their bitcoin as quickly as possible. As such, I don't think it applies as strongly for situations in which we have a migration path available.

The 21 Million Coin Supply Should be in Circulation
Some folks are arguing that it's important for the "circulating / spendable" supply to be as close to 21M as possible and that having a significant portion of the supply out of circulation is somehow undesirable.

While the "21M BTC" attribute is a strong memetic narrative, I don't think anyone has ever expected that it would all be in circulation. It has always been understood that many coins will be lost, and that's actually part of the game theory of owning bitcoin!

And remember, the 21M number in and of itself is not a particularly important detail - it's not even mentioned in the whitepaper. What's important is that the supply is well known and not subject to change.
Self-Sovereignty and Personal Responsibility=
Bitcoin=E2=80=99s design empowers individuals to control their own weal= th, free from centralized intervention. This freedom comes with the burden = of securing one's private keys. If quantum computing can break obsolete= cryptography, the fault lies with users who didn't move their funds to= quantum safe locking scripts. Expecting the network to shield users from t= heir own negligence undermines the principle that you, and not a third part= y, are accountable for your assets.

I think this is generally a fair= point that "the community" doesn't owe you anything in terms= of helping you. I think that we do, however, need to consider the incentiv= es and game theory in play with regard to quantum safe Bitcoiners vs quantu= m vulnerable Bitcoiners. More on that later.

Code is Law
Bitcoin operates on transparent, immutable rules embedded in its protocol. If a quantum attacker uses superior technology to derive private keys from public keys, they’re not "hacking" the system - they're simply following what's mathematically permissible within the current code. Altering the protocol to stop this introduces subjective human intervention, which clashes with the objective, deterministic nature of blockchain.

While I tend to agree that code is law, one of the entire points of laws is that they can be amended to improve their efficacy in reducing harm. Leaning on this point seems more like a pro-ossification stance that it's better to do nothing and allow harm to occur rather than take action to stop an attack that was foreseen far in advance.

Technological Evolution as a Feature, Not a Bug
It's well known that cryptography tends to weaken over time and eventually break. Quantum computing is just the next step in this progression. Users who fail to adapt (e.g., by adopting quantum-resistant wallets when available) are akin to those who ignored technological advancements like multisig or hardware wallets. Allowing quantum theft incentivizes innovation and keeps Bitcoin’s ecosystem dynamic, punishing complacency while rewarding vigilance.

Market Signals Drive Security
If quantum attackers start stealing funds, it sends a clear signal to the market: upgrade your security or lose everything. This pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Coddling vulnerable users delays this necessary evolution, potentially leaving the network more exposed when quantum tech becomes widely accessible. Theft is a brutal but effective teacher.

Centralized Blacklisting Power
Burning vulnerable funds requires centralized decision-making - a soft fork to invalidate certain transactions. This sets a dangerous precedent for future interventions, eroding Bitcoin’s decentralization. If quantum theft is blocked, what’s next - reversing exchange hacks? The system must remain neutral, even if it means some lose out.

I think this could be a potential slippery slope if the proposal was to only burn specific addresses. Rather, I'd expect a neutral proposal to burn all funds in locking script types that are known to be quantum vulnerable. Thus, we could eliminate any subjectivity from the code.

Fairness in Competition
Quantum attackers aren't cheating; they're using publicly available physics and math. Anyone with the resources and foresight can build or access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU. Early adopters took risks and reaped rewards; quantum innovators are doing the same. Calling it “unfair” ignores that Bitcoin has never promised equality of outcome - only equality of opportunity within its rules.

I find this argument to be a mischaracterization because we're not talking about CPUs. This is more akin to talking about ASICs, except each ASIC costs millions if not billions of dollars. This is out of reach from all but the wealthiest organizations.

Economic Resilience
Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and emerged stronger. The market can absorb quantum losses, with unaffected users continuing to hold and new entrants buying in at lower prices. Fear of economic collapse overestimates the impact - the network’s antifragility thrives on such challenges.

This is a big grey area because we don't know when a quantum computer will come online and we don't know how quickly said computers would be able to steal bitcoin. If, for example, the first generation of sufficiently powerful quantum computers were stealing less volume than the current block reward then of course it will have minimal economic impact. But if they're taking thousands of BTC per day and bringing them back into circulation, there will likely be a noticeable market impact as it absorbs the new supply.

This is where the circumstances will really matter. If a quantum attacker appears AFTER the Bitcoin protocol has been upgraded to support quantum resistant cryptography then we should expect the most valuable active wallets will have upgraded and the juiciest target would be the 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant since 2010. In general I'd expect that the amount of BTC re-entering the circulating supply would look somewhat similar to the mining emission curve: volume would start off very high as the most valuable addresses are drained and then it would fall off as quantum computers went down the list targeting addresses with less and less BTC.

Why is economic impact a factor worth considering? Miners and businesses in general. More coins being liquidated will push down the price, which will negatively impact miner revenue. Similarly, I can attest from working in the industry for a decade, that lower prices result in less demand from businesses across the entire industry. As such, burning quantum vulnerable bitcoin is good for the entire industry.

Practicality & Neutrality of Non-Intervention
There’s no reliable way to distinguish “theft” from legitimate "white hat" key recovery. If someone loses their private key and a quantum computer recovers it, is that stealing or reclaiming? Policing quantum actions requires invasive assumptions about intent, which Bitcoin’s trustless design can’t accommodate. Letting the chips fall where they may avoids this mess.

Philosophical Purity
Bitcoin rejects bailouts. It’s a cold, hard system where outcomes reflect preparation and skill, not sentimentality. If quantum computing upends the game, that’s the point - Bitcoin isn’t meant to be safe or fair in a nanny-state sense; it’s meant to be free. Users who lose funds to quantum attacks are casualties of liberty and their own ignorance, not victims of injustice.

Bitcoin's DAO Moment
This situation has some similarities to The DAO hack of an Ethereum smart contract in 2016, which resulted in a fork to stop the attacker and return funds to their original owners. The game theory is similar because it's a situation where a threat is known but there's some period of time before the attacker can actually execute the theft. As such, there's time to mitigate the attack by changing the protocol.

It also created a schism in the community around the true meaning of "code is law," resulting in Ethereum Classic, which decided to allow the attacker to retain control of the stolen funds.

A soft fork to burn vulnerable bitcoin could certainly result in a hard fork if there are enough miners who reject the soft fork and continue including transactions.

Incentives Matter
We can wax philosophical until the cows come home, but what are the actual incentives for existing Bitcoin holders regarding this decision?

"Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone." - Satoshi Nakamoto

If true, the corollary is:

"Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone." - Jameson Lopp

Thus, assuming we get to a point where quantum resistant signatures are supported within the Bitcoin protocol, what's the incentive to let vulnerable coins remain spendable?

* It's not good for the actual owners of those coins. It disincentivizes owners from upgrading until perhaps it's too late.
* It's not good for the more attentive / responsible owners of coins who have quantum secured their stash. Allowing the circulating supply to balloon will assuredly reduce the purchasing power of all bitcoin holders.

Forking Game Theory
From a game theory point of view, I see this as incentivizing users to upgrade their wallets. If you disagree with the burning of vulnerable coins, all you have to do is move your funds to a quantum safe signature scheme. Point being, I don't see there being an economic majority (or even more than a tiny minority) of users who would fight such a soft fork. Why expend significant resources fighting a fork when you can just move your coins to a new address?

Remember that blocking spending of certain classes of locking scripts is a tightening of the rules - a soft fork. As such, it can be meaningfully enacted and enforced by a mere majority of hashpower. If miners generally agree that it's in their best interest to burn vulnerable coins, are other users going to care enough to put in the effort to run new node software that resists the soft fork? Seems unlikely to me.

How to Execute Burning
In order to be as objective as possible, the goal would be to announce to the world that after a specific block height / timestamp, Bitcoin nodes will no longer accept transactions (or blocks containing such transactions) that spend funds from any scripts other than the newly instituted quantum safe schemes.

It could take a staggered approach to first freeze funds that are susceptible to long-range attacks such as those in P2PK scripts or those that exposed their public keys due to previously re-using addresses, but I expect the additional complexity would drive further controversy.

How long should the grace period be in order to give the ecosystem time to upgrade? I'd say a minimum of 1 year for software wallets to upgrade. We can only hope that hardware wallet manufacturers are able to implement post quantum cryptography on their existing hardware with only a firmware update.

Beyond that, it will take at least 6 months worth of block space for all users to migrate their funds, even in a best case scenario. Though if you exclude dust UTXOs you could probably get 95% of BTC value migrated in 1 month. Of course this is a highly optimistic situation where everyone is completely focused on migrations - in reality it will take far longer.

Regardless, I'd think that in order to reasonably uphold Bitcoin's conservatism it would be preferable to allow a 4 year migration window. In the meantime, mining pools could coordinate emergency soft forking logic such that if quantum attackers materialized, they could accelerate the countdown to the quantum vulnerable funds burn.

Random Tangential Benefits
On the plus side, burning all quantum vulnerable bitcoin would allow us to prune all of those UTXOs out of the UTXO set, which would also clean up a lot of dust. Dust UTXOs are a bit of an annoyance and there has even been a recent proposal for how to incentivize cleaning them up.

We should also expect that incentivizing migration of the entire UTXO set will create substantial demand for block space that will sustain a fee market for a fairly lengthy amount of time.

In Summary
While the moral quandary of violating any of Bitcoin's inviolable properties can make this a very complex issue to discuss, the game theory and incentives between burning vulnerable coins versus allowing them to be claimed by entities with quantum supremacy appears to be a much simpler issue.

I, for one, am not interested in rewarding quantum capable entities by inflating the circulating money supply just because some people lost their keys long ago and some laggards are not upgrading their bitcoin wallet's security.

We can hope that this scenario never comes to pass, but hope is not a strategy.

I welcome your feedback upon any of the above points, and contribution of any arguments I failed to consider.

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAGXD5f1eTwqMAkxzdJOup3syR%2B5UjrkAaHroBJT0HQw5FA2_YQ%40mail.gmail.com.
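Editor's added example, not code from the post or from any Bitcoin implementation: a toy model of the staggered "freeze spends from non-quantum-safe scripts after a given height" soft fork rule described under "How to Execute Burning". The two activation heights, the post-quantum output type (a hypothetical witness version 2 program) and the per-output "pubkey already exposed by reuse" flag are all assumptions; it goes slightly beyond the post by also treating P2TR outputs as key-exposing, since the x-only key sits in the output script.

```python
# Added example (editor's, not from the post). Heights and the PQ output
# type are placeholders; a real proposal would define both in a BIP.
PHASE1_HEIGHT = 1_000_000   # assumed: long-range-vulnerable scripts frozen
PHASE2_HEIGHT = 1_210_000   # assumed: all remaining pre-quantum scripts frozen
PQ_WITNESS_VERSION = 2      # hypothetical placeholder for a PQ output type

def classify(spk: bytes) -> str:
    """Classify a scriptPubKey by its standard template."""
    if len(spk) in (35, 67) and spk[0] in (0x21, 0x41) and spk[-1] == 0xAC:
        return "p2pk"      # raw public key sits in the output itself
    if len(spk) == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh"     # key hashed; revealed only when spent
    if len(spk) == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh"
    if len(spk) == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh"
    if len(spk) == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh"
    if len(spk) == 34 and spk[:2] == b"\x51\x20":
        return "p2tr"      # x-only key is in the output (editor's note)
    if len(spk) >= 4 and spk[0] == 0x50 + PQ_WITNESS_VERSION and spk[1] == len(spk) - 2:
        return "pq"        # assumed post-quantum scheme
    return "unknown"

def long_range_vulnerable(spk: bytes, pubkey_exposed: bool) -> bool:
    """Phase 1 set: the key is already public, either because the template
    exposes it (P2PK, P2TR) or because address reuse revealed it on-chain."""
    kind = classify(spk)
    if kind in ("p2pk", "p2tr"):
        return True
    return kind in ("p2pkh", "p2wpkh", "p2sh", "p2wsh") and pubkey_exposed

def spend_allowed(spk: bytes, height: int, pubkey_exposed: bool = False) -> bool:
    """Soft-fork rule for one input: may an output locked by `spk` be spent
    in a block at `height`?  PQ outputs are always spendable."""
    if classify(spk) == "pq":
        return True
    if height >= PHASE2_HEIGHT:
        return False                      # everything pre-quantum is burned
    if height >= PHASE1_HEIGHT and long_range_vulnerable(spk, pubkey_exposed):
        return False
    return True

def tx_spends_allowed(prevouts, height: int) -> bool:
    """Apply the rule to every input; prevouts is a list of
    (scriptPubKey, pubkey_exposed) pairs for the outputs being spent."""
    return all(spend_allowed(spk, height, exposed) for spk, exposed in prevouts)
```

Tightening the rule this way is a soft fork because every transaction the new rule accepts was already valid under the old one; the reverse does not hold, which is why a hashpower majority can enforce it.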