path: root/07/b3d76b4d1fe95627de2daede5e6ece5ad12296

Delivery-date: Sun, 25 May 2025 17:48:29 -0700
Received: from mail-oi1-f190.google.com ([209.85.167.190])
	by mail.fairlystable.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <bitcoindev+bncBCQ6XM4A6IDBBT7UZ3AQMGQEG5GZM6A@googlegroups.com>)
	id 1uJM0v-00089H-9G
	for bitcoindev@gnusha.org; Sun, 25 May 2025 17:48:29 -0700
Received: by mail-oi1-f190.google.com with SMTP id 5614622812f47-400b3984779sf1845651b6e.3
        for <bitcoindev@gnusha.org>; Sun, 25 May 2025 17:48:25 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1748220499; cv=pass;
        d=google.com; s=arc-20240605;
        b=UUFsn+ujKteK+/t+7gpbjj+ArbAlDHtDAcavu0ZPBbFy0kHDejIQy/ZfI4ccecfLIP
         iqGy2icBUgheR0/fG4I7by6WyjSnqj1AkBIMIKi0Htr1jRL9QCBy5QQQy1S9RYSc1n4I
         f4xPT7nDHoI1gpw2MxbnQmz6Xtpcf4PD88d8iGLnNpZyLfmqme79II2qGaEeHSnS5Rqb
         4jZhxu5MshI07Y2eLMMgO/dYaPSGMV+vLxVl6UlgO34sb8UMOdCVoby/Xn4Bf1A9fTgt
         sdXpTZfGq35/kwsIsqiMN5WSGF55Pjp2f1Gbo6udNkmRhPI4xVcoM+fJuNvu+/FXfwzs
         8i6g==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:sender:dkim-signature
         :dkim-signature;
        bh=SkGffRBvIzaZDiySOY8QMr2rqOQVLOuK979BV0yK+eQ=;
        fh=yQLI1L/9ImmZ7tgX8/owNnJXTuV97e9oL8alxZ2BiwU=;
        b=IbnmL4IqNHJQfLxvMs2ETDKasz8Se9HUGs5W8HV+QoekuXNqnRq/LPEabmu3TAdfRw
         R8wTyGwEZrJW5gtSOWwVePlqxFvc9cAiVWiCnWO4YCMkFEbzP2A6wRByi51hJf/6PEVb
         nUXhXJI3pchwpmvSukd5cR+1odA5wNNwLpJ9fFZsJ7G6f7O7y1aKUUmv3kiyilWmYK+l
         nORRD2YeGHfj5RjjADUNT3RfjeF98dZlIcoJm83BoNIxI8MQ+nB+rS0Fjw4t5EkyEnGV
         22U0xLG0IlbvUA6EQ/tytVjUsrOHAQsWVNQ4tOlFNrqv2sSEKlfJMdXkmWlKtHNCYjWA
         bGwQ==;
        darn=gnusha.org
ARC-Authentication-Results: i=2; gmr-mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=J+4lFRJ1;
       spf=pass (google.com: domain of agustin.cruz@gmail.com designates 2a00:1450:4864:20::22b as permitted sender) smtp.mailfrom=agustin.cruz@gmail.com;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com;
       dara=pass header.i=@googlegroups.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlegroups.com; s=20230601; t=1748220499; x=1748825299; darn=gnusha.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-authentication-results
         :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:sender:from:to:cc:subject:date:message-id
         :reply-to;
        bh=SkGffRBvIzaZDiySOY8QMr2rqOQVLOuK979BV0yK+eQ=;
        b=kERhGDB763BRFQiP3CQdN8QSIViSXxpAr2P2m/fM94tRTftt3xgCKRDQICWxnan6wB
         tbB+IvlpQzL+fYRCYkB1MnjRdUFTuTumwlvqloylFSJ8euDWYTb6oyxAqjoGqiunXNK8
         gVUvCyhll9Iw/RPhE8P2oClSxhN5bL4NiQ3ZflO5gvluy0VuKVHi/MzyTtroqvRpWJNC
         mXlVawd/oopiYkcZjMx91NGVDRjXRpfkm40fGS/cy7K7n+ODlRgGK9q1mMjnT1db9qNV
         LQlcyU557uu1+EVgSx/E9JbuoNwsCXQqc1vWeuRr3vpjJKKp6CdyrB1z1Hhjt6RiwyCL
         MqFQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1748220499; x=1748825299; darn=gnusha.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-authentication-results
         :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:from:to:cc:subject:date:message-id:reply-to;
        bh=SkGffRBvIzaZDiySOY8QMr2rqOQVLOuK979BV0yK+eQ=;
        b=UtKodlzj4/lJgB7bzpAIUXImIHDm45P/gdkGbVEI+jlkaOyK/hVj7AM9RPZPHmtA/2
         NptXixj00jbNAZAOuExEfaFXVdrdLs2kdMHt/9De7KYcv1VHlR1/E8ztlhcc4IsZJJu3
         Iy5jMJYbascoaNyRZJOitTaSzmEDixczgS6e9PCG3ztsYFnPXAX8v52ctUkciVgEXxka
         zxhs5ytiPwJv7O+m1KbpsxQUHzqOkmA0lnCYJzF5Jv0Qj9sPgGgPNTbWwsVvWfIR8zW6
         Zl771XyjWpTFOSdmvSfNXuxOze75J0T/qsLsb9MNtVF/Q0sDdxq0Ezi9TTnU/OzteU1M
         jjRg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1748220499; x=1748825299;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-authentication-results
         :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to
         :references:mime-version:x-beenthere:x-gm-message-state:sender:from
         :to:cc:subject:date:message-id:reply-to;
        bh=SkGffRBvIzaZDiySOY8QMr2rqOQVLOuK979BV0yK+eQ=;
        b=kWTxNbAPEdlHDbrx91XtAGQCkXVemhSNdjuR/L3xpghn84ns6WTDH/FdcvNEtirAdH
         wjVodfk7W/IDWJGWvdNxsjHU9lOzAjvcoFZdQNe1D2u+F7jDkuiJzNOIXE1fxj/w/Ean
         L8J1wxD/JyVjPVbIlJtoApQtxE08HapP+pdfrjOjN0Sx+SBy2sxGwLANIC7SZd/7Kz+8
         FAD0FZcl7QfgVEUpJ4jtbq40ZqYreUG54uQtGnkdr00KWayuX+CO6fluYPBq8nTdHLVj
         tqLDSowa1vnyH/989n/KsLzv9O/wqSIF3j3WivyZgsz95iI+RXAkxi8t2PVnIyAAQqII
         cgrw==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=2; AJvYcCWf4hHoSwmWvvz4OzwcFbaAel9Zw5HMVDCOCwczPQFJi6jFRp/KbLnKR5EcK1D/SqD+H+b/Hgl3i7bh@gnusha.org
X-Gm-Message-State: AOJu0YwZp2w6w8fwy79gMYr9wQy5sqafn7mKWb4DUFT5/MHFvfyHhGVd
	QqY/DNqDXABudDOQIFHnRBcIPZe55TO8G0vDVw8Vy/7061Pu13sjoKmg
X-Google-Smtp-Source: AGHT+IEtuqSNDOuYtfqgXZ9l7JGVfd6xu6bb760Lm1HudqWJKNoxAH4pewJItL3q13dsjPs0FzdL9g==
X-Received: by 2002:a05:6808:338a:b0:401:e6f0:a8d4 with SMTP id 5614622812f47-406467c3fabmr4581801b6e.5.1748220499094;
        Sun, 25 May 2025 17:48:19 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com; h=AVT/gBEBBRpqlXL19pEe/8RJMQPYbjVkJJOOz/B98pXWGl+FVg==
Received: by 2002:a4a:d504:0:b0:604:8bd0:c016 with SMTP id 006d021491bc7-60b9f754834ls507270eaf.2.-pod-prod-01-us;
 Sun, 25 May 2025 17:48:15 -0700 (PDT)
X-Forwarded-Encrypted: i=2; AJvYcCXtCUs3vQeTX2QBlhHNqReEEBUoQmiGnnu5/nbvEIioyd0nKbnOz17lxMvVAjjle3kdRIDrprAMHByM@googlegroups.com
X-Received: by 2002:a05:6808:3c48:b0:3f6:65fe:2672 with SMTP id 5614622812f47-406467c3f8emr4586617b6e.2.1748220495254;
        Sun, 25 May 2025 17:48:15 -0700 (PDT)
Received: by 2002:aa7:c344:0:b0:604:5e91:86bb with SMTP id 4fb4d7f45d1cf-6045e9187a0msa12;
        Sun, 25 May 2025 17:32:19 -0700 (PDT)
X-Forwarded-Encrypted: i=2; AJvYcCWIcmsYmATUcDm5l1DIII/K7jvkYjmNb36aQqFTnUiPTZicyIIvKhyTjEArknM/QEEwAj6CCP0DJ7EX@googlegroups.com
X-Received: by 2002:a05:6402:2801:b0:5f7:29e0:5cf9 with SMTP id 4fb4d7f45d1cf-602d8e63095mr5531798a12.5.1748219537429;
        Sun, 25 May 2025 17:32:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1748219537; cv=none;
        d=google.com; s=arc-20240605;
        b=ZCPVZ7PdB6eBeM4K9/dvdPQNPiIPNvSYnmL+J/xNmnOVKsJ6NreyI6ItMYE09rLm4C
         NOcUC8BJw77zeHcdQGaeCd5QTa6c/sekVR9nGgsReXpnHqzfhwHR2TnKlhc+0Rq0fgxX
         cEqgKlUgqy/ljTW9b+dlEBCqWsQet3y1lV/yzZyI8yDBlUgwagn36waSgh7yqgxxGCEy
         lZuE++DxwFbEOOseCHE+lNp3Zag4myLm2/4ZJsRSCXAYJUDUnMm6Id3/I2FLE225gvgb
         clWbPRN1CaMagmjWyi/laTvjEIypxgYzqGvWkufptHZkEPffDGJUHr/n0y1xUourYXfb
         CJPw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:dkim-signature;
        bh=s3MBI2zY01CbZFnsqsSgk2lRlaJsYaYujHmtDaVOoV8=;
        fh=MN9CwZkqMNHGESTc40e4dT1lufDTPcTjWNt7bp8uV/c=;
        b=NkGqRUhhhf2eyvWn4JBbAefIU0JCzlMVI8C5EePpTdKe7N+B0kmonYenjQyg+asVm/
         QScZTQd2nRYvCRf50rJXY/oovjvD44utQU6cqqWV49pvxxDSWYEY2NcIQUoXEGkOC1dT
         tgneZS14hk9pYeF88G3mXeTF0oikBbliFOR85L+U6SAkSw0/PL7iNsrUbn4mEmKy+Ncg
         IQjPiKX2QWMPdfLGBDfY0B0TVWqrWz77znOfBswyxDFOj+FzIaSVYCvFuE1LNQAZOery
         6P6XjH5QKKYtMM7r57fVCDMOUdFR6cr5/tVwxV4fmJoKsoI7E6EO+Jd/m+bzJTghOtMO
         OD2g==;
        dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=J+4lFRJ1;
       spf=pass (google.com: domain of agustin.cruz@gmail.com designates 2a00:1450:4864:20::22b as permitted sender) smtp.mailfrom=agustin.cruz@gmail.com;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com;
       dara=pass header.i=@googlegroups.com
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com. [2a00:1450:4864:20::22b])
        by gmr-mx.google.com with ESMTPS id 4fb4d7f45d1cf-604703ddb00si47843a12.2.2025.05.25.17.32.17
        for <bitcoindev@googlegroups.com>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Sun, 25 May 2025 17:32:17 -0700 (PDT)
Received-SPF: pass (google.com: domain of agustin.cruz@gmail.com designates 2a00:1450:4864:20::22b as permitted sender) client-ip=2a00:1450:4864:20::22b;
Received: by mail-lj1-x22b.google.com with SMTP id 38308e7fff4ca-32a63ff3bdfso631761fa.3
        for <bitcoindev@googlegroups.com>; Sun, 25 May 2025 17:32:17 -0700 (PDT)
X-Forwarded-Encrypted: i=1; AJvYcCUAIXTo/dg1BqvNuGQ6znFzQD30PEFN790EcdKotRqJgNCxXdXihXY5uzFsSVY6pGqsY60c0w29PgEu@googlegroups.com
X-Gm-Gg: ASbGncuH3qDLG8jyyZcoMN2zSoxy/L3/fhzgy1mMiBiC75vnuSRVxtKta01tYp9Mchg
	M5LWYFTKisZnHE/1vW3PO7NSeE0or2iXUvWmddbASztlxZkP7kual522E3fycoZ1KhvqvnKrKg4
	9bH50xxuQONNrUmUR6GU3MLhdefkw6LOgiI0o=
X-Received: by 2002:a2e:b888:0:b0:308:f3b4:ea66 with SMTP id
 38308e7fff4ca-3295ba5e02bmr21957161fa.28.1748219536212; Sun, 25 May 2025
 17:32:16 -0700 (PDT)
MIME-Version: 1.0
References: <E8269A1A-1899-46D2-A7CD-4D9D2B732364@astrotown.de>
 <CAJDmzYxw+mXQKjS+h+r6mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg@mail.gmail.com>
 <zyx7G6H1TyB2sWVEKAfIYmCCvfXniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXLmiCJOY=@proton.me>
 <CAC3UE4+DR=DQqtT+X0SYvH1XCVnmatD7frcHC5dtdVAef39UnQ@mail.gmail.com>
In-Reply-To: <CAC3UE4+DR=DQqtT+X0SYvH1XCVnmatD7frcHC5dtdVAef39UnQ@mail.gmail.com>
From: Agustin Cruz <agustin.cruz@gmail.com>
Date: Sun, 25 May 2025 20:32:04 -0400
X-Gm-Features: AX0GCFsFv3ckA9gaWctWiTvyLOsLDsDpG5OuSQw2fP2ARVpWVJC0fwWySIX42Lo
Message-ID: <CAJDmzYycnXODG_e9ATqTkooUu3C-RS703P1-RQLW5CdcCehsqg@mail.gmail.com>
Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin
To: Dustin Ray <dustinvonsandwich@gmail.com>
Cc: conduition <conduition@proton.me>, AstroTown <saulo@astrotown.de>, 
	Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Content-Type: multipart/alternative; boundary="00000000000072273e0635ff143b"
X-Original-Sender: agustin.cruz@gmail.com
X-Original-Authentication-Results: gmr-mx.google.com;       dkim=pass
 header.i=@gmail.com header.s=20230601 header.b=J+4lFRJ1;       spf=pass
 (google.com: domain of agustin.cruz@gmail.com designates 2a00:1450:4864:20::22b
 as permitted sender) smtp.mailfrom=agustin.cruz@gmail.com;       dmarc=pass
 (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com;       dara=pass header.i=@googlegroups.com
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
 <https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: 0.0 (/)

