From: Boris Nagaev <bnagaev@gmail•com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] Against Allowing Quantum Recovery of Bitcoin
Date: Sat, 12 Jul 2025 18:39:01 -0700 (PDT) [thread overview]
Message-ID: <1ae281cd-20a8-4b50-98b7-c228f090ad7an@googlegroups.com> (raw)
In-Reply-To: <CADL_X_dz6Zuoh6T=p+531kQkgVUbr5iKHeLNe01s5=QDp6iw9g@mail.gmail.com>
[-- Attachment #1.1: Type: text/plain, Size: 47952 bytes --]
> If a supermajority of sovereign actors decide they need to protect
themselves from negative consequences of quantum capable adversaries, I
wouldn't expect the threat of lawsuits to stop them.
Given that a PQ address type exists, individuals forming such a
supermajority are free to move their funds to PQ addresses. At that point,
the remaining minority of vulnerable funds no longer poses a systemic risk.
That said, I believe it would be better to first implement a PQ address
type and evaluate its fee costs. Current NIST-approved schemes are quite
expensive in terms of block space. Whether a broad adoption of PQ addresses
is justified depends on trade-offs users face. Without concrete data on
those trade-offs, it's premature to discuss enforcing such a move.
Even if PQ addresses turn out to be as space-efficient as P2TR, enforcing
their use would still constitute a form of central planning, imposing a
particular choice on all users. The situation becomes even more problematic
if these addresses are more expensive. It risks resembling scenarios where
governments mandate actions like mandatory insurance in the name of
collective safety. In this case, users who don't view quantum computing as
a credible threat would be compelled not only to move their funds (at some
cost) but also to pay more for each subsequent transaction. That feels
contrary to Bitcoin's foundational principles.
If a secure and efficient PQ address format becomes available, I will
personally move my funds to it. But I don't believe I (or anyone else) have
the right to force others to do the same. A group of individuals has no
more rights than the sum of the individuals within it. This is a
fundamental principle of individual liberty and runs counter to
collectivism. Even a majority shouldn't be able to impose such a
requirement. What we can do is offer tools and economic incentives (like
the segwit discount) to encourage voluntary adoption.
On Sunday, June 8, 2025 at 11:08:58 AM UTC-3 Jameson Lopp wrote:
> if developers make a conscious decision to make a code change that
confiscates funds, even with a reasonable heads-up, I feel like some
lawyers might be tempted to make an argument that those developers should
be held responsible for any losses.
Anyone can sue anyone for anything, so the mere potential for a lawsuit
isn't something that I believe should be taken into consideration with
regard to protocol changes.
But such an argument would be fundamentally flawed, because developers
don't actually enforce changes to the protocol. Enforcement must be
performed by miners and node operators. I suspect lawyers would have a
tough time finding and suing all of them. Suing someone for running
software you dislike also sounds like a pretty weak position; at least in
America I'd expect to be protected by freedom of speech. Remember that
anyone who might desire to do so is still free to write and run software
that rejects those changes.
Bitcoin is "trustless" if you validate the state of the network with your
own independently controlled full node. But, on the flip side, you must
"trust" the rest of the network not to coordinate changes to the network
that are to your personal detriment. If a supermajority of sovereign actors
decide they need to protect themselves from negative consequences of
quantum capable adversaries, I wouldn't expect the threat of lawsuits to
stop them.
On Sat, Jun 7, 2025 at 9:55 AM waxwing/ AdamISZ <ekag...@gmail•com> wrote:
> I'm not a lawyer, but if developers make a conscious decision to make a
code change that confiscates funds, even with a reasonable heads-up, I feel
like some lawyers might be tempted to make an argument that those
developers should be held responsible for any losses. As everyone knows,
Bitcoin has been under legal attacks before, and I'm not sure that anyone
would (or should) be willing to sign off on a change that might potentially
open them up to several billion dollars worth of personal responsibility -
especially if the "bonded courier" actually shows up and reveals a private
key that would have unlocked funds under the pre-QC scheme.
