path: root/33/316eb5f94d2e1fe02aed600f448b8f2030077e

Delivery-date: Tue, 27 May 2025 18:21:48 -0700
Received: from mail-yw1-f187.google.com ([209.85.128.187])
	by mail.fairlystable.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <bitcoindev+bncBDI23FE35EIBBHOK3HAQMGQE7LUIRSQ@googlegroups.com>)
	id 1uK5UF-0004l3-MS
	for bitcoindev@gnusha.org; Tue, 27 May 2025 18:21:48 -0700
Received: by mail-yw1-f187.google.com with SMTP id 00721157ae682-70e735c7857sf21113987b3.3
        for <bitcoindev@gnusha.org>; Tue, 27 May 2025 18:21:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlegroups.com; s=20230601; t=1748395297; x=1749000097; darn=gnusha.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-sender:mime-version
         :subject:references:in-reply-to:message-id:to:from:date:sender:from
         :to:cc:subject:date:message-id:reply-to;
        bh=nr7QXYUq4DweLY2B9lL/kpZdbiYNC9cpsWMr3xd0K4Y=;
        b=CA+VL8EuV1f/eih0iA3kCFFed1Ub1wF4pncKkl/MwcFqK3r53GKblT6q3IIMWDgVq7
         NR1WqjklpA1Qz5NhTsAKssMZtQLLzf404/yuK89q3kShSD2kLkbce5XSuaeYAyzfmUW8
         8itIObMeAiW5W5L2YS+aR/xyNeFIqAxcoXpbbVfeieYzFacekehtRJt00+VkLIqx5Fy2
         p0+3rd6LlCUVopMYUorri7KeMCzIXym0T78oilgQuV+jt/l33EPk6g3fzo7LeIMTCCw0
         0dRCbSWvTaWzuk4yrQnXMXT/eANo1ICiMleMlb+jRIiXSAXIXrqsfKQgr2AQ+WIx4pC9
         qgQA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1748395297; x=1749000097; darn=gnusha.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-sender:mime-version
         :subject:references:in-reply-to:message-id:to:from:date:from:to:cc
         :subject:date:message-id:reply-to;
        bh=nr7QXYUq4DweLY2B9lL/kpZdbiYNC9cpsWMr3xd0K4Y=;
        b=Ziijw9h6IcDMj8cj9ZkvpbYUJlC5m15O0oPSbl3+wWhNZvjyALexDF1H/4sN0NyhpX
         LLEKcxqIa7D0ozisE0EKKbNfCmqSmCnZCpYG/DnTXnIa6A36JdRMhUuUrwFw7F8Hd5yz
         j5LyzMsCpk/BfrbRQpLitWsTJsX2zGgjWuHbVfwfbfQxUuKqyvoYRl02TPO4Ge9SLaFk
         TSKTel8MRoQp8vwJePDSDWcMlv4sp3YjBHj0A8LMLSwKLLnO+Lc+HFNbseWGNadJ+WwN
         pMGmOOoFZJDQtcFTs7rVSiWkotU1Hzy1OZR09fitSIOseMyCvNYkKKvHQCmhWJDyAlEP
         H5rg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1748395297; x=1749000097;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-sender:mime-version
         :subject:references:in-reply-to:message-id:to:from:date:x-beenthere
         :x-gm-message-state:sender:from:to:cc:subject:date:message-id
         :reply-to;
        bh=nr7QXYUq4DweLY2B9lL/kpZdbiYNC9cpsWMr3xd0K4Y=;
        b=XH+T2jiqbJf+VwTYKglFtspa8WIGEt8s5rDD+KYLRUNEkZabKJaovavknNJKItxTgw
         XeNkbrD2y0aAEBaN8SqkMf/SOJsjAANMlvXApdmgN+88zhBgR2VKzr+AS08ky5FabSK2
         +yd1K/dPzbC2oKYcg+6cFIifAnwRruNA2B4LC2UNkoJGbkOW1vE0INOj7B1oNIbOHs5I
         WG8SeWEsjbnpHn0Gc+/pvgcNxa97oahb+V4BNlc2gcCSy53h/bjrg1abNNDC3x3wnI/K
         x4uFjQsALxTYhbOpGOLS5QMKMqP2xndXfGGNgvZw45zEnAqSuKM4A90QCyoz39PebJVR
         ECyw==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=1; AJvYcCVWYRr1REQE01vBamSrCIKel0uFPOQMorqlI4mLQiFkDL46ChjnUDGTj92oBgXX55ZQy2iGBGsMktcX@gnusha.org
X-Gm-Message-State: AOJu0YzdQbNejGk8kEedp7R/Qz2GhUvLLYTJTrrh0dkxv/p8pYxHtI5A
	MFer96pHUR1FulW5F9n/F+ypdOk9OOr1JOSv8y2B9rOrwgTbF8Ua1FUF
X-Google-Smtp-Source: AGHT+IGfBKb7126QBowUzjIPoYEiDbtzXdCQ122SPgCAcqzRg6kJD2W/ch0WEi6MLU0rAA4WXv2EGQ==
X-Received: by 2002:a05:6902:1245:b0:e7d:a799:bbd4 with SMTP id 3f1490d57ef6-e7da799c1bcmr14453586276.43.1748395296942;
        Tue, 27 May 2025 18:21:36 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com; h=AZMbMZf7cVeWtuhzgVEG0U5JdRa659AmcGjEf42oHMg4MEbCJA==
Received: by 2002:a25:3fc4:0:b0:e7a:63e6:d8ef with SMTP id 3f1490d57ef6-e7d92107abbls2114465276.1.-pod-prod-09-us;
 Tue, 27 May 2025 18:21:33 -0700 (PDT)
X-Received: by 2002:a05:690c:640d:b0:709:1b68:9f5c with SMTP id 00721157ae682-70e2d9eb85amr206444437b3.16.1748395293035;
        Tue, 27 May 2025 18:21:33 -0700 (PDT)
Received: by 2002:a81:c949:0:b0:6ef:590d:3213 with SMTP id 00721157ae682-70ca9c0bd38ms7b3;
        Tue, 27 May 2025 18:07:58 -0700 (PDT)
X-Received: by 2002:a05:690c:f10:b0:70d:f47a:7e21 with SMTP id 00721157ae682-70e2d9814admr198290597b3.1.1748394477306;
        Tue, 27 May 2025 18:07:57 -0700 (PDT)
Date: Tue, 27 May 2025 18:07:56 -0700 (PDT)
From: waxwing/ AdamISZ <ekaggata@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <c568cc33-abba-4010-ac65-42c84dae6eb8n@googlegroups.com>
In-Reply-To: <CAJDmzYycnXODG_e9ATqTkooUu3C-RS703P1-RQLW5CdcCehsqg@mail.gmail.com>
References: <E8269A1A-1899-46D2-A7CD-4D9D2B732364@astrotown.de>
 <CAJDmzYxw+mXQKjS+h+r6mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg@mail.gmail.com>
 <zyx7G6H1TyB2sWVEKAfIYmCCvfXniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXLmiCJOY=@proton.me>
 <CAC3UE4+DR=DQqtT+X0SYvH1XCVnmatD7frcHC5dtdVAef39UnQ@mail.gmail.com>
 <CAJDmzYycnXODG_e9ATqTkooUu3C-RS703P1-RQLW5CdcCehsqg@mail.gmail.com>
Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin
MIME-Version: 1.0
Content-Type: multipart/mixed; 
	boundary="----=_Part_7068_1573834767.1748394476949"
X-Original-Sender: ekaggata@gmail.com
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
 <https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: 0.0 (/)

------=_Part_7068_1573834767.1748394476949
Content-Type: multipart/alternative; 
	boundary="----=_Part_7069_1578773686.1748394476949"

------=_Part_7069_1578773686.1748394476949
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi all,

I'd like to point out that the worst case scenarios here might be even=20
worse than one naturally thinks.

(1) The first part is obvious: even though unlikely, it's possible that a=
=20
certain group gains access to this functionality well in advance of the=20
general state of the art, and not only that, but decides to steal coins=20
only surreptitiously. This may be economically optimal for the thieves, but=
=20
may also be negative-optimal (pessimal?) for the rest of us: because there=
=20
will be continuous controversy about whether the theft happened, which=20
relates to the unobvious point:

(2) The second part is somehow even way worse: that a well funded (but not=
=20
having to spend money) attacker (not thief) on the system creates panic by=
=20
pretending to have its coins stolen, even though it does not have access to=
=20
an ECDLP break. This would be most likely in taproot, because they cannot=
=20
prepare this attack in advance on coins created in 2009-10. Their only task=
=20
is to create credibility amongst the general Bitcoin public, and thus force=
=20
sufficient controversy for perhaps a chain split based on disagreeing with=
=20
how to deal with the threat. I admit this is fairly fanciful, but imagine=
=20
it occurring in combination with a heavily pushed proposal for a=20
technically unsound solution to the problem which actually undermines=20
Bitcoin's safety.

Notice that this second observation illustrates the sense in which this is=
=20
crucially very different from the DAO as Jameson suggests: the act of theft=
=20
is not unambiguously visible. (well to be fair the phrase was "*some*=20
similarities" ! :) ).

Two more observations:

(3) I do really like the "disabled NUMS" concept in regard to taproot=20
external keys, for paving the way to PQC in tapleaf. This is one kind of=20
censorship that cannot be controversial.

(4) (in this I agree with Saulo Fonseca): my second observation might be=20
unpopular but I think that a burning coins softfork will be appallingly=20
hard to come to consensus on, and probably shouldn't even be attempted ((2)=
=20
is relevant here). I don't think it's going to happen. I think we need some=
=20
cryptographic chicanery that allows spending currently-hashed utxos safely,=
=20
along the lines of what Tim Ruffing, Adam Back and others have discussed in=
=20
the past, and that P2PK that is untouched even during a transition is just=
=20
a lost cause. (I also think that this is very very far in the future but=20
that is 100% opinion, not fact).

On Sunday, May 25, 2025 at 9:48:19=E2=80=AFPM UTC-3 Agustin Cruz wrote:

> Hi everyone,
>
> QRAMP proposal aims to manage the quantum transition responsibly without=
=20
> disrupting Bitcoin=E2=80=99s core principles.
>
> QRAMP has three phases:
>
> 1. Allow wallets to optionally include PQC keys in Taproot outputs. This=
=20
> enables early adoption without forcing anyone.
>
> 2. Announce a soft fork to disable vulnerable scripts, with a long=20
> (~4-year) grace period. This gives ample time to migrate and avoids sudde=
n=20
> shocks.
>
> 3. Gradually deactivate vulnerable outputs based on age or inactivity.=20
> This avoids a harsh cutoff and gives time for adaptation.
>
> We can also allow exceptions via proof-of-possession, and delay=20
> restrictions on timelocked outputs to avoid harming future spenders.
>
> QRAMP is not about confiscation or control. It=E2=80=99s about aligning=
=20
> incentives, maintaining security, and offering a clear, non-coercive=20
> upgrade path.
>
> Best,
> Agustin Cruz
>
>
>
> El dom, 25 de may de 2025, 7:03=E2=80=AFp.m., Dustin Ray <dustinvo...@gma=
il.com>=20
> escribi=C3=B3:
>
>> The difference between the ETH/ETC split though was that no one had=20
>> anything confiscated except the DAO hacker, everyone retained an identic=
al=20
>> number of tokens on each chain. The proposal for BTC is very different i=
n=20
>> that some holders will lose access to their coins during the PQ migratio=
n=20
>> under the confiscation approach. Just wanted to point that out.
>>
>> On Sun, May 25, 2025 at 3:06=E2=80=AFPM 'conduition' via Bitcoin Develop=
ment=20
>> Mailing List <bitco...@googlegroups.com> wrote:
>>
>>> Hey Saulo,
>>>
>>> You're right about the possibility of an ugly split. Laggards who don't=
=20
>>> move coins to PQ address schemes will be incentivized to follow any cha=
in=20
>>> where they keep their coins. But those who do migrate will be incentivi=
zed=20
>>> to follow the chain where unmigrated pre-quantum coins are frozen.=20
>>>
>>> While you're comparing this event to the ETH/ETC split, we should=20
>>> remember that ETH remained the dominant chain despite their heavy-hande=
d=20
>>> rollback. Just goes to show, confusion and face-loss is a lesser evil t=
han=20
>>> allowing an adversary to pwn the network.=20
>>>
>>> This is the free-market way to solve problems without imposing rules on=
=20
>>> everyone.
>>>
>>>
>>> It'd still be a free market even if quantum-vulnerable coins are frozen=
.=20
>>> The only way to test the relative value of quantum-safe vs=20
>>> quantum-vulnerable coins is to split the chain and see how the market=
=20
>>> reacts.=20
>>>
>>> IMO, the "free market way" is to give people options and let their mone=
y=20
>>> flow to where it works best. That means people should be able to choose=
=20
>>> whether they want their money to be part of a system that allows quantu=
m=20
>>> attack, or part of one which does not. I know which I would choose, but=
=20
>>> neither you nor I can make that choice for everyone.
>>>
>>> regards,
>>> conduition
>>> On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz <
>>> agusti...@gmail.com> wrote:
>>>
>>> I=E2=80=99m against letting quantum computers scoop up funds from addre=
sses that=20
>>> don=E2=80=99t upgrade to quantum-resistant.=20
>>> Saulo=E2=80=99s idea of a free-market approach, leaving old coins up fo=
r grabs=20
>>> if people don=E2=80=99t move them, sounds fair at first. Let luck decid=
e, right?=20
>>> But I worry it=E2=80=99d turn into a mess. If quantum machines start cr=
acking keys=20
>>> and snagging coins, it=E2=80=99s not just lost Satoshi-era stuff at ris=
k. Plenty of=20
>>> active wallets, like those on the rich list Jameson mentioned, could ge=
t=20
>>> hit too. Imagine millions of BTC flooding the market. Prices tank, trus=
t in=20
>>> Bitcoin takes a dive, and we all feel the pain. Freezing those vulnerab=
le=20
>>> funds keeps that chaos in check.
>>> Plus, =E2=80=9Cyour keys, your coins=E2=80=9D is Bitcoin=E2=80=99s hear=
t. If quantum tech can=20
>>> steal from you just because you didn=E2=80=99t upgrade fast enough, tha=
t promise=20
>>> feels shaky. Freezing funds after a heads-up period (say, four years)=
=20
>>> protects that idea better than letting tech giants or rogue states play=
=20
>>> vampire with our network. It also nudges people to get their act togeth=
er=20
>>> and move to safer addresses, which strengthens Bitcoin long-term.
>>> Saulo=E2=80=99s right that freezing coins could confuse folks or spark =
a split=20
>>> like Ethereum Classic. But I=E2=80=99d argue quantum theft would look w=
orse.=20
>>> Bitcoin would seem broken, not just strict. A clear plan and enough tim=
e to=20
>>> migrate could smooth things over. History=E2=80=99s on our side too. Bi=
tcoin=E2=80=99s=20
>>> fixed bugs before, like SegWit. This feels like that, not a bailout.
>>> So yeah, I=E2=80=99d rather see vulnerable coins locked than handed to =
whoever=20
>>> builds the first quantum rig. It=E2=80=99s less about coddling people a=
nd more=20
>>> about keeping Bitcoin solid for everyone. What do you all think?
>>> Cheers,
>>> Agust=C3=ADn
>>>
>>>
>>> On Sun, Mar 23, 2025 at 10:29=E2=80=AFPM AstroTown <sa...@astrotown.de>=
 wrote:
>>>
>>>> I believe that having some entity announce the decision to freeze old=
=20
>>>> UTXOs would be more damaging to Bitcoin=E2=80=99s image (and its value=
) than having=20
>>>> them gathered by QC. This would create another version of Bitcoin, sim=
ilar=20
>>>> to Ethereum Classic, causing confusion in the market.
>>>>
>>>> It would be better to simply implement the possibility of moving funds=
=20
>>>> to a PQC address without a deadline, allowing those who fail to do so =
to=20
>>>> rely on luck to avoid having their coins stolen. Most coins would be=
=20
>>>> migrated to PQC anyway, and in most cases, only the lost ones would re=
main=20
>>>> vulnerable. This is the free-market way to solve problems without impo=
sing=20
>>>> rules on everyone.
>>>>
>>>> Saulo Fonseca
>>>>
>>>>
>>>> On 16. Mar 2025, at 15:15, Jameson Lopp <jameso...@gmail.com> wrote:
>>>>
>>>> The quantum computing debate is heating up. There are many=20
>>>> controversial aspects to this debate, including whether or not quantum=
=20
>>>> computers will ever actually become a practical threat.
>>>>
>>>> I won't tread into the unanswerable question of how worried we should=
=20
>>>> be about quantum computers. I think it's far from a crisis, but given =
the=20
>>>> difficulty in changing Bitcoin it's worth starting to seriously discus=
s.=20
>>>> Today I wish to focus on a philosophical quandary related to one of th=
e=20
>>>> decisions that would need to be made if and when we implement a quantu=
m=20
>>>> safe signature scheme.
>>>>
>>>> Several Scenarios
>>>> Because this essay will reference game theory a fair amount, and there=
=20
>>>> are many variables at play that could change the nature of the game, I=
=20
>>>> think it's important to clarify the possible scenarios up front.
>>>>
>>>> 1. Quantum computing never materializes, never becomes a threat, and=
=20
>>>> thus everything discussed in this essay is moot.
>>>> 2. A quantum computing threat materializes suddenly and Bitcoin does=
=20
>>>> not have quantum safe signatures as part of the protocol. In this scen=
ario=20
>>>> it would likely make the points below moot because Bitcoin would be=20
>>>> fundamentally broken and it would take far too long to upgrade the=20
>>>> protocol, wallet software, and migrate user funds in order to restore=
=20
>>>> confidence in the network.
>>>> 3. Quantum computing advances slowly enough that we come to consensus=
=20
>>>> about how to upgrade Bitcoin and post quantum security has been minima=
lly=20
>>>> adopted by the time an attacker appears.
>>>> 4. Quantum computing advances slowly enough that we come to consensus=
=20
>>>> about how to upgrade Bitcoin and post quantum security has been highly=
=20
>>>> adopted by the time an attacker appears.
>>>>
>>>> For the purposes of this post, I'm envisioning being in situation 3 or=
=20
>>>> 4.
>>>>
>>>> To Freeze or not to Freeze?
>>>> I've started seeing more people weighing in on what is likely the most=
=20
>>>> contentious aspect of how a quantum resistance upgrade should be handl=
ed in=20
>>>> terms of migrating user funds. Should quantum vulnerable funds be left=
 open=20
>>>> to be swept by anyone with a sufficiently powerful quantum computer OR=
=20
>>>> should they be permanently locked?
>>>>
>>>> "I don't see why old coins should be confiscated. The better option is=
=20
>>>>> to let those with quantum computers free up old coins. While this mig=
ht=20
>>>>> have an inflationary impact on bitcoin's price, to use a turn of phra=
se,=20
>>>>> the inflation is transitory. Those with low time preference should su=
pport=20
>>>>> returning lost coins to circulation."=20
>>>>
>>>> - Hunter Beast
>>>>
>>>>
>>>> On the other hand:
>>>>
>>>> "Of course they have to be confiscated. If and when (and that's a big=
=20
>>>>> if) the existence of a cryptography-breaking QC becomes a credible th=
reat,=20
>>>>> the Bitcoin ecosystem has no other option than softforking out the ab=
ility=20
>>>>> to spend from signature schemes (including ECDSA and BIP340) that are=
=20
>>>>> vulnerable to QCs. The alternative is that millions of BTC become=20
>>>>> vulnerable to theft; I cannot see how the currency can maintain any v=
alue=20
>>>>> at all in such a setting. And this affects everyone; even those which=
=20
>>>>> diligently moved their coins to PQC-protected schemes."
>>>>> - Pieter Wuille
>>>>
>>>>
>>>> I don't think "confiscation" is the most precise term to use, as the=
=20
>>>> funds are not being seized and reassigned. Rather, what we're really=
=20
>>>> discussing would be better described as "burning" - placing the funds =
*out=20
>>>> of reach of everyone*.
>>>>
>>>> Not freezing user funds is one of Bitcoin's inviolable properties.=20
>>>> However, if quantum computing becomes a threat to Bitcoin's elliptic c=
urve=20
>>>> cryptography, *an inviolable property of Bitcoin will be violated one=
=20
>>>> way or another*.
>>>>
>>>> Fundamental Properties at Risk
>>>> 5 years ago I attempted to comprehensively categorize all of Bitcoin's=
=20
>>>> fundamental properties that give it value.=20
>>>> https://nakamoto.com/what-are-the-key-properties-of-bitcoin/
>>>>
>>>> The particular properties in play with regard to this issue seem to be=
:
>>>>
>>>> *Censorship Resistance* - No one should have the power to prevent=20
>>>> others from using their bitcoin or interacting with the network.
>>>>
>>>> *Forward Compatibility* - changing the rules such that certain valid=
=20
>>>> transactions become invalid could undermine confidence in the protocol=
.
>>>>
>>>> *Conservatism* - Users should not be expected to be highly responsive=
=20
>>>> to system issues.
>>>>
>>>> As a result of the above principles, we have developed a strong meme=
=20
>>>> (kudos to Andreas Antonopoulos) that goes as follows:
>>>>
>>>> Not your keys, not your coins.
>>>>
>>>>
>>>> I posit that the corollary to this principle is:
>>>>
>>>> Your keys, only your coins.
>>>>
>>>>
>>>> A quantum capable entity breaks the corollary of this foundational=20
>>>> principle. We secure our bitcoin with the mathematical probabilities=
=20
>>>> related to extremely large random numbers. Your funds are only secure=
=20
>>>> because truly random large numbers should not be guessable or discover=
able=20
>>>> by anyone else in the world.
>>>>
>>>> This is the principle behind the motto *vires in numeris* - strength=
=20
>>>> in numbers. In a world with quantum enabled adversaries, this principl=
e is=20
>>>> null and void for many types of cryptography, including the elliptic c=
urve=20
>>>> digital signatures used in Bitcoin.
>>>>
>>>> Who is at Risk?
>>>> There has long been a narrative that Satoshi's coins and others from=
=20
>>>> the Satoshi era of P2PK locking scripts that exposed the public key=20
>>>> directly on the blockchain will be those that get scooped up by a quan=
tum=20
>>>> "miner." But unfortunately it's not that simple. If I had a powerful=
=20
>>>> quantum computer, which coins would I target? I'd go to the Bitcoin ri=
ch=20
>>>> list and find the wallets that have exposed their public keys due to=
=20
>>>> re-using addresses that have previously been spent from. You can easil=
y=20
>>>> find them at=20
>>>> https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html
>>>>
>>>> Note that a few of these wallets, like Bitfinex / Kraken / Tether,=20
>>>> would be slightly harder to crack because they are multisig wallets. S=
o a=20
>>>> quantum attacker would need to reverse engineer 2 keys for Kraken or 3=
 for=20
>>>> Bitfinex / Tether in order to spend funds. But many are single signatu=
re.
>>>>
>>>> Point being, it's not only the really old lost BTC that are at risk to=
=20
>>>> a quantum enabled adversary, at least at time of writing. If we add a=
=20
>>>> quantum safe signature scheme, we should expect those wallets to be so=
me of=20
>>>> the first to upgrade given their incentives.
>>>>
>>>> The Ethical Dilemma: Quantifying Harm
>>>> Which decision results in the most harm?
>>>>
>>>> By making quantum vulnerable funds unspendable we potentially harm som=
e=20
>>>> Bitcoin users who were not paying attention and neglected to migrate t=
heir=20
>>>> funds to a quantum safe locking script. This violates the "conservativ=
ism"=20
>>>> principle stated earlier. On the flip side, we prevent those funds plu=
s far=20
>>>> more lost funds from falling into the hands of the few privileged folk=
s who=20
>>>> gain early access to quantum computers.
>>>>
>>>> By leaving quantum vulnerable funds available to spend, the same set o=
f=20
>>>> users who would otherwise have funds frozen are likely to see them sto=
len.=20
>>>> And many early adopters who lost their keys will eventually see their=
=20
>>>> unreachable funds scooped up by a quantum enabled adversary.
>>>>
>>>> Imagine, for example, being James Howells, who accidentally threw away=
=20
>>>> a hard drive with 8,000 BTC on it, currently worth over $600M USD. He =
has=20
>>>> spent a decade trying to retrieve it from the landfill where he knows =
it's=20
>>>> buried, but can't get permission to excavate. I suspect that, given th=
e=20
>>>> choice, he'd prefer those funds be permanently frozen rather than fall=