--00000000000072273e0635ff143b
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi everyone,

QRAMP proposal aims to manage the quantum transition responsibly without
disrupting Bitcoin=E2=80=99s core principles.

QRAMP has three phases:

1. Allow wallets to optionally include PQC keys in Taproot outputs. This
enables early adoption without forcing anyone.

2. Announce a soft fork to disable vulnerable scripts, with a long
(~4-year) grace period. This gives ample time to migrate and avoids sudden
shocks.

3. Gradually deactivate vulnerable outputs based on age or inactivity. This
avoids a harsh cutoff and gives time for adaptation.

We can also allow exceptions via proof-of-possession, and delay
restrictions on timelocked outputs to avoid harming future spenders.

QRAMP is not about confiscation or control. It=E2=80=99s about aligning inc=
entives,
maintaining security, and offering a clear, non-coercive upgrade path.

Best,
Agustin Cruz



El dom, 25 de may de 2025, 7:03=E2=80=AFp.m., Dustin Ray <
dustinvonsandwich@gmail.com> escribi=C3=B3:

> The difference between the ETH/ETC split though was that no one had
> anything confiscated except the DAO hacker, everyone retained an identica=
l
> number of tokens on each chain. The proposal for BTC is very different in
> that some holders will lose access to their coins during the PQ migration
> under the confiscation approach. Just wanted to point that out.
>
> On Sun, May 25, 2025 at 3:06=E2=80=AFPM 'conduition' via Bitcoin Developm=
ent
> Mailing List <bitcoindev@googlegroups.com> wrote:
>
>> Hey Saulo,
>>
>> You're right about the possibility of an ugly split. Laggards who don't
>> move coins to PQ address schemes will be incentivized to follow any chai=
n
>> where they keep their coins. But those who do migrate will be incentiviz=
ed
>> to follow the chain where unmigrated pre-quantum coins are frozen.
>>
>> While you're comparing this event to the ETH/ETC split, we should
>> remember that ETH remained the dominant chain despite their heavy-handed
>> rollback. Just goes to show, confusion and face-loss is a lesser evil th=
an
>> allowing an adversary to pwn the network.
>>
>> This is the free-market way to solve problems without imposing rules on
>> everyone.
>>
>>
>> It'd still be a free market even if quantum-vulnerable coins are frozen.
>> The only way to test the relative value of quantum-safe vs
>> quantum-vulnerable coins is to split the chain and see how the market
>> reacts.
>>
>> IMO, the "free market way" is to give people options and let their money
>> flow to where it works best. That means people should be able to choose
>> whether they want their money to be part of a system that allows quantum
>> attack, or part of one which does not. I know which I would choose, but
>> neither you nor I can make that choice for everyone.
>>
>> regards,
>> conduition
>> On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz <
>> agustin.cruz@gmail.com> wrote:
>>
>> I=E2=80=99m against letting quantum computers scoop up funds from addres=
ses that
>> don=E2=80=99t upgrade to quantum-resistant.
>> Saulo=E2=80=99s idea of a free-market approach, leaving old coins up for=
 grabs if
>> people don=E2=80=99t move them, sounds fair at first. Let luck decide, r=
ight? But I
>> worry it=E2=80=99d turn into a mess. If quantum machines start cracking =
keys and
>> snagging coins, it=E2=80=99s not just lost Satoshi-era stuff at risk. Pl=
enty of
>> active wallets, like those on the rich list Jameson mentioned, could get
>> hit too. Imagine millions of BTC flooding the market. Prices tank, trust=
 in
>> Bitcoin takes a dive, and we all feel the pain. Freezing those vulnerabl=
e
>> funds keeps that chaos in check.
>> Plus, =E2=80=9Cyour keys, your coins=E2=80=9D is Bitcoin=E2=80=99s heart=
. If quantum tech can
>> steal from you just because you didn=E2=80=99t upgrade fast enough, that=
 promise
>> feels shaky. Freezing funds after a heads-up period (say, four years)
>> protects that idea better than letting tech giants or rogue states play
>> vampire with our network. It also nudges people to get their act togethe=
r
>> and move to safer addresses, which strengthens Bitcoin long-term.
>> Saulo=E2=80=99s right that freezing coins could confuse folks or spark a=
 split
>> like Ethereum Classic. But I=E2=80=99d argue quantum theft would look wo=
rse.
>> Bitcoin would seem broken, not just strict. A clear plan and enough time=
 to
>> migrate could smooth things over. History=E2=80=99s on our side too. Bit=
coin=E2=80=99s
>> fixed bugs before, like SegWit. This feels like that, not a bailout.
>> So yeah, I=E2=80=99d rather see vulnerable coins locked than handed to w=
hoever
>> builds the first quantum rig. It=E2=80=99s less about coddling people an=
d more
>> about keeping Bitcoin solid for everyone. What do you all think?
>> Cheers,
>> Agust=C3=ADn
>>
>>
>> On Sun, Mar 23, 2025 at 10:29=E2=80=AFPM AstroTown <saulo@astrotown.de> =
wrote:
>>
>>> I believe that having some entity announce the decision to freeze old
>>> UTXOs would be more damaging to Bitcoin=E2=80=99s image (and its value)=
 than having
>>> them gathered by QC. This would create another version of Bitcoin, simi=
lar
>>> to Ethereum Classic, causing confusion in the market.
>>>
>>> It would be better to simply implement the possibility of moving funds
>>> to a PQC address without a deadline, allowing those who fail to do so t=
o
>>> rely on luck to avoid having their coins stolen. Most coins would be
>>> migrated to PQC anyway, and in most cases, only the lost ones would rem=
ain
>>> vulnerable. This is the free-market way to solve problems without impos=
ing
>>> rules on everyone.
>>>
>>> Saulo Fonseca
>>>
>>>
>>> On 16. Mar 2025, at 15:15, Jameson Lopp <jameson.lopp@gmail.com> wrote:
>>>
>>> The quantum computing debate is heating up. There are many controversia=
l
>>> aspects to this debate, including whether or not quantum computers will
>>> ever actually become a practical threat.
>>>
>>> I won't tread into the unanswerable question of how worried we should b=
e
>>> about quantum computers. I think it's far from a crisis, but given the
>>> difficulty in changing Bitcoin it's worth starting to seriously discuss=
.
>>> Today I wish to focus on a philosophical quandary related to one of the
>>> decisions that would need to be made if and when we implement a quantum
>>> safe signature scheme.
>>>
>>> Several Scenarios
>>> Because this essay will reference game theory a fair amount, and there
>>> are many variables at play that could change the nature of the game, I
>>> think it's important to clarify the possible scenarios up front.
>>>
>>> 1. Quantum computing never materializes, never becomes a threat, and
>>> thus everything discussed in this essay is moot.
>>> 2. A quantum computing threat materializes suddenly and Bitcoin does no=
t
>>> have quantum safe signatures as part of the protocol. In this scenario =
it
>>> would likely make the points below moot because Bitcoin would be
>>> fundamentally broken and it would take far too long to upgrade the
>>> protocol, wallet software, and migrate user funds in order to restore
>>> confidence in the network.
>>> 3. Quantum computing advances slowly enough that we come to consensus
>>> about how to upgrade Bitcoin and post quantum security has been minimal=
ly
>>> adopted by the time an attacker appears.
>>> 4. Quantum computing advances slowly enough that we come to consensus
>>> about how to upgrade Bitcoin and post quantum security has been highly
>>> adopted by the time an attacker appears.
>>>
>>> For the purposes of this post, I'm envisioning being in situation 3 or =
4.
>>>
>>> To Freeze or not to Freeze?
>>> I've started seeing more people weighing in on what is likely the most
>>> contentious aspect of how a quantum resistance upgrade should be handle=
d in
>>> terms of migrating user funds. Should quantum vulnerable funds be left =
open
>>> to be swept by anyone with a sufficiently powerful quantum computer OR
>>> should they be permanently locked?
>>>
>>> "I don't see why old coins should be confiscated. The better option is
>>>> to let those with quantum computers free up old coins. While this migh=
t
>>>> have an inflationary impact on bitcoin's price, to use a turn of phras=
e,
>>>> the inflation is transitory. Those with low time preference should sup=
port
>>>> returning lost coins to circulation."
>>>
>>> - Hunter Beast
>>>
>>>
>>> On the other hand:
>>>
>>> "Of course they have to be confiscated. If and when (and that's a big
>>>> if) the existence of a cryptography-breaking QC becomes a credible thr=
eat,
>>>> the Bitcoin ecosystem has no other option than softforking out the abi=
lity
>>>> to spend from signature schemes (including ECDSA and BIP340) that are
>>>> vulnerable to QCs. The alternative is that millions of BTC become
>>>> vulnerable to theft; I cannot see how the currency can maintain any va=
lue
>>>> at all in such a setting. And this affects everyone; even those which
>>>> diligently moved their coins to PQC-protected schemes."
>>>> - Pieter Wuille
>>>
>>>
>>> I don't think "confiscation" is the most precise term to use, as the
>>> funds are not being seized and reassigned. Rather, what we're really
>>> discussing would be better described as "burning" - placing the funds *=
out
>>> of reach of everyone*.
>>>
>>> Not freezing user funds is one of Bitcoin's inviolable properties.
>>> However, if quantum computing becomes a threat to Bitcoin's elliptic cu=
rve
>>> cryptography, *an inviolable property of Bitcoin will be violated one
>>> way or another*.
>>>
>>> Fundamental Properties at Risk
>>> 5 years ago I attempted to comprehensively categorize all of Bitcoin's
>>> fundamental properties that give it value.
>>> https://nakamoto.com/what-are-the-key-properties-of-bitcoin/
>>>
>>> The particular properties in play with regard to this issue seem to be:
>>>
>>> *Censorship Resistance* - No one should have the power to prevent
>>> others from using their bitcoin or interacting with the network.
>>>
>>> *Forward Compatibility* - changing the rules such that certain valid
>>> transactions become invalid could undermine confidence in the protocol.
>>>
>>> *Conservatism* - Users should not be expected to be highly responsive
>>> to system issues.
>>>
>>> As a result of the above principles, we have developed a strong meme
>>> (kudos to Andreas Antonopoulos) that goes as follows:
>>>
>>> Not your keys, not your coins.
>>>
>>>
>>> I posit that the corollary to this principle is:
>>>
>>> Your keys, only your coins.
>>>
>>>
>>> A quantum capable entity breaks the corollary of this foundational
>>> principle. We secure our bitcoin with the mathematical probabilities
>>> related to extremely large random numbers. Your funds are only secure
>>> because truly random large numbers should not be guessable or discovera=
ble
>>> by anyone else in the world.
>>>
>>> This is the principle behind the motto *vires in numeris* - strength in
>>> numbers. In a world with quantum enabled adversaries, this principle is
>>> null and void for many types of cryptography, including the elliptic cu=
rve
>>> digital signatures used in Bitcoin.
>>>
>>> Who is at Risk?
>>> There has long been a narrative that Satoshi's coins and others from th=
e
>>> Satoshi era of P2PK locking scripts that exposed the public key directl=
y on
>>> the blockchain will be those that get scooped up by a quantum "miner." =
But
>>> unfortunately it's not that simple. If I had a powerful quantum compute=
r,
>>> which coins would I target? I'd go to the Bitcoin rich list and find th=
e
>>> wallets that have exposed their public keys due to re-using addresses t=
hat
>>> have previously been spent from. You can easily find them at
>>> https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html
>>>
>>> Note that a few of these wallets, like Bitfinex / Kraken / Tether, woul=
d
>>> be slightly harder to crack because they are multisig wallets. So a qua=
ntum
>>> attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitf=
inex
>>> / Tether in order to spend funds. But many are single signature.
>>>
>>> Point being, it's not only the really old lost BTC that are at risk to =
a
>>> quantum enabled adversary, at least at time of writing. If we add a qua=
ntum
>>> safe signature scheme, we should expect those wallets to be some of the
>>> first to upgrade given their incentives.
>>>
>>> The Ethical Dilemma: Quantifying Harm
>>> Which decision results in the most harm?
>>>
>>> By making quantum vulnerable funds unspendable we potentially harm some
>>> Bitcoin users who were not paying attention and neglected to migrate th=
eir
>>> funds to a quantum safe locking script. This violates the "conservativi=
sm"
>>> principle stated earlier. On the flip side, we prevent those funds plus=
 far
>>> more lost funds from falling into the hands of the few privileged folks=
 who
>>> gain early access to quantum computers.
>>>
>>> By leaving quantum vulnerable funds available to spend, the same set of
>>> users who would otherwise have funds frozen are likely to see them stol=
en.
>>> And many early adopters who lost their keys will eventually see their
>>> unreachable funds scooped up by a quantum enabled adversary.
>>>
>>> Imagine, for example, being James Howells, who accidentally threw away =
a
>>> hard drive with 8,000 BTC on it, currently worth over $600M USD. He has
>>> spent a decade trying to retrieve it from the landfill where he knows i=
t's
>>> buried, but can't get permission to excavate. I suspect that, given the
>>> choice, he'd prefer those funds be permanently frozen rather than fall =
