Date: Mon, 26 May 2025 15:40:22 +0000
To: Bitcoin Development Mailing List
From: "'ArmchairCryptologist' via Bitcoin Development Mailing List"
Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin

Hi,

With the longer grace period and selective deactivation, this seems more sensible, but there is one elephant in the room that I haven't seen mentioned here - namely, the legal aspect. (If it was, sorry I missed it.)

I'm not a lawyer, but if developers make a conscious decision to make a code change that confiscates funds, even with a reasonable heads-up, I feel like some lawyers might be tempted to make an argument that those developers should be held responsible for any losses. As everyone knows, Bitcoin has been under legal attacks before, and I'm not sure that anyone would (or should) be willing to sign off on a change that might potentially open them up to several billion dollars worth of personal responsibility - especially if the "bonded courier" actually shows up and reveals a private key that would have unlocked funds under the pre-QC scheme.

The only safe-ish way I can see to do this is to have it only affect funds that are very likely to be lost in the first place. So at the very least, it could not affect UTXOs that could potentially be encumbered with a timelock (i.e. P2SH/P2WSH), and it could only affect UTXOs that have not moved for a very long time (say 15-20 years).

If quantum computers capable of practical attacks against Bitcoin are ever known to actually exist, sending to non-PQC addresses should of course be disabled immediately. But I feel that the nature of a permissionless system implies a large degree of self-responsibility, so if someone chooses to keep using non-PQC addresses even after PQC addresses have become available and practical quantum attacks are suspected to be an imminent danger, it's not necessarily up to the developers to tell them they can't, only that they really shouldn't.

--
Regards,
ArmchairCryptologist

On Monday, May 26th, 2025 at 2:48 AM, Agustin Cruz wrote:

> Hi everyone,
>
> QRAMP proposal aims to manage the quantum transition responsibly without disrupting Bitcoin’s core principles.
>
> QRAMP has three phases:
>
> 1. Allow wallets to optionally include PQC keys in Taproot outputs. This enables early adoption without forcing anyone.
>
> 2. Announce a soft fork to disable vulnerable scripts, with a long (~4-year) grace period. This gives ample time to migrate and avoids sudden shocks.
>
> 3. Gradually deactivate vulnerable outputs based on age or inactivity. This avoids a harsh cutoff and gives time for adaptation.
>
> We can also allow exceptions via proof-of-possession, and delay restrictions on timelocked outputs to avoid harming future spenders.
>
> QRAMP is not about confiscation or control. It’s about aligning incentives, maintaining security, and offering a clear, non-coercive upgrade path.
>
> Best,
> Agustin Cruz
>
> On Sun, 25 May 2025, 7:03 p.m., Dustin Ray wrote:
>
>> The difference between the ETH/ETC split though was that no one had anything confiscated except the DAO hacker, everyone retained an identical number of tokens on each chain. The proposal for BTC is very different in that some holders will lose access to their coins during the PQ migration under the confiscation approach. Just wanted to point that out.
>>
>> On Sun, May 25, 2025 at 3:06 PM 'conduition' via Bitcoin Development Mailing List wrote:
>>
>>> Hey Saulo,
>>>
>>> You're right about the possibility of an ugly split. Laggards who don't move coins to PQ address schemes will be incentivized to follow any chain where they keep their coins. But those who do migrate will be incentivized to follow the chain where unmigrated pre-quantum coins are frozen.
>>>
>>> While you're comparing this event to the ETH/ETC split, we should remember that ETH remained the dominant chain despite their heavy-handed rollback. Just goes to show, confusion and face-loss is a lesser evil than allowing an adversary to pwn the network.
>>>
>>>> This is the free-market way to solve problems without imposing rules on everyone.
>>>
>>> It'd still be a free market even if quantum-vulnerable coins are frozen. The only way to test the relative value of quantum-safe vs quantum-vulnerable coins is to split the chain and see how the market reacts.
>>>
>>> IMO, the "free market way" is to give people options and let their money flow to where it works best. That means people should be able to choose whether they want their money to be part of a system that allows quantum attack, or part of one which does not. I know which I would choose, but neither you nor I can make that choice for everyone.
>>>
>>> regards,
>>> conduition
>>> On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz wrote:
>>>
>>>> I’m against letting quantum computers scoop up funds from addresses that don’t upgrade to quantum-resistant.
>>>> Saulo’s idea of a free-market approach, leaving old coins up for grabs if people don’t move them, sounds fair at first. Let luck decide, right? But I worry it’d turn into a mess. If quantum machines start cracking keys and snagging coins, it’s not just lost Satoshi-era stuff at risk. Plenty of active wallets, like those on the rich list Jameson mentioned, could get hit too. Imagine millions of BTC flooding the market. Prices tank, trust in Bitcoin takes a dive, and we all feel the pain. Freezing those vulnerable funds keeps that chaos in check.
>>>> Plus, “your keys, your coins” is Bitcoin’s heart. If quantum tech can steal from you just because you didn’t upgrade fast enough, that promise feels shaky. Freezing funds after a heads-up period (say, four years) protects that idea better than letting tech giants or rogue states play vampire with our network. It also nudges people to get their act together and move to safer addresses, which strengthens Bitcoin long-term.
>>>> Saulo’s right that freezing coins could confuse folks or spark a split like Ethereum Classic. But I’d argue quantum theft would look worse. Bitcoin would seem broken, not just strict. A clear plan and enough time to migrate could smooth things over. History’s on our side too. Bitcoin’s fixed bugs before, like SegWit. This feels like that, not a bailout.
>>>> So yeah, I’d rather see vulnerable coins locked than handed to whoever builds the first quantum rig. It’s less about coddling people and more about keeping Bitcoin solid for everyone. What do you all think?
>>>> Cheers,
>>>> Agustín
>>>>
>>>> On Sun, Mar 23, 2025 at 10:29 PM AstroTown wrote:
>>>>
>>>>> I believe that having some entity announce the decision to freeze old UTXOs would be more damaging to Bitcoin’s image (and its value) than having them gathered by QC. This would create another version of Bitcoin, similar to Ethereum Classic, causing confusion in the market.
>>>>>
>>>>> It would be better to simply implement the possibility of moving funds to a PQC address without a deadline, allowing those who fail to do so to rely on luck to avoid having their coins stolen. Most coins would be migrated to PQC anyway, and in most cases, only the lost ones would remain vulnerable. This is the free-market way to solve problems without imposing rules on everyone.
>>>>>
>>>>> Saulo Fonseca
>>>>>
>>>>>> On 16. Mar 2025, at 15:15, Jameson Lopp wrote:
>>>>>>
>>>>>> The quantum computing debate is heating up. There are many controversial aspects to this debate, including whether or not quantum computers will ever actually become a practical threat.
>>>>>>
>>>>>> I won't tread into the unanswerable question of how worried we should be about quantum computers. I think it's far from a crisis, but given the difficulty in changing Bitcoin it's worth starting to seriously discuss. Today I wish to focus on a philosophical quandary related to one of the decisions that would need to be made if and when we implement a quantum safe signature scheme.
>>>>>>
>>>>>> Several Scenarios
>>>>>> Because this essay will reference game theory a fair amount, and there are many variables at play that could change the nature of the game, I think it's important to clarify the possible scenarios up front.
>>>>>>
>>>>>> 1. Quantum computing never materializes, never becomes a threat, and thus everything discussed in this essay is moot.
>>>>>> 2. A quantum computing threat materializes suddenly and Bitcoin does not have quantum safe signatures as part of the protocol. In this scenario it would likely make the points below moot because Bitcoin would be fundamentally broken and it would take far too long to upgrade the protocol, wallet software, and migrate user funds in order to restore confidence in the network.
>>>>>> 3. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been minimally adopted by the time an attacker appears.
>>>>>> 4. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been highly adopted by the time an attacker appears.
>>>>>>
>>>>>> For the purposes of this post, I'm envisioning being in situation 3 or 4.
>>>>>>
>>>>>> To Freeze or not to Freeze?
>>>>>> I've started seeing more people weighing in on what is likely the most contentious aspect of how a quantum resistance upgrade should be handled in terms of migrating user funds. Should quantum vulnerable funds be left open to be swept by anyone with a sufficiently powerful quantum computer OR should they be permanently locked?
>>>>>>
>>>>>>> "I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation."
>>>>>>
>>>>>>> - Hunter Beast
>>>>>>
>>>>>> On the other hand:
>>>>>>
>>>>>>> "Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone; even those which diligently moved their coins to PQC-protected schemes."
>>>>>>> - Pieter Wuille
>>>>>>
>>>>>> I don't think "confiscation" is the most precise term to use, as the funds are not being seized and reassigned. Rather, what we're really discussing would be better described as "burning" - placing the funds out of reach of everyone.
>>>>>>
>>>>>> Not freezing user funds is one of Bitcoin's inviolable properties. However, if quantum computing becomes a threat to Bitcoin's elliptic curve cryptography, an inviolable property of Bitcoin will be violated one way or another.
>>>>>>
>>>>>> Fundamental Properties at Risk
>>>>>> 5 years ago I attempted to comprehensively categorize all of Bitcoin's fundamental properties that give it value. https://nakamoto.com/what-are-the-key-properties-of-bitcoin/
>>>>>> The particular properties in play with regard to this issue seem to be:
>>>>>>
>>>>>> Censorship Resistance - No one should have the power to prevent others from using their bitcoin or interacting with the network.
>>>>>>
>>>>>> Forward Compatibility - changing the rules such that certain valid transactions become invalid could undermine confidence in the protocol.
>>>>>>
>>>>>> Conservatism - Users should not be expected to be highly responsive to system issues.
>>>>>>
>>>>>> As a result of the above principles, we have developed a strong meme (kudos to Andreas Antonopoulos) that goes as follows:
>>>>>>
>>>>>>> Not your keys, not your coins.
>>>>>>
>>>>>> I posit that the corollary to this principle is:
>>>>>>
>>>>>>> Your keys, only your coins.
>>>>>>
>>>>>> A quantum capable entity breaks the corollary of this foundational principle. We secure our bitcoin with the mathematical probabilities related to extremely large random numbers. Your funds are only secure because truly random large numbers should not be guessable or discoverable by anyone else in the world.
>>>>>>
>>>>>> This is the principle behind the motto vires in numeris - strength in numbers. In a world with quantum enabled adversaries, this principle is null and void for many types of cryptography, including the elliptic curve digital signatures used in Bitcoin.
>>>>>>
>>>>>> Who is at Risk?
>>>>>> There has long been a narrative that Satoshi's coins and others from the Satoshi era of P2PK locking scripts that exposed the public key directly on the blockchain will be those that get scooped up by a quantum "miner." But unfortunately it's not that simple. If I had a powerful quantum computer, which coins would I target? I'd go to the Bitcoin rich list and find the wallets that have exposed their public keys due to re-using addresses that have previously been spent from. You can easily find them at https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html
>>>>>>
>>>>>> Note that a few of these wallets, like Bitfinex / Kraken / Tether, would be slightly harder to crack because they are multisig wallets. So a quantum attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfinex / Tether in order to spend funds. But many are single signature.
>>>>>>
>>>>>> Point being, it's not only the really old lost BTC that are at risk to a quantum enabled adversary, at least at time of writing. If we add a quantum safe signature scheme, we should expect those wallets to be some of the first to upgrade given their incentives.
>>>>>>
>>>>>> The Ethical Dilemma: Quantifying Harm
>>>>>> Which decision results in the most harm?
>>>>>>
>>>>>> By making quantum vulnerable funds unspendable we potentially harm some Bitcoin users who were not paying attention and neglected to migrate their funds to a quantum safe locking script. This violates the "conservativism" principle stated earlier. On the flip side, we prevent those funds plus far more lost funds from falling into the hands of the few privileged folks who gain early access to quantum computers.
>>>>>>
>>>>>> By leaving quantum vulnerable funds available to spend, the same set of users who would otherwise have funds frozen are likely to see them stolen. And many early adopters who lost their keys will eventually see their unreachable funds scooped up by a quantum enabled adversary.
>>>>>>
>>>>>> Imagine, for example, being James Howells, who accidentally threw away a hard drive with 8,000 BTC on it, currently worth over $600M USD. He has spent a decade trying to retrieve it from the landfill where he knows it's buried, but can't get permission to excavate. I suspect that, given the choice, he'd prefer those funds be permanently frozen rather than fall into someone else's possession - I know I would.
>>>>>>
>>>>>> Allowing a quantum computer to access lost funds doesn't make those users any worse off than they were before, however it would have a negative impact upon everyone who is currently holding bitcoin.
>>>>>>
>>>>>> It's prudent to expect significant economic disruption if large amounts of coins fall into new hands. Since a quantum computer is going to have a massive up front cost, expect those behind it to desire to recoup their investment. We also know from experience that when someone suddenly finds themselves in possession of 9+ figures worth of highly liquid assets, they tend to diversify into other things by selling.
>>>>>>
>>>>>> Allowing quantum recovery of bitcoin is tantamount to wealth redistribution. What we'd be allowing is for bitcoin to be redistributed from those who are ignorant of quantum computers to those who have won the technological race to acquire quantum computers. It's hard to see a bright side to that scenario.
>>>>>>
>>>>>> Is Quantum Recovery Good for Anyone?
>>>>>>
>>>>>> Does quantum recovery HELP anyone? I've yet to come across an argument that it's a net positive in any way. It certainly doesn't add any security to the network. If anything, it greatly decreases the security of the network by allowing funds to be claimed by those who did not earn them.
>>>>>>
>>>>>> But wait, you may be thinking, wouldn't quantum "miners" have earned their coins by all the work and resources invested in building a quantum computer? I suppose, in the same sense that a burglar earns their spoils by the resources they invest into surveilling targets and learning the skills needed to break into buildings. When I say "earned" I mean through productive mutual trade.
>>>>>>
>>>>>> For example:
>>>>>>
>>>>>> * Investors earn BTC by trading for other currencies.
>>>>>> * Merchants earn BTC by trading for goods and services.
>>>>>> * Miners earn BTC by trading thermodynamic security.
>>>>>> * Quantum miners don't trade anything, they are vampires feeding upon the system.
>>>>>>
>>>>>> There's no reason to believe that allowing quantum adversaries to recover vulnerable bitcoin will be of benefit to anyone other than the select few organizations that win the technological arms race to build the first such computers. Probably nation states and/or the top few largest tech companies.
>>>>>>
>>>>>> One could certainly hope that an organization with quantum supremacy is benevolent and acts in a "white hat" manner to return lost coins to their owners, but that's incredibly optimistic and foolish to rely upon. Such a situation creates an insurmountable ethical dilemma of only recovering lost bitcoin rather than currently owned bitcoin. There's no way to precisely differentiate between the two; anyone can claim to have lost their bitcoin but if they have lost their keys then proving they ever had the keys becomes rather difficult. I imagine that any such white hat recovery efforts would have to rely upon attestations from trusted third parties like exchanges.
>>>>>>
>>>>>> Even if the first actor with quantum supremacy is benevolent, we must assume the technology could fall into adversarial hands and thus think adversarially about the potential worst case outcomes. Imagine, for example, that North Korea continues scooping up billions of dollars from hacking crypto exchanges and decides to invest some of those proceeds into building a quantum computer for the biggest payday ever...
>>>>>>
>>>>>> Downsides to Allowing Quantum Recovery
>>>>>> Let's think through an exhaustive list of pros and cons for allowing or preventing the seizure of funds by a quantum adversary.
>>>>>>
>>>>>> Historical Precedent
>>>>>> Previous protocol vulnerabilities weren’t celebrated as "fair game" but rather were treated as failures to be remediated. Treating quantum theft differently risks rewriting Bitcoin’s history as a free-for-all rather than a system that seeks to protect its users.
>>>>>>
>>>>>> Violation of Property Rights
>>>>>> Allowing a quantum adversary to take control of funds undermines the fundamental principle of cryptocurrency - if you keep your keys in your possession, only you should be able to access your money. Bitcoin is built on the idea that private keys secure an individual’s assets, and unauthorized access (even via advanced tech) is theft, not a legitimate transfer.
>>>>>>
>>>>>> Erosion of Trust in Bitcoin
>>>>>> If quantum attackers can exploit vulnerable addresses, confidence in Bitcoin as a secure store of value would collapse. Users and investors rely on cryptographic integrity, and widespread theft could drive adoption away from Bitcoin, destabilizing its ecosystem.
>>>>>>
>>>>>> This is essentially the counterpoint to claiming the burning of vulnerable funds is a violation of property rights. While some will certainly see it as such, others will find the apathy toward stopping quantum theft to be similarly concerning.
>>>>>>
>>>>>> Unfair Advantage
>>>>>> Quantum attackers, likely equipped with rare and expensive technology, would have an unjust edge over regular users who lack access to such tools. This creates an inequitable system where only the technologically elite can exploit others, contradicting Bitcoin’s ethos of decentralized power.
>>>>>>
>>>>>> Bitcoin is designed to create an asymmetric advantage for DEFENDING one's wealth. It's supposed to be impractically expensive for attackers to crack the entropy and cryptography protecting one's coins. But now we find ourselves discussing a situation where this asymmetric advantage is compromised in favor of a specific class of attackers.
>>>>>>
>>>>>> Economic Disruption
>>>>>> Large-scale theft from vulnerable addresses could crash Bitcoin’s price as quantum recovered funds are dumped on exchanges. This would harm all holders, not just those directly targeted, leading to broader financial chaos in the markets.
>>>>>>
>>>>>> Moral Responsibility
>>>>>> Permitting theft via quantum computing sets a precedent that technological superiority justifies unethical behavior. This is essentially taking a "code is law" stance in which we refuse to admit that both code and laws can be modified to adapt to previously unforeseen situations.
>>>>>>
>>>>>> Burning of coins can certainly be considered a form of theft, thus I think it's worth differentiating the two different thefts being discussed:
>>>>>>
>>>>>> 1. self-enriching & likely malicious
>>>>>> 2. harm prevention & not necessarily malicious
>>>>>>
>>>>>> Both options lack the consent of the party whose coins are being burnt or transferred, thus I think the simple argument that theft is immoral becomes a wash and it's important to drill down into the details of each.
>>>>>>
>>>>>> Incentives Drive Security
>>>>>> I can tell you from a decade of working in Bitcoin security - the average user is lazy and is a procrastinator. If Bitcoiners are given a "drop dead date" after which they know vulnerable funds will be burned, this pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Allowing vulnerable users to delay upgrading indefinitely will result in more laggards, leaving the network more exposed when quantum tech becomes available.
>>>>>>
>>>>>> Steel Manning
>>>>>> Clearly this is a complex and controversial topic, thus it's worth thinking through the opposing arguments.
>>>>>>
>>>>>> Protecting Property Rights
>>>>>> Allowing quantum computers to take vulnerable bitcoin could potentially be spun as a hard money narrative - we care so greatly about not violating someone's access to their coins that we allow them to be stolen!
>>>>>>
>>>>>> But I think the flip side to the property rights narrative is that burning vulnerable coins prevents said property from falling into undeserving hands. If the entire Bitcoin ecosystem just stands around and allows quantum adversaries to claim funds that rightfully belong to other users, is that really a "win" in the "protecting property rights" category? It feels more like apathy to me.
>>>>>>
>>>>>> As such, I think the "protecting property rights" argument is a wash.
>>>>>>
>>>>>> Quantum Computers Won't Attack Bitcoin
>>>>>> There is a great deal of skepticism that sufficiently powerful quantum computers will ever exist, so we shouldn't bother preparing for a non-existent threat. Others have argued that even if such a computer was built, a quantum attacker would not go after bitcoin because they wouldn't want to reveal their hand by doing so, and would instead attack other infrastructure.
>>>>>>
>>>>>> It's quite difficult to quantify exactly how valuable attacking other infrastructure would be. It also really depends upon when an entity gains quantum supremacy and thus if by that time most of the world's systems have already been upgraded. While I think you could argue that certain entities gaining quantum capability might not attack Bitcoin, it would only delay the inevitable - eventually somebody will achieve the capability who decides to use it for such an attack.
>>>>>>
>>>>>> Quantum Attackers Would Only Steal Small Amounts
>>>>>> Some have argued that even if a quantum attacker targeted bitcoin, they'd only go after old, likely lost P2PK outputs so as to not arouse suspicion and cause a market panic.
>>>>>>
>>>>>> I'm not so sure about that; why go after 50 BTC at a time when you could take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero day exploit" game theory in which an attacker knows they have a limited amount of time before someone else discovers the exploit and either benefits from it or patches it. Take, for example, the recent ByBit attack - the highest value crypto hack of all time. Lazarus Group had compromised the Safe wallet front end JavaScript app and they could have simply had it reassign ownership of everyone's Safe wallets as they were interacting with their wallet. But instead they chose to only specifically target ByBit's wallet with $1.5 billion in it because they wanted to maximize their extractable value. If Lazarus had started stealing from every wallet, they would have been discovered quickly and the Safe web app would likely have been patched well before any billion dollar wallets executed the malicious code.
>>>>>>
>>>>>> I think the "only stealing small amounts" argument is strongest for Situation #2 described earlier, where a quantum attacker arrives before quantum safe cryptography has been deployed across the Bitcoin ecosystem. Because if it became clear that Bitcoin's cryptography was broken AND there was nowhere safe for vulnerable users to migrate, the only logical option would be for everyone to liquidate their bitcoin as quickly as possible. As such, I don't think it applies as strongly for situations in which we have a migration path available.
>>>>>>
>>>>>> The 21 Million Coin Supply Should be in Circulation
>>>>>> Some folks are arguing that it's important for the "circulating / spendable" supply to be as close to 21M as possible and that having a significant portion of the supply out of circulation is somehow undesirable.
>>>>>>
>>>>>> While the "21M BTC" attribute is a strong memetic narrative, I don't think anyone has ever expected that it would all be in circulation. It has always been understood that many coins will be lost, and that's actually part of the game theory of owning bitcoin!
>>>>>>
>>>>>> And remember, the 21M number in and of itself is not a particularly important detail - it's not even mentioned in the whitepaper. What's important is that the supply is well known and not subject to change.
>>>>>>
>>>>>> Self-Sovereignty and Personal Responsibility
>>>>>> Bitcoin’s design empowers individuals to control their own wealth, free from centralized intervention. This freedom comes with the burden of securing one's private keys. If quantum computing can break obsolete cryptography, the fault lies with users who didn't move their funds to quantum safe locking scripts. Expecting the network to shield users from their own negligence undermines the principle that you, and not a third party, are accountable for your assets.
>>>>>>
>>>>>> I think this is generally a fair point that "the community" doesn't owe you anything in terms of helping you. I think that we do, however, need to consider the incentives and game theory in play with regard to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.
>>>>>>
>>>>>> Code is Law
>>>>>> Bitcoin operates on transparent, immutable rules embedded in its protocol.
If a quantum attacker uses superior technology to derive private key= s from public keys, they=E2=80=99re not "hacking" the system - they're simp= ly following what's mathematically permissible within the current code. Alt= ering the protocol to stop this introduces subjective human intervention, w= hich clashes with the objective, deterministic nature of blockchain. >>>>>> >>>>>> While I tend to agree that code is law, one of the entire points of = laws is that they can be amended to improve their efficacy in reducing harm= . Leaning on this point seems more like a pro-ossification stance that it's= better to do nothing and allow harm to occur rather than take action to st= op an attack that was foreseen far in advance. >>>>>> >>>>>> Technological Evolution as a Feature, Not a Bug >>>>>> It's well known that cryptography tends to weaken over time and even= tually break. Quantum computing is just the next step in this progression. = Users who fail to adapt (e.g., by adopting quantum-resistant wallets when a= vailable) are akin to those who ignored technological advancements like mul= tisig or hardware wallets. Allowing quantum theft incentivizes innovation a= nd keeps Bitcoin=E2=80=99s ecosystem dynamic, punishing complacency while r= ewarding vigilance. >>>>>> >>>>>> Market Signals Drive Security >>>>>> If quantum attackers start stealing funds, it sends a clear signal t= o the market: upgrade your security or lose everything. This pressure accel= erates the adoption of post-quantum cryptography and strengthens Bitcoin lo= ng-term. Coddling vulnerable users delays this necessary evolution, potenti= ally leaving the network more exposed when quantum tech becomes widely acce= ssible. Theft is a brutal but effective teacher. >>>>>> >>>>>> Centralized Blacklisting Power >>>>>> Burning vulnerable funds requires centralized decision-making - a so= ft fork to invalidate certain transactions. 
This sets a dangerous precedent= for future interventions, eroding Bitcoin=E2=80=99s decentralization. If q= uantum theft is blocked, what=E2=80=99s next - reversing exchange hacks? Th= e system must remain neutral, even if it means some lose out. >>>>>> >>>>>> I think this could be a potential slippery slope if the proposal was= to only burn specific addresses. Rather, I'd expect a neutral proposal to = burn all funds in locking script types that are known to be quantum vulnera= ble. Thus, we could eliminate any subjectivity from the code. >>>>>> >>>>>> Fairness in Competition >>>>>> Quantum attackers aren't cheating; they're using publicly available = physics and math. Anyone with the resources and foresight can build or acce= ss quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU. Earl= y adopters took risks and reaped rewards; quantum innovators are doing the = same. Calling it =E2=80=9Cunfair=E2=80=9D ignores that Bitcoin has never pr= omised equality of outcome - only equality of opportunity within its rules. >>>>>> >>>>>> I find this argument to be a mischaracterization because we're not t= alking about CPUs. This is more akin to talking about ASICs, except each AS= IC costs millions if not billions of dollars. This is out of reach from all= but the wealthiest organizations. >>>>>> >>>>>> Economic Resilience >>>>>> Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and = emerged stronger. The market can absorb quantum losses, with unaffected use= rs continuing to hold and new entrants buying in at lower prices. Fear of e= conomic collapse overestimates the impact - the network=E2=80=99s antifragi= lity thrives on such challenges. >>>>>> >>>>>> This is a big grey area because we don't know when a quantum compute= r will come online and we don't know how quickly said computers would be ab= le to steal bitcoin. 
If, for example, the first generation of sufficiently = powerful quantum computers were stealing less volume than the current block= reward then of course it will have minimal economic impact. But if they're= taking thousands of BTC per day and bringing them back into circulation, t= here will likely be a noticeable market impact as it absorbs the new supply= . >>>>>> >>>>>> This is where the circumstances will really matter. If a quantum att= acker appears AFTER the Bitcoin protocol has been upgraded to support quant= um resistant cryptography then we should expect the most valuable active wa= llets will have upgraded and the juiciest target would be the 31,000 BTC in= the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant sinc= e 2010. In general I'd expect that the amount of BTC re-entering the circul= ating supply would look somewhat similar to the mining emission curve: volu= me would start off very high as the most valuable addresses are drained and= then it would fall off as quantum computers went down the list targeting a= ddresses with less and less BTC. >>>>>> >>>>>> Why is economic impact a factor worth considering? Miners and busine= sses in general. More coins being liquidated will push down the price, whic= h will negatively impact miner revenue. Similarly, I can attest from workin= g in the industry for a decade, that lower prices result in less demand fro= m businesses across the entire industry. As such, burning quantum vulnerabl= e bitcoin is good for the entire industry. >>>>>> >>>>>> Practicality & Neutrality of Non-Intervention >>>>>> There=E2=80=99s no reliable way to distinguish =E2=80=9Ctheft=E2=80= =9D from legitimate "white hat" key recovery. If someone loses their privat= e key and a quantum computer recovers it, is that stealing or reclaiming? P= olicing quantum actions requires invasive assumptions about intent, which B= itcoin=E2=80=99s trustless design can=E2=80=99t accommodate. 
Letting the ch= ips fall where they may avoids this mess. >>>>>> >>>>>> Philosophical Purity >>>>>> Bitcoin rejects bailouts. It=E2=80=99s a cold, hard system where out= comes reflect preparation and skill, not sentimentality. If quantum computi= ng upends the game, that=E2=80=99s the point - Bitcoin isn=E2=80=99t meant = to be safe or fair in a nanny-state sense; it=E2=80=99s meant to be free. U= sers who lose funds to quantum attacks are casualties of liberty and their = own ignorance, not victims of injustice. >>>>>> >>>>>> Bitcoin's DAO Moment >>>>>> This situation has some similarities to The DAO hack of an Ethereum = smart contract in 2016, which resulted in a fork to stop the attacker and r= eturn funds to their original owners. The game theory is similar because it= 's a situation where a threat is known but there's some period of time befo= re the attacker can actually execute the theft. As such, there's time to mi= tigate the attack by changing the protocol. >>>>>> >>>>>> It also created a schism in the community around the true meaning of= "code is law," resulting in Ethereum Classic, which decided to allow the a= ttacker to retain control of the stolen funds. >>>>>> >>>>>> A soft fork to burn vulnerable bitcoin could certainly result in a h= ard fork if there are enough miners who reject the soft fork and continue i= ncluding transactions. >>>>>> >>>>>> Incentives Matter >>>>>> We can wax philosophical until the cows come home, but what are the = actual incentives for existing Bitcoin holders regarding this decision? >>>>>> >>>>>>> "Lost coins only make everyone else's coins worth slightly more. Th= ink of it as a donation to everyone." - Satoshi Nakamoto >>>>>> >>>>>> If true, the corollary is: >>>>>> >>>>>>> "Quantum recovered coins only make everyone else's coins worth less= . Think of it as a theft from everyone." 
- Jameson Lopp >>>>>> >>>>>> Thus, assuming we get to a point where quantum resistant signatures = are supported within the Bitcoin protocol, what's the incentive to let vuln= erable coins remain spendable? >>>>>> >>>>>> * It's not good for the actual owners of those coins. It disincentiv= izes owners from upgrading until perhaps it's too late. >>>>>> * It's not good for the more attentive / responsible owners of coins= who have quantum secured their stash. Allowing the circulating supply to b= alloon will assuredly reduce the purchasing power of all bitcoin holders. >>>>>> >>>>>> Forking Game Theory >>>>>> From a game theory point of view, I see this as incentivizing users = to upgrade their wallets. If you disagree with the burning of vulnerable co= ins, all you have to do is move your funds to a quantum safe signature sche= me. Point being, I don't see there being an economic majority (or even more= than a tiny minority) of users who would fight such a soft fork. Why expen= d significant resources fighting a fork when you can just move your coins t= o a new address? >>>>>> >>>>>> Remember that blocking spending of certain classes of locking script= s is a tightening of the rules - a soft fork. As such, it can be meaningful= ly enacted and enforced by a mere majority of hashpower. If miners generall= y agree that it's in their best interest to burn vulnerable coins, are othe= r users going to care enough to put in the effort to run new node software = that resists the soft fork? Seems unlikely to me. >>>>>> >>>>>> How to Execute Burning >>>>>> In order to be as objective as possible, the goal would be to announ= ce to the world that after a specific block height / timestamp, Bitcoin nod= es will no longer accept transactions (or blocks containing such transactio= ns) that spend funds from any scripts other than the newly instituted quant= um safe schemes. 
>>>>>> >>>>>> It could take a staggered approach to first freeze funds that are su= sceptible to long-range attacks such as those in P2PK scripts or those that= exposed their public keys due to previously re-using addresses, but I expe= ct the additional complexity would drive further controversy. >>>>>> >>>>>> How long should the grace period be in order to give the ecosystem t= ime to upgrade? I'd say a minimum of 1 year for software wallets to upgrade= . We can only hope that hardware wallet manufacturers are able to implement= post quantum cryptography on their existing hardware with only a firmware = update. >>>>>> >>>>>> Beyond that, it will take at least 6 months worth of block space for= all users to migrate their funds, even in a best case scenario. Though if = you exclude dust UTXOs you could probably get 95% of BTC value migrated in = 1 month. Of course this is a highly optimistic situation where everyone is = completely focused on migrations - in reality it will take far longer. >>>>>> >>>>>> Regardless, I'd think that in order to reasonably uphold Bitcoin's c= onservatism it would be preferable to allow a 4 year migration window. In t= he meantime, mining pools could coordinate emergency soft forking logic suc= h that if quantum attackers materialized, they could accelerate the countdo= wn to the quantum vulnerable funds burn. >>>>>> >>>>>> Random Tangential Benefits >>>>>> On the plus side, burning all quantum vulnerable bitcoin would allow= us to prune all of those UTXOs out of the UTXO set, which would also clean= up a lot of dust. Dust UTXOs are a bit of an annoyance and there has even = been a recent proposal for how to incentivize cleaning them up. >>>>>> >>>>>> We should also expect that incentivizing migration of the entire UTX= O set will create substantial demand for block space that will sustain a fe= e market for a fairly lengthy amount of time. 
>>>>>>
>>>>>> In Summary
>>>>>> While the moral quandary of violating any of Bitcoin's inviolable properties can make this a very complex issue to discuss, the game theory and incentives between burning vulnerable coins versus allowing them to be claimed by entities with quantum supremacy appears to be a much simpler issue.
>>>>>>
>>>>>> I, for one, am not interested in rewarding quantum capable entities by inflating the circulating money supply just because some people lost their keys long ago and some laggards are not upgrading their bitcoin wallet's security.
>>>>>>
>>>>>> We can hope that this scenario never comes to pass, but hope is not a strategy.
>>>>>>
>>>>>> I welcome your feedback upon any of the above points, and contribution of any arguments I failed to consider.
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
>>>>>> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com.

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/ZVSyhRF6sP5xZxzih0EUn-_35mQxiVXYzrvxZ_Dz7tTygUqTmxxyVhFfXswTUmIquzCR6XNGbgLlNUCkHucTAliQf7aesPZBLRFoceu_9BY%3D%40protonmail.com.
Hi,

With the longer grace period and selective deactivation, this seems more sensible, but there is one elephant in the room that I haven't seen mentioned here - namely, the legal aspect. (If it was, sorry I missed it.)

I'm not a lawyer, but if developers make a conscious decision to make a code change that confiscates funds, even with a reasonable heads-up, I feel like some lawyers might be tempted to make an argument that those developers should be held responsible for any losses. As everyone knows, Bitcoin has been under legal attacks before, and I'm not sure that anyone would (or should) be willing to sign off on a change that might potentially open them up to several billion dollars worth of personal responsibility - especially if the "bonded courier" actually shows up and reveals a private key that would have unlocked funds under the pre-QC scheme.

The only safe-ish way I can see to do this is to have it only affect funds that are very likely to be lost in the first place. So at the very least, it could not affect UTXOs that could potentially be encumbered with a timelock (i.e. P2SH/P2WSH), and it could only affect UTXOs that have not moved for a very long time (say 15-20 years).

If quantum computers capable of practical attacks against Bitcoin are ever known to actually exist, sending to non-PQC addresses should of course be disabled immediately. But I feel that the nature of a permissionless system implies a large degree of self-responsibility, so if someone chooses to keep using non-PQC addresses even after PQC addresses have become available and practical quantum attacks are suspected to be an imminent danger, it's not necessarily up to the developers to tell them they can't, only that they really shouldn't.

--
Regards,
ArmchairCryptologist

Sent with Proton Mail secure email.
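The freeze rule debated in this thread (Jameson Lopp's "How to Execute Burning": after an announced block height, nodes reject any spend from a non-quantum-safe script, optionally freezing P2PK and reused-address outputs first; the age and timelock exemptions raised in the reply above and in the QRAMP proposal) can be written down as an explicit, testable consensus policy rather than argued in prose. The following Python is an illustration added here by the editor, not code from the thread, from QRAMP or from Bitcoin Core; the script type names, the hypothetical `PQ_SAFE` output type, the `FreezePolicy` fields, the heights and the sample UTXO set are all constructed assumptions.

```python
"""Constructed model of a "burn quantum-vulnerable outputs" soft-fork rule.

Editor's illustration for this thread; not code from the thread, from the
QRAMP proposal or from Bitcoin Core. Script types, heights and UTXOs are
made-up assumptions chosen to exercise the policy variants under discussion.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

BLOCKS_PER_YEAR = 144 * 365  # nominal 10-minute blocks, 144 per day


class ScriptType(Enum):
    P2PK = "p2pk"        # public key sits in the output script itself
    P2PKH = "p2pkh"      # key hash; pubkey revealed only once spent from
    P2SH = "p2sh"        # redeem script is hidden and may contain a timelock
    P2WPKH = "p2wpkh"
    P2WSH = "p2wsh"      # witness script is hidden and may contain a timelock
    PQ_SAFE = "pq_safe"  # hypothetical post-quantum output type (assumption)


# Script-hash outputs may wrap a timelock, so an early freeze could hurt a
# legitimate future spender; the thread proposes delaying restrictions on them.
POSSIBLY_TIMELOCKED = {ScriptType.P2SH, ScriptType.P2WSH}


@dataclass(frozen=True)
class Utxo:
    outpoint: str
    script_type: ScriptType
    value_sats: int
    created_height: int
    pubkey_exposed: bool = False  # address reused after a spend revealed the key


@dataclass(frozen=True)
class FreezePolicy:
    early_phase_height: int            # long-range-exposed outputs frozen from here
    activation_height: int             # every remaining non-PQ output frozen from here
    min_dormant_blocks: Optional[int]  # freeze only outputs at least this old, or None
    exempt_possibly_timelocked: bool   # leave P2SH/P2WSH alone for now


def is_long_range_exposed(utxo: Utxo) -> bool:
    """True when the public key is already on chain, so the key could be derived
    offline long before the owner tries to spend (a "long-range" attack)."""
    return utxo.script_type is ScriptType.P2PK or utxo.pubkey_exposed


def spend_allowed(utxo: Utxo, policy: FreezePolicy, height: int) -> Tuple[bool, str]:
    """Decide whether a transaction mined at `height` may spend `utxo`.
    Returns (allowed, reason) so a node or wallet can explain a rejection."""
    if utxo.script_type is ScriptType.PQ_SAFE:
        return True, "pq-safe output"
    if height < policy.early_phase_height:
        return True, "no freeze phase active yet"
    age = height - utxo.created_height
    if policy.min_dormant_blocks is not None and age < policy.min_dormant_blocks:
        return True, "output moved recently; outside freeze scope"
    if policy.exempt_possibly_timelocked and utxo.script_type in POSSIBLY_TIMELOCKED:
        return True, "script-hash output exempted (may be timelocked)"
    if is_long_range_exposed(utxo):
        return False, "frozen: public key already exposed (early phase)"
    if height < policy.activation_height:
        return True, "grace period still open"
    return False, "frozen: non-PQ output after activation height"


def validate_spends(utxos: List[Utxo], policy: FreezePolicy, height: int) -> Tuple[bool, List[str]]:
    """Block-level view of the tightened rule: a block at `height` is invalid if
    any input it spends is frozen. Returns (valid, offending outpoints)."""
    rejected = [u.outpoint for u in utxos if not spend_allowed(u, policy, height)[0]]
    return (not rejected, rejected)


def frozen_value(utxos: List[Utxo], policy: FreezePolicy, height: int) -> int:
    """Satoshis that would be unspendable at `height`: the number to look at when
    weighing a grace period against its economic effect."""
    return sum(u.value_sats for u in utxos if not spend_allowed(u, policy, height)[0])


# Constructed sample UTXO set (not real chain data).
SAMPLE_UTXOS = [
    Utxo("p2pk-era:0", ScriptType.P2PK, 50 * 100_000_000, 1_000),
    Utxo("reused-addr:1", ScriptType.P2PKH, 3 * 100_000_000, 800_000, pubkey_exposed=True),
    Utxo("fresh-p2wpkh:0", ScriptType.P2WPKH, 10_000, 899_000),
    Utxo("vault-p2wsh:0", ScriptType.P2WSH, 2 * 100_000_000, 700_000),
    Utxo("migrated:0", ScriptType.PQ_SAFE, 100_000_000, 905_000),
]

# A staggered policy in the spirit of the thread: exposed keys frozen first,
# everything else after a four-year window, timelock-capable scripts exempt.
STAGGERED = FreezePolicy(
    early_phase_height=900_000,
    activation_height=900_000 + 4 * BLOCKS_PER_YEAR,
    min_dormant_blocks=None,
    exempt_possibly_timelocked=True,
)

if __name__ == "__main__":
    for h in (899_999, 900_000, STAGGERED.activation_height):
        print(f"height {h}: frozen {frozen_value(SAMPLE_UTXOS, STAGGERED, h)} sats")
        for u in SAMPLE_UTXOS:
            ok, why = spend_allowed(u, STAGGERED, h)
            print(f"  {u.outpoint:16} {'spendable' if ok else 'FROZEN'}: {why}")
```

Swapping `STAGGERED` for `FreezePolicy(900_000, 900_000, 15 * BLOCKS_PER_YEAR, False)` models the narrower variant argued for in the reply above (only long-dormant outputs, no phase-in), and lowering `activation_height` models the emergency acceleration Lopp mentions; because the rule only ever turns previously valid spends into invalid ones, every variant here is a tightening and therefore a soft fork, as the thread states.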

On Monday, May 26th, 2025 at 2:48 AM, Agustin Cruz <agustin.cruz@gmail.com> wrote:
Hi everyone,

The QRAMP proposal aims to manage the quantum transition responsibly without disrupting Bitcoin’s core principles.

QRAMP has three phases:

1. Allow wallets to optionally include PQC keys in Taproot outputs. This enables early adoption without forcing anyone.

2. Announce a soft fork to disable vulnerable scripts, with a long (~4-year) grace period. This gives ample time to migrate and avoids sudden shocks.

3. Gradually deactivate vulnerable outputs based on age or inactivity. This avoids a harsh cutoff and gives time for adaptation.

We can also allow exceptions via proof-of-possession, and delay restrictions on timelocked outputs to avoid harming future spenders.

QRAMP is not about confiscation or control. It’s about aligning incentives, maintaining security, and offering a clear, non-coercive upgrade path.
Best,
Agustin Cruz



On Sun, 25 May 2025, 7:03 p.m., Dustin Ray <dustinvonsandwich@gmail.com> wrote:
The difference between the ETH/ETC split though was that no one had anything confiscated except the DAO hacker, everyone retained an identical number of tokens on each chain. The proposal for BTC is very different in that some holders will lose access to their coins during the PQ migration under the confiscation approach. Just wanted to point that out.

On Sun, May 25, 2025 at 3:06 PM 'conduition' via Bitcoin Development Mailing List <bitcoindev@googlegroups.com> wrote:
Hey Saulo,

You're right about the possibility of an ugly split. Laggards who don't move coins to PQ address schemes will be incentivized to follow any chain where they keep their coins. But those who do migrate will be incentivized to follow the chain where unmigrated pre-quantum coins are frozen.

While you're comparing this event to the ETH/ETC split, we should remember that ETH remained the dominant chain despite their heavy-handed rollback. Just goes to show, confusion and face-loss is a lesser evil than allowing an adversary to pwn the network.

> This is the free-market way to solve problems without imposing rules on everyone.

It'd still be a free market even if quantum-vulnerable coins are frozen. The only way to test the relative value of quantum-safe vs quantum-vulnerable coins is to split the chain and see how the market reacts.

IMO, the "free market way" is to give people options and let their money flow to where it works best. That means people should be able to choose whether they want their money to be part of a system that allows quantum attack, or part of one which does not. I know which I would choose, but neither you nor I can make that choice for everyone.

regards,
conduition
On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz <agustin.cruz@gmail.com> wrote:
I’m against letting quantum computers scoop up funds from addresses that don’t upgrade to quantum-resistant.
Saulo’s idea of a free-market approach, leaving old coins up for grabs if people don’t move them, sounds fair at first. Let luck decide, right? But I worry it’d turn into a mess. If quantum machines start cracking keys and snagging coins, it’s not just lost Satoshi-era stuff at risk. Plenty of active wallets, like those on the rich list Jameson mentioned, could get hit too. Imagine millions of BTC flooding the market. Prices tank, trust in Bitcoin takes a dive, and we all feel the pain. Freezing those vulnerable funds keeps that chaos in check.
Plus, “your keys, your coins” is Bitcoin’s heart. If quantum tech can steal from you just because you didn’t upgrade fast enough, that promise feels shaky. Freezing funds after a heads-up period (say, four years) protects that idea better than letting tech giants or rogue states play vampire with our network. It also nudges people to get their act together and move to safer addresses, which strengthens Bitcoin long-term.
Saulo’s right that freezing coins could confuse folks or spark a split like Ethereum Classic. But I’d argue quantum theft would look worse. Bitcoin would seem broken, not just strict. A clear plan and enough time to migrate could smooth things over. History’s on our side too. Bitcoin’s fixed bugs before, like SegWit. This feels like that, not a bailout.
So yeah, I’d rather see vulnerable coins locked than handed to whoever builds the first quantum rig. It’s less about coddling people and more about keeping Bitcoin solid for everyone. What do you all think?
Cheers,
Agustín


On Sun, Mar 23, 2025 at 10:29 PM AstroTown <saulo@astrotown.de> wrote:
I believe that having some entity announce the decision to freeze old UTXOs would be more damaging to Bitcoin’s image (and its value) than having them gathered by QC. This would create another version of Bitcoin, similar to Ethereum Classic, causing confusion in the market.

It would be better to simply implement the possibility of moving funds to a PQC address without a deadline, allowing those who fail to do so to rely on luck to avoid having their coins stolen. Most coins would be migrated to PQC anyway, and in most cases, only the lost ones would remain vulnerable. This is the free-market way to solve problems without imposing rules on everyone.

Saulo Fonseca

On 16. Mar 2025, at 15:15, Jameson Lopp <jameson.lopp@gmail.com> wrote:

The quantum computing debate is heating up. There are many controversial aspects to this debate, including whether or not quantum computers will ever actually become a practical threat.

I won't tread into the unanswerable question of how worried we should be about quantum computers. I think it's far from a crisis, but given the difficulty in changing Bitcoin it's worth starting to seriously discuss. Today I wish to focus on a philosophical quandary related to one of the decisions that would need to be made if and when we implement a quantum safe signature scheme.

Several Scenarios
Because this essay will reference game theory a fair amount, and there are many variables at play that could change the nature of the game, I think it's important to clarify the possible scenarios up front.

1. Quantum computing never materializes, never becomes a threat, and thus everything discussed in this essay is moot.
2. A quantum computing threat materializes suddenly and Bitcoin does not have quantum safe signatures as part of the protocol. In this scenario it would likely make the points below moot because Bitcoin would be fundamentally broken and it would take far too long to upgrade the protocol, wallet software, and migrate user funds in order to restore confidence in the network.
3. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been minimally adopted by the time an attacker appears.
4. Quantum computing advances slowly enough that we come to consensus about how to upgrade Bitcoin and post quantum security has been highly adopted by the time an attacker appears.

For the purposes of this post, I'm envisioning being in situation 3 or 4.

To Freeze or not to Freeze?
I've started seeing more people weighing in on what is likely the most contentious aspect of how a quantum resistance upgrade should be handled in terms of migrating user funds. Should quantum vulnerable funds be left open to be swept by anyone with a sufficiently powerful quantum computer OR should they be permanently locked?

"I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation."
- Hunter Beast

On the other hand:

"Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone; even those which diligently moved their coins to PQC-protected schemes."
- Pieter Wuille

I don't think "confiscation" is the most precise term to use, as the funds are not being seized and reassigned. Rather, what we're really discussing would be better described as "burning" - placing the funds out of reach of everyone.

Not freezing user funds is one of Bitcoin's inviolable properties. However, if quantum computing becomes a threat to Bitcoin's elliptic curve cryptography, an inviolable property of Bitcoin will be violated one way or another.

Fundamental Properties at Risk
5 years ago I attempted to comprehensively categorize all of Bitcoin's fundamental properties that give it value. https://nakamoto.com/what-are-the-key-properties-of-bitcoin/

The particular properties in play with regard to this issue seem to be:

Censorship Resistance - No one should have the power to prevent others from using their bitcoin or interacting with the network.

Forward Compatibility - changing the rules such that certain valid transactions become invalid could undermine confidence in the protocol.

Conservatism - Users should not be expected to be highly responsive to system issues.

As a result of the above principles, we have developed a strong meme (kudos to Andreas Antonopoulos) that goes as follows:

Not your keys, not your coins.

I posit that the corollary to this principle is:

Your keys, only your coins.

A quantum capable entity breaks the corollary of this foundational principle. We secure our bitcoin with the mathematical probabilities related to extremely large random numbers. Your funds are only secure because truly random large numbers should not be guessable or discoverable by anyone else in the world.

This is the principle behind the motto vires in numeris - strength in numbers. In a world with quantum enabled adversaries, this principle is null and void for many types of cryptography, including the elliptic curve digital signatures used in Bitcoin.

Who is at Risk?
There has long been a narrative that Satoshi's coins and others from the Satoshi era of P2PK locking scripts that exposed the public key directly on the blockchain will be those that get scooped up by a quantum "miner." But unfortunately it's not that simple. If I had a powerful quantum computer, which coins would I target? I'd go to the Bitcoin rich list and find the wallets that have exposed their public keys due to re-using addresses that have previously been spent from. You can easily find them at https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html

Note that a few of these wallets, like Bitfinex / Kraken / Tether, would be slightly harder to crack because they are multisig wallets. So a quantum attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfinex / Tether in order to spend funds. But many are single signature.

Point being, it's not only the really old lost BTC that are at risk to a quantum enabled adversary, at least at time of writing. If we add a quantum safe signature scheme, we should expect those wallets to be some of the first to upgrade given their incentives.

The Ethical Dilemma: Quantifying Harm
Which decision results in the most harm?

By making quantum vulnerable funds unspendable we potentially harm some Bitcoin users who were not paying attention and neglected to migrate their funds to a quantum safe locking script. This violates the "conservatism" principle stated earlier. On the flip side, we prevent those funds plus far more lost funds from falling into the hands of the few privileged folks who gain early access to quantum computers.

By leaving quantum vulnerable funds available to spend, the same set of users who would otherwise have funds frozen are likely to see them stolen. And many early adopters who lost their keys will eventually see their unreachable funds scooped up by a quantum enabled adversary.

Imagine, for example, being James Howells, who accidentally threw away a hard drive with 8,000 BTC on it, currently worth over $600M USD. He has spent a decade trying to retrieve it from the landfill where he knows it's buried, but can't get permission to excavate. I suspect that, given the choice, he'd prefer those funds be permanently frozen rather than fall into someone else's possession - I know I would.

Allowing a quantum computer to access lost funds doesn't make those users any worse off than they were before; however, it would have a negative impact upon everyone who is currently holding bitcoin.

It's prudent to expect significant economic disruption if large amounts of coins fall into new hands. Since a quantum computer is going to have a massive up front cost, expect those behind it to desire to recoup their investment. We also know from experience that when someone suddenly finds themselves in possession of 9+ figures worth of highly liquid assets, they tend to diversify into other things by selling.

Allowing quantum recovery of bitcoin is tantamount to wealth redistribution. What we'd be allowing is for bitcoin to be redistributed from those who are ignorant of quantum computers to those who have won the technological race to acquire quantum computers. It's hard to see a bright side to that scenario.

Is Quantum Recovery Good for Anyone?

Does quantum recovery HELP anyone? I've yet to come across an argument that it's a net positive in any way. It certainly doesn't add any security to the network. If anything, it greatly decreases the security of the network by allowing funds to be claimed by those who did not earn them.

But wait, you may be thinking, wouldn't quantum "miners" have earned their coins by all the work and resources invested in building a quantum computer? I suppose, in the same sense that a burglar earns their spoils by the resources they invest into surveilling targets and learning the skills needed to break into buildings. When I say "earned" I mean through productive mutual trade.

For example:

* Investors earn BTC by trading for other currencies.
* Merchants earn BTC by trading for goods and services.
* Miners earn BTC by trading thermodynamic security.
* Quantum miners don't trade anything, they are vampires feeding upon the system.

There's no reason to believe that allowing quantum adversaries to recover vulnerable bitcoin will be of benefit to anyone other than the select few organizations that win the technological arms race to build the first such computers. Probably nation states and/or the top few largest tech companies.

One could certainly hope that an organization with quantum supremacy is benevolent and acts in a "white hat" manner to return lost coins to their owners, but that's incredibly optimistic and foolish to rely upon. Such a situation creates an insurmountable ethical dilemma of only recovering lost bitcoin rather than currently owned bitcoin. There's no way to precisely differentiate between the two; anyone can claim to have lost their bitcoin but if they have lost their keys then proving they ever had the keys becomes rather difficult. I imagine that any such white hat recovery efforts would have to rely upon attestations from trusted third parties like exchanges.

Even if the first actor with quantum supremacy is benevolent, we must assume the technology could fall into adversarial hands and thus think adversarially about the potential worst case outcomes. Imagine, for example, that North Korea continues scooping up billions of dollars from hacking crypto exchanges and decides to invest some of those proceeds into building a quantum computer for the biggest payday ever...

Downsides to Allowing Quantum Recovery
Let's think through an exhaustive list of pros and cons for allowing or preventing the seizure of funds by a quantum adversary.

Historical Precedent
Previous protocol vulnerabilities weren’t celebrated as "fair game" but rather were treated as failures to be remediated. Treating quantum theft differently risks rewriting Bitcoin’s history as a free-for-all rather than a system that seeks to protect its users.

Violation of Property Rights
Allowing a quantum adversary to take control of funds undermines the fundamental principle of cryptocurrency - if you keep your keys in your possession, only you should be able to access your money. Bitcoin is built on the idea that private keys secure an individual’s assets, and unauthorized access (even via advanced tech) is theft, not a legitimate transfer.

Erosion of Trust in Bitcoin
If quantum attackers can exploit vulnerable addresses, confidence in Bitcoin as a secure store of value would collapse. Users and investors rely on cryptographic integrity, and widespread theft could drive adoption away from Bitcoin, destabilizing its ecosystem.

This is essentially the counterpoint to claiming the burning of vulnerable funds is a violation of property rights. While some will certainly see it as such, others will find the apathy toward stopping quantum theft to be similarly concerning.

Unfair Advantage
Quantum attackers, likely equipped with rare and expensive technology, would have an unjust edge over regular users who lack access to such tools. This creates an inequitable system where only the technologically elite can exploit others, contradicting Bitcoin’s ethos of decentralized power.

Bitcoin is designed to create an asymmetric advantage for DEFENDING one's wealth. It's supposed to be impractically expensive for attackers to crack the entropy and cryptography protecting one's coins. But now we find ourselves discussing a situation where this asymmetric advantage is compromised in favor of a specific class of attackers.

Economic Disruption
Large-scale theft from vulnerable addresses could crash Bitcoin’s price as quantum recovered funds are dumped on exchanges. This would harm all holders, not just those directly targeted, leading to broader financial chaos in the markets.

Moral Responsibility
Permitting theft via quantum computing sets a precedent that technological superiority justifies unethical behavior. This is essentially taking a "code is law" stance in which we refuse to admit that both code and laws can be modified to adapt to previously unforeseen situations.

Burning of coins can certainly be considered a form of theft, thus I think it's worth differentiating the two different thefts being discussed:

1. self-enriching & likely malicious
2. harm prevention & not necessarily malicious

Both options lack the consent of the party whose coins are being burnt or transferred, thus I think the simple argument that theft is immoral becomes a wash and it's important to drill down into the details of each.

Incentives Drive Security
I can tell you from a decade of working in Bitcoin security - the average user is lazy and is a procrastinator. If Bitcoiners are given a "drop dead date" after which they know vulnerable funds will be burned, this pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Allowing vulnerable users to delay upgrading indefinitely will result in more laggards, leaving the network more exposed when quantum tech becomes available.

Steel Manning
Clearly this is a complex and controversial topic, thus it's worth thinking through the opposing arguments.

Protecting Property Rights
Allowing quantum computers to take vulnerable bitcoin could potentially be spun as a hard money narrative - we care so greatly about not violating someone's access to their coins that we allow them to be stolen!

But I think the flip side to the property rights narrative is that burning vulnerable coins prevents said property from falling into undeserving hands. If the entire Bitcoin ecosystem just stands around and allows quantum adversaries to claim funds that rightfully belong to other users, is that really a "win" in the "protecting property rights" category? It feels more like apathy to me.

As such, I think the "protecting property rights" argument is a wash.

Quantum Computers Won't Attack Bitcoin
There is a great deal of skepticism that sufficiently powerful quantum computers will ever exist, so we shouldn't bother preparing for a non-existent threat. Others have argued that even if such a computer was built, a quantum attacker would not go after bitcoin because they wouldn't want to reveal their hand by doing so, and would instead attack other infrastructure.

It's quite difficult to quantify exactly how valuable attacking other infrastructure would be. It also really depends upon when an entity gains quantum supremacy and thus if by that time most of the world's systems have already been upgraded. While I think you could argue that certain entities gaining quantum capability might not attack Bitcoin, it would only delay the inevitable - eventually somebody will achieve the capability who decides to use it for such an attack.

Quantum Attackers Would Only Steal Small Amounts
Some have argued that even if a quantum attacker targeted bitcoin, they'd only go after old, likely lost P2PK outputs so as to not arouse suspicion and cause a market panic.

I'm not so sure about that; why go after 50 BTC at a time when you could take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero day exploit" game theory in which an attacker knows they have a limited amount of time before someone else discovers the exploit and either benefits from it or patches it. Take, for example, the recent ByBit attack - the highest value crypto hack of all time. Lazarus Group had compromised the Safe wallet front end JavaScript app and they could have simply had it reassign ownership of everyone's Safe wallets as they were interacting with their wallet. But instead they chose to only specifically target ByBit's wallet with $1.5 billion in it because they wanted to maximize their extractable value. If Lazarus had started stealing from every wallet, they would have been discovered quickly and the Safe web app would likely have been patched well before any billion dollar wallets executed the malicious code.

I think the "only stealing small amounts" argument is strongest for Situation #2 described earlier, where a quantum attacker arrives before quantum safe cryptography has been deployed across the Bitcoin ecosystem. Because if it became clear that Bitcoin's cryptography was broken AND there was nowhere safe for vulnerable users to migrate, the only logical option would be for everyone to liquidate their bitcoin as quickly as possible. As such, I don't think it applies as strongly for situations in which we have a migration path available.

The 21 Million Coin Supply Should be in Circulation
Some folks are arguing that it's important for the "circulating / spendable" supply to be as close to 21M as possible and that having a significant portion of the supply out of circulation is somehow undesirable.

While the "21M BTC" attribute is a strong memetic narrative, I don't think anyone has ever expected that it would all be in circulation. It has always been understood that many coins will be lost, and that's actually part of the game theory of owning bitcoin!

And remember, the 21M number in and of itself is not a particularly important detail - it's not even mentioned in the whitepaper. What's important is that the supply is well known and not subject to change.

Self-Sovereignty and Personal Responsibility
Bitcoin’s design empowers individuals to control their own wealth, free from centralized intervention. This freedom comes with the burden of securing one's private keys. If quantum computing can break obsolete cryptography, the fault lies with users who didn't move their funds to quantum safe locking scripts. Expecting the network to shield users from their own negligence undermines the principle that you, and not a third party, are accountable for your assets.

I think this is generally a fair point that "the community" doesn't owe you anything in terms of helping you. I think that we do, however, need to consider the incentives and game theory in play with regard to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.

Code is Law
Bitcoin operates on transparent, immutable rules embedded in its protocol. If a quantum attacker uses superior technology to derive private keys from public keys, they’re not "hacking" the system - they're simply following what's mathematically permissible within the current code. Altering the protocol to stop this introduces subjective human intervention, which clashes with the objective, deterministic nature of blockchain.

While I tend to agree that code is law, one of the entire points of laws is that they can be amended to improve their efficacy in reducing harm. Leaning on this point seems more like a pro-ossification stance that it's better to do nothing and allow harm to occur rather than take action to stop an attack that was foreseen far in advance.

Technological Evolution as a Feature, Not a Bug

It's well known that cryptography tends to weaken over time and eventually break. Quantum computing is just the next step in this progression. Users who fail to adapt (e.g., by adopting quantum-resistant wallets when available) are akin to those who ignored technological advancements like multisig or hardware wallets. Allowing quantum theft incentivizes innovation and keeps Bitcoin’s ecosystem dynamic, punishing complacency while rewarding vigilance.

Market Signals Drive Security
If quantum attackers start stealing funds, it sends a clear signal to the market: upgrade your security or lose everything. This pressure accelerates the adoption of post-quantum cryptography and strengthens Bitcoin long-term. Coddling vulnerable users delays this necessary evolution, potentially leaving the network more exposed when quantum tech becomes widely accessible. Theft is a brutal but effective teacher.

Centralized Blacklisting Power
Burning vulnerable funds requires centralized decision-making - a soft fork to invalidate certain transactions. This sets a dangerous precedent for future interventions, eroding Bitcoin’s decentralization. If quantum theft is blocked, what’s next - reversing exchange hacks? The system must remain neutral, even if it means some lose out.

I think this could be a potential slippery slope if the proposal was to only burn specific addresses. Rather, I'd expect a neutral proposal to burn all funds in locking script types that are known to be quantum vulnerable. Thus, we could eliminate any subjectivity from the code.

Fairness in Competition
Quantum attackers aren't cheating; they're using publicly available physics and math. Anyone with the resources and foresight can build or access quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU. Early adopters took risks and reaped rewards; quantum innovators are doing the same. Calling it “unfair” ignores that Bitcoin has never promised equality of outcome - only equality of opportunity within its rules.

I find this argument to be a mischaracterization because we're not talking about CPUs. This is more akin to talking about ASICs, except each ASIC costs millions if not billions of dollars. This is out of reach from all but the wealthiest organizations.

Economic Resilience
Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and emerged stronger. The market can absorb quantum losses, with unaffected users continuing to hold and new entrants buying in at lower prices. Fear of economic collapse overestimates the impact - the network’s antifragility thrives on such challenges.

This is a big grey area because we don't know when a quantum computer will come online and we don't know how quickly said computers would be able to steal bitcoin. If, for example, the first generation of sufficiently powerful quantum computers were stealing less volume than the current block reward then of course it will have minimal economic impact. But if they're taking thousands of BTC per day and bringing them back into circulation, there will likely be a noticeable market impact as it absorbs the new supply.

This is where the circumstances will really matter. If a quantum attacker appears AFTER the Bitcoin protocol has been upgraded to support quantum resistant cryptography then we should expect the most valuable active wallets will have upgraded and the juiciest target would be the 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant since 2010. In general I'd expect that the amount of BTC re-entering the circulating supply would look somewhat similar to the mining emission curve: volume would start off very high as the most valuable addresses are drained and then it would fall off as quantum computers went down the list targeting addresses with less and less BTC.

Why is economic impact a factor worth considering? Miners and businesses in general. More coins being liquidated will push down the price, which will negatively impact miner revenue. Similarly, I can attest from working in the industry for a decade, that lower prices result in less demand from businesses across the entire industry. As such, burning quantum vulnerable bitcoin is good for the entire industry.

Practicality & Neutrality of Non-Intervention
There’s no reliable way to distinguish “theft” from legitimate "white hat" key recovery. If someone loses their private key and a quantum computer recovers it, is that stealing or reclaiming? Policing quantum actions requires invasive assumptions about intent, which Bitcoin’s trustless design can’t accommodate. Letting the chips fall where they may avoids this mess.

Philosophical Purity
Bitcoin rejects bailouts. It’s a cold, hard system where outcomes reflect preparation and skill, not sentimentality. If quantum computing upends the game, that’s the point - Bitcoin isn’t meant to be safe or fair in a nanny-state sense; it’s meant to be free. Users who lose funds to quantum attacks are casualties of liberty and their own ignorance, not victims of injustice.

Bitcoin's DAO Moment
This situation has some similarities to The DAO hack of an Ethereum smart contract in 2016, which resulted in a fork to stop the attacker and return funds to their original owners. The game theory is similar because it's a situation where a threat is known but there's some period of time before the attacker can actually execute the theft. As such, there's time to mitigate the attack by changing the protocol.

It also created a schism in the community around the true meaning of "code is law," resulting in Ethereum Classic, which decided to allow the attacker to retain control of the stolen funds.

A soft fork to burn vulnerable bitcoin could certainly result in a hard fork if there are enough miners who reject the soft fork and continue including transactions.

Incentives Matter
We can wax philosophical until the cows come home, but what are the actual incentives for existing Bitcoin holders regarding this decision?

"Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone." - Satoshi Nakamoto

If true, the corollary is:

"Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone." - Jameson Lopp

Thus, assuming we get to a point where quantum resistant signatures are supported within the Bitcoin protocol, what's the incentive to let vulnerable coins remain spendable?

* It's not good for the actual owners of those coins. It disincentivizes owners from upgrading until perhaps it's too late.
* It's not good for the more attentive / responsible owners of coins who have quantum secured their stash. Allowing the circulating supply to balloon will assuredly reduce the purchasing power of all bitcoin holders.

Forking Game Theory
From a game theory point of view, I see this as incentivizing users to upgrade their wallets. If you disagree with the burning of vulnerable coins, all you have to do is move your funds to a quantum safe signature scheme. Point being, I don't see there being an economic majority (or even more than a tiny minority) of users who would fight such a soft fork. Why expend significant resources fighting a fork when you can just move your coins to a new address?

Remember that blocking spending of certain classes of locking scripts is a tightening of the rules - a soft fork. As such, it can be meaningfully enacted and enforced by a mere majority of hashpower. If miners generally agree that it's in their best interest to burn vulnerable coins, are other users going to care enough to put in the effort to run new node software that resists the soft fork? Seems unlikely to me.

How to Execute Burning

In order to be as objective as possible, the goal would be to announce to the world that after a specific block height / timestamp, Bitcoin nodes will no longer accept transactions (or blocks containing such transactions) that spend funds from any scripts other than the newly instituted quantum safe schemes.

It could take a staggered approach to first freeze funds that are susceptible to long-range attacks such as those in P2PK scripts or those that exposed their public keys due to previously re-using addresses, but I expect the additional complexity would drive further controversy.

How long should the grace period be in order to give the ecosystem time to upgrade? I'd say a minimum of 1 year for software wallets to upgrade. We can only hope that hardware wallet manufacturers are able to implement post quantum cryptography on their existing hardware with only a firmware update.

Beyond that, it will take at least 6 months worth of block space for all users to migrate their funds, even in a best case scenario. Though if you exclude dust UTXOs you could probably get 95% of BTC value migrated in 1 month. Of course this is a highly optimistic situation where everyone is completely focused on migrations - in reality it will take far longer.

Regardless, I'd think that in order to reasonably uphold Bitcoin's conservatism it would be preferable to allow a 4 year migration window. In the meantime, mining pools could coordinate emergency soft forking logic such that if quantum attackers materialized, they could accelerate the countdown to the quantum vulnerable funds burn.

Random Tangential Benefits
On the plus side, burning all quantum vulnerable bitcoin would allow us to prune all of those UTXOs out of the UTXO set, which would also clean up a lot of dust. Dust UTXOs are a bit of an annoyance and there has even been a recent proposal for how to incentivize cleaning them up.

We should also expect that incentivizing migration of the entire UTXO set will create substantial demand for block space that will sustain a fee market for a fairly lengthy amount of time.

In Summary
While the moral quandary of violating any of Bitcoin's inviolable properties can make this a very complex issue to discuss, the game theory and incentives between burning vulnerable coins versus allowing them to be claimed by entities with quantum supremacy appears to be a much simpler issue.

I, for one, am not interested in rewarding quantum capable entities by inflating the circulating money supply just because some people lost their keys long ago and some laggards are not upgrading their bitcoin wallet's security.

We can hope that this scenario never comes to pass, but hope is not a strategy.

I welcome your feedback upon any of the above points, and contribution of any arguments I failed to consider.

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com.
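An added example, not code from the post above or from any Bitcoin implementation: a small Python audit that applies the post's exposure model ("Who is at Risk?") to a constructed UTXO set and models the staggered cutoff sketched under "How to Execute Burning". scriptPubKeys are classified by template; outputs whose public key is already readable from the chain (P2PK, bare multisig, any script already spent from, and P2TR, whose output key sits directly in the script, a point the post itself does not raise) are tagged long-range exposed. Key bytes, cutoff heights and the quantum-safe script type set are placeholders.

```python
"""Audit a UTXO set for public-key exposure under the post's threat model.
Added example, not code from the original post or from Bitcoin Core;
sample UTXOs, key bytes and cutoff heights are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

OP_0, OP_1, OP_16 = 0x00, 0x51, 0x60
OP_DUP, OP_HASH160, OP_EQUAL = 0x76, 0xA9, 0x87
OP_EQUALVERIFY, OP_CHECKSIG, OP_CHECKMULTISIG = 0x88, 0xAC, 0xAE


def classify(spk: bytes) -> Tuple[str, bool]:
    """Return (script_type, key_on_chain): True when the public key can be
    read from the output itself, without waiting for the owner to spend."""
    n = len(spk)
    if n < 2:
        return "nonstandard", False
    # P2PK: <33|65-byte pubkey> OP_CHECKSIG -- the key sits in the output
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh", False
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL (redeem script hidden until spent)
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[-1] == OP_EQUAL:
        return "p2sh", False
    # Segwit v0: OP_0 <20> is P2WPKH, OP_0 <32> is P2WSH (hash only)
    if spk[0] == OP_0 and spk[1] in (20, 32) and n == spk[1] + 2:
        return ("p2wpkh" if spk[1] == 20 else "p2wsh"), False
    # P2TR: OP_1 <32-byte x-only key> -- the tweaked output key is on chain
    if n == 34 and spk[0] == OP_1 and spk[1] == 32:
        return "p2tr", True
    # Bare multisig: OP_m <pubkey>... OP_n OP_CHECKMULTISIG -- all keys on chain
    if (n > 3 and spk[-1] == OP_CHECKMULTISIG
            and OP_1 <= spk[0] <= OP_16 and OP_1 <= spk[-2] <= OP_16):
        m, k = spk[0] - OP_1 + 1, spk[-2] - OP_1 + 1
        i, pushes = 1, 0
        while i < n - 2 and spk[i] in (33, 65):
            i, pushes = i + 1 + spk[i], pushes + 1
        if i == n - 2 and pushes == k and m <= k:
            return f"bare_multisig_{m}of{k}", True
    return "nonstandard", False


@dataclass(frozen=True)
class Utxo:
    value_sat: int
    spk: bytes
    script_spent_before: bool = False  # same script already spent from (reuse)


def exposure(u: Utxo) -> str:
    """'long-range' if the key is already public (attackable at leisure),
    'short-range' if it only appears in the spending transaction."""
    _, key_on_chain = classify(u.spk)
    return "long-range" if key_on_chain or u.script_spent_before else "short-range"


def audit(utxos: List[Utxo]) -> Dict[str, int]:
    """Sum value (sats) per exposure class: the first thing a custodian would run."""
    totals = {"long-range": 0, "short-range": 0}
    for u in utxos:
        totals[exposure(u)] += u.value_sat
    return totals


def spend_allowed(u: Utxo, height: int, long_range_cutoff: int, all_cutoff: int,
                  quantum_safe_types: FrozenSet[str] = frozenset()) -> bool:
    """Model of the staggered freeze the post sketches: from long_range_cutoff
    reject spends of long-range-exposed outputs; from all_cutoff reject every
    spend not from a quantum-safe script type (placeholder set: no such output
    type exists at time of writing, so it defaults to empty)."""
    script_type, _ = classify(u.spk)
    if script_type in quantum_safe_types:
        return True
    if height >= all_cutoff:
        return False
    return not (height >= long_range_cutoff and exposure(u) == "long-range")


# Constructed sample set: fake key/hash bytes, not real on-chain data.
KEY = bytes([0x02]) + bytes(range(1, 33))  # 33-byte stand-in for a pubkey
H20, H32 = bytes(range(20)), bytes(range(32))
P2PKH_SPK = bytes([OP_DUP, OP_HASH160, 20]) + H20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])
SAMPLE = [
    Utxo(50_0000_0000, bytes([33]) + KEY + bytes([OP_CHECKSIG])),  # P2PK
    Utxo(10_0000_0000, P2PKH_SPK),                                 # fresh P2PKH
    Utxo(30_0000_0000, P2PKH_SPK, script_spent_before=True),       # reused P2PKH
    Utxo(5_0000_0000, bytes([OP_0, 20]) + H20),                    # P2WPKH
    Utxo(7_0000_0000, bytes([OP_1, 32]) + H32),                    # P2TR
    Utxo(20_0000_0000, bytes([OP_1 + 1]) + (bytes([33]) + KEY) * 3
         + bytes([OP_1 + 2, OP_CHECKMULTISIG])),                   # 2-of-3 bare
]
```

`audit(SAMPLE)` reports 107 BTC as long-range exposed and 15 BTC as short-range; a real run would feed it a node's UTXO dump plus per-script spend history.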