 into=20
>>>> someone else's possession - I know I would.
>>>>
>>>> Allowing a quantum computer to access lost funds doesn't make those=20
>>>> users any worse off than they were before, however it *would*have a=20
>>>> negative impact upon everyone who is currently holding bitcoin.
>>>>
>>>> It's prudent to expect significant economic disruption if large amount=
s=20
>>>> of coins fall into new hands. Since a quantum computer is going to hav=
e a=20
>>>> massive up front cost, expect those behind it to desire to recoup thei=
r=20
>>>> investment. We also know from experience that when someone suddenly fi=
nds=20
>>>> themselves in possession of 9+ figures worth of highly liquid assets, =
they=20
>>>> tend to diversify into other things by selling.
>>>>
>>>> Allowing quantum recovery of bitcoin is *tantamount to wealth=20
>>>> redistribution*. What we'd be allowing is for bitcoin to be=20
>>>> redistributed from those who are ignorant of quantum computers to thos=
e who=20
>>>> have won the technological race to acquire quantum computers. It's har=
d to=20
>>>> see a bright side to that scenario.
>>>>
>>>> Is Quantum Recovery Good for Anyone?
>>>>
>>>> Does quantum recovery HELP anyone? I've yet to come across an argument=
=20
>>>> that it's a net positive in any way. It certainly doesn't add any secu=
rity=20
>>>> to the network. If anything, it greatly decreases the security of the=
=20
>>>> network by allowing funds to be claimed by those who did not earn them=
.
>>>>
>>>> But wait, you may be thinking, wouldn't quantum "miners" have earned=
=20
>>>> their coins by all the work and resources invested in building a quant=
um=20
>>>> computer? I suppose, in the same sense that a burglar earns their spoi=
ls by=20
>>>> the resources they invest into surveilling targets and learning the sk=
ills=20
>>>> needed to break into buildings. What I say "earned" I mean through=20
>>>> productive mutual trade.
>>>>
>>>> For example:
>>>>
>>>> * Investors earn BTC by trading for other currencies.
>>>> * Merchants earn BTC by trading for goods and services.
>>>> * Miners earn BTC by trading thermodynamic security.
>>>> * Quantum miners don't trade anything, they are vampires feeding upon=
=20
>>>> the system.
>>>>
>>>> There's no reason to believe that allowing quantum adversaries to=20
>>>> recover vulnerable bitcoin will be of benefit to anyone other than the=
=20
>>>> select few organizations that win the technological arms race to build=
 the=20
>>>> first such computers. Probably nation states and/or the top few larges=
t=20
>>>> tech companies.
>>>>
>>>> One could certainly hope that an organization with quantum supremacy i=
s=20
>>>> benevolent and acts in a "white hat" manner to return lost coins to th=
eir=20
>>>> owners, but that's incredibly optimistic and foolish to rely upon. Suc=
h a=20
>>>> situation creates an insurmountable ethical dilemma of only recovering=
 lost=20
>>>> bitcoin rather than currently owned bitcoin. There's no way to precise=
ly=20
>>>> differentiate between the two; anyone can claim to have lost their bit=
coin=20
>>>> but if they have lost their keys then proving they ever had the keys=
=20
>>>> becomes rather difficult. I imagine that any such white hat recovery=
=20
>>>> efforts would have to rely upon attestations from trusted third partie=
s=20
>>>> like exchanges.
>>>>
>>>> Even if the first actor with quantum supremacy is benevolent, we must=
=20
>>>> assume the technology could fall into adversarial hands and thus think=
=20
>>>> adversarially about the potential worst case outcomes. Imagine, for=20
>>>> example, that North Korea continues scooping up billions of dollars fr=
om=20
>>>> hacking crypto exchanges and decides to invest some of those proceeds =
into=20
>>>> building a quantum computer for the biggest payday ever...
>>>>
>>>> Downsides to Allowing Quantum Recovery
>>>> Let's think through an exhaustive list of pros and cons for allowing o=
r=20
>>>> preventing the seizure of funds by a quantum adversary.
>>>>
>>>> Historical Precedent
>>>> Previous protocol vulnerabilities weren=E2=80=99t celebrated as "fair =
game" but=20
>>>> rather were treated as failures to be remediated. Treating quantum the=
ft=20
>>>> differently risks rewriting Bitcoin=E2=80=99s history as a free-for-al=
l rather than=20
>>>> a system that seeks to protect its users.
>>>>
>>>> Violation of Property Rights
>>>> Allowing a quantum adversary to take control of funds undermines the=
=20
>>>> fundamental principle of cryptocurrency - if you keep your keys in you=
r=20
>>>> possession, only you should be able to access your money. Bitcoin is b=
uilt=20
>>>> on the idea that private keys secure an individual=E2=80=99s assets, a=
nd=20
>>>> unauthorized access (even via advanced tech) is theft, not a legitimat=
e=20
>>>> transfer.
>>>>
>>>> Erosion of Trust in Bitcoin
>>>> If quantum attackers can exploit vulnerable addresses, confidence in=
=20
>>>> Bitcoin as a secure store of value would collapse. Users and investors=
 rely=20
>>>> on cryptographic integrity, and widespread theft could drive adoption =
away=20
>>>> from Bitcoin, destabilizing its ecosystem.
>>>>
>>>> This is essentially the counterpoint to claiming the burning of=20
>>>> vulnerable funds is a violation of property rights. While some will=20
>>>> certainly see it as such, others will find the apathy toward stopping=
=20
>>>> quantum theft to be similarly concerning.
>>>>
>>>> Unfair Advantage
>>>> Quantum attackers, likely equipped with rare and expensive technology,=
=20
>>>> would have an unjust edge over regular users who lack access to such t=
ools.=20
>>>> This creates an inequitable system where only the technologically elit=
e can=20
>>>> exploit others, contradicting Bitcoin=E2=80=99s ethos of decentralized=
 power.
>>>>
>>>> Bitcoin is designed to create an asymmetric advantage for DEFENDING=20
>>>> one's wealth. It's supposed to be impractically expensive for attacker=
s to=20
>>>> crack the entropy and cryptography protecting one's coins. But now we =
find=20
>>>> ourselves discussing a situation where this asymmetric advantage is=20
>>>> compromised in favor of a specific class of attackers.
>>>>
>>>> Economic Disruption
>>>> Large-scale theft from vulnerable addresses could crash Bitcoin=E2=80=
=99s price=20
>>>> as quantum recovered funds are dumped on exchanges. This would harm al=
l=20
>>>> holders, not just those directly targeted, leading to broader financia=
l=20
>>>> chaos in the markets.
>>>>
>>>> Moral Responsibility
>>>> Permitting theft via quantum computing sets a precedent that=20
>>>> technological superiority justifies unethical behavior. This is essent=
ially=20
>>>> taking a "code is law" stance in which we refuse to admit that both co=
de=20
>>>> and laws can be modified to adapt to previously unforeseen situations.
>>>>
>>>> Burning of coins can certainly be considered a form of theft, thus I=
=20
>>>> think it's worth differentiating the two different thefts being discus=
sed:
>>>>
>>>> 1. self-enriching & likely malicious
>>>> 2. harm prevention & not necessarily malicious
>>>>
>>>> Both options lack the consent of the party whose coins are being burnt=
=20
>>>> or transferred, thus I think the simple argument that theft is immoral=
=20
>>>> becomes a wash and it's important to drill down into the details of ea=
ch.
>>>>
>>>> Incentives Drive Security
>>>> I can tell you from a decade of working in Bitcoin security - the=20
>>>> average user is lazy and is a procrastinator. If Bitcoiners are given =
a=20
>>>> "drop dead date" after which they know vulnerable funds will be burned=
,=20
>>>> this pressure accelerates the adoption of post-quantum cryptography an=
d=20
>>>> strengthens Bitcoin long-term. Allowing vulnerable users to delay upgr=
ading=20
>>>> indefinitely will result in more laggards, leaving the network more ex=
posed=20
>>>> when quantum tech becomes available.
>>>>
>>>> Steel Manning
>>>> Clearly this is a complex and controversial topic, thus it's worth=20
>>>> thinking through the opposing arguments.
>>>>
>>>> Protecting Property Rights
>>>> Allowing quantum computers to take vulnerable bitcoin could potentiall=
y=20
>>>> be spun as a hard money narrative - we care so greatly about not viola=
ting=20
>>>> someone's access to their coins that we allow them to be stolen!
>>>>
>>>> But I think the flip side to the property rights narrative is that=20
>>>> burning vulnerable coins prevents said property from falling into=20
>>>> undeserving hands. If the entire Bitcoin ecosystem just stands around =
and=20
>>>> allows quantum adversaries to claim funds that rightfully belong to ot=
her=20
>>>> users, is that really a "win" in the "protecting property rights" cate=
gory?=20
>>>> It feels more like apathy to me.
>>>>
>>>> As such, I think the "protecting property rights" argument is a wash.
>>>>
>>>> Quantum Computers Won't Attack Bitcoin
>>>> There is a great deal of skepticism that sufficiently powerful quantum=
=20
>>>> computers will ever exist, so we shouldn't bother preparing for a=20
>>>> non-existent threat. Others have argued that even if such a computer w=
as=20
>>>> built, a quantum attacker would not go after bitcoin because they woul=
dn't=20
>>>> want to reveal their hand by doing so, and would instead attack other=
=20
>>>> infrastructure.
>>>>
>>>> It's quite difficult to quantify exactly how valuable attacking other=
=20
>>>> infrastructure would be. It also really depends upon when an entity ga=
ins=20
>>>> quantum supremacy and thus if by that time most of the world's systems=
 have=20
>>>> already been upgraded. While I think you could argue that certain enti=
ties=20
>>>> gaining quantum capability might not attack Bitcoin, it would only del=
ay=20
>>>> the inevitable - eventually somebody will achieve the capability who=
=20
>>>> decides to use it for such an attack.
>>>>
>>>> Quantum Attackers Would Only Steal Small Amounts
>>>> Some have argued that even if a quantum attacker targeted bitcoin,=20
>>>> they'd only go after old, likely lost P2PK outputs so as to not arouse=
=20
>>>> suspicion and cause a market panic.
>>>>
>>>> I'm not so sure about that; why go after 50 BTC at a time when you=20
>>>> could take 250,000 BTC with the same effort as 50 BTC? This is a class=
ic=20
>>>> "zero day exploit" game theory in which an attacker knows they have a=
=20
>>>> limited amount of time before someone else discovers the exploit and e=
ither=20
>>>> benefits from it or patches it. Take, for example, the recent ByBit at=
tack=20
>>>> - the highest value crypto hack of all time. Lazarus Group had comprom=
ised=20
>>>> the Safe wallet front end JavaScript app and they could have simply ha=
d it=20
>>>> reassign ownership of everyone's Safe wallets as they were interacting=
 with=20
>>>> their wallet. But instead they chose to only specifically target ByBit=
's=20
>>>> wallet with $1.5 billion in it because they wanted to maximize their=
=20
>>>> extractable value. If Lazarus had started stealing from every wallet, =
they=20
>>>> would have been discovered quickly and the Safe web app would likely h=
ave=20
>>>> been patched well before any billion dollar wallets executed the malic=
ious=20
>>>> code.
>>>>
>>>> I think the "only stealing small amounts" argument is strongest for=20
>>>> Situation #2 described earlier, where a quantum attacker arrives befor=
e=20
>>>> quantum safe cryptography has been deployed across the Bitcoin ecosyst=
em.=20
>>>> Because if it became clear that Bitcoin's cryptography was broken AND =
there=20
>>>> was nowhere safe for vulnerable users to migrate, the only logical opt=
ion=20
>>>> would be for everyone to liquidate their bitcoin as quickly as possibl=
e. As=20
>>>> such, I don't think it applies as strongly for situations in which we =
have=20
>>>> a migration path available.
>>>>
>>>> The 21 Million Coin Supply Should be in Circulation
>>>> Some folks are arguing that it's important for the "circulating /=20
>>>> spendable" supply to be as close to 21M as possible and that having a=
=20
>>>> significant portion of the supply out of circulation is somehow undesi=
rable.
>>>>
>>>> While the "21M BTC" attribute is a strong memetic narrative, I don't=
=20
>>>> think anyone has ever expected that it would all be in circulation. It=
 has=20
>>>> always been understood that many coins will be lost, and that's actual=
ly=20
>>>> part of the game theory of owning bitcoin!
>>>>
>>>> And remember, the 21M number in and of itself is not a particularly=20
>>>> important detail - it's not even mentioned in the whitepaper. What's=
=20
>>>> important is that the supply is well known and not subject to change.
>>>>
>>>> Self-Sovereignty and Personal Responsibility
>>>> Bitcoin=E2=80=99s design empowers individuals to control their own wea=
lth, free=20
>>>> from centralized intervention. This freedom comes with the burden of=
=20
>>>> securing one's private keys. If quantum computing can break obsolete=
=20
>>>> cryptography, the fault lies with users who didn't move their funds to=
=20
>>>> quantum safe locking scripts. Expecting the network to shield users fr=
om=20
>>>> their own negligence undermines the principle that you, and not a thir=
d=20
>>>> party, are accountable for your assets.
>>>>
>>>> I think this is generally a fair point that "the community" doesn't ow=
e=20
>>>> you anything in terms of helping you. I think that we do, however, nee=
d to=20
>>>> consider the incentives and game theory in play with regard to quantum=
 safe=20
>>>> Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.
>>>>
>>>> Code is Law
>>>> Bitcoin operates on transparent, immutable rules embedded in its=20
>>>> protocol. If a quantum attacker uses superior technology to derive pri=
vate=20
>>>> keys from public keys, they=E2=80=99re not "hacking" the system - they=
're simply=20
>>>> following what's mathematically permissible within the current code.=
=20
>>>> Altering the protocol to stop this introduces subjective human=20
>>>> intervention, which clashes with the objective, deterministic nature o=
f=20
>>>> blockchain.
>>>>
>>>> While I tend to agree that code is law, one of the entire points of=20
>>>> laws is that they can be amended to improve their efficacy in reducing=
=20
>>>> harm. Leaning on this point seems more like a pro-ossification stance =
that=20
>>>> it's better to do nothing and allow harm to occur rather than take act=
ion=20
>>>> to stop an attack that was foreseen far in advance.
>>>>
>>>> Technological Evolution as a Feature, Not a Bug
>>>> It's well known that cryptography tends to weaken over time and=20
>>>> eventually break. Quantum computing is just the next step in this=20
>>>> progression. Users who fail to adapt (e.g., by adopting quantum-resist=
ant=20
>>>> wallets when available) are akin to those who ignored technological=20
>>>> advancements like multisig or hardware wallets. Allowing quantum theft=
=20
>>>> incentivizes innovation and keeps Bitcoin=E2=80=99s ecosystem dynamic,=
 punishing=20
>>>> complacency while rewarding vigilance.
>>>>
>>>> Market Signals Drive Security
>>>> If quantum attackers start stealing funds, it sends a clear signal to=
=20
>>>> the market: upgrade your security or lose everything. This pressure=20
>>>> accelerates the adoption of post-quantum cryptography and strengthens=
=20
>>>> Bitcoin long-term. Coddling vulnerable users delays this necessary=20
>>>> evolution, potentially leaving the network more exposed when quantum t=
ech=20
>>>> becomes widely accessible. Theft is a brutal but effective teacher.
>>>>
>>>> Centralized Blacklisting Power
>>>> Burning vulnerable funds requires centralized decision-making - a soft=
=20
>>>> fork to invalidate certain transactions. This sets a dangerous precede=
nt=20
>>>> for future interventions, eroding Bitcoin=E2=80=99s decentralization. =
If quantum=20
>>>> theft is blocked, what=E2=80=99s next - reversing exchange hacks? The =
system must=20
>>>> remain neutral, even if it means some lose out.
>>>>
>>>> I think this could be a potential slippery slope if the proposal was t=
o=20
>>>> only burn specific addresses. Rather, I'd expect a neutral proposal to=
 burn=20
>>>> all funds in locking script types that are known to be quantum vulnera=
ble.=20
>>>> Thus, we could eliminate any subjectivity from the code.
>>>>
>>>> Fairness in Competition
>>>> Quantum attackers aren't cheating; they're using publicly available=20
>>>> physics and math. Anyone with the resources and foresight can build or=
=20
>>>> access quantum tech, just as anyone could mine Bitcoin in 2009 with a =
CPU.=20
>>>> Early adopters took risks and reaped rewards; quantum innovators are d=
oing=20
>>>> the same. Calling it =E2=80=9Cunfair=E2=80=9D ignores that Bitcoin has=
 never promised=20
>>>> equality of outcome - only equality of opportunity within its rules.
>>>>
>>>> I find this argument to be a mischaracterization because we're not=20
>>>> talking about CPUs. This is more akin to talking about ASICs, except e=
ach=20
>>>> ASIC costs millions if not billions of dollars. This is out of reach f=
rom=20
>>>> all but the wealthiest organizations.
>>>>
>>>> Economic Resilience
>>>> Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and=20
>>>> emerged stronger. The market can absorb quantum losses, with unaffecte=
d=20
>>>> users continuing to hold and new entrants buying in at lower prices. F=
ear=20
>>>> of economic collapse overestimates the impact - the network=E2=80=99s =
antifragility=20
>>>> thrives on such challenges.
>>>>
>>>> This is a big grey area because we don't know when a quantum computer=
=20
>>>> will come online and we don't know how quickly said computers would be=
 able=20
>>>> to steal bitcoin. If, for example, the first generation of sufficientl=
y=20
>>>> powerful quantum computers were stealing less volume than the current =
block=20
>>>> reward then of course it will have minimal economic impact. But if the=
y're=20
>>>> taking thousands of BTC per day and bringing them back into circulatio=
n,=20
>>>> there will likely be a noticeable market impact as it absorbs the new=
=20
>>>> supply.
>>>>
>>>> This is where the circumstances will really matter. If a quantum=20
>>>> attacker appears AFTER the Bitcoin protocol has been upgraded to suppo=
rt=20
>>>> quantum resistant cryptography then we should expect the most valuable=
=20
>>>> active wallets will have upgraded and the juiciest target would be the=
=20
>>>> 31,000 BTC in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has=
 been=20
>>>> dormant since 2010. In general I'd expect that the amount of BTC=20
>>>> re-entering the circulating supply would look somewhat similar to the=
=20
>>>> mining emission curve: volume would start off very high as the most=20
>>>> valuable addresses are drained and then it would fall off as quantum=
=20
>>>> computers went down the list targeting addresses with less and less BT=
C.
>>>>
>>>> Why is economic impact a factor worth considering? Miners and=20
>>>> businesses in general. More coins being liquidated will push down the=
=20
>>>> price, which will negatively impact miner revenue. Similarly, I can at=
test=20
>>>> from working in the industry for a decade, that lower prices result in=
 less=20
>>>> demand from businesses across the entire industry. As such, burning qu=
antum=20
>>>> vulnerable bitcoin is good for the entire industry.
>>>>
>>>> Practicality & Neutrality of Non-Intervention
>>>> There=E2=80=99s no reliable way to distinguish =E2=80=9Ctheft=E2=80=9D=
 from legitimate "white=20
>>>> hat" key recovery. If someone loses their private key and a quantum=20
>>>> computer recovers it, is that stealing or reclaiming? Policing quantum=
=20
>>>> actions requires invasive assumptions about intent, which Bitcoin=E2=
=80=99s=20
>>>> trustless design can=E2=80=99t accommodate. Letting the chips fall whe=
re they may=20
>>>> avoids this mess.
>>>>
>>>> Philosophical Purity
>>>> Bitcoin rejects bailouts. It=E2=80=99s a cold, hard system where outco=
mes=20
>>>> reflect preparation and skill, not sentimentality. If quantum computin=
g=20
>>>> upends the game, that=E2=80=99s the point - Bitcoin isn=E2=80=99t mean=
t to be safe or fair=20
>>>> in a nanny-state sense; it=E2=80=99s meant to be free. Users who lose =
funds to=20
>>>> quantum attacks are casualties of liberty and their own ignorance, not=
=20
>>>> victims of injustice.
>>>>
>>>> Bitcoin's DAO Moment
>>>> This situation has some similarities to The DAO hack of an Ethereum=20
>>>> smart contract in 2016, which resulted in a fork to stop the attacker =
and=20
>>>> return funds to their original owners. The game theory is similar beca=
use=20
>>>> it's a situation where a threat is known but there's some period of ti=
me=20
>>>> before the attacker can actually execute the theft. As such, there's t=
ime=20
>>>> to mitigate the attack by changing the protocol.
>>>>
>>>> It also created a schism in the community around the true meaning of=
=20
>>>> "code is law," resulting in Ethereum Classic, which decided to allow t=
he=20
>>>> attacker to retain control of the stolen funds.
>>>>
>>>> A soft fork to burn vulnerable bitcoin could certainly result in a har=
d=20
>>>> fork if there are enough miners who reject the soft fork and continue=
=20
>>>> including transactions.
>>>>
>>>> Incentives Matter
>>>> We can wax philosophical until the cows come home, but what are the=20
>>>> actual incentives for existing Bitcoin holders regarding this decision=
?
>>>>
>>>> "Lost coins only make everyone else's coins worth slightly more. Think=
=20
>>>>> of it as a donation to everyone." - Satoshi Nakamoto
>>>>
>>>>
>>>> If true, the corollary is:
>>>>
>>>> "Quantum recovered coins only make everyone else's coins worth less.=
=20
>>>>> Think of it as a theft from everyone." - Jameson Lopp
>>>>
>>>>
>>>> Thus, assuming we get to a point where quantum resistant signatures ar=
e=20
>>>> supported within the Bitcoin protocol, what's the incentive to let=20
>>>> vulnerable coins remain spendable?
>>>>
>>>> * It's not good for the actual owners of those coins. It=20
>>>> disincentivizes owners from upgrading until perhaps it's too late.
>>>> * It's not good for the more attentive / responsible owners of coins=
=20
>>>> who have quantum secured their stash. Allowing the circulating supply =
to=20
>>>> balloon will assuredly reduce the purchasing power of all bitcoin hold=
ers.
>>>>
>>>> Forking Game Theory
>>>> From a game theory point of view, I see this as incentivizing users to=
=20
>>>> upgrade their wallets. If you disagree with the burning of vulnerable=
=20
>>>> coins, all you have to do is move your funds to a quantum safe signatu=
re=20
>>>> scheme. Point being, I don't see there being an economic majority (or =
even=20
>>>> more than a tiny minority) of users who would fight such a soft fork. =
Why=20
>>>> expend significant resources fighting a fork when you can just move yo=
ur=20
>>>> coins to a new address?
>>>>
>>>> Remember that blocking spending of certain classes of locking scripts=
=20
>>>> is a tightening of the rules - a soft fork. As such, it can be meaning=
fully=20
>>>> enacted and enforced by a mere majority of hashpower. If miners genera=
lly=20
>>>> agree that it's in their best interest to burn vulnerable coins, are o=
ther=20
>>>> users going to care enough to put in the effort to run new node softwa=
re=20
>>>> that resists the soft fork? Seems unlikely to me.
>>>>
>>>> How to Execute Burning
>>>> In order to be as objective as possible, the goal would be to announce=
=20
>>>> to the world that after a specific block height / timestamp, Bitcoin n=
odes=20
>>>> will no longer accept transactions (or blocks containing such transact=
ions)=20
>>>> that spend funds from any scripts other than the newly instituted quan=
tum=20
>>>> safe schemes.
>>>>
>>>> It could take a staggered approach to first freeze funds that are=20
>>>> susceptible to long-range attacks such as those in P2PK scripts or tho=
se=20
>>>> that exposed their public keys due to previously re-using addresses, b=
ut I=20
>>>> expect the additional complexity would drive further controversy.
>>>>
>>>> How long should the grace period be in order to give the ecosystem tim=
e=20
>>>> to upgrade? I'd say a minimum of 1 year for software wallets to upgrad=
e. We=20
>>>> can only hope that hardware wallet manufacturers are able to implement=
 post=20
>>>> quantum cryptography on their existing hardware with only a firmware u=
pdate.
>>>>
>>>> Beyond that, it will take at least 6 months worth of block space for=
=20
>>>> all users to migrate their funds, even in a best case scenario. Though=
 if=20
>>>> you exclude dust UTXOs you could probably get 95% of BTC value migrate=
d in=20
>>>> 1 month. Of course this is a highly optimistic situation where everyon=
e is=20
>>>> completely focused on migrations - in reality it will take far longer.
>>>>
>>>> Regardless, I'd think that in order to reasonably uphold Bitcoin's=20
>>>> conservatism it would be preferable to allow a 4 year migration window=
. In=20
>>>> the meantime, mining pools could coordinate emergency soft forking log=
ic=20
>>>> such that if quantum attackers materialized, they could accelerate the=
=20
>>>> countdown to the quantum vulnerable funds burn.
>>>>
>>>> Random Tangential Benefits
>>>> On the plus side, burning all quantum vulnerable bitcoin would allow u=
s=20
>>>> to prune all of those UTXOs out of the UTXO set, which would also clea=
n up=20
>>>> a lot of dust. Dust UTXOs are a bit of an annoyance and there has even=
 been=20
>>>> a recent proposal for how to incentivize cleaning them up.
>>>>
>>>> We should also expect that incentivizing migration of the entire UTXO=
=20
>>>> set will create substantial demand for block space that will sustain a=
 fee=20
>>>> market for a fairly lengthy amount of time.
>>>>
>>>> In Summary
>>>> While the moral quandary of violating any of Bitcoin's inviolable=20
>>>> properties can make this a very complex issue to discuss, the game the=
ory=20
>>>> and incentives between burning vulnerable coins versus allowing them t=
o be=20
>>>> claimed by entities with quantum supremacy appears to be a much simple=
r=20
>>>> issue.
>>>>
>>>> I, for one, am not interested in rewarding quantum capable entities by=
=20
>>>> inflating the circulating money supply just because some people lost t=
heir=20
>>>> keys long ago and some laggards are not upgrading their bitcoin wallet=
's=20
>>>> security.
>>>>
>>>> We can hope that this scenario never comes to pass, but hope is not a=
=20
>>>> strategy.
>>>>
>>>> I welcome your feedback upon any of the above points, and contribution=
=20
>>>> of any arguments I failed to consider.
>>>>
>>>> --=20
>>>> You received this message because you are subscribed to the Google=20
>>>> Groups "Bitcoin Development Mailing List" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send=
=20
>>>> an email to bitcoindev+...@googlegroups.com.
>>>> To view this discussion visit=20
>>>> https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq=
8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com
>>>> .
>>>>
>>>> --=20
>>>> You received this message because you are subscribed to the Google=20
>>>> Groups "Bitcoin Development Mailing List" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send=
=20
>>>> an email to bitcoindev+...@googlegroups.com.
>>>> To view this discussion visit=20
>>>> https://groups.google.com/d/msgid/bitcoindev/E8269A1A-1899-46D2-A7CD-4=
D9D2B732364%40astrotown.de
>>>> .
>>>
>>>
>>>> --=20
>>> You received this message because you are subscribed to the Google=20
>>> Groups "Bitcoin Development Mailing List" group.
>>> To unsubscribe from this group and stop receiving emails from it, send=
=20
>>> an email to bitcoindev+...@googlegroups.com.
>>> To view this discussion visit=20
>>> https://groups.google.com/d/msgid/bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br=
6mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg%40mail.gmail.com
>>> .
>>>
>>>
>>> --=20
>>> You received this message because you are subscribed to the Google=20
>>> Groups "Bitcoin Development Mailing List" group.
>>> To unsubscribe from this group and stop receiving emails from it, send=
=20
>>> an email to bitcoindev+...@googlegroups.com.
>>> To view this discussion visit=20
>>> https://groups.google.com/d/msgid/bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvf=
XniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXL=
miCJOY%3D%40proton.me=20
>>> <https://groups.google.com/d/msgid/bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCv=
fXniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAX=
LmiCJOY%3D%40proton.me?utm_medium=3Demail&utm_source=3Dfooter>
>>> .
>>>
>>

--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
c568cc33-abba-4010-ac65-42c84dae6eb8n%40googlegroups.com.

------=_Part_7069_1578773686.1748394476949
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div>Hi all,</div><div><br /></div><div>I'd like to point out that the wors=
t case scenarios here might be even worse than one naturally thinks.</div><=
div><br /></div><div>(1) The first part is obvious: even though unlikely, i=
t's possible that a certain group gains access to this functionality well i=
n advance of the general state of the art, and not only that, but decides t=
o steal coins only surreptitiously. This may be economically optimal for th=
e thieves, but may also be negative-optimal (pessimal?) for the rest of us:=
 because there will be continuous controversy about whether the theft happe=
ned, which relates to the unobvious point:</div><div><br /></div><div>(2) T=
he second part is somehow even way worse: that a well funded (but not havin=
g to spend money) attacker (not thief) on the system creates panic by prete=
nding to have its coins stolen, even though it does not have access to an E=
CDLP break. This would be most likely in taproot, because they cannot prepa=
re this attack in advance on coins created in 2009-10. Their only task is t=
o create credibility amongst the general Bitcoin public, and thus force suf=
ficient controversy for perhaps a chain split based on disagreeing with how=
 to deal with the threat. I admit this is fairly fanciful, but imagine it o=
ccurring in combination with a heavily pushed proposal for a technically un=
sound solution to the problem which actually undermines Bitcoin's safety.</=
div><div><br /></div><div>Notice that this second observation illustrates t=
he sense in which this is crucially very different from the DAO as Jameson =
suggests: the act of theft is not unambiguously visible. (well to be fair t=
he phrase was "*some* similarities" ! :) ).</div><div><br /></div><div>Two =
more observations:</div><div><br /></div><div>(3) I do really like the "dis=
abled NUMS" concept in regard to taproot external keys, for paving the way =
to PQC in tapleaf. This is one kind of censorship that cannot be controvers=
ial.</div><div><br /></div><div>(4) (in this I agree with Saulo Fonseca): m=
y second observation might be unpopular but I think that a burning coins so=
ftfork will be appallingly hard to come to consensus on, and probably shoul=
dn't even be attempted ((2) is relevant here). I don't think it's going to =
happen. I think we need some cryptographic chicanery that allows spending c=
urrently-hashed utxos safely, along the lines of what Tim Ruffing, Adam Bac=
k and others have discussed in the past, and that P2PK that is untouched ev=
en during a transition is just a lost cause. (I also think that this is ver=
y very far in the future but that is 100% opinion, not fact).</div><br /><d=
iv class=3D"gmail_quote"><div dir=3D"auto" class=3D"gmail_attr">On Sunday, =
May 25, 2025 at 9:48:19=E2=80=AFPM UTC-3 Agustin Cruz wrote:<br/></div><blo=
ckquote class=3D"gmail_quote" style=3D"margin: 0 0 0 0.8ex; border-left: 1p=
x solid rgb(204, 204, 204); padding-left: 1ex;"><div dir=3D"auto">Hi everyo=
ne,<div dir=3D"auto"><br></div><div dir=3D"auto">QRAMP proposal aims to man=
age the quantum transition responsibly without disrupting Bitcoin=E2=80=99s=
 core principles.</div><div dir=3D"auto"><br></div><div dir=3D"auto">QRAMP =
has three phases:</div><div dir=3D"auto"><br></div><div dir=3D"auto">1. All=
ow wallets to optionally include PQC keys in Taproot outputs. This enables =
early adoption without forcing anyone.</div><div dir=3D"auto"><br></div><di=
v dir=3D"auto">2. Announce a soft fork to disable vulnerable scripts, with =
a long (~4-year) grace period. This gives ample time to migrate and avoids =
sudden shocks.</div><div dir=3D"auto"><br></div><div dir=3D"auto">3. Gradua=
lly deactivate vulnerable outputs based on age or inactivity. This avoids a=
 harsh cutoff and gives time for adaptation.</div><div dir=3D"auto"></div><=
div dir=3D"auto"><br></div><div dir=3D"auto">We can also allow exceptions v=
ia proof-of-possession, and delay restrictions on timelocked outputs to avo=
id harming future spenders.</div><div dir=3D"auto"><br></div><div dir=3D"au=
to">QRAMP is not about confiscation or control. It=E2=80=99s about aligning=
 incentives, maintaining security, and offering a clear, non-coercive upgra=
de path.</div><div dir=3D"auto"><br></div><div dir=3D"auto">Best,</div><div=
 dir=3D"auto">Agustin Cruz</div><div dir=3D"auto"><br></div><div dir=3D"aut=
o"><br></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D=
"gmail_attr">El dom, 25 de may de 2025, 7:03=E2=80=AFp.m., Dustin Ray &lt;<=
a href data-email-masked rel=3D"nofollow">dustinvo...@gmail.com</a>&gt; esc=
ribi=C3=B3:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0 0 =
0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"auto">The d=
ifference between the ETH/ETC split though was that no one had anything con=
fiscated except the DAO hacker, everyone retained an identical number of to=
kens on each chain. The proposal for BTC is very different in that some hol=
ders will lose access to their coins during the PQ migration under the conf=
iscation approach. Just wanted to point that out.</div><div><br><div class=
=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Sun, May 25, 2025=
 at 3:06=E2=80=AFPM &#39;conduition&#39; via Bitcoin Development Mailing Li=
st &lt;<a href rel=3D"noreferrer nofollow" data-email-masked>bitco...@googl=
egroups.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=
=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;=
padding-left:1ex;border-left-color:rgb(204,204,204)"><div style=3D"font-fam=
ily:Arial,sans-serif;font-size:14px">Hey Saulo,</div><div style=3D"font-fam=
ily:Arial,sans-serif;font-size:14px"><br></div><div style=3D"font-family:Ar=
ial,sans-serif;font-size:14px">You&#39;re right about the possibility of an=
 ugly split. Laggards who don&#39;t move coins to PQ address schemes will b=
e incentivized to follow any chain where they keep their coins. But those w=
ho do migrate will be incentivized to follow the chain where unmigrated pre=
-quantum coins are frozen.=C2=A0</div><div style=3D"font-family:Arial,sans-=
serif;font-size:14px"><br></div><div style=3D"font-family:Arial,sans-serif;=
font-size:14px">While you&#39;re comparing this event to the ETH/ETC split,=
 we should remember that ETH remained the dominant chain despite their heav=
y-handed rollback. Just goes to show, confusion and face-loss is a lesser e=
vil than allowing an adversary to pwn the network.=C2=A0</div><div style=3D=
"font-family:Arial,sans-serif;font-size:14px"><br></div><blockquote style=
=3D"border-left-width:3px;border-left-style:solid;padding-left:10px;border-=
color:rgb(200,200,200);color:rgb(102,102,102)"><div style=3D"font-family:Ar=
ial,sans-serif;font-size:14px">This is the free-market way to solve problem=
s without imposing rules on everyone.<br></div></blockquote><div style=3D"f=
ont-family:Arial,sans-serif;font-size:14px"><br></div><div style=3D"font-fa=
mily:Arial,sans-serif;font-size:14px">It&#39;d still be a free market even =
if quantum-vulnerable coins are frozen. The only way to test the relative v=
alue of quantum-safe vs quantum-vulnerable coins is to split the chain and =
see how the market reacts.=C2=A0</div><div style=3D"font-family:Arial,sans-=
serif;font-size:14px"><br></div><div style=3D"font-family:Arial,sans-serif;=
font-size:14px">IMO, the &quot;free market way&quot; is to give people opti=
ons and let their money flow to where it works best. That means people shou=
ld be able to choose whether they want their money to be part of a system t=
hat allows quantum attack, or part of one which does not. I know which I wo=
uld choose, but neither you nor I can make that choice for everyone.</div><=
div style=3D"font-family:Arial,sans-serif;font-size:14px"><br></div><div st=
yle=3D"font-family:Arial,sans-serif;font-size:14px">regards,</div><div styl=
e=3D"font-family:Arial,sans-serif;font-size:14px">conduition</div><div>
        On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz &lt;<a href re=
l=3D"noreferrer nofollow" data-email-masked>agusti...@gmail.com</a>&gt; wro=
te:<br>
        <blockquote type=3D"cite">
            <div dir=3D"ltr"><div dir=3D"ltr">I=E2=80=99m against letting q=
uantum computers scoop up funds from addresses that don=E2=80=99t upgrade t=
o quantum-resistant. <br>Saulo=E2=80=99s idea of a free-market approach, le=
aving old coins up for grabs if people don=E2=80=99t move them, sounds fair=
 at first. Let luck decide, right? But I worry it=E2=80=99d turn into a mes=
s. If quantum machines start cracking keys and snagging coins, it=E2=80=99s=
 not just lost Satoshi-era stuff at risk. Plenty of active wallets, like th=
ose on the rich list Jameson mentioned, could get hit too. Imagine millions=
 of BTC flooding the market. Prices tank, trust in Bitcoin takes a dive, an=
d we all feel the pain. Freezing those vulnerable funds keeps that chaos in=
 check.<br>Plus, =E2=80=9Cyour keys, your coins=E2=80=9D is Bitcoin=E2=80=
=99s heart. If quantum tech can steal from you just because you didn=E2=80=
=99t upgrade fast enough, that promise feels shaky. Freezing funds after a =
heads-up period (say, four years) protects that idea better than letting te=
ch giants or rogue states play vampire with our network. It also nudges peo=
ple to get their act together and move to safer addresses, which strengthen=
s Bitcoin long-term.<br>Saulo=E2=80=99s right that freezing coins could con=
fuse folks or spark a split like Ethereum Classic. But I=E2=80=99d argue qu=
antum theft would look worse. Bitcoin would seem broken, not just strict. A=
 clear plan and enough time to migrate could smooth things over. History=E2=
=80=99s on our side too. Bitcoin=E2=80=99s fixed bugs before, like SegWit. =
This feels like that, not a bailout.<br>So yeah, I=E2=80=99d rather see vul=
nerable coins locked than handed to whoever builds the first quantum rig. I=
t=E2=80=99s less about coddling people and more about keeping Bitcoin solid=
 for everyone. What do you all think?<br>Cheers,<br>Agust=C3=ADn<br><br></d=
iv><br><div class=3D"gmail_quote"><div class=3D"gmail_attr" dir=3D"ltr">On =
Sun, Mar 23, 2025 at 10:29=E2=80=AFPM AstroTown &lt;<a href rel=3D"noreferr=
er nofollow noopener noreferrer" data-email-masked>sa...@astrotown.de</a>&g=
t; wrote:<br></div><blockquote style=3D"margin:0px 0px 0px 0.8ex;border-lef=
t-width:1px;border-left-style:solid;padding-left:1ex;border-left-color:rgb(=
204,204,204)" class=3D"gmail_quote"><div dir=3D"auto"><div dir=3D"ltr"><spa=
n style=3D"color:rgb(0,0,0)">I believe that having some entity announce the=
 decision to freeze old UTXOs would be more damaging to Bitcoin=E2=80=99s i=
mage (and its value) than having them gathered by QC. This would create ano=
ther version of Bitcoin, similar to Ethereum Classic, causing confusion in =
the market.</span><div dir=3D"ltr"><div style=3D"color:rgb(0,0,0)"><br></di=
v><div style=3D"color:rgb(0,0,0)">It would be better to simply implement th=
e possibility of moving funds to a PQC address without a deadline, allowing=
 those who fail to do so to rely on luck to avoid having their coins stolen=
. Most coins would be migrated to PQC anyway, and in most cases, only the l=
ost ones would remain vulnerable. This is the free-market way to solve prob=
lems without imposing rules on everyone.</div><div style=3D"color:rgb(0,0,0=
)"><br></div><div style=3D"color:rgb(0,0,0)">Saulo Fonseca</div><div style=
=3D"color:rgb(0,0,0)"><br></div><div style=3D"color:rgb(0,0,0)"><br><blockq=
uote type=3D"cite"><div>On 16. Mar 2025, at 15:15, Jameson Lopp &lt;<span d=
ir=3D"ltr"><a href rel=3D"noreferrer nofollow noopener noreferrer" data-ema=
il-masked>jameso...@gmail.com</a></span>&gt; wrote:</div><br><div><div dir=
=3D"ltr">The quantum computing debate is heating up. There are many controv=
ersial aspects to this debate, including whether or not quantum computers w=
ill ever actually become a practical threat.<div><br>I won&#39;t tread into=
 the unanswerable question of how worried we should be about quantum comput=
ers. I think it&#39;s far from a crisis, but given the difficulty in changi=
ng Bitcoin it&#39;s worth starting to seriously discuss. Today I wish to fo=
cus on a philosophical quandary related to one of the decisions that would =
need to be made if and when we implement a quantum safe signature scheme.<b=
r><br><font size=3D"6" style=3D"color:rgb(0,0,0)">Several Scenarios<br></fo=
nt>Because this essay will reference game theory a fair amount, and there a=
re many variables at play that could change the nature of the game, I think=
 it&#39;s important to clarify the possible scenarios up front.<br><br>1. Q=
uantum computing never materializes, never becomes a threat, and thus every=
thing discussed in this essay is moot.<br>2. A quantum computing threat mat=
erializes suddenly and Bitcoin does not have quantum safe signatures as par=
t of the protocol. In this scenario it would likely make the points below m=
oot because Bitcoin would be fundamentally broken and it would take far too=
 long to upgrade the protocol, wallet software, and migrate user funds in o=
rder to restore confidence in the network.<br>3. Quantum computing advances=
 slowly enough that we come to consensus about how to upgrade Bitcoin and p=
ost quantum security has been minimally adopted by the time an attacker app=
ears.<br>4. Quantum computing advances slowly enough that we come to consen=
sus about how to upgrade Bitcoin and post quantum security has been highly =
adopted by the time an attacker appears.<br><br>For the purposes of this po=
st, I&#39;m envisioning being in situation 3 or 4.<br><br><font size=3D"6" =
style=3D"color:rgb(0,0,0)">To Freeze or not to Freeze?<br></font>I&#39;ve s=
tarted seeing more people weighing in on what is likely the most contentiou=
s aspect of how a quantum resistance upgrade should be handled in terms of =
migrating user funds. Should quantum vulnerable funds be left open to be sw=
ept by anyone with a sufficiently powerful quantum computer OR should they =
be permanently locked?<br><br><blockquote style=3D"margin:0px 0px 0px 0.8ex=
;padding-left:1ex;border-left-color:rgb(204,204,204)" class=3D"gmail_quote"=
>&quot;I don&#39;t see why old coins should be confiscated. The better opti=
on is to let those with quantum computers free up old coins. While this mig=
ht have an inflationary impact on bitcoin&#39;s price, to use a turn of phr=
ase, the inflation is transitory. Those with low time preference should sup=
port returning lost coins to circulation.&quot; </blockquote><blockquote st=
yle=3D"margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,=
204,204)" class=3D"gmail_quote">- Hunter Beast</blockquote><div><br></div>O=
n the other hand:</div><div><br><blockquote style=3D"margin:0px 0px 0px 0.8=
ex;padding-left:1ex;border-left-color:rgb(204,204,204)" class=3D"gmail_quot=
e">&quot;Of course they have to be confiscated. If and when (and that&#39;s=
 a big if) the existence of a cryptography-breaking QC becomes a credible t=
hreat, the Bitcoin ecosystem has no other option than softforking out the a=
bility to spend from signature schemes (including ECDSA and BIP340) that ar=
e vulnerable to QCs. The alternative is that millions of BTC become vulnera=
ble to theft; I cannot see how the currency can maintain any value at all i=
n such a setting. And this affects everyone; even those which diligently mo=
ved their coins to PQC-protected schemes.&quot;<br>- Pieter Wuille</blockqu=
ote><br>I don&#39;t think &quot;confiscation&quot; is the most precise term=
 to use, as the funds are not being seized and reassigned. Rather, what we&=
#39;re really discussing would be better described as &quot;burning&quot; -=
 placing the funds <b>out of reach of everyone</b>.<br><br>Not freezing use=
r funds is one of Bitcoin&#39;s inviolable properties. However, if quantum =
computing becomes a threat to Bitcoin&#39;s elliptic curve cryptography, <b=
>an inviolable property of Bitcoin will be violated one way or another</b>.=
<br><br><font size=3D"6" style=3D"color:rgb(0,0,0)">Fundamental Properties =
at Risk<br></font>5 years ago I attempted to comprehensively categorize all=
 of Bitcoin&#39;s fundamental properties that give it value. <a href=3D"htt=