into
>>> someone else's possession - I know I would.
>>>
>>> Allowing a quantum computer to access lost funds doesn't make those
>>> users any worse off than they were before, however it *would*have a
>>> negative impact upon everyone who is currently holding bitcoin.
>>>
>>> It's prudent to expect significant economic disruption if large amounts
>>> of coins fall into new hands. Since a quantum computer is going to have=
 a
>>> massive up front cost, expect those behind it to desire to recoup their
>>> investment. We also know from experience that when someone suddenly fin=
ds
>>> themselves in possession of 9+ figures worth of highly liquid assets, t=
hey
>>> tend to diversify into other things by selling.
>>>
>>> Allowing quantum recovery of bitcoin is *tantamount to wealth
>>> redistribution*. What we'd be allowing is for bitcoin to be
>>> redistributed from those who are ignorant of quantum computers to those=
 who
>>> have won the technological race to acquire quantum computers. It's hard=
 to
>>> see a bright side to that scenario.
>>>
>>> Is Quantum Recovery Good for Anyone?
>>>
>>> Does quantum recovery HELP anyone? I've yet to come across an argument
>>> that it's a net positive in any way. It certainly doesn't add any secur=
ity
>>> to the network. If anything, it greatly decreases the security of the
>>> network by allowing funds to be claimed by those who did not earn them.
>>>
>>> But wait, you may be thinking, wouldn't quantum "miners" have earned
>>> their coins by all the work and resources invested in building a quantu=
m
>>> computer? I suppose, in the same sense that a burglar earns their spoil=
s by
>>> the resources they invest into surveilling targets and learning the ski=
lls
>>> needed to break into buildings. What I say "earned" I mean through
>>> productive mutual trade.
>>>
>>> For example:
>>>
>>> * Investors earn BTC by trading for other currencies.
>>> * Merchants earn BTC by trading for goods and services.
>>> * Miners earn BTC by trading thermodynamic security.
>>> * Quantum miners don't trade anything, they are vampires feeding upon
>>> the system.
>>>
>>> There's no reason to believe that allowing quantum adversaries to
>>> recover vulnerable bitcoin will be of benefit to anyone other than the
>>> select few organizations that win the technological arms race to build =
the
>>> first such computers. Probably nation states and/or the top few largest
>>> tech companies.
>>>
>>> One could certainly hope that an organization with quantum supremacy is
>>> benevolent and acts in a "white hat" manner to return lost coins to the=
ir
>>> owners, but that's incredibly optimistic and foolish to rely upon. Such=
 a
>>> situation creates an insurmountable ethical dilemma of only recovering =
lost
>>> bitcoin rather than currently owned bitcoin. There's no way to precisel=
y
>>> differentiate between the two; anyone can claim to have lost their bitc=
oin
>>> but if they have lost their keys then proving they ever had the keys
>>> becomes rather difficult. I imagine that any such white hat recovery
>>> efforts would have to rely upon attestations from trusted third parties
>>> like exchanges.
>>>
>>> Even if the first actor with quantum supremacy is benevolent, we must
>>> assume the technology could fall into adversarial hands and thus think
>>> adversarially about the potential worst case outcomes. Imagine, for
>>> example, that North Korea continues scooping up billions of dollars fro=
m
>>> hacking crypto exchanges and decides to invest some of those proceeds i=
nto
>>> building a quantum computer for the biggest payday ever...
>>>
>>> Downsides to Allowing Quantum Recovery
>>> Let's think through an exhaustive list of pros and cons for allowing or
>>> preventing the seizure of funds by a quantum adversary.
>>>
>>> Historical Precedent
>>> Previous protocol vulnerabilities weren=E2=80=99t celebrated as "fair g=
ame" but
>>> rather were treated as failures to be remediated. Treating quantum thef=
t
>>> differently risks rewriting Bitcoin=E2=80=99s history as a free-for-all=
 rather than
>>> a system that seeks to protect its users.
>>>
>>> Violation of Property Rights
>>> Allowing a quantum adversary to take control of funds undermines the
>>> fundamental principle of cryptocurrency - if you keep your keys in your
>>> possession, only you should be able to access your money. Bitcoin is bu=
ilt
>>> on the idea that private keys secure an individual=E2=80=99s assets, an=
d
>>> unauthorized access (even via advanced tech) is theft, not a legitimate
>>> transfer.
>>>
>>> Erosion of Trust in Bitcoin
>>> If quantum attackers can exploit vulnerable addresses, confidence in
>>> Bitcoin as a secure store of value would collapse. Users and investors =
rely
>>> on cryptographic integrity, and widespread theft could drive adoption a=
way
>>> from Bitcoin, destabilizing its ecosystem.
>>>
>>> This is essentially the counterpoint to claiming the burning of
>>> vulnerable funds is a violation of property rights. While some will
>>> certainly see it as such, others will find the apathy toward stopping
>>> quantum theft to be similarly concerning.
>>>
>>> Unfair Advantage
>>> Quantum attackers, likely equipped with rare and expensive technology,
>>> would have an unjust edge over regular users who lack access to such to=
ols.
>>> This creates an inequitable system where only the technologically elite=
 can
>>> exploit others, contradicting Bitcoin=E2=80=99s ethos of decentralized =
power.
>>>
>>> Bitcoin is designed to create an asymmetric advantage for DEFENDING
>>> one's wealth. It's supposed to be impractically expensive for attackers=
 to
>>> crack the entropy and cryptography protecting one's coins. But now we f=
ind
>>> ourselves discussing a situation where this asymmetric advantage is
>>> compromised in favor of a specific class of attackers.
>>>
>>> Economic Disruption
>>> Large-scale theft from vulnerable addresses could crash Bitcoin=E2=80=
=99s price
>>> as quantum recovered funds are dumped on exchanges. This would harm all
>>> holders, not just those directly targeted, leading to broader financial
>>> chaos in the markets.
>>>
>>> Moral Responsibility
>>> Permitting theft via quantum computing sets a precedent that
>>> technological superiority justifies unethical behavior. This is essenti=
ally
>>> taking a "code is law" stance in which we refuse to admit that both cod=
e
>>> and laws can be modified to adapt to previously unforeseen situations.
>>>
>>> Burning of coins can certainly be considered a form of theft, thus I
>>> think it's worth differentiating the two different thefts being discuss=
ed:
>>>
>>> 1. self-enriching & likely malicious
>>> 2. harm prevention & not necessarily malicious
>>>
>>> Both options lack the consent of the party whose coins are being burnt
>>> or transferred, thus I think the simple argument that theft is immoral
>>> becomes a wash and it's important to drill down into the details of eac=
h.
>>>
>>> Incentives Drive Security
>>> I can tell you from a decade of working in Bitcoin security - the
>>> average user is lazy and is a procrastinator. If Bitcoiners are given a
>>> "drop dead date" after which they know vulnerable funds will be burned,
>>> this pressure accelerates the adoption of post-quantum cryptography and
>>> strengthens Bitcoin long-term. Allowing vulnerable users to delay upgra=
ding
>>> indefinitely will result in more laggards, leaving the network more exp=
osed
>>> when quantum tech becomes available.
>>>
>>> Steel Manning
>>> Clearly this is a complex and controversial topic, thus it's worth
>>> thinking through the opposing arguments.
>>>
>>> Protecting Property Rights
>>> Allowing quantum computers to take vulnerable bitcoin could potentially
>>> be spun as a hard money narrative - we care so greatly about not violat=
ing
>>> someone's access to their coins that we allow them to be stolen!
>>>
>>> But I think the flip side to the property rights narrative is that
>>> burning vulnerable coins prevents said property from falling into
>>> undeserving hands. If the entire Bitcoin ecosystem just stands around a=
nd
>>> allows quantum adversaries to claim funds that rightfully belong to oth=
er
>>> users, is that really a "win" in the "protecting property rights" categ=
ory?
>>> It feels more like apathy to me.
>>>
>>> As such, I think the "protecting property rights" argument is a wash.
>>>
>>> Quantum Computers Won't Attack Bitcoin
>>> There is a great deal of skepticism that sufficiently powerful quantum
>>> computers will ever exist, so we shouldn't bother preparing for a
>>> non-existent threat. Others have argued that even if such a computer wa=
s
>>> built, a quantum attacker would not go after bitcoin because they would=
n't
>>> want to reveal their hand by doing so, and would instead attack other
>>> infrastructure.
>>>
>>> It's quite difficult to quantify exactly how valuable attacking other
>>> infrastructure would be. It also really depends upon when an entity gai=
ns
>>> quantum supremacy and thus if by that time most of the world's systems =
have
>>> already been upgraded. While I think you could argue that certain entit=
ies
>>> gaining quantum capability might not attack Bitcoin, it would only dela=
y
>>> the inevitable - eventually somebody will achieve the capability who
>>> decides to use it for such an attack.
>>>
>>> Quantum Attackers Would Only Steal Small Amounts
>>> Some have argued that even if a quantum attacker targeted bitcoin,
>>> they'd only go after old, likely lost P2PK outputs so as to not arouse
>>> suspicion and cause a market panic.
>>>
>>> I'm not so sure about that; why go after 50 BTC at a time when you coul=
d
>>> take 250,000 BTC with the same effort as 50 BTC? This is a classic "zer=
o
>>> day exploit" game theory in which an attacker knows they have a limited
>>> amount of time before someone else discovers the exploit and either
>>> benefits from it or patches it. Take, for example, the recent ByBit att=
ack
>>> - the highest value crypto hack of all time. Lazarus Group had compromi=
sed
>>> the Safe wallet front end JavaScript app and they could have simply had=
 it
>>> reassign ownership of everyone's Safe wallets as they were interacting =
with
>>> their wallet. But instead they chose to only specifically target ByBit'=
s
>>> wallet with $1.5 billion in it because they wanted to maximize their
>>> extractable value. If Lazarus had started stealing from every wallet, t=
hey
>>> would have been discovered quickly and the Safe web app would likely ha=
ve
>>> been patched well before any billion dollar wallets executed the malici=
ous
>>> code.
>>>
>>> I think the "only stealing small amounts" argument is strongest for
>>> Situation #2 described earlier, where a quantum attacker arrives before
>>> quantum safe cryptography has been deployed across the Bitcoin ecosyste=
m.
>>> Because if it became clear that Bitcoin's cryptography was broken AND t=
here
>>> was nowhere safe for vulnerable users to migrate, the only logical opti=
on
>>> would be for everyone to liquidate their bitcoin as quickly as possible=
. As
>>> such, I don't think it applies as strongly for situations in which we h=
ave
>>> a migration path available.
>>>
>>> The 21 Million Coin Supply Should be in Circulation
>>> Some folks are arguing that it's important for the "circulating /
>>> spendable" supply to be as close to 21M as possible and that having a
>>> significant portion of the supply out of circulation is somehow undesir=
able.
>>>
>>> While the "21M BTC" attribute is a strong memetic narrative, I don't
>>> think anyone has ever expected that it would all be in circulation. It =
has
>>> always been understood that many coins will be lost, and that's actuall=
y
>>> part of the game theory of owning bitcoin!
>>>
>>> And remember, the 21M number in and of itself is not a particularly
>>> important detail - it's not even mentioned in the whitepaper. What's
>>> important is that the supply is well known and not subject to change.
>>>
>>> Self-Sovereignty and Personal Responsibility
>>> Bitcoin=E2=80=99s design empowers individuals to control their own weal=
th, free
>>> from centralized intervention. This freedom comes with the burden of
>>> securing one's private keys. If quantum computing can break obsolete
>>> cryptography, the fault lies with users who didn't move their funds to
>>> quantum safe locking scripts. Expecting the network to shield users fro=
m
>>> their own negligence undermines the principle that you, and not a third
>>> party, are accountable for your assets.
>>>
>>> I think this is generally a fair point that "the community" doesn't owe
>>> you anything in terms of helping you. I think that we do, however, need=
 to
>>> consider the incentives and game theory in play with regard to quantum =
safe
>>> Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.
>>>
>>> Code is Law
>>> Bitcoin operates on transparent, immutable rules embedded in its
>>> protocol. If a quantum attacker uses superior technology to derive priv=
ate
>>> keys from public keys, they=E2=80=99re not "hacking" the system - they'=
re simply
>>> following what's mathematically permissible within the current code.
>>> Altering the protocol to stop this introduces subjective human
>>> intervention, which clashes with the objective, deterministic nature of
>>> blockchain.
>>>
>>> While I tend to agree that code is law, one of the entire points of law=
s
>>> is that they can be amended to improve their efficacy in reducing harm.
>>> Leaning on this point seems more like a pro-ossification stance that it=