Coincidentally, Peter Todd has just made the same point in another
(apparently unrelated) thread, here:
https://groups.google.com/g/bitcoindev/c/bmV1QwYEN4k/m/kkHQZd_BAwAJ
For me it's very clear, that it's not an accident that such "unexpected"
side effects exist. It's a feature that I'd whimsically call "ethical
impedance-mismatch" (the term impedance mismatch has been used in
computing/programming, which itself borrowed it from the real meaning, in
physics). People have a moral/ethical desire to make bitcoin function as
well as possible, and see a failure mode in those using it for other
purposes, but that line of thought clashes with the essential, basic
principle of censorship-resistance.
So we see technical borked-ness like failure to get accurate fee rates and
the like, from doing something (attempting to filter at p2p level) that it
is intrinsically counter to the foundational ethical, functional purpose of
the system: censorship-resistance. And then we see "cascading failures" of
the type discussed here: if the devs are working to break bitcoin's ethical
promise of censorship-resistance, then thugs^H^H politicians and lawyers,
will seek to take control of that "break" for their own purposes.
That's why I'm not against "quantum recovery" as per the title of this
thread. Recovery, independent of outside control, *is* bitcoin's function.
If half a million btc get spent by someone who has "recovered" in an
unexpected way, tough titties. If the entire system collapses because we
can't get our act together before 2085 (OK I know some think it's 2035, I
don't, but whatever), then it is what it is. That is a huge unknown. But
Bitcoin will 100% fail if confiscation of *any* type becomes a thing.
Cheers,
AdamISZ/waxwing
On Wednesday, June 4, 2025 at 4:56:53 AM UTC-3 ArmchairCryptologist wrote:
Hi,
With the longer grace period and selective deactivation, this seems more
sensible, but there is one elephant in the room that I haven't seen
mentioned here - namely, the legal aspect. (If it was, sorry I missed it.)
I'm not a lawyer, but if developers make a conscious decision to make a
code change that confiscates funds, even with a reasonable heads-up, I feel
like some lawyers might be tempted to make an argument that those
developers should be held responsible for any losses. As everyone knows,
Bitcoin has been under legal attacks before, and I'm not sure that anyone
would (or should) be willing to sign off on a change that might potentially
open them up to several billion dollars worth of personal responsibility -
especially if the "bonded courier" actually shows up and reveals a private
key that would have unlocked funds under the pre-QC scheme.
The only safe-ish way I can see to do this is to have it only affect funds
that are very likely to be lost in the first place. So at the very least,
it could not affect UTXOs that could potentially be encumbered with a
timelock (i.e. P2SH/P2WSH), and it could only affect UTXOs that have not
moved for a very long time (say 15-20 years).
If quantum computers capable of practical attacks against Bitcoin are ever
known to actually exist, *sending* to non-PQC addresses should of course
be disabled immediately. But I feel that the nature of a permissionless
system implies a large degree of self-responsibility, so if someone chooses
to keep using non-PQC addresses even after PQC addresses have become
available and practical quantum attacks are suspected to be an imminent
danger, it's not necessarily up to the developers to tell them they can't,
only that they really shouldn't.
--
Regards,
ArmchairCryptologist
Sent with Proton Mail <https://proton.me/mail/home> secure email.
On Monday, May 26th, 2025 at 2:48 AM, Agustin Cruz <agusti...@gmail•com>
wrote:
Hi everyone,
QRAMP proposal aims to manage the quantum transition responsibly without
disrupting Bitcoin’s core principles.
QRAMP has three phases:
1. Allow wallets to optionally include PQC keys in Taproot outputs. This
enables early adoption without forcing anyone.
2. Announce a soft fork to disable vulnerable scripts, with a long
(~4-year) grace period. This gives ample time to migrate and avoids sudden
shocks.
3. Gradually deactivate vulnerable outputs based on age or inactivity. This
avoids a harsh cutoff and gives time for adaptation.