ps://nakamoto.com/what-are-the-key-properties-of-bitcoin/" rel=3D"noreferre=
r nofollow noopener noreferrer" target=3D"_blank" data-saferedirecturl=3D"h=
ttps://www.google.com/url?hl=3Den&amp;q=3Dhttps://nakamoto.com/what-are-the=
-key-properties-of-bitcoin/&amp;source=3Dgmail&amp;ust=3D1748461116499000&a=
mp;usg=3DAOvVaw1-s88JStgiDkZE3SIFkXyD">https://nakamoto.com/what-are-the-ke=
y-properties-of-bitcoin/<br></a><br>The particular properties in play with =
regard to this issue seem to be:<br><br><b>Censorship Resistance</b> - No o=
ne should have the power to prevent others from using their bitcoin or inte=
racting with the network.<br><br><b>Forward Compatibility</b> - changing th=
e rules such that certain valid transactions become invalid could undermine=
 confidence in the protocol.<br><br><b>Conservatism</b> - Users should not =
be expected to be highly responsive to system issues.<br><br>As a result of=
 the above principles, we have developed a strong meme (kudos to Andreas An=
tonopoulos) that goes as follows:<br><br><blockquote style=3D"margin:0px 0p=
x 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204)" class=3D"g=
mail_quote">Not your keys, not your coins.</blockquote><br>I posit that the=
 corollary to this principle is:<br><br><blockquote style=3D"margin:0px 0px=
 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204)" class=3D"gm=
ail_quote">Your keys, only your coins.</blockquote><br>A quantum capable en=
tity breaks the corollary of this foundational principle. We secure our bit=
coin with the mathematical probabilities related to extremely large random =
numbers. Your funds are only secure because truly random large numbers shou=
ld not be guessable or discoverable by anyone else in the world.<br><br>Thi=
s is the principle behind the motto <i>vires in numeris</i> - strength in n=
umbers. In a world with quantum enabled adversaries, this principle is null=
 and void for many types of cryptography, including the elliptic curve digi=
tal signatures used in Bitcoin.<br><br><font size=3D"6" style=3D"color:rgb(=
0,0,0)">Who is at Risk?<br></font>There has long been a narrative that Sato=
shi&#39;s coins and others from the Satoshi era of P2PK locking scripts tha=
t exposed the public key directly on the blockchain will be those that get =
scooped up by a quantum &quot;miner.&quot; But unfortunately it&#39;s not t=
hat simple. If I had a powerful quantum computer, which coins would I targe=
t? I&#39;d go to the Bitcoin rich list and find the wallets that have expos=
ed their public keys due to re-using addresses that have previously been sp=
ent from. You can easily find them at <a href=3D"https://bitinfocharts.com/=
top-100-richest-bitcoin-addresses.html" rel=3D"noreferrer nofollow noopener=
 noreferrer" target=3D"_blank" data-saferedirecturl=3D"https://www.google.c=
om/url?hl=3Den&amp;q=3Dhttps://bitinfocharts.com/top-100-richest-bitcoin-ad=
dresses.html&amp;source=3Dgmail&amp;ust=3D1748461116499000&amp;usg=3DAOvVaw=
3lbf0zR3kQnmj5Crd0-b2U">https://bitinfocharts.com/top-100-richest-bitcoin-a=
ddresses.html</a><br><br>Note that a few of these wallets, like Bitfinex / =
Kraken / Tether, would be slightly harder to crack because they are multisi=
g wallets. So a quantum attacker would need to reverse engineer 2 keys for =
Kraken or 3 for Bitfinex / Tether in order to spend funds. But many are sin=
gle signature.<br><br>Point being, it&#39;s not only the really old lost BT=
C that are at risk to a quantum enabled adversary, at least at time of writ=
ing. If we add a quantum safe signature scheme, we should expect those wall=
ets to be some of the first to upgrade given their incentives.<br><br><font=
 size=3D"6" style=3D"color:rgb(0,0,0)">The Ethical Dilemma: Quantifying Har=
m<br></font>Which decision results in the most harm?<br><br>By making quant=
um vulnerable funds unspendable we potentially harm some Bitcoin users who =
were not paying attention and neglected to migrate their funds to a quantum=
 safe locking script. This violates the &quot;conservativism&quot; principl=
e stated earlier. On the flip side, we prevent those funds plus far more lo=
st funds from falling into the hands of the few privileged folks who gain e=
arly access to quantum computers.<br><br>By leaving quantum vulnerable fund=
s available to spend, the same set of users who would otherwise have funds =
frozen are likely to see them stolen. And many early adopters who lost thei=
r keys will eventually see their unreachable funds scooped up by a quantum =
enabled adversary.<br><br>Imagine, for example, being James Howells, who ac=
cidentally threw away a hard drive with 8,000 BTC on it, currently worth ov=
er $600M USD. He has spent a decade trying to retrieve it from the landfill=
 where he knows it&#39;s buried, but can&#39;t get permission to excavate. =
I suspect that, given the choice, he&#39;d prefer those funds be permanentl=
y frozen rather than fall into someone else&#39;s possession - I know I wou=
ld.<br><br>Allowing a quantum computer to access lost funds doesn&#39;t mak=
e those users any worse off than they were before, however it <i>would</i>h=
ave a negative impact upon everyone who is currently holding bitcoin.<br><b=
r>It&#39;s prudent to expect significant economic disruption if large amoun=
ts of coins fall into new hands. Since a quantum computer is going to have =
a massive up front cost, expect those behind it to desire to recoup their i=
nvestment. We also know from experience that when someone suddenly finds th=
emselves in possession of 9+ figures worth of highly liquid assets, they te=
nd to diversify into other things by selling.<br><br>Allowing quantum recov=
ery of bitcoin is <i>tantamount to wealth redistribution</i>. What we&#39;d=
 be allowing is for bitcoin to be redistributed from those who are ignorant=
 of quantum computers to those who have won the technological race to acqui=
re quantum computers. It&#39;s hard to see a bright side to that scenario.<=
br><br><font size=3D"6" style=3D"color:rgb(0,0,0)">Is Quantum Recovery Good=
 for Anyone?</font><br><br>Does quantum recovery HELP anyone? I&#39;ve yet =
to come across an argument that it&#39;s a net positive in any way. It cert=
ainly doesn&#39;t add any security to the network. If anything, it greatly =
decreases the security of the network by allowing funds to be claimed by th=
ose who did not earn them.<br><br>But wait, you may be thinking, wouldn&#39=
;t quantum &quot;miners&quot; have earned their coins by all the work and r=
esources invested in building a quantum computer? I suppose, in the same se=
nse that a burglar earns their spoils by the resources they invest into sur=
veilling targets and learning the skills needed to break into buildings. Wh=
at I say &quot;earned&quot; I mean through productive mutual trade.<br><br>=
For example:<br><br>* Investors earn BTC by trading for other currencies.<b=
r>* Merchants earn BTC by trading for goods and services.<br>* Miners earn =
BTC by trading thermodynamic security.<br>* Quantum miners don&#39;t trade =
anything, they are vampires feeding upon the system.<br><br>There&#39;s no =
reason to believe that allowing quantum adversaries to recover vulnerable b=
itcoin will be of benefit to anyone other than the select few organizations=
 that win the technological arms race to build the first such computers. Pr=
obably nation states and/or the top few largest tech companies.<br><br>One =
could certainly hope that an organization with quantum supremacy is benevol=
ent and acts in a &quot;white hat&quot; manner to return lost coins to thei=
r owners, but that&#39;s incredibly optimistic and foolish to rely upon. Su=
ch a situation creates an insurmountable ethical dilemma of only recovering=
 lost bitcoin rather than currently owned bitcoin. There&#39;s no way to pr=
ecisely differentiate between the two; anyone can claim to have lost their =
bitcoin but if they have lost their keys then proving they ever had the key=
s becomes rather difficult. I imagine that any such white hat recovery effo=
rts would have to rely upon attestations from trusted third parties like ex=
changes.<br><br>Even if the first actor with quantum supremacy is benevolen=
t, we must assume the technology could fall into adversarial hands and thus=
 think adversarially about the potential worst case outcomes. Imagine, for =
example, that North Korea continues scooping up billions of dollars from ha=
cking crypto exchanges and decides to invest some of those proceeds into bu=
ilding a quantum computer for the biggest payday ever...<br><br><font size=
=3D"6" style=3D"color:rgb(0,0,0)">Downsides to Allowing Quantum Recovery</f=
ont><br>Let&#39;s think through an exhaustive list of pros and cons for all=
owing or preventing the seizure of funds by a quantum adversary.<br><br><fo=
nt size=3D"4" style=3D"color:rgb(0,0,0)">Historical Precedent</font><br>Pre=
vious protocol vulnerabilities weren=E2=80=99t celebrated as &quot;fair gam=
e&quot; but rather were treated as failures to be remediated. Treating quan=
tum theft differently risks rewriting Bitcoin=E2=80=99s history as a free-f=
or-all rather than a system that seeks to protect its users.<br><br><font s=
ize=3D"4" style=3D"color:rgb(0,0,0)">Violation of Property Rights</font><br=
>Allowing a quantum adversary to take control of funds undermines the funda=
mental principle of cryptocurrency - if you keep your keys in your possessi=
on, only you should be able to access your money. Bitcoin is built on the i=
dea that private keys secure an individual=E2=80=99s assets, and unauthoriz=
ed access (even via advanced tech) is theft, not a legitimate transfer.<br>=
<br><font size=3D"4" style=3D"color:rgb(0,0,0)">Erosion of Trust in Bitcoin=
</font><br>If quantum attackers can exploit vulnerable addresses, confidenc=
e in Bitcoin as a secure store of value would collapse. Users and investors=
 rely on cryptographic integrity, and widespread theft could drive adoption=
 away from Bitcoin, destabilizing its ecosystem.<br><br>This is essentially=
 the counterpoint to claiming the burning of vulnerable funds is a violatio=
n of property rights. While some will certainly see it as such, others will=
 find the apathy toward stopping quantum theft to be similarly concerning.<=
br><br><font size=3D"4" style=3D"color:rgb(0,0,0)">Unfair Advantage</font><=
br>Quantum attackers, likely equipped with rare and expensive technology, w=
ould have an unjust edge over regular users who lack access to such tools. =
This creates an inequitable system where only the technologically elite can=
 exploit others, contradicting Bitcoin=E2=80=99s ethos of decentralized pow=
er.<br><br>Bitcoin is designed to create an asymmetric advantage for DEFEND=
ING one&#39;s wealth. It&#39;s supposed to be impractically expensive for a=
ttackers to crack the entropy and cryptography protecting one&#39;s coins. =
But now we find ourselves discussing a situation where this asymmetric adva=
ntage is compromised in favor of a specific class of attackers.<br><br><fon=
t size=3D"4" style=3D"color:rgb(0,0,0)">Economic Disruption</font><br>Large=
-scale theft from vulnerable addresses could crash Bitcoin=E2=80=99s price =
as quantum recovered funds are dumped on exchanges. This would harm all hol=
ders, not just those directly targeted, leading to broader financial chaos =
in the markets.<br><br><font size=3D"4" style=3D"color:rgb(0,0,0)">Moral Re=
sponsibility</font><br>Permitting theft via quantum computing sets a preced=
ent that technological superiority justifies unethical behavior. This is es=
sentially taking a &quot;code is law&quot; stance in which we refuse to adm=
it that both code and laws can be modified to adapt to previously unforesee=
n situations.<br><br>Burning of coins can certainly be considered a form of=
 theft, thus I think it&#39;s worth differentiating the two different theft=
s being discussed:<br><br>1. self-enriching &amp; likely malicious<br>2. ha=
rm prevention &amp; not necessarily malicious<br><br>Both options lack the =
consent of the party whose coins are being burnt or transferred, thus I thi=
nk the simple argument that theft is immoral becomes a wash and it&#39;s im=
portant to drill down into the details of each.<br><br><font size=3D"4" sty=
le=3D"color:rgb(0,0,0)">Incentives Drive Security</font><br>I can tell you =
from a decade of working in Bitcoin security - the average user is lazy and=
 is a procrastinator. If Bitcoiners are given a &quot;drop dead date&quot; =
after which they know vulnerable funds will be burned, this pressure accele=
rates the adoption of post-quantum cryptography and strengthens Bitcoin lon=
g-term. Allowing vulnerable users to delay upgrading indefinitely will resu=
lt in more laggards, leaving the network more exposed when quantum tech bec=
omes available.<br><br><font size=3D"6" style=3D"color:rgb(0,0,0)">Steel Ma=
nning<br></font>Clearly this is a complex and controversial topic, thus it&=
#39;s worth thinking through the opposing arguments.<br><br><font size=3D"4=
" style=3D"color:rgb(0,0,0)">Protecting Property Rights</font><br>Allowing =
quantum computers to take vulnerable bitcoin could potentially be spun as a=
 hard money narrative - we care so greatly about not violating someone&#39;=
s access to their coins that we allow them to be stolen!<br><br>But I think=
 the flip side to the property rights narrative is that burning vulnerable =
coins prevents said property from falling into undeserving hands. If the en=
tire Bitcoin ecosystem just stands around and allows quantum adversaries to=
 claim funds that rightfully belong to other users, is that really a &quot;=
win&quot; in the &quot;protecting property rights&quot; category? It feels =
more like apathy to me.<br><br>As such, I think the &quot;protecting proper=
ty rights&quot; argument is a wash.<br><br><font size=3D"4" style=3D"color:=
rgb(0,0,0)">Quantum Computers Won&#39;t Attack Bitcoin</font><br>There is a=
 great deal of skepticism that sufficiently powerful quantum computers will=
 ever exist, so we shouldn&#39;t bother preparing for a non-existent threat=
. Others have argued that even if such a computer was built, a quantum atta=
cker would not go after bitcoin because they wouldn&#39;t want to reveal th=
eir hand by doing so, and would instead attack other infrastructure.<br><br=
>It&#39;s quite difficult to quantify exactly how valuable attacking other =
infrastructure would be. It also really depends upon when an entity gains q=
uantum supremacy and thus if by that time most of the world&#39;s systems h=
ave already been upgraded. While I think you could argue that certain entit=
ies gaining quantum capability might not attack Bitcoin, it would only dela=
y the inevitable - eventually somebody will achieve the capability who deci=
des to use it for such an attack.<br><br><font size=3D"4" style=3D"color:rg=
b(0,0,0)">Quantum Attackers Would Only Steal Small Amounts</font><br>Some h=
ave argued that even if a quantum attacker targeted bitcoin, they&#39;d onl=
y go after old, likely lost P2PK outputs so as to not arouse suspicion and =
cause a market panic.<br><br>I&#39;m not so sure about that; why go after 5=
0 BTC at a time when you could take 250,000 BTC with the same effort as 50 =
BTC? This is a classic &quot;zero day exploit&quot; game theory in which an=
 attacker knows they have a limited amount of time before someone else disc=
overs the exploit and either benefits from it or patches it. Take, for exam=
ple, the recent ByBit attack - the highest value crypto hack of all time. L=
azarus Group had compromised the Safe wallet front end JavaScript app and t=
hey could have simply had it reassign ownership of everyone&#39;s Safe wall=
ets as they were interacting with their wallet. But instead they chose to o=
nly specifically target ByBit&#39;s wallet with $1.5 billion in it because =
they wanted to maximize their extractable value. If Lazarus had started ste=
aling from every wallet, they would have been discovered quickly and the Sa=
fe web app would likely have been patched well before any billion dollar wa=
llets executed the malicious code.<br><br>I think the &quot;only stealing s=
mall amounts&quot; argument is strongest for Situation #2 described earlier=
, where a quantum attacker arrives before quantum safe cryptography has bee=
n deployed across the Bitcoin ecosystem. Because if it became clear that Bi=
tcoin&#39;s cryptography was broken AND there was nowhere safe for vulnerab=
le users to migrate, the only logical option would be for everyone to liqui=
date their bitcoin as quickly as possible. As such, I don&#39;t think it ap=
plies as strongly for situations in which we have a migration path availabl=
e.<br><br><font size=3D"4" style=3D"color:rgb(0,0,0)">The 21 Million Coin S=
upply Should be in Circulation</font><br>Some folks are arguing that it&#39=
;s important for the &quot;circulating / spendable&quot; supply to be as cl=
ose to 21M as possible and that having a significant portion of the supply =
out of circulation is somehow undesirable.<br><br>While the &quot;21M BTC&q=
uot; attribute is a strong memetic narrative, I don&#39;t think anyone has =
ever expected that it would all be in circulation. It has always been under=
stood that many coins will be lost, and that&#39;s actually part of the gam=
e theory of owning bitcoin!<br><br>And remember, the 21M number in and of i=
tself is not a particularly important detail - it&#39;s not even mentioned =
in the whitepaper. What&#39;s important is that the supply is well known an=
d not subject to change.<br><br><font size=3D"4" style=3D"color:rgb(0,0,0)"=
>Self-Sovereignty and Personal Responsibility</font><br>Bitcoin=E2=80=99s d=
esign empowers individuals to control their own wealth, free from centraliz=
ed intervention. This freedom comes with the burden of securing one&#39;s p=
rivate keys. If quantum computing can break obsolete cryptography, the faul=
t lies with users who didn&#39;t move their funds to quantum safe locking s=
cripts. Expecting the network to shield users from their own negligence und=
ermines the principle that you, and not a third party, are accountable for =
your assets.<br><br>I think this is generally a fair point that &quot;the c=
ommunity&quot; doesn&#39;t owe you anything in terms of helping you. I thin=
k that we do, however, need to consider the incentives and game theory in p=
lay with regard to quantum safe Bitcoiners vs quantum vulnerable Bitcoiners=
. More on that later.<br><br><font size=3D"4" style=3D"color:rgb(0,0,0)">Co=
de is Law</font><br>Bitcoin operates on transparent, immutable rules embedd=
ed in its protocol. If a quantum attacker uses superior technology to deriv=
e private keys from public keys, they=E2=80=99re not &quot;hacking&quot; th=
e system - they&#39;re simply following what&#39;s mathematically permissib=
le within the current code. Altering the protocol to stop this introduces s=
ubjective human intervention, which clashes with the objective, determinist=
ic nature of blockchain.<br><br>While I tend to agree that code is law, one=
 of the entire points of laws is that they can be amended to improve their =
efficacy in reducing harm. Leaning on this point seems more like a pro-ossi=
fication stance that it&#39;s better to do nothing and allow harm to occur =
rather than take action to stop an attack that was foreseen far in advance.=
<br><br><font size=3D"4" style=3D"color:rgb(0,0,0)">Technological Evolution=
 as a Feature, Not a Bug</font><br>It&#39;s well known that cryptography te=
nds to weaken over time and eventually break. Quantum computing is just the=
 next step in this progression. Users who fail to adapt (e.g., by adopting =
quantum-resistant wallets when available) are akin to those who ignored tec=
hnological advancements like multisig or hardware wallets. Allowing quantum=
 theft incentivizes innovation and keeps Bitcoin=E2=80=99s ecosystem dynami=
c, punishing complacency while rewarding vigilance.<br><br><font size=3D"4"=
 style=3D"color:rgb(0,0,0)">Market Signals Drive Security</font><br>If quan=
tum attackers start stealing funds, it sends a clear signal to the market: =
upgrade your security or lose everything. This pressure accelerates the ado=
ption of post-quantum cryptography and strengthens Bitcoin long-term. Coddl=
ing vulnerable users delays this necessary evolution, potentially leaving t=
he network more exposed when quantum tech becomes widely accessible. Theft =
is a brutal but effective teacher.<br><br><font size=3D"4" style=3D"color:r=
gb(0,0,0)">Centralized Blacklisting Power</font><br>Burning vulnerable fund=
s requires centralized decision-making - a soft fork to invalidate certain =
transactions. This sets a dangerous precedent for future interventions, ero=
ding Bitcoin=E2=80=99s decentralization. If quantum theft is blocked, what=
=E2=80=99s next - reversing exchange hacks? The system must remain neutral,=
 even if it means some lose out.<br><br>I think this could be a potential s=
lippery slope if the proposal was to only burn specific addresses. Rather, =
I&#39;d expect a neutral proposal to burn all funds in locking script types=
 that are known to be quantum vulnerable. Thus, we could eliminate any subj=
ectivity from the code.<br><br><font size=3D"4" style=3D"color:rgb(0,0,0)">=
Fairness in Competition</font><br>Quantum attackers aren&#39;t cheating; th=
ey&#39;re using publicly available physics and math. Anyone with the resour=
ces and foresight can build or access quantum tech, just as anyone could mi=
ne Bitcoin in 2009 with a CPU. Early adopters took risks and reaped rewards=
; quantum innovators are doing the same. Calling it =E2=80=9Cunfair=E2=80=
=9D ignores that Bitcoin has never promised equality of outcome - only equa=
lity of opportunity within its rules.<br><br>I find this argument to be a m=
ischaracterization because we&#39;re not talking about CPUs. This is more a=
kin to talking about ASICs, except each ASIC costs millions if not billions=
 of dollars. This is out of reach from all but the wealthiest organizations=
.<br><br><font size=3D"4" style=3D"color:rgb(0,0,0)">Economic Resilience</f=
ont><br>Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and=
 emerged stronger. The market can absorb quantum losses, with unaffected us=
ers continuing to hold and new entrants buying in at lower prices. Fear of =
economic collapse overestimates the impact - the network=E2=80=99s antifrag=
ility thrives on such challenges.<br><br>This is a big grey area because we=
 don&#39;t know when a quantum computer will come online and we don&#39;t k=
now how quickly said computers would be able to steal bitcoin. If, for exam=
ple, the first generation of sufficiently powerful quantum computers were s=
tealing less volume than the current block reward then of course it will ha=
ve minimal economic impact. But if they&#39;re taking thousands of BTC per =
day and bringing them back into circulation, there will likely be a noticea=
ble market impact as it absorbs the new supply.<br><br>This is where the ci=
rcumstances will really matter. If a quantum attacker appears AFTER the Bit=
coin protocol has been upgraded to support quantum resistant cryptography t=
hen we should expect the most valuable active wallets will have upgraded an=
d the juiciest target would be the 31,000 BTC in the address 12ib7dApVFvg82=
TXKycWBNpN8kFyiAN1dr which has been dormant since 2010. In general I&#39;d =
expect that the amount of BTC re-entering the circulating supply would look=
 somewhat similar to the mining emission curve: volume would start off very=
 high as the most valuable addresses are drained and then it would fall off=
 as quantum computers went down the list targeting addresses with less and =
less BTC.<br><br>Why is economic impact a factor worth considering? Miners =
and businesses in general. More coins being liquidated will push down the p=
rice, which will negatively impact miner revenue. Similarly, I can attest f=
rom working in the industry for a decade, that lower prices result in less =
demand from businesses across the entire industry. As such, burning quantum=
 vulnerable bitcoin is good for the entire industry.<br><br><font size=3D"4=
" style=3D"color:rgb(0,0,0)">Practicality &amp; Neutrality of Non-Intervent=
ion</font><br>There=E2=80=99s no reliable way to distinguish =E2=80=9Ctheft=
=E2=80=9D from legitimate &quot;white hat&quot; key recovery. If someone lo=
ses their private key and a quantum computer recovers it, is that stealing =
or reclaiming? Policing quantum actions requires invasive assumptions about=
 intent, which Bitcoin=E2=80=99s trustless design can=E2=80=99t accommodate=
. Letting the chips fall where they may avoids this mess.<br><br><font size=
=3D"4" style=3D"color:rgb(0,0,0)">Philosophical Purity</font><br>Bitcoin re=
jects bailouts. It=E2=80=99s a cold, hard system where outcomes reflect pre=
paration and skill, not sentimentality. If quantum computing upends the gam=
e, that=E2=80=99s the point - Bitcoin isn=E2=80=99t meant to be safe or fai=
r in a nanny-state sense; it=E2=80=99s meant to be free. Users who lose fun=
ds to quantum attacks are casualties of liberty and their own ignorance, no=
t victims of injustice.<br><br><font size=3D"6" style=3D"color:rgb(0,0,0)">=
Bitcoin&#39;s DAO Moment</font><br>This situation has some similarities to =
The DAO hack of an Ethereum smart contract in 2016, which resulted in a for=
k to stop the attacker and return funds to their original owners. The game =
theory is similar because it&#39;s a situation where a threat is known but =
there&#39;s some period of time before the attacker can actually execute th=
e theft. As such, there&#39;s time to mitigate the attack by changing the p=
rotocol.<br><br>It also created a schism in the community around the true m=
eaning of &quot;code is law,&quot; resulting in Ethereum Classic, which dec=
ided to allow the attacker to retain control of the stolen funds.<br><br>A =
soft fork to burn vulnerable bitcoin could certainly result in a hard fork =
if there are enough miners who reject the soft fork and continue including =
transactions.<br><br><font size=3D"6" style=3D"color:rgb(0,0,0)">Incentives=
 Matter</font><br>We can wax philosophical until the cows come home, but wh=
at are the actual incentives for existing Bitcoin holders regarding this de=
cision?<br><br><blockquote style=3D"margin:0px 0px 0px 0.8ex;padding-left:1=
ex;border-left-color:rgb(204,204,204)" class=3D"gmail_quote">&quot;Lost coi=
ns only make everyone else&#39;s coins worth slightly more. Think of it as =
a donation to everyone.&quot; - Satoshi Nakamoto</blockquote><br>If true, t=
he corollary is:<br><br><blockquote style=3D"margin:0px 0px 0px 0.8ex;paddi=
ng-left:1ex;border-left-color:rgb(204,204,204)" class=3D"gmail_quote">&quot=
;Quantum recovered coins only make everyone else&#39;s coins worth less. Th=
ink of it as a theft from everyone.&quot; - Jameson Lopp</blockquote><br>Th=
us, assuming we get to a point where quantum resistant signatures are suppo=
rted within the Bitcoin protocol, what&#39;s the incentive to let vulnerabl=
e coins remain spendable?<br><br>* It&#39;s not good for the actual owners =
of those coins. It disincentivizes owners from upgrading until perhaps it&#=
39;s too late.<br>* It&#39;s not good for the more attentive / responsible =
owners of coins who have quantum secured their stash. Allowing the circulat=
ing supply to balloon will assuredly reduce the purchasing power of all bit=
coin holders.<br><br><font size=3D"6" style=3D"color:rgb(0,0,0)">Forking Ga=
me Theory</font><br>From a game theory point of view, I see this as incenti=
vizing users to upgrade their wallets. If you disagree with the burning of =
vulnerable coins, all you have to do is move your funds to a quantum safe s=
ignature scheme. Point being, I don&#39;t see there being an economic major=
ity (or even more than a tiny minority) of users who would fight such a sof=
t fork. Why expend significant resources fighting a fork when you can just =
move your coins to a new address?<br><br>Remember that blocking spending of=
 certain classes of locking scripts is a tightening of the rules - a soft f=
ork. As such, it can be meaningfully enacted and enforced by a mere majorit=
y of hashpower. If miners generally agree that it&#39;s in their best inter=
est to burn vulnerable coins, are other users going to care enough to put i=
n the effort to run new node software that resists the soft fork? Seems unl=
ikely to me.<br><br><font size=3D"6" style=3D"color:rgb(0,0,0)">How to Exec=
ute Burning</font><br>In order to be as objective as possible, the goal wou=
ld be to announce to the world that after a specific block height / timesta=
mp, Bitcoin nodes will no longer accept transactions (or blocks containing =
such transactions) that spend funds from any scripts other than the newly i=
nstituted quantum safe schemes.<br><br>It could take a staggered approach t=
o first freeze funds that are susceptible to long-range attacks such as tho=
se in P2PK scripts or those that exposed their public keys due to previousl=
y re-using addresses, but I expect the additional complexity would drive fu=
rther controversy.<br><br>How long should the grace period be in order to g=
ive the ecosystem time to upgrade? I&#39;d say a minimum of 1 year for soft=
ware wallets to upgrade. We can only hope that hardware wallet manufacturer=
s are able to implement post quantum cryptography on their existing hardwar=
e with only a firmware update.<br><br>Beyond that, it will take at least 6 =
months worth of block space for all users to migrate their funds, even in a=
 best case scenario. Though if you exclude dust UTXOs you could probably ge=
t 95% of BTC value migrated in 1 month. Of course this is a highly optimist=
ic situation where everyone is completely focused on migrations - in realit=
y it will take far longer.<br><br>Regardless, I&#39;d think that in order t=
o reasonably uphold Bitcoin&#39;s conservatism it would be preferable to al=
low a 4 year migration window. In the meantime, mining pools could coordina=
te emergency soft forking logic such that if quantum attackers materialized=
, they could accelerate the countdown to the quantum vulnerable funds burn.=
<br><br><font size=3D"6" style=3D"color:rgb(0,0,0)">Random Tangential Benef=
its</font><br>On the plus side, burning all quantum vulnerable bitcoin woul=
d allow us to prune all of those UTXOs out of the UTXO set, which would als=
o clean up a lot of dust. Dust UTXOs are a bit of an annoyance and there ha=
s even been a recent proposal for how to incentivize cleaning them up.<br><=
br>We should also expect that incentivizing migration of the entire UTXO se=
t will create substantial demand for block space that will sustain a fee ma=
rket for a fairly lengthy amount of time.<br><br><font size=3D"6" style=3D"=
color:rgb(0,0,0)">In Summary</font><br>While the moral quandary of violatin=
g any of Bitcoin&#39;s inviolable properties can make this a very complex i=
ssue to discuss, the game theory and incentives between burning vulnerable =
coins versus allowing them to be claimed by entities with quantum supremacy=
 appears to be a much simpler issue.<br><br>I, for one, am not interested i=
n rewarding quantum capable entities by inflating the circulating money sup=
ply just because some people lost their keys long ago and some laggards are=
 not upgrading their bitcoin wallet&#39;s security.<br><br>We can hope that=
 this scenario never comes to pass, but hope is not a strategy.<br><br>I we=
lcome your feedback upon any of the above points, and contribution of any a=
rguments I failed to consider.</div></div><div><br></div>-- <br>You receive=
d this message because you are subscribed to the Google Groups &quot;Bitcoi=
n Development Mailing List&quot; group.<br>To unsubscribe from this group a=
nd stop receiving emails from it, send an email to <a href rel=3D"noreferre=
r nofollow noopener noreferrer" data-email-masked>bitcoindev+...@googlegrou=
ps.com</a>.<br>To view this discussion visit <a href=3D"https://groups.goog=
le.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B=
0GYN97P6hQ%40mail.gmail.com" rel=3D"noreferrer nofollow noopener noreferrer=
" target=3D"_blank" data-saferedirecturl=3D"https://www.google.com/url?hl=
=3Den&amp;q=3Dhttps://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%253DUK=
Va7CitXReMq8nA_4RadCF%253D%253DkU4YG%252B0GYN97P6hQ%2540mail.gmail.com&amp;=
source=3Dgmail&amp;ust=3D1748461116500000&amp;usg=3DAOvVaw2GONfUVQpUYYz1n-Q=
7k8A5">https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXRe=
Mq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com</a>.</div></blockquot=
e></div><div dir=3D"ltr"></div></div></div></div>

<p></p>

-- <br>
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br>
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href rel=3D"noreferrer nofollow noopener noreferrer" data-email-=
masked>bitcoindev+...@googlegroups.com</a>.<br>
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/E8269A1A-1899-46D2-A7CD-4D9D2B732364%40astrotown.de" rel=3D"nore=
ferrer nofollow noopener noreferrer" target=3D"_blank" data-saferedirecturl=
=3D"https://www.google.com/url?hl=3Den&amp;q=3Dhttps://groups.google.com/d/=
msgid/bitcoindev/E8269A1A-1899-46D2-A7CD-4D9D2B732364%2540astrotown.de&amp;=
source=3Dgmail&amp;ust=3D1748461116500000&amp;usg=3DAOvVaw1E7l85XcUnPe-IZru=
JVKIf">https://groups.google.com/d/msgid/bitcoindev/E8269A1A-1899-46D2-A7CD=
-4D9D2B732364%40astrotown.de</a>.</blockquote></div></div></blockquote></di=
v><div><blockquote type=3D"cite"><div dir=3D"ltr"><div class=3D"gmail_quote=
"><blockquote style=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;borde=
r-left-style:solid;padding-left:1ex;border-left-color:rgb(204,204,204)" cla=
ss=3D"gmail_quote"><br>
</blockquote></div></div>

<p></p>

-- <br>
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br>
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href rel=3D"noreferrer nofollow noopener noreferrer" data-email-=
masked>bitcoindev+...@googlegroups.com</a>.<br>
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br6mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg%40mail=
.gmail.com" rel=3D"noreferrer nofollow noopener noreferrer" target=3D"_blan=
k" data-saferedirecturl=3D"https://www.google.com/url?hl=3Den&amp;q=3Dhttps=
://groups.google.com/d/msgid/bitcoindev/CAJDmzYxw%252BmXQKjS%252Bh%252Br6mC=
oe1rwWUpa_yZDwmwx6U_eO5JhZLg%2540mail.gmail.com&amp;source=3Dgmail&amp;ust=
=3D1748461116500000&amp;usg=3DAOvVaw3D_tCMWkjBXBI-4mzvSpf9">https://groups.=
google.com/d/msgid/bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br6mCoe1rwWUpa_yZDwmw=
x6U_eO5JhZLg%40mail.gmail.com</a>.<br>

        </blockquote><br>
    </div>

<p></p>

-- <br>
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br>
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href rel=3D"noreferrer nofollow" data-email-masked>bitcoindev+..=
.@googlegroups.com</a>.<br>
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvfXniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuH=
Mjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXLmiCJOY%3D%40proton.me?utm_medium=3Dema=
il&amp;utm_source=3Dfooter" rel=3D"noreferrer nofollow" target=3D"_blank" d=
ata-saferedirecturl=3D"https://www.google.com/url?hl=3Den&amp;q=3Dhttps://g=
roups.google.com/d/msgid/bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvfXniazvrhGlaZu=
GLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXLmiCJOY%253D%2=
540proton.me?utm_medium%3Demail%26utm_source%3Dfooter&amp;source=3Dgmail&am=
p;ust=3D1748461116500000&amp;usg=3DAOvVaw1OfZs84Zfa7H5C8nwPK-1Z">https://gr=
oups.google.com/d/msgid/bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvfXniazvrhGlaZuG=
LeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXLmiCJOY%3D%40pr=
oton.me</a>.<br>
</blockquote></div></div>
</blockquote></div>
</blockquote></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/c568cc33-abba-4010-ac65-42c84dae6eb8n%40googlegroups.com?utm_med=
ium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/msgid/bitcoind=
ev/c568cc33-abba-4010-ac65-42c84dae6eb8n%40googlegroups.com</a>.<br />

------=_Part_7069_1578773686.1748394476949--

------=_Part_7068_1573834767.1748394476949--