's
>>> better to do nothing and allow harm to occur rather than take action to
>>> stop an attack that was foreseen far in advance.
>>>
>>> Technological Evolution as a Feature, Not a Bug
>>> It's well known that cryptography tends to weaken over time and
>>> eventually break. Quantum computing is just the next step in this
>>> progression. Users who fail to adapt (e.g., by adopting quantum-resista=
nt
>>> wallets when available) are akin to those who ignored technological
>>> advancements like multisig or hardware wallets. Allowing quantum theft
>>> incentivizes innovation and keeps Bitcoin=E2=80=99s ecosystem dynamic, =
punishing
>>> complacency while rewarding vigilance.
>>>
>>> Market Signals Drive Security
>>> If quantum attackers start stealing funds, it sends a clear signal to
>>> the market: upgrade your security or lose everything. This pressure
>>> accelerates the adoption of post-quantum cryptography and strengthens
>>> Bitcoin long-term. Coddling vulnerable users delays this necessary
>>> evolution, potentially leaving the network more exposed when quantum te=
ch
>>> becomes widely accessible. Theft is a brutal but effective teacher.
>>>
>>> Centralized Blacklisting Power
>>> Burning vulnerable funds requires centralized decision-making - a soft
>>> fork to invalidate certain transactions. This sets a dangerous preceden=
t
>>> for future interventions, eroding Bitcoin=E2=80=99s decentralization. I=
f quantum
>>> theft is blocked, what=E2=80=99s next - reversing exchange hacks? The s=
ystem must
>>> remain neutral, even if it means some lose out.
>>>
>>> I think this could be a potential slippery slope if the proposal was to
>>> only burn specific addresses. Rather, I'd expect a neutral proposal to =
burn
>>> all funds in locking script types that are known to be quantum vulnerab=
le.
>>> Thus, we could eliminate any subjectivity from the code.
>>>
>>> Fairness in Competition
>>> Quantum attackers aren't cheating; they're using publicly available
>>> physics and math. Anyone with the resources and foresight can build or
>>> access quantum tech, just as anyone could mine Bitcoin in 2009 with a C=
PU.
>>> Early adopters took risks and reaped rewards; quantum innovators are do=
ing
>>> the same. Calling it =E2=80=9Cunfair=E2=80=9D ignores that Bitcoin has =
never promised
>>> equality of outcome - only equality of opportunity within its rules.
>>>
>>> I find this argument to be a mischaracterization because we're not
>>> talking about CPUs. This is more akin to talking about ASICs, except ea=
ch
>>> ASIC costs millions if not billions of dollars. This is out of reach fr=
om
>>> all but the wealthiest organizations.
>>>
>>> Economic Resilience
>>> Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and
>>> emerged stronger. The market can absorb quantum losses, with unaffected
>>> users continuing to hold and new entrants buying in at lower prices. Fe=
ar
>>> of economic collapse overestimates the impact - the network=E2=80=99s a=
ntifragility
>>> thrives on such challenges.
>>>
>>> This is a big grey area because we don't know when a quantum computer
>>> will come online and we don't know how quickly said computers would be =
able
>>> to steal bitcoin. If, for example, the first generation of sufficiently
>>> powerful quantum computers were stealing less volume than the current b=
lock
>>> reward then of course it will have minimal economic impact. But if they=
're
>>> taking thousands of BTC per day and bringing them back into circulation=
,
>>> there will likely be a noticeable market impact as it absorbs the new
>>> supply.
>>>
>>> This is where the circumstances will really matter. If a quantum
>>> attacker appears AFTER the Bitcoin protocol has been upgraded to suppor=
t
>>> quantum resistant cryptography then we should expect the most valuable
>>> active wallets will have upgraded and the juiciest target would be the
>>> 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has =
been
>>> dormant since 2010. In general I'd expect that the amount of BTC
>>> re-entering the circulating supply would look somewhat similar to the
>>> mining emission curve: volume would start off very high as the most
>>> valuable addresses are drained and then it would fall off as quantum
>>> computers went down the list targeting addresses with less and less BTC=
.
>>>
>>> Why is economic impact a factor worth considering? Miners and businesse=
s
>>> in general. More coins being liquidated will push down the price, which
>>> will negatively impact miner revenue. Similarly, I can attest from work=
ing
>>> in the industry for a decade, that lower prices result in less demand f=
rom
>>> businesses across the entire industry. As such, burning quantum vulnera=
ble
>>> bitcoin is good for the entire industry.
>>>
>>> Practicality & Neutrality of Non-Intervention
>>> There=E2=80=99s no reliable way to distinguish =E2=80=9Ctheft=E2=80=9D =
from legitimate "white
>>> hat" key recovery. If someone loses their private key and a quantum
>>> computer recovers it, is that stealing or reclaiming? Policing quantum
>>> actions requires invasive assumptions about intent, which Bitcoin=E2=80=
=99s
>>> trustless design can=E2=80=99t accommodate. Letting the chips fall wher=
e they may
>>> avoids this mess.
>>>
>>> Philosophical Purity
>>> Bitcoin rejects bailouts. It=E2=80=99s a cold, hard system where outcom=
es
>>> reflect preparation and skill, not sentimentality. If quantum computing
>>> upends the game, that=E2=80=99s the point - Bitcoin isn=E2=80=99t meant=
 to be safe or fair
>>> in a nanny-state sense; it=E2=80=99s meant to be free. Users who lose f=
unds to
>>> quantum attacks are casualties of liberty and their own ignorance, not
>>> victims of injustice.
>>>
>>> Bitcoin's DAO Moment
>>> This situation has some similarities to The DAO hack of an Ethereum
>>> smart contract in 2016, which resulted in a fork to stop the attacker a=
nd
>>> return funds to their original owners. The game theory is similar becau=
se
>>> it's a situation where a threat is known but there's some period of tim=
e
>>> before the attacker can actually execute the theft. As such, there's ti=
me
>>> to mitigate the attack by changing the protocol.
>>>
>>> It also created a schism in the community around the true meaning of
>>> "code is law," resulting in Ethereum Classic, which decided to allow th=
e
>>> attacker to retain control of the stolen funds.
>>>
>>> A soft fork to burn vulnerable bitcoin could certainly result in a hard
>>> fork if there are enough miners who reject the soft fork and continue
>>> including transactions.
>>>
>>> Incentives Matter
>>> We can wax philosophical until the cows come home, but what are the
>>> actual incentives for existing Bitcoin holders regarding this decision?
>>>
>>> "Lost coins only make everyone else's coins worth slightly more. Think
>>>> of it as a donation to everyone." - Satoshi Nakamoto
>>>
>>>
>>> If true, the corollary is:
>>>
>>> "Quantum recovered coins only make everyone else's coins worth less.
>>>> Think of it as a theft from everyone." - Jameson Lopp
>>>
>>>
>>> Thus, assuming we get to a point where quantum resistant signatures are
>>> supported within the Bitcoin protocol, what's the incentive to let
>>> vulnerable coins remain spendable?
>>>
>>> * It's not good for the actual owners of those coins. It disincentivize=
s
>>> owners from upgrading until perhaps it's too late.
>>> * It's not good for the more attentive / responsible owners of coins wh=
o
>>> have quantum secured their stash. Allowing the circulating supply to
>>> balloon will assuredly reduce the purchasing power of all bitcoin holde=
rs.
>>>
>>> Forking Game Theory
>>> From a game theory point of view, I see this as incentivizing users to
>>> upgrade their wallets. If you disagree with the burning of vulnerable
>>> coins, all you have to do is move your funds to a quantum safe signatur=
e
>>> scheme. Point being, I don't see there being an economic majority (or e=
ven
>>> more than a tiny minority) of users who would fight such a soft fork. W=
hy
>>> expend significant resources fighting a fork when you can just move you=
r
>>> coins to a new address?
>>>
>>> Remember that blocking spending of certain classes of locking scripts i=
s
>>> a tightening of the rules - a soft fork. As such, it can be meaningfull=
y
>>> enacted and enforced by a mere majority of hashpower. If miners general=
ly
>>> agree that it's in their best interest to burn vulnerable coins, are ot=
her
>>> users going to care enough to put in the effort to run new node softwar=
e
>>> that resists the soft fork? Seems unlikely to me.
>>>
>>> How to Execute Burning
>>> In order to be as objective as possible, the goal would be to announce
>>> to the world that after a specific block height / timestamp, Bitcoin no=
des
>>> will no longer accept transactions (or blocks containing such transacti=
ons)
>>> that spend funds from any scripts other than the newly instituted quant=
um
>>> safe schemes.
>>>
>>> It could take a staggered approach to first freeze funds that are
>>> susceptible to long-range attacks such as those in P2PK scripts or thos=
e
>>> that exposed their public keys due to previously re-using addresses, bu=
t I
>>> expect the additional complexity would drive further controversy.
>>>
>>> How long should the grace period be in order to give the ecosystem time
>>> to upgrade? I'd say a minimum of 1 year for software wallets to upgrade=
. We
>>> can only hope that hardware wallet manufacturers are able to implement =
post
>>> quantum cryptography on their existing hardware with only a firmware up=
date.
>>>
>>> Beyond that, it will take at least 6 months worth of block space for al=
l
>>> users to migrate their funds, even in a best case scenario. Though if y=
ou
>>> exclude dust UTXOs you could probably get 95% of BTC value migrated in =
1
>>> month. Of course this is a highly optimistic situation where everyone i=
s
>>> completely focused on migrations - in reality it will take far longer.
>>>
>>> Regardless, I'd think that in order to reasonably uphold Bitcoin's
>>> conservatism it would be preferable to allow a 4 year migration window.=
 In
>>> the meantime, mining pools could coordinate emergency soft forking logi=
c
>>> such that if quantum attackers materialized, they could accelerate the
>>> countdown to the quantum vulnerable funds burn.
>>>
>>> Random Tangential Benefits
>>> On the plus side, burning all quantum vulnerable bitcoin would allow us
>>> to prune all of those UTXOs out of the UTXO set, which would also clean=
 up
>>> a lot of dust. Dust UTXOs are a bit of an annoyance and there has even =
been
>>> a recent proposal for how to incentivize cleaning them up.
>>>
>>> We should also expect that incentivizing migration of the entire UTXO
>>> set will create substantial demand for block space that will sustain a =
fee
>>> market for a fairly lengthy amount of time.
>>>
>>> In Summary
>>> While the moral quandary of violating any of Bitcoin's inviolable
>>> properties can make this a very complex issue to discuss, the game theo=
ry
>>> and incentives between burning vulnerable coins versus allowing them to=
 be
>>> claimed by entities with quantum supremacy appears to be a much simpler
>>> issue.
>>>
>>> I, for one, am not interested in rewarding quantum capable entities by
>>> inflating the circulating money supply just because some people lost th=
eir
>>> keys long ago and some laggards are not upgrading their bitcoin wallet'=
s
>>> security.
>>>
>>> We can hope that this scenario never comes to pass, but hope is not a
>>> strategy.
>>>
>>> I welcome your feedback upon any of the above points, and contribution
>>> of any arguments I failed to consider.
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Bitcoin Development Mailing List" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to bitcoindev+unsubscribe@googlegroups.com.
>>> To view this discussion visit
>>> https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8=
nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com
>>> .
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Bitcoin Development Mailing List" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to bitcoindev+unsubscribe@googlegroups.com.
>>> To view this discussion visit
>>> https://groups.google.com/d/msgid/bitcoindev/E8269A1A-1899-46D2-A7CD-4D=
9D2B732364%40astrotown.de
>>> .
>>
>>
>>> --
>> You received this message because you are subscribed to the Google Group=
s
>> "Bitcoin Development Mailing List" group.
>> To unsubscribe from this group and stop receiving emails from it, send a=
n
>> email to bitcoindev+unsubscribe@googlegroups.com.
>> To view this discussion visit
>> https://groups.google.com/d/msgid/bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br6=
mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg%40mail.gmail.com
>> .
>>
>>
>> --
>> You received this message because you are subscribed to the Google Group=
s
>> "Bitcoin Development Mailing List" group.
>> To unsubscribe from this group and stop receiving emails from it, send a=
n
>> email to bitcoindev+unsubscribe@googlegroups.com.
>> To view this discussion visit
>> https://groups.google.com/d/msgid/bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvfX=
niazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXLm=
iCJOY%3D%40proton.me
>> <https://groups.google.com/d/msgid/bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvf=
XniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXL=
miCJOY%3D%40proton.me?utm_medium=3Demail&utm_source=3Dfooter>
>> .
>>
>

--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
CAJDmzYycnXODG_e9ATqTkooUu3C-RS703P1-RQLW5CdcCehsqg%40mail.gmail.com.

--00000000000072273e0635ff143b
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto">Hi everyone,<div dir=3D"auto"><br></div><div dir=3D"auto"=
>QRAMP proposal aims to manage the quantum transition responsibly without d=
isrupting Bitcoin=E2=80=99s core principles.</div><div dir=3D"auto"><br></d=
iv><div dir=3D"auto">QRAMP has three phases:</div><div dir=3D"auto"><br></d=
iv><div dir=3D"auto">1. Allow wallets to optionally include PQC keys in Tap=
root outputs. This enables early adoption without forcing anyone.</div><div=
 dir=3D"auto"><br></div><div dir=3D"auto">2. Announce a soft fork to disabl=
e vulnerable scripts, with a long (~4-year) grace period. This gives ample =
time to migrate and avoids sudden shocks.</div><div dir=3D"auto"><br></div>=
<div dir=3D"auto">3. Gradually deactivate vulnerable outputs based on age o=
r inactivity. This avoids a harsh cutoff and gives time for adaptation.</di=
v><div dir=3D"auto"></div><div dir=3D"auto"><br></div><div dir=3D"auto">We =
can also allow exceptions via proof-of-possession, and delay restrictions o=
n timelocked outputs to avoid harming future spenders.</div><div dir=3D"aut=
o"><br></div><div dir=3D"auto">QRAMP is not about confiscation or control. =
It=E2=80=99s about aligning incentives, maintaining security, and offering =
a clear, non-coercive upgrade path.</div><div dir=3D"auto"><br></div><div d=
ir=3D"auto">Best,</div><div dir=3D"auto">Agustin Cruz</div><div dir=3D"auto=
"><br></div><div dir=3D"auto"><br></div></div><br><div class=3D"gmail_quote=
 gmail_quote_container"><div dir=3D"ltr" class=3D"gmail_attr">El dom, 25 de=
 may de 2025, 7:03=E2=80=AFp.m., Dustin Ray &lt;<a href=3D"mailto:dustinvon=
sandwich@gmail.com">dustinvonsandwich@gmail.com</a>&gt; escribi=C3=B3:<br><=
/div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-le=
ft:1px #ccc solid;padding-left:1ex"><div dir=3D"auto">The difference betwee=
n the ETH/ETC split though was that no one had anything confiscated except =
the DAO hacker, everyone retained an identical number of tokens on each cha=
in. The proposal for BTC is very different in that some holders will lose a=
ccess to their coins during the PQ migration under the confiscation approac=
h. Just wanted to point that out.</div><div><br><div class=3D"gmail_quote">=
<div dir=3D"ltr" class=3D"gmail_attr">On Sun, May 25, 2025 at 3:06=E2=80=AF=
PM &#39;conduition&#39; via Bitcoin Development Mailing List &lt;<a href=3D=
"mailto:bitcoindev@googlegroups.com" target=3D"_blank" rel=3D"noreferrer">b=
itcoindev@googlegroups.com</a>&gt; wrote:<br></div><blockquote class=3D"gma=
il_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-le=
ft-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)"><div st=
yle=3D"font-family:Arial,sans-serif;font-size:14px">Hey Saulo,</div><div st=
yle=3D"font-family:Arial,sans-serif;font-size:14px"><br></div><div style=3D=
"font-family:Arial,sans-serif;font-size:14px">You&#39;re right about the po=
ssibility of an ugly split. Laggards who don&#39;t move coins to PQ address=
 schemes will be incentivized to follow any chain where they keep their coi=
ns. But those who do migrate will be incentivized to follow the chain where=
 unmigrated pre-quantum coins are frozen.=C2=A0</div><div style=3D"font-fam=
ily:Arial,sans-serif;font-size:14px"><br></div><div style=3D"font-family:Ar=
ial,sans-serif;font-size:14px">While you&#39;re comparing this event to the=
 ETH/ETC split, we should remember that ETH remained the dominant chain des=
pite their heavy-handed rollback. Just goes to show, confusion and face-los=
s is a lesser evil than allowing an adversary to pwn the network.=C2=A0</di=
v><div style=3D"font-family:Arial,sans-serif;font-size:14px"><br></div><blo=
ckquote style=3D"border-left-width:3px;border-left-style:solid;padding-left=
:10px;border-color:rgb(200,200,200);color:rgb(102,102,102)"><div style=3D"f=
ont-family:Arial,sans-serif;font-size:14px">This is the free-market way to =
solve problems without imposing rules on everyone.<br></div></blockquote><d=
iv style=3D"font-family:Arial,sans-serif;font-size:14px"><br></div><div sty=
le=3D"font-family:Arial,sans-serif;font-size:14px">It&#39;d still be a free=
 market even if quantum-vulnerable coins are frozen. The only way to test t=
he relative value of quantum-safe vs quantum-vulnerable coins is to split t=
he chain and see how the market reacts.=C2=A0</div><div style=3D"font-famil=
y:Arial,sans-serif;font-size:14px"><br></div><div style=3D"font-family:Aria=
l,sans-serif;font-size:14px">IMO, the &quot;free market way&quot; is to giv=
e people options and let their money flow to where it works best. That mean=
s people should be able to choose whether they want their money to be part =
of a system that allows quantum attack, or part of one which does not. I kn=
ow which I would choose, but neither you nor I can make that choice for eve=
ryone.</div><div style=3D"font-family:Arial,sans-serif;font-size:14px"><br>=
</div><div style=3D"font-family:Arial,sans-serif;font-size:14px">regards,</=
div><div style=3D"font-family:Arial,sans-serif;font-size:14px">conduition</=
div><div>
        On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz &lt;<a href=3D=
"mailto:agustin.cruz@gmail.com" target=3D"_blank" rel=3D"noreferrer">agusti=
n.cruz@gmail.com</a>&gt; wrote:<br>
        <blockquote type=3D"cite">
            <div dir=3D"ltr"><div dir=3D"ltr">I=E2=80=99m against letting q=
uantum computers scoop up funds from addresses that don=E2=80=99t upgrade t=
o quantum-resistant. <br>Saulo=E2=80=99s idea of a free-market approach, le=
aving old coins up for grabs if people don=E2=80=99t move them, sounds fair=
 at first. Let luck decide, right? But I worry it=E2=80=99d turn into a mes=
s. If quantum machines start cracking keys and snagging coins, it=E2=80=99s=
 not just lost Satoshi-era stuff at risk. Plenty of active wallets, like th=
ose on the rich list Jameson mentioned, could get hit too. Imagine millions=
 of BTC flooding the market. Prices tank, trust in Bitcoin takes a dive, an=
d we all feel the pain. Freezing those vulnerable funds keeps that chaos in=
 check.<br>Plus, =E2=80=9Cyour keys, your coins=E2=80=9D is Bitcoin=E2=80=
=99s heart. If quantum tech can steal from you just because you didn=E2=80=
=99t upgrade fast enough, that promise feels shaky. Freezing funds after a =
heads-up period (say, four years) protects that idea better than letting te=
ch giants or rogue states play vampire with our network. It also nudges peo=
ple to get their act together and move to safer addresses, which strengthen=
s Bitcoin long-term.<br>Saulo=E2=80=99s right that freezing coins could con=
fuse folks or spark a split like Ethereum Classic. But I=E2=80=99d argue qu=
antum theft would look worse. Bitcoin would seem broken, not just strict. A=
 clear plan and enough time to migrate could smooth things over. History=E2=
=80=99s on our side too. Bitcoin=E2=80=99s fixed bugs before, like SegWit. =
This feels like that, not a bailout.<br>So yeah, I=E2=80=99d rather see vul=
nerable coins locked than handed to whoever builds the first quantum rig. I=
t=E2=80=99s less about coddling people and more about keeping Bitcoin solid=
 for everyone. What do you all think?<br>Cheers,<br>Agust=C3=ADn<br><br></d=
iv><br><div class=3D"gmail_quote"><div class=3D"gmail_attr" dir=3D"ltr">On =
Sun, Mar 23, 2025 at 10:29=E2=80=AFPM AstroTown &lt;<a href=3D"mailto:saulo=
@astrotown.de" rel=3D"noreferrer nofollow noopener noreferrer" target=3D"_b=
lank">saulo@astrotown.de</a>&gt; wrote:<br></div><blockquote style=3D"margi=
n:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-l=
eft:1ex;border-left-color:rgb(204,204,204)" class=3D"gmail_quote"><div dir=
=3D"auto"><div dir=3D"ltr"><span style=3D"color:rgb(0,0,0)">I believe that =
having some entity announce the decision to freeze old UTXOs would be more =
damaging to Bitcoin=E2=80=99s image (and its value) than having them gather=
ed by QC. This would create another version of Bitcoin, similar to Ethereum=
 Classic, causing confusion in the market.</span><div dir=3D"ltr"><div styl=
e=3D"color:rgb(0,0,0)"><br></div><div style=3D"color:rgb(0,0,0)">It would b=
e better to simply implement the possibility of moving funds to a PQC addre=
ss without a deadline, allowing those who fail to do so to rely on luck to =
avoid having their coins stolen. Most coins would be migrated to PQC anyway=
, and in most cases, only the lost ones would remain vulnerable. This is th=
e free-market way to solve problems without imposing rules on everyone.</di=
v><div style=3D"color:rgb(0,0,0)"><br></div><div style=3D"color:rgb(0,0,0)"=
>Saulo Fonseca</div><div style=3D"color:rgb(0,0,0)"><br></div><div style=3D=
"color:rgb(0,0,0)"><br><blockquote type=3D"cite"><div>On 16. Mar 2025, at 1=
5:15, Jameson Lopp &lt;<span dir=3D"ltr"><a href=3D"mailto:jameson.lopp@gma=
il.com" rel=3D"noreferrer nofollow noopener noreferrer" target=3D"_blank">j=
ameson.lopp@gmail.com</a></span>&gt; wrote:</div><br><div><div dir=3D"ltr">=
The quantum computing debate is heating up. There are many controversial as=
pects to this debate, including whether or not quantum computers will ever =
actually become a practical threat.<div><br>I won&#39;t tread into the unan=
swerable question of how worried we should be about quantum computers. I th=
ink it&#39;s far from a crisis, but given the difficulty in changing Bitcoi=
n it&#39;s worth starting to seriously discuss. Today I wish to focus on a =
philosophical quandary related to one of the decisions that would need to b=
e made if and when we implement a quantum safe signature scheme.<br><br><fo=
nt size=3D"6" style=3D"color:rgb(0,0,0)">Several Scenarios<br></font>Becaus=
e this essay will reference game theory a fair amount, and there are many v=
ariables at play that could change the nature of the game, I think it&#39;s=
 important to clarify the possible scenarios up front.<br><br>1. Quantum co=
mputing never materializes, never becomes a threat, and thus everything dis=
cussed in this essay is moot.<br>2. A quantum computing threat materializes=
 suddenly and Bitcoin does not have quantum safe signatures as part of the =
protocol. In this scenario it would likely make the points below moot becau=
se Bitcoin would be fundamentally broken and it would take far too long to =
upgrade the protocol, wallet software, and migrate user funds in order to r=
estore confidence in the network.<br>3. Quantum computing advances slowly e=
nough that we come to consensus about how to upgrade Bitcoin and post quant=
um security has been minimally adopted by the time an attacker appears.<br>=
4. Quantum computing advances slowly enough that we come to consensus about=
 how to upgrade Bitcoin and post quantum security has been highly adopted b=
y the time an attacker appears.<br><br>For the purposes of this post, I&#39=
;m envisioning being in situation 3 or 4.<br><br><font size=3D"6" style=3D"=
color:rgb(0,0,0)">To Freeze or not to Freeze?<br></font>I&#39;ve started se=
eing more people weighing in on what is likely the most contentious aspect =
of how a quantum resistance upgrade should be handled in terms of migrating=
 user funds. Should quantum vulnerable funds be left open to be swept by an=
yone with a sufficiently powerful quantum computer OR should they be perman=
ently locked?<br><br><blockquote style=3D"margin:0px 0px 0px 0.8ex;padding-=
left:1ex;border-left-color:rgb(204,204,204)" class=3D"gmail_quote">&quot;I =
don&#39;t see why old coins should be confiscated. The better option is to =
let those with quantum computers free up old coins. While this might have a=
n inflationary impact on bitcoin&#39;s price, to use a turn of phrase, the =
inflation is transitory. Those with low time preference should support retu=
rning lost coins to circulation.&quot; </blockquote><blockquote style=3D"ma=
rgin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204)"=
 class=3D"gmail_quote">- Hunter Beast</blockquote><div><br></div>On the oth=
er hand:</div><div><br><blockquote style=3D"margin:0px 0px 0px 0.8ex;paddin=
g-left:1ex;border-left-color:rgb(204,204,204)" class=3D"gmail_quote">&quot;=
Of course they have to be confiscated. If and when (and that&#39;s a big if=
) the existence of a cryptography-breaking QC becomes a credible threat, th=
e Bitcoin ecosystem has no other option than softforking out the ability to=
 spend from signature schemes (including ECDSA and BIP340) that are vulnera=
ble to QCs. The alternative is that millions of BTC become vulnerable to th=
eft; I cannot see how the currency can maintain any value at all in such a =
setting. And this affects everyone; even those which diligently moved their=
 coins to PQC-protected schemes.&quot;<br>- Pieter Wuille</blockquote><br>I=
 don&#39;t think &quot;confiscation&quot; is the most precise term to use, =
as the funds are not being seized and reassigned. Rather, what we&#39;re re=
ally discussing would be better described as &quot;burning&quot; - placing =
the funds <b>out of reach of everyone</b>.<br><br>Not freezing user funds i=
s one of Bitcoin&#39;s inviolable properties. However, if quantum computing=
 becomes a threat to Bitcoin&#39;s elliptic curve cryptography, <b>an invio=
lable property of Bitcoin will be violated one way or another</b>.<br><br><=
font size=3D"6" style=3D"color:rgb(0,0,0)">Fundamental Properties at Risk<b=
r></font>5 years ago I attempted to comprehensively categorize all of Bitco=
in&#39;s fundamental properties that give it value. <a href=3D"https://naka=
moto.com/what-are-the-key-properties-of-bitcoin/" rel=3D"noreferrer nofollo=
w noopener noreferrer" target=3D"_blank">https://nakamoto.com/what-are-the-=
key-properties-of-bitcoin/<br></a><br>The particular properties in play wit=
h regard to this issue seem to be:<br><br><b>Censorship Resistance</b> - No=
 one should have the power to prevent others from using their bitcoin or in=
teracting with the network.<br><br><b>Forward Compatibility</b> - changing =
the rules such that certain valid transactions become invalid could undermi=
ne confidence in the protocol.<br><br><b>Conservatism</b> - Users should no=
t be expected to be highly responsive to system issues.<br><br>As a result =
of the above principles, we have developed a strong meme (kudos to Andreas =
Antonopoulos) that goes as follows:<br><br><blockquote style=3D"margin:0px =
0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204)" class=3D=
"gmail_quote">Not your keys, not your coins.</blockquote><br>I posit that t=
he corollary to this principle is:<br><br><blockquote style=3D"margin:0px 0=
px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204)" class=3D"=
gmail_quote">Your keys, only your coins.</blockquote><br>A quantum capable =
entity breaks the corollary of this foundational principle. We secure our b=
itcoin with the mathematical probabilities related to extremely large rando=
m numbers. Your funds are only secure because truly random large numbers sh=
ould not be guessable or discoverable by anyone else in the world.<br><br>T=
his is the principle behind the motto <i>vires in numeris</i> - strength in=