We can also allow exceptions via proof-of-possession, and delay
restrictions on timelocked outputs to avoid harming future spenders.
QRAMP is not about confiscation or control. It’s about aligning incentives,
maintaining security, and offering a clear, non-coercive upgrade path.
Best,
Agustin Cruz
El dom, 25 de may de 2025, 7:03 p.m., Dustin Ray <dustinvo...@gmail•com>
escribió:
The difference between the ETH/ETC split though was that no one had
anything confiscated except the DAO hacker, everyone retained an identical
number of tokens on each chain. The proposal for BTC is very different in
that some holders will lose access to their coins during the PQ migration
under the confiscation approach. Just wanted to point that out.
On Sun, May 25, 2025 at 3:06 PM 'conduition' via Bitcoin Development
Mailing List <bitco...@googlegroups•com> wrote:
Hey Saulo,
You're right about the possibility of an ugly split. Laggards who don't
move coins to PQ address schemes will be incentivized to follow any chain
where they keep their coins. But those who do migrate will be incentivized
to follow the chain where unmigrated pre-quantum coins are frozen.
While you're comparing this event to the ETH/ETC split, we should remember
that ETH remained the dominant chain despite their heavy-handed rollback.
Just goes to show, confusion and face-loss is a lesser evil than allowing
an adversary to pwn the network.
This is the free-market way to solve problems without imposing rules on
everyone.
It'd still be a free market even if quantum-vulnerable coins are frozen.
The only way to test the relative value of quantum-safe vs
quantum-vulnerable coins is to split the chain and see how the market
reacts.
IMO, the "free market way" is to give people options and let their money
flow to where it works best. That means people should be able to choose
whether they want their money to be part of a system that allows quantum
attack, or part of one which does not. I know which I would choose, but
neither you nor I can make that choice for everyone.
regards,
conduition
On Monday, March 24th, 2025 at 7:19 AM, Agustin Cruz <agusti...@gmail•com>
wrote:
I’m against letting quantum computers scoop up funds from addresses that
don’t upgrade to quantum-resistant.
Saulo’s idea of a free-market approach, leaving old coins up for grabs if
people don’t move them, sounds fair at first. Let luck decide, right? But I
worry it’d turn into a mess. If quantum machines start cracking keys and
snagging coins, it’s not just lost Satoshi-era stuff at risk. Plenty of
active wallets, like those on the rich list Jameson mentioned, could get
hit too. Imagine millions of BTC flooding the market. Prices tank, trust in
Bitcoin takes a dive, and we all feel the pain. Freezing those vulnerable
funds keeps that chaos in check.
Plus, “your keys, your coins” is Bitcoin’s heart. If quantum tech can steal
from you just because you didn’t upgrade fast enough, that promise feels
shaky. Freezing funds after a heads-up period (say, four years) protects
that idea better than letting tech giants or rogue states play vampire with
our network. It also nudges people to get their act together and move to
safer addresses, which strengthens Bitcoin long-term.
Saulo’s right that freezing coins could confuse folks or spark a split like
Ethereum Classic. But I’d argue quantum theft would look worse. Bitcoin
would seem broken, not just strict. A clear plan and enough time to migrate
could smooth things over. History’s on our side too. Bitcoin’s fixed bugs
before, like SegWit. This feels like that, not a bailout.
So yeah, I’d rather see vulnerable coins locked than handed to whoever
builds the first quantum rig. It’s less about coddling people and more
about keeping Bitcoin solid for everyone. What do you all think?
Cheers,
Agustín
On Sun, Mar 23, 2025 at 10:29 PM AstroTown <sa...@astrotown•de> wrote:
I believe that having some entity announce the decision to freeze old UTXOs
would be more damaging to Bitcoin’s image (and its value) than having them
gathered by QC. This would create another version of Bitcoin, similar to
Ethereum Classic, causing confusion in the market.