 numbers. In a world with quantum enabled adversaries, this principle is nu=
ll and void for many types of cryptography, including the elliptic curve di=
gital signatures used in Bitcoin.<br><br><font size=3D"6" style=3D"color:rg=
b(0,0,0)">Who is at Risk?<br></font>There has long been a narrative that Sa=
toshi&#39;s coins and others from the Satoshi era of P2PK locking scripts t=
hat exposed the public key directly on the blockchain will be those that ge=
t scooped up by a quantum &quot;miner.&quot; But unfortunately it&#39;s not=
 that simple. If I had a powerful quantum computer, which coins would I tar=
get? I&#39;d go to the Bitcoin rich list and find the wallets that have exp=
osed their public keys due to re-using addresses that have previously been =
spent from. You can easily find them at <a href=3D"https://bitinfocharts.co=
m/top-100-richest-bitcoin-addresses.html" rel=3D"noreferrer nofollow noopen=
er noreferrer" target=3D"_blank">https://bitinfocharts.com/top-100-richest-=
bitcoin-addresses.html</a><br><br>Note that a few of these wallets, like Bi=
tfinex / Kraken / Tether, would be slightly harder to crack because they ar=
e multisig wallets. So a quantum attacker would need to reverse engineer 2 =
keys for Kraken or 3 for Bitfinex / Tether in order to spend funds. But man=
y are single signature.<br><br>Point being, it&#39;s not only the really ol=
d lost BTC that are at risk to a quantum enabled adversary, at least at tim=
e of writing. If we add a quantum safe signature scheme, we should expect t=
hose wallets to be some of the first to upgrade given their incentives.<br>=
<br><font size=3D"6" style=3D"color:rgb(0,0,0)">The Ethical Dilemma: Quanti=
fying Harm<br></font>Which decision results in the most harm?<br><br>By mak=
ing quantum vulnerable funds unspendable we potentially harm some Bitcoin u=
sers who were not paying attention and neglected to migrate their funds to =
a quantum safe locking script. This violates the &quot;conservativism&quot;=
 principle stated earlier. On the flip side, we prevent those funds plus fa=
r more lost funds from falling into the hands of the few privileged folks w=
ho gain early access to quantum computers.<br><br>By leaving quantum vulner=
able funds available to spend, the same set of users who would otherwise ha=
ve funds frozen are likely to see them stolen. And many early adopters who =
lost their keys will eventually see their unreachable funds scooped up by a=
 quantum enabled adversary.<br><br>Imagine, for example, being James Howell=
s, who accidentally threw away a hard drive with 8,000 BTC on it, currently=
 worth over $600M USD. He has spent a decade trying to retrieve it from the=
 landfill where he knows it&#39;s buried, but can&#39;t get permission to e=
xcavate. I suspect that, given the choice, he&#39;d prefer those funds be p=
ermanently frozen rather than fall into someone else&#39;s possession - I k=
now I would.<br><br>Allowing a quantum computer to access lost funds doesn&=
#39;t make those users any worse off than they were before, however it <i>w=
ould</i>have a negative impact upon everyone who is currently holding bitco=
in.<br><br>It&#39;s prudent to expect significant economic disruption if la=
rge amounts of coins fall into new hands. Since a quantum computer is going=
 to have a massive up front cost, expect those behind it to desire to recou=
p their investment. We also know from experience that when someone suddenly=
 finds themselves in possession of 9+ figures worth of highly liquid assets=
, they tend to diversify into other things by selling.<br><br>Allowing quan=
tum recovery of bitcoin is <i>tantamount to wealth redistribution</i>. What=
 we&#39;d be allowing is for bitcoin to be redistributed from those who are=
 ignorant of quantum computers to those who have won the technological race=
 to acquire quantum computers. It&#39;s hard to see a bright side to that s=
cenario.<br><br><font size=3D"6" style=3D"color:rgb(0,0,0)">Is Quantum Reco=
very Good for Anyone?</font><br><br>Does quantum recovery HELP anyone? I&#3=
9;ve yet to come across an argument that it&#39;s a net positive in any way=
. It certainly doesn&#39;t add any security to the network. If anything, it=
 greatly decreases the security of the network by allowing funds to be clai=
med by those who did not earn them.<br><br>But wait, you may be thinking, w=
ouldn&#39;t quantum &quot;miners&quot; have earned their coins by all the w=
ork and resources invested in building a quantum computer? I suppose, in th=
e same sense that a burglar earns their spoils by the resources they invest=
 into surveilling targets and learning the skills needed to break into buil=
dings. What I say &quot;earned&quot; I mean through productive mutual trade=
.<br><br>For example:<br><br>* Investors earn BTC by trading for other curr=
encies.<br>* Merchants earn BTC by trading for goods and services.<br>* Min=
ers earn BTC by trading thermodynamic security.<br>* Quantum miners don&#39=
;t trade anything, they are vampires feeding upon the system.<br><br>There&=
#39;s no reason to believe that allowing quantum adversaries to recover vul=
nerable bitcoin will be of benefit to anyone other than the select few orga=
nizations that win the technological arms race to build the first such comp=
uters. Probably nation states and/or the top few largest tech companies.<br=
><br>One could certainly hope that an organization with quantum supremacy i=
s benevolent and acts in a &quot;white hat&quot; manner to return lost coin=
s to their owners, but that&#39;s incredibly optimistic and foolish to rely=
 upon. Such a situation creates an insurmountable ethical dilemma of only r=
ecovering lost bitcoin rather than currently owned bitcoin. There&#39;s no =
way to precisely differentiate between the two; anyone can claim to have lo=
st their bitcoin but if they have lost their keys then proving they ever ha=
d the keys becomes rather difficult. I imagine that any such white hat reco=
very efforts would have to rely upon attestations from trusted third partie=
s like exchanges.<br><br>Even if the first actor with quantum supremacy is =
benevolent, we must assume the technology could fall into adversarial hands=
 and thus think adversarially about the potential worst case outcomes. Imag=
ine, for example, that North Korea continues scooping up billions of dollar=
s from hacking crypto exchanges and decides to invest some of those proceed=
s into building a quantum computer for the biggest payday ever...<br><br><f=
ont size=3D"6" style=3D"color:rgb(0,0,0)">Downsides to Allowing Quantum Rec=
overy</font><br>Let&#39;s think through an exhaustive list of pros and cons=
 for allowing or preventing the seizure of funds by a quantum adversary.<br=
><br><font size=3D"4" style=3D"color:rgb(0,0,0)">Historical Precedent</font=
><br>Previous protocol vulnerabilities weren=E2=80=99t celebrated as &quot;=
fair game&quot; but rather were treated as failures to be remediated. Treat=
ing quantum theft differently risks rewriting Bitcoin=E2=80=99s history as =
a free-for-all rather than a system that seeks to protect its users.<br><br=
><font size=3D"4" style=3D"color:rgb(0,0,0)">Violation of Property Rights</=
font><br>Allowing a quantum adversary to take control of funds undermines t=
he fundamental principle of cryptocurrency - if you keep your keys in your =
possession, only you should be able to access your money. Bitcoin is built =
on the idea that private keys secure an individual=E2=80=99s assets, and un=
authorized access (even via advanced tech) is theft, not a legitimate trans=
fer.<br><br><font size=3D"4" style=3D"color:rgb(0,0,0)">Erosion of Trust in=
 Bitcoin</font><br>If quantum attackers can exploit vulnerable addresses, c=
onfidence in Bitcoin as a secure store of value would collapse. Users and i=
nvestors rely on cryptographic integrity, and widespread theft could drive =
adoption away from Bitcoin, destabilizing its ecosystem.<br><br>This is ess=
entially the counterpoint to claiming the burning of vulnerable funds is a =
violation of property rights. While some will certainly see it as such, oth=
ers will find the apathy toward stopping quantum theft to be similarly conc=
erning.<br><br><font size=3D"4" style=3D"color:rgb(0,0,0)">Unfair Advantage=
</font><br>Quantum attackers, likely equipped with rare and expensive techn=
ology, would have an unjust edge over regular users who lack access to such=
 tools. This creates an inequitable system where only the technologically e=
lite can exploit others, contradicting Bitcoin=E2=80=99s ethos of decentral=
ized power.<br><br>Bitcoin is designed to create an asymmetric advantage fo=
r DEFENDING one&#39;s wealth. It&#39;s supposed to be impractically expensi=
ve for attackers to crack the entropy and cryptography protecting one&#39;s=
 coins. But now we find ourselves discussing a situation where this asymmet=
ric advantage is compromised in favor of a specific class of attackers.<br>=
<br><font size=3D"4" style=3D"color:rgb(0,0,0)">Economic Disruption</font><=
br>Large-scale theft from vulnerable addresses could crash Bitcoin=E2=80=99=
s price as quantum recovered funds are dumped on exchanges. This would harm=
 all holders, not just those directly targeted, leading to broader financia=
l chaos in the markets.<br><br><font size=3D"4" style=3D"color:rgb(0,0,0)">=
Moral Responsibility</font><br>Permitting theft via quantum computing sets =
a precedent that technological superiority justifies unethical behavior. Th=
is is essentially taking a &quot;code is law&quot; stance in which we refus=
e to admit that both code and laws can be modified to adapt to previously u=
nforeseen situations.<br><br>Burning of coins can certainly be considered a=
 form of theft, thus I think it&#39;s worth differentiating the two differe=
nt thefts being discussed:<br><br>1. self-enriching &amp; likely malicious<=
br>2. harm prevention &amp; not necessarily malicious<br><br>Both options l=
ack the consent of the party whose coins are being burnt or transferred, th=
us I think the simple argument that theft is immoral becomes a wash and it&=
#39;s important to drill down into the details of each.<br><br><font size=
=3D"4" style=3D"color:rgb(0,0,0)">Incentives Drive Security</font><br>I can=
 tell you from a decade of working in Bitcoin security - the average user i=
s lazy and is a procrastinator. If Bitcoiners are given a &quot;drop dead d=
ate&quot; after which they know vulnerable funds will be burned, this press=
ure accelerates the adoption of post-quantum cryptography and strengthens B=
itcoin long-term. Allowing vulnerable users to delay upgrading indefinitely=
 will result in more laggards, leaving the network more exposed when quantu=
m tech becomes available.<br><br><font size=3D"6" style=3D"color:rgb(0,0,0)=
">Steel Manning<br></font>Clearly this is a complex and controversial topic=
, thus it&#39;s worth thinking through the opposing arguments.<br><br><font=
 size=3D"4" style=3D"color:rgb(0,0,0)">Protecting Property Rights</font><br=
>Allowing quantum computers to take vulnerable bitcoin could potentially be=
 spun as a hard money narrative - we care so greatly about not violating so=
meone&#39;s access to their coins that we allow them to be stolen!<br><br>B=
ut I think the flip side to the property rights narrative is that burning v=
ulnerable coins prevents said property from falling into undeserving hands.=
 If the entire Bitcoin ecosystem just stands around and allows quantum adve=
rsaries to claim funds that rightfully belong to other users, is that reall=
y a &quot;win&quot; in the &quot;protecting property rights&quot; category?=
 It feels more like apathy to me.<br><br>As such, I think the &quot;protect=
ing property rights&quot; argument is a wash.<br><br><font size=3D"4" style=
=3D"color:rgb(0,0,0)">Quantum Computers Won&#39;t Attack Bitcoin</font><br>=
There is a great deal of skepticism that sufficiently powerful quantum comp=
uters will ever exist, so we shouldn&#39;t bother preparing for a non-exist=
ent threat. Others have argued that even if such a computer was built, a qu=
antum attacker would not go after bitcoin because they wouldn&#39;t want to=
 reveal their hand by doing so, and would instead attack other infrastructu=
re.<br><br>It&#39;s quite difficult to quantify exactly how valuable attack=
ing other infrastructure would be. It also really depends upon when an enti=
ty gains quantum supremacy and thus if by that time most of the world&#39;s=
 systems have already been upgraded. While I think you could argue that cer=
tain entities gaining quantum capability might not attack Bitcoin, it would=
 only delay the inevitable - eventually somebody will achieve the capabilit=
y who decides to use it for such an attack.<br><br><font size=3D"4" style=
=3D"color:rgb(0,0,0)">Quantum Attackers Would Only Steal Small Amounts</fon=
t><br>Some have argued that even if a quantum attacker targeted bitcoin, th=
ey&#39;d only go after old, likely lost P2PK outputs so as to not arouse su=
spicion and cause a market panic.<br><br>I&#39;m not so sure about that; wh=
y go after 50 BTC at a time when you could take 250,000 BTC with the same e=
ffort as 50 BTC? This is a classic &quot;zero day exploit&quot; game theory=
 in which an attacker knows they have a limited amount of time before someo=
ne else discovers the exploit and either benefits from it or patches it. Ta=
ke, for example, the recent ByBit attack - the highest value crypto hack of=
 all time. Lazarus Group had compromised the Safe wallet front end JavaScri=
pt app and they could have simply had it reassign ownership of everyone&#39=
;s Safe wallets as they were interacting with their wallet. But instead the=
y chose to only specifically target ByBit&#39;s wallet with $1.5 billion in=
 it because they wanted to maximize their extractable value. If Lazarus had=
 started stealing from every wallet, they would have been discovered quickl=
y and the Safe web app would likely have been patched well before any billi=
on dollar wallets executed the malicious code.<br><br>I think the &quot;onl=
y stealing small amounts&quot; argument is strongest for Situation #2 descr=
ibed earlier, where a quantum attacker arrives before quantum safe cryptogr=
aphy has been deployed across the Bitcoin ecosystem. Because if it became c=
lear that Bitcoin&#39;s cryptography was broken AND there was nowhere safe =
for vulnerable users to migrate, the only logical option would be for every=
one to liquidate their bitcoin as quickly as possible. As such, I don&#39;t=
 think it applies as strongly for situations in which we have a migration p=
ath available.<br><br><font size=3D"4" style=3D"color:rgb(0,0,0)">The 21 Mi=
llion Coin Supply Should be in Circulation</font><br>Some folks are arguing=
 that it&#39;s important for the &quot;circulating / spendable&quot; supply=
 to be as close to 21M as possible and that having a significant portion of=
 the supply out of circulation is somehow undesirable.<br><br>While the &qu=
ot;21M BTC&quot; attribute is a strong memetic narrative, I don&#39;t think=
 anyone has ever expected that it would all be in circulation. It has alway=
s been understood that many coins will be lost, and that&#39;s actually par=
t of the game theory of owning bitcoin!<br><br>And remember, the 21M number=
 in and of itself is not a particularly important detail - it&#39;s not eve=
n mentioned in the whitepaper. What&#39;s important is that the supply is w=
ell known and not subject to change.<br><br><font size=3D"4" style=3D"color=
:rgb(0,0,0)">Self-Sovereignty and Personal Responsibility</font><br>Bitcoin=
=E2=80=99s design empowers individuals to control their own wealth, free fr=
om centralized intervention. This freedom comes with the burden of securing=
 one&#39;s private keys. If quantum computing can break obsolete cryptograp=
hy, the fault lies with users who didn&#39;t move their funds to quantum sa=
fe locking scripts. Expecting the network to shield users from their own ne=
gligence undermines the principle that you, and not a third party, are acco=
untable for your assets.<br><br>I think this is generally a fair point that=
 &quot;the community&quot; doesn&#39;t owe you anything in terms of helping=
 you. I think that we do, however, need to consider the incentives and game=
 theory in play with regard to quantum safe Bitcoiners vs quantum vulnerabl=
e Bitcoiners. More on that later.<br><br><font size=3D"4" style=3D"color:rg=
b(0,0,0)">Code is Law</font><br>Bitcoin operates on transparent, immutable =
rules embedded in its protocol. If a quantum attacker uses superior technol=
ogy to derive private keys from public keys, they=E2=80=99re not &quot;hack=
ing&quot; the system - they&#39;re simply following what&#39;s mathematical=
ly permissible within the current code. Altering the protocol to stop this =
introduces subjective human intervention, which clashes with the objective,=
 deterministic nature of blockchain.<br><br>While I tend to agree that code=
 is law, one of the entire points of laws is that they can be amended to im=
prove their efficacy in reducing harm. Leaning on this point seems more lik=
e a pro-ossification stance that it&#39;s better to do nothing and allow ha=
rm to occur rather than take action to stop an attack that was foreseen far=
 in advance.<br><br><font size=3D"4" style=3D"color:rgb(0,0,0)">Technologic=
al Evolution as a Feature, Not a Bug</font><br>It&#39;s well known that cry=
ptography tends to weaken over time and eventually break. Quantum computing=
 is just the next step in this progression. Users who fail to adapt (e.g., =
by adopting quantum-resistant wallets when available) are akin to those who=
 ignored technological advancements like multisig or hardware wallets. Allo=
wing quantum theft incentivizes innovation and keeps Bitcoin=E2=80=99s ecos=
ystem dynamic, punishing complacency while rewarding vigilance.<br><br><fon=
t size=3D"4" style=3D"color:rgb(0,0,0)">Market Signals Drive Security</font=
><br>If quantum attackers start stealing funds, it sends a clear signal to =
the market: upgrade your security or lose everything. This pressure acceler=
ates the adoption of post-quantum cryptography and strengthens Bitcoin long=
-term. Coddling vulnerable users delays this necessary evolution, potential=
ly leaving the network more exposed when quantum tech becomes widely access=
ible. Theft is a brutal but effective teacher.<br><br><font size=3D"4" styl=
e=3D"color:rgb(0,0,0)">Centralized Blacklisting Power</font><br>Burning vul=
nerable funds requires centralized decision-making - a soft fork to invalid=
ate certain transactions. This sets a dangerous precedent for future interv=
entions, eroding Bitcoin=E2=80=99s decentralization. If quantum theft is bl=
ocked, what=E2=80=99s next - reversing exchange hacks? The system must rema=
in neutral, even if it means some lose out.<br><br>I think this could be a =
potential slippery slope if the proposal was to only burn specific addresse=
s. Rather, I&#39;d expect a neutral proposal to burn all funds in locking s=
cript types that are known to be quantum vulnerable. Thus, we could elimina=
te any subjectivity from the code.<br><br><font size=3D"4" style=3D"color:r=
gb(0,0,0)">Fairness in Competition</font><br>Quantum attackers aren&#39;t c=
heating; they&#39;re using publicly available physics and math. Anyone with=
 the resources and foresight can build or access quantum tech, just as anyo=
ne could mine Bitcoin in 2009 with a CPU. Early adopters took risks and rea=
ped rewards; quantum innovators are doing the same. Calling it =E2=80=9Cunf=
air=E2=80=9D ignores that Bitcoin has never promised equality of outcome - =
only equality of opportunity within its rules.<br><br>I find this argument =
to be a mischaracterization because we&#39;re not talking about CPUs. This =
is more akin to talking about ASICs, except each ASIC costs millions if not=
 billions of dollars. This is out of reach from all but the wealthiest orga=
nizations.<br><br><font size=3D"4" style=3D"color:rgb(0,0,0)">Economic Resi=
lience</font><br>Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX,=
 etc) and emerged stronger. The market can absorb quantum losses, with unaf=
fected users continuing to hold and new entrants buying in at lower prices.=
 Fear of economic collapse overestimates the impact - the network=E2=80=99s=
 antifragility thrives on such challenges.<br><br>This is a big grey area b=
ecause we don&#39;t know when a quantum computer will come online and we do=
n&#39;t know how quickly said computers would be able to steal bitcoin. If,=
 for example, the first generation of sufficiently powerful quantum compute=
rs were stealing less volume than the current block reward then of course i=
t will have minimal economic impact. But if they&#39;re taking thousands of=
 BTC per day and bringing them back into circulation, there will likely be =
a noticeable market impact as it absorbs the new supply.<br><br>This is whe=
re the circumstances will really matter. If a quantum attacker appears AFTE=
R the Bitcoin protocol has been upgraded to support quantum resistant crypt=
ography then we should expect the most valuable active wallets will have up=
graded and the juiciest target would be the 31,000 BTC in the address 12ib7=
dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant since 2010. In general=
 I&#39;d expect that the amount of BTC re-entering the circulating supply w=
ould look somewhat similar to the mining emission curve: volume would start=
 off very high as the most valuable addresses are drained and then it would=
 fall off as quantum computers went down the list targeting addresses with =
less and less BTC.<br><br>Why is economic impact a factor worth considering=
? Miners and businesses in general. More coins being liquidated will push d=
own the price, which will negatively impact miner revenue. Similarly, I can=
 attest from working in the industry for a decade, that lower prices result=
 in less demand from businesses across the entire industry. As such, burnin=
g quantum vulnerable bitcoin is good for the entire industry.<br><br><font =
size=3D"4" style=3D"color:rgb(0,0,0)">Practicality &amp; Neutrality of Non-=
Intervention</font><br>There=E2=80=99s no reliable way to distinguish =E2=
=80=9Ctheft=E2=80=9D from legitimate &quot;white hat&quot; key recovery. If=
 someone loses their private key and a quantum computer recovers it, is tha=
t stealing or reclaiming? Policing quantum actions requires invasive assump=
tions about intent, which Bitcoin=E2=80=99s trustless design can=E2=80=99t =
accommodate. Letting the chips fall where they may avoids this mess.<br><br=
><font size=3D"4" style=3D"color:rgb(0,0,0)">Philosophical Purity</font><br=
>Bitcoin rejects bailouts. It=E2=80=99s a cold, hard system where outcomes =
reflect preparation and skill, not sentimentality. If quantum computing upe=
nds the game, that=E2=80=99s the point - Bitcoin isn=E2=80=99t meant to be =
safe or fair in a nanny-state sense; it=E2=80=99s meant to be free. Users w=
ho lose funds to quantum attacks are casualties of liberty and their own ig=
norance, not victims of injustice.<br><br><font size=3D"6" style=3D"color:r=
gb(0,0,0)">Bitcoin&#39;s DAO Moment</font><br>This situation has some simil=
arities to The DAO hack of an Ethereum smart contract in 2016, which result=
ed in a fork to stop the attacker and return funds to their original owners=
. The game theory is similar because it&#39;s a situation where a threat is=
 known but there&#39;s some period of time before the attacker can actually=
 execute the theft. As such, there&#39;s time to mitigate the attack by cha=
nging the protocol.<br><br>It also created a schism in the community around=
 the true meaning of &quot;code is law,&quot; resulting in Ethereum Classic=
, which decided to allow the attacker to retain control of the stolen funds=
.<br><br>A soft fork to burn vulnerable bitcoin could certainly result in a=
 hard fork if there are enough miners who reject the soft fork and continue=
 including transactions.<br><br><font size=3D"6" style=3D"color:rgb(0,0,0)"=
>Incentives Matter</font><br>We can wax philosophical until the cows come h=
ome, but what are the actual incentives for existing Bitcoin holders regard=
ing this decision?<br><br><blockquote style=3D"margin:0px 0px 0px 0.8ex;pad=
ding-left:1ex;border-left-color:rgb(204,204,204)" class=3D"gmail_quote">&qu=
ot;Lost coins only make everyone else&#39;s coins worth slightly more. Thin=
k of it as a donation to everyone.&quot; - Satoshi Nakamoto</blockquote><br=
>If true, the corollary is:<br><br><blockquote style=3D"margin:0px 0px 0px =
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204)" class=3D"gmail_q=
uote">&quot;Quantum recovered coins only make everyone else&#39;s coins wor=
th less. Think of it as a theft from everyone.&quot; - Jameson Lopp</blockq=
uote><br>Thus, assuming we get to a point where quantum resistant signature=
s are supported within the Bitcoin protocol, what&#39;s the incentive to le=
t vulnerable coins remain spendable?<br><br>* It&#39;s not good for the act=
ual owners of those coins. It disincentivizes owners from upgrading until p=
erhaps it&#39;s too late.<br>* It&#39;s not good for the more attentive / r=
esponsible owners of coins who have quantum secured their stash. Allowing t=
he circulating supply to balloon will assuredly reduce the purchasing power=
 of all bitcoin holders.<br><br><font size=3D"6" style=3D"color:rgb(0,0,0)"=
>Forking Game Theory</font><br>From a game theory point of view, I see this=
 as incentivizing users to upgrade their wallets. If you disagree with the =
burning of vulnerable coins, all you have to do is move your funds to a qua=
ntum safe signature scheme. Point being, I don&#39;t see there being an eco=
nomic majority (or even more than a tiny minority) of users who would fight=
 such a soft fork. Why expend significant resources fighting a fork when yo=
u can just move your coins to a new address?<br><br>Remember that blocking =
spending of certain classes of locking scripts is a tightening of the rules=
 - a soft fork. As such, it can be meaningfully enacted and enforced by a m=
ere majority of hashpower. If miners generally agree that it&#39;s in their=
 best interest to burn vulnerable coins, are other users going to care enou=
gh to put in the effort to run new node software that resists the soft fork=
? Seems unlikely to me.<br><br><font size=3D"6" style=3D"color:rgb(0,0,0)">=
How to Execute Burning</font><br>In order to be as objective as possible, t=
he goal would be to announce to the world that after a specific block heigh=
t / timestamp, Bitcoin nodes will no longer accept transactions (or blocks =
containing such transactions) that spend funds from any scripts other than =
the newly instituted quantum safe schemes.<br><br>It could take a staggered=
 approach to first freeze funds that are susceptible to long-range attacks =
such as those in P2PK scripts or those that exposed their public keys due t=
o previously re-using addresses, but I expect the additional complexity wou=
ld drive further controversy.<br><br>How long should the grace period be in=
 order to give the ecosystem time to upgrade? I&#39;d say a minimum of 1 ye=
ar for software wallets to upgrade. We can only hope that hardware wallet m=
anufacturers are able to implement post quantum cryptography on their exist=
ing hardware with only a firmware update.<br><br>Beyond that, it will take =
at least 6 months worth of block space for all users to migrate their funds=
, even in a best case scenario. Though if you exclude dust UTXOs you could =
probably get 95% of BTC value migrated in 1 month. Of course this is a high=
ly optimistic situation where everyone is completely focused on migrations =
- in reality it will take far longer.<br><br>Regardless, I&#39;d think that=
 in order to reasonably uphold Bitcoin&#39;s conservatism it would be prefe=
rable to allow a 4 year migration window. In the meantime, mining pools cou=
ld coordinate emergency soft forking logic such that if quantum attackers m=
aterialized, they could accelerate the countdown to the quantum vulnerable =
funds burn.<br><br><font size=3D"6" style=3D"color:rgb(0,0,0)">Random Tange=
ntial Benefits</font><br>On the plus side, burning all quantum vulnerable b=
itcoin would allow us to prune all of those UTXOs out of the UTXO set, whic=
h would also clean up a lot of dust. Dust UTXOs are a bit of an annoyance a=
nd there has even been a recent proposal for how to incentivize cleaning th=
em up.<br><br>We should also expect that incentivizing migration of the ent=
ire UTXO set will create substantial demand for block space that will susta=
in a fee market for a fairly lengthy amount of time.<br><br><font size=3D"6=
" style=3D"color:rgb(0,0,0)">In Summary</font><br>While the moral quandary =
of violating any of Bitcoin&#39;s inviolable properties can make this a ver=
y complex issue to discuss, the game theory and incentives between burning =
vulnerable coins versus allowing them to be claimed by entities with quantu=
m supremacy appears to be a much simpler issue.<br><br>I, for one, am not i=
nterested in rewarding quantum capable entities by inflating the circulatin=
g money supply just because some people lost their keys long ago and some l=
aggards are not upgrading their bitcoin wallet&#39;s security.<br><br>We ca=
n hope that this scenario never comes to pass, but hope is not a strategy.<=
br><br>I welcome your feedback upon any of the above points, and contributi=
on of any arguments I failed to consider.</div></div><div><br></div>-- <br>=
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br>To unsubscribe from t=
his group and stop receiving emails from it, send an email to <a href=3D"ma=
ilto:bitcoindev+unsubscribe@googlegroups.com" rel=3D"noreferrer nofollow no=
opener noreferrer" target=3D"_blank">bitcoindev+unsubscribe@googlegroups.co=
m</a>.<br>To view this discussion visit <a href=3D"https://groups.google.co=
m/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN9=
7P6hQ%40mail.gmail.com" rel=3D"noreferrer nofollow noopener noreferrer" tar=
get=3D"_blank">https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKV=
a7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com</a>.</div></b=
lockquote></div><div dir=3D"ltr"></div></div></div></div>

<p></p>

-- <br>
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br>
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com" rel=3D"n=
oreferrer nofollow noopener noreferrer" target=3D"_blank">bitcoindev+unsubs=
cribe@googlegroups.com</a>.<br>
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/E8269A1A-1899-46D2-A7CD-4D9D2B732364%40astrotown.de" rel=3D"nore=
ferrer nofollow noopener noreferrer" target=3D"_blank">https://groups.googl=
e.com/d/msgid/bitcoindev/E8269A1A-1899-46D2-A7CD-4D9D2B732364%40astrotown.d=
e</a>.</blockquote></div></div></blockquote></div><div><blockquote type=3D"=
cite"><div dir=3D"ltr"><div class=3D"gmail_quote"><blockquote style=3D"marg=
in:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;padding-=
left:1ex;border-left-color:rgb(204,204,204)" class=3D"gmail_quote"><br>
</blockquote></div></div>

<p></p>

-- <br>
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br>
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com" rel=3D"n=
oreferrer nofollow noopener noreferrer" target=3D"_blank">bitcoindev+unsubs=
cribe@googlegroups.com</a>.<br>
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br6mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg%40mail=
.gmail.com" rel=3D"noreferrer nofollow noopener noreferrer" target=3D"_blan=
k">https://groups.google.com/d/msgid/bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br6=
mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg%40mail.gmail.com</a>.<br>

        </blockquote><br>
    </div>

<p></p>

-- <br>
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br>
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com" target=
=3D"_blank" rel=3D"noreferrer">bitcoindev+unsubscribe@googlegroups.com</a>.=
<br>
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvfXniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuH=
Mjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXLmiCJOY%3D%40proton.me?utm_medium=3Dema=
il&amp;utm_source=3Dfooter" target=3D"_blank" rel=3D"noreferrer">https://gr=
oups.google.com/d/msgid/bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvfXniazvrhGlaZuG=
LeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXLmiCJOY%3D%40pr=
oton.me</a>.<br>
</blockquote></div></div>
</blockquote></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/CAJDmzYycnXODG_e9ATqTkooUu3C-RS703P1-RQLW5CdcCehsqg%40mail.gmail=
.com?utm_medium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/ms=
gid/bitcoindev/CAJDmzYycnXODG_e9ATqTkooUu3C-RS703P1-RQLW5CdcCehsqg%40mail.g=
mail.com</a>.<br />

--00000000000072273e0635ff143b--