It would be better to simply implement the possibility of moving funds to a
PQC address without a deadline, allowing those who fail to do so to rely on
luck to avoid having their coins stolen. Most coins would be migrated to
PQC anyway, and in most cases, only the lost ones would remain vulnerable.
This is the free-market way to solve problems without imposing rules on
everyone.
Saulo Fonseca
On 16. Mar 2025, at 15:15, Jameson Lopp <jameso...@gmail•com> wrote:
The quantum computing debate is heating up. There are many controversial
aspects to this debate, including whether or not quantum computers will
ever actually become a practical threat.
I won't tread into the unanswerable question of how worried we should be
about quantum computers. I think it's far from a crisis, but given the
difficulty in changing Bitcoin it's worth starting to seriously discuss.
Today I wish to focus on a philosophical quandary related to one of the
decisions that would need to be made if and when we implement a quantum
safe signature scheme.
Several Scenarios
Because this essay will reference game theory a fair amount, and there are
many variables at play that could change the nature of the game, I think
it's important to clarify the possible scenarios up front.
1. Quantum computing never materializes, never becomes a threat, and thus
everything discussed in this essay is moot.
2. A quantum computing threat materializes suddenly and Bitcoin does not
have quantum safe signatures as part of the protocol. In this scenario it
would likely make the points below moot because Bitcoin would be
fundamentally broken and it would take far too long to upgrade the
protocol, wallet software, and migrate user funds in order to restore
confidence in the network.
3. Quantum computing advances slowly enough that we come to consensus about
how to upgrade Bitcoin and post quantum security has been minimally adopted
by the time an attacker appears.
4. Quantum computing advances slowly enough that we come to consensus about
how to upgrade Bitcoin and post quantum security has been highly adopted by
the time an attacker appears.
For the purposes of this post, I'm envisioning being in situation 3 or 4.
To Freeze or not to Freeze?
I've started seeing more people weighing in on what is likely the most
contentious aspect of how a quantum resistance upgrade should be handled in
terms of migrating user funds. Should quantum vulnerable funds be left open
to be swept by anyone with a sufficiently powerful quantum computer OR
should they be permanently locked?
"I don't see why old coins should be confiscated. The better option is to
let those with quantum computers free up old coins. While this might have
an inflationary impact on bitcoin's price, to use a turn of phrase, the
inflation is transitory. Those with low time preference should support
returning lost coins to circulation."
- Hunter Beast
On the other hand:
"Of course they have to be confiscated. If and when (and that's a big if)
the existence of a cryptography-breaking QC becomes a credible threat, the
Bitcoin ecosystem has no other option than softforking out the ability to
spend from signature schemes (including ECDSA and BIP340) that are
vulnerable to QCs. The alternative is that millions of BTC become
vulnerable to theft; I cannot see how the currency can maintain any value
at all in such a setting. And this affects everyone; even those which
diligently moved their coins to PQC-protected schemes."
- Pieter Wuille
I don't think "confiscation" is the most precise term to use, as the funds
are not being seized and reassigned. Rather, what we're really discussing
would be better described as "burning" - placing the funds *out of reach of
everyone*.
Not freezing user funds is one of Bitcoin's inviolable properties. However,
if quantum computing becomes a threat to Bitcoin's elliptic curve
cryptography, *an inviolable property of Bitcoin will be violated one way
or another*.
Fundamental Properties at Risk
5 years ago I attempted to comprehensively categorize all of Bitcoin's
fundamental properties that give it value.
https://nakamoto.com/what-are-the-key-properties-of-bitcoin/
The particular properties in play with regard to this issue seem to be:
*Censorship Resistance* - No one should have the power to prevent others
from using their bitcoin or interacting with the network.
*Forward Compatibility* - changing the rules such that certain valid
transactions become invalid could undermine confidence in the protocol.
*Conservatism* - Users should not be expected to be highly responsive to
system issues.
As a result of the above principles, we have developed a strong meme (kudos
to Andreas Antonopoulos) that goes as follows:
Not your keys, not your coins.
I posit that the corollary to this principle is:
Your keys, only your coins.
A quantum capable entity breaks the corollary of this foundational
principle. We secure our bitcoin with the mathematical probabilities
related to extremely large random numbers. Your funds are only secure
because truly random large numbers should not be guessable or discoverable
by anyone else in the world.
This is the principle behind the motto *vires in numeris* - strength in
numbers. In a world with quantum enabled adversaries, this principle is
null and void for many types of cryptography, including the elliptic curve
digital signatures used in Bitcoin.
Who is at Risk?
There has long been a narrative that Satoshi's coins and others from the
Satoshi era of P2PK locking scripts that exposed the public key directly on
the blockchain will be those that get scooped up by a quantum "miner." But
unfortunately it's not that simple. If I had a powerful quantum computer,
which coins would I target? I'd go to the Bitcoin rich list and find the
wallets that have exposed their public keys due to re-using addresses that
have previously been spent from. You can easily find them at
https://bitinfocharts.com/top-100-richest-bitcoin-addresses.html
Note that a few of these wallets, like Bitfinex / Kraken / Tether, would be
slightly harder to crack because they are multisig wallets. So a quantum
attacker would need to reverse engineer 2 keys for Kraken or 3 for Bitfinex
/ Tether in order to spend funds. But many are single signature.
Point being, it's not only the really old lost BTC that are at risk to a
quantum enabled adversary, at least at time of writing. If we add a quantum
safe signature scheme, we should expect those wallets to be some of the
first to upgrade given their incentives.
The Ethical Dilemma: Quantifying Harm
Which decision results in the most harm?
By making quantum vulnerable funds unspendable we potentially harm some
Bitcoin users who were not paying attention and neglected to migrate their
funds to a quantum safe locking script. This violates the "conservativism"
principle stated earlier. On the flip side, we prevent those funds plus far
more lost funds from falling into the hands of the few privileged folks who
gain early access to quantum computers.
By leaving quantum vulnerable funds available to spend, the same set of
users who would otherwise have funds frozen are likely to see them stolen.
And many early adopters who lost their keys will eventually see their
unreachable funds scooped up by a quantum enabled adversary.
Imagine, for example, being James Howells, who accidentally threw away a
hard drive with 8,000 BTC on it, currently worth over $600M USD. He has
spent a decade trying to retrieve it from the landfill where he knows it's
buried, but can't get permission to excavate. I suspect that, given the
choice, he'd prefer those funds be permanently frozen rather than fall into
someone else's possession - I know I would.
Allowing a quantum computer to access lost funds doesn't make those users
any worse off than they were before, however it *would*have a negative
impact upon everyone who is currently holding bitcoin.
It's prudent to expect significant economic disruption if large amounts of
coins fall into new hands. Since a quantum computer is going to have a
massive up front cost, expect those behind it to desire to recoup their
investment. We also know from experience that when someone suddenly finds
themselves in possession of 9+ figures worth of highly liquid assets, they
tend to diversify into other things by selling.
Allowing quantum recovery of bitcoin is *tantamount to wealth
redistribution*. What we'd be allowing is for bitcoin to be redistributed
from those who are ignorant of quantum computers to those who have won the
technological race to acquire quantum computers. It's hard to see a bright
side to that scenario.
Is Quantum Recovery Good for Anyone?
Does quantum recovery HELP anyone? I've yet to come across an argument that
it's a net positive in any way. It certainly doesn't add any security to
the network. If anything, it greatly decreases the security of the network
by allowing funds to be claimed by those who did not earn them.
But wait, you may be thinking, wouldn't quantum "miners" have earned their
coins by all the work and resources invested in building a quantum
computer? I suppose, in the same sense that a burglar earns their spoils by
the resources they invest into surveilling targets and learning the skills
needed to break into buildings. What I say "earned" I mean through
productive mutual trade.
For example:
* Investors earn BTC by trading for other currencies.
* Merchants earn BTC by trading for goods and services.
* Miners earn BTC by trading thermodynamic security.
* Quantum miners don't trade anything, they are vampires feeding upon the
system.
There's no reason to believe that allowing quantum adversaries to recover
vulnerable bitcoin will be of benefit to anyone other than the select few
organizations that win the technological arms race to build the first such
computers. Probably nation states and/or the top few largest tech companies.
One could certainly hope that an organization with quantum supremacy is
benevolent and acts in a "white hat" manner to return lost coins to their
owners, but that's incredibly optimistic and foolish to rely upon. Such a
situation creates an insurmountable ethical dilemma of only recovering lost
bitcoin rather than currently owned bitcoin. There's no way to precisely
differentiate between the two; anyone can claim to have lost their bitcoin
but if they have lost their keys then proving they ever had the keys
becomes rather difficult. I imagine that any such white hat recovery
efforts would have to rely upon attestations from trusted third parties
like exchanges.
Even if the first actor with quantum supremacy is benevolent, we must
assume the technology could fall into adversarial hands and thus think
adversarially about the potential worst case outcomes. Imagine, for
example, that North Korea continues scooping up billions of dollars from
hacking crypto exchanges and decides to invest some of those proceeds into
building a quantum computer for the biggest payday ever...
Downsides to Allowing Quantum Recovery
Let's think through an exhaustive list of pros and cons for allowing or
preventing the seizure of funds by a quantum adversary.
Historical Precedent
Previous protocol vulnerabilities weren’t celebrated as "fair game" but
rather were treated as failures to be remediated. Treating quantum theft
differently risks rewriting Bitcoin’s history as a free-for-all rather than
a system that seeks to protect its users.
Violation of Property Rights
Allowing a quantum adversary to take control of funds undermines the
fundamental principle of cryptocurrency - if you keep your keys in your
possession, only you should be able to access your money. Bitcoin is built
on the idea that private keys secure an individual’s assets, and
unauthorized access (even via advanced tech) is theft, not a legitimate
transfer.
Erosion of Trust in Bitcoin
If quantum attackers can exploit vulnerable addresses, confidence in
Bitcoin as a secure store of value would collapse. Users and investors rely
on cryptographic integrity, and widespread theft could drive adoption away
from Bitcoin, destabilizing its ecosystem.
This is essentially the counterpoint to claiming the burning of vulnerable
funds is a violation of property rights. While some will certainly see it
as such, others will find the apathy toward stopping quantum theft to be
similarly concerning.
Unfair Advantage
Quantum attackers, likely equipped with rare and expensive technology,
would have an unjust edge over regular users who lack access to such tools.
This creates an inequitable system where only the technologically elite can
exploit others, contradicting Bitcoin’s ethos of decentralized power.
Bitcoin is designed to create an asymmetric advantage for DEFENDING one's
wealth. It's supposed to be impractically expensive for attackers to crack
the entropy and cryptography protecting one's coins. But now we find
ourselves discussing a situation where this asymmetric advantage is
compromised in favor of a specific class of attackers.
Economic Disruption
Large-scale theft from vulnerable addresses could crash Bitcoin’s price as
quantum recovered funds are dumped on exchanges. This would harm all
holders, not just those directly targeted, leading to broader financial
chaos in the markets.
Moral Responsibility
Permitting theft via quantum computing sets a precedent that technological
superiority justifies unethical behavior. This is essentially taking a
"code is law" stance in which we refuse to admit that both code and laws
can be modified to adapt to previously unforeseen situations.
Burning of coins can certainly be considered a form of theft, thus I think
it's worth differentiating the two different thefts being discussed:
1. self-enriching & likely malicious
2. harm prevention & not necessarily malicious
Both options lack the consent of the party whose coins are being burnt or
transferred, thus I think the simple argument that theft is immoral becomes
a wash and it's important to drill down into the details of each.
Incentives Drive Security
I can tell you from a decade of working in Bitcoin security - the average
user is lazy and is a procrastinator. If Bitcoiners are given a "drop dead
date" after which they know vulnerable funds will be burned, this pressure
accelerates the adoption of post-quantum cryptography and strengthens
Bitcoin long-term. Allowing vulnerable users to delay upgrading
indefinitely will result in more laggards, leaving the network more exposed
when quantum tech becomes available.
Steel Manning
Clearly this is a complex and controversial topic, thus it's worth thinking
through the opposing arguments.
Protecting Property Rights
Allowing quantum computers to take vulnerable bitcoin could potentially be
spun as a hard money narrative - we care so greatly about not violating
someone's access to their coins that we allow them to be stolen!
But I think the flip side to the property rights narrative is that burning
vulnerable coins prevents said property from falling into undeserving
hands. If the entire Bitcoin ecosystem just stands around and allows
quantum adversaries to claim funds that rightfully belong to other users,
is that really a "win" in the "protecting property rights" category? It
feels more like apathy to me.
As such, I think the "protecting property rights" argument is a wash.
Quantum Computers Won't Attack Bitcoin
There is a great deal of skepticism that sufficiently powerful quantum
computers will ever exist, so we shouldn't bother preparing for a
non-existent threat. Others have argued that even if such a computer was
built, a quantum attacker would not go after bitcoin because they wouldn't
want to reveal their hand by doing so, and would instead attack other
infrastructure.
It's quite difficult to quantify exactly how valuable attacking other
infrastructure would be. It also really depends upon when an entity gains
quantum supremacy and thus if by that time most of the world's systems have
already been upgraded. While I think you could argue that certain entities
gaining quantum capability might not attack Bitcoin, it would only delay
the inevitable - eventually somebody will achieve the capability who
decides to use it for such an attack.
Quantum Attackers Would Only Steal Small Amounts
Some have argued that even if a quantum attacker targeted bitcoin, they'd
only go after old, likely lost P2PK outputs so as to not arouse suspicion
and cause a market panic.
I'm not so sure about that; why go after 50 BTC at a time when you could
take 250,000 BTC with the same effort as 50 BTC? This is a classic "zero
day exploit" game theory in which an attacker knows they have a limited
amount of time before someone else discovers the exploit and either
benefits from it or patches it. Take, for example, the recent ByBit attack
- the highest value crypto hack of all time. Lazarus Group had compromised
the Safe wallet front end JavaScript app and they could have simply had it
reassign ownership of everyone's Safe wallets as they were interacting with
their wallet. But instead they chose to only specifically target ByBit's
wallet with $1.5 billion in it because they wanted to maximize their
extractable value. If Lazarus had started stealing from every wallet, they
would have been discovered quickly and the Safe web app would likely have
been patched well before any billion dollar wallets executed the malicious
code.
I think the "only stealing small amounts" argument is strongest for
Situation #2 described earlier, where a quantum attacker arrives before
quantum safe cryptography has been deployed across the Bitcoin ecosystem.
Because if it became clear that Bitcoin's cryptography was broken AND there
was nowhere safe for vulnerable users to migrate, the only logical option
would be for everyone to liquidate their bitcoin as quickly as possible. As
such, I don't think it applies as strongly for situations in which we have
a migration path available.
The 21 Million Coin Supply Should be in Circulation
Some folks are arguing that it's important for the "circulating /
spendable" supply to be as close to 21M as possible and that having a
significant portion of the supply out of circulation is somehow undesirable.
While the "21M BTC" attribute is a strong memetic narrative, I don't think
anyone has ever expected that it would all be in circulation. It has always
been understood that many coins will be lost, and that's actually part of
the game theory of owning bitcoin!
And remember, the 21M number in and of itself is not a particularly
important detail - it's not even mentioned in the whitepaper. What's
important is that the supply is well known and not subject to change.
Self-Sovereignty and Personal Responsibility
Bitcoin’s design empowers individuals to control their own wealth, free
from centralized intervention. This freedom comes with the burden of
securing one's private keys. If quantum computing can break obsolete
cryptography, the fault lies with users who didn't move their funds to
quantum safe locking scripts. Expecting the network to shield users from
their own negligence undermines the principle that you, and not a third
party, are accountable for your assets.
I think this is generally a fair point that "the community" doesn't owe you
anything in terms of helping you. I think that we do, however, need to
consider the incentives and game theory in play with regard to quantum safe
Bitcoiners vs quantum vulnerable Bitcoiners. More on that later.
Code is Law
Bitcoin operates on transparent, immutable rules embedded in its protocol.
If a quantum attacker uses superior technology to derive private keys from
public keys, they’re not "hacking" the system - they're simply following
what's mathematically permissible within the current code. Altering the
protocol to stop this introduces subjective human intervention, which
clashes with the objective, deterministic nature of blockchain.
While I tend to agree that code is law, one of the entire points of laws is
that they can be amended to improve their efficacy in reducing harm.
Leaning on this point seems more like a pro-ossification stance that it's
better to do nothing and allow harm to occur rather than take action to
stop an attack that was foreseen far in advance.
Technological Evolution as a Feature, Not a Bug
It's well known that cryptography tends to weaken over time and eventually
break. Quantum computing is just the next step in this progression. Users
who fail to adapt (e.g., by adopting quantum-resistant wallets when
available) are akin to those who ignored technological advancements like
multisig or hardware wallets. Allowing quantum theft incentivizes
innovation and keeps Bitcoin’s ecosystem dynamic, punishing complacency
while rewarding vigilance.
Market Signals Drive Security
If quantum attackers start stealing funds, it sends a clear signal to the
market: upgrade your security or lose everything. This pressure accelerates
the adoption of post-quantum cryptography and strengthens Bitcoin
long-term. Coddling vulnerable users delays this necessary evolution,
potentially leaving the network more exposed when quantum tech becomes
widely accessible. Theft is a brutal but effective teacher.
Centralized Blacklisting Power
Burning vulnerable funds requires centralized decision-making - a soft fork
to invalidate certain transactions. This sets a dangerous precedent for
future interventions, eroding Bitcoin’s decentralization. If quantum theft
is blocked, what’s next - reversing exchange hacks? The system must remain
neutral, even if it means some lose out.
I think this could be a potential slippery slope if the proposal was to
only burn specific addresses. Rather, I'd expect a neutral proposal to burn
all funds in locking script types that are known to be quantum vulnerable.
Thus, we could eliminate any subjectivity from the code.
Fairness in Competition
Quantum attackers aren't cheating; they're using publicly available physics
and math. Anyone with the resources and foresight can build or access
quantum tech, just as anyone could mine Bitcoin in 2009 with a CPU. Early
adopters took risks and reaped rewards; quantum innovators are doing the
same. Calling it “unfair” ignores that Bitcoin has never promised equality
of outcome - only equality of opportunity within its rules.
I find this argument to be a mischaracterization because we're not talking
about CPUs. This is more akin to talking about ASICs, except each ASIC
costs millions if not billions of dollars. This is out of reach from all
but the wealthiest organizations.
Economic Resilience
Bitcoin has weathered thefts before (MTGOX, Bitfinex, FTX, etc) and emerged
stronger. The market can absorb quantum losses, with unaffected users
continuing to hold and new entrants buying in at lower prices. Fear of
economic collapse overestimates the impact - the network’s antifragility
thrives on such challenges.
This is a big grey area because we don't know when a quantum computer will
come online and we don't know how quickly said computers would be able to
steal bitcoin. If, for example, the first generation of sufficiently
powerful quantum computers were stealing less volume than the current block
reward then of course it will have minimal economic impact. But if they're
taking thousands of BTC per day and bringing them back into circulation,
there will likely be a noticeable market impact as it absorbs the new
supply.
This is where the circumstances will really matter. If a quantum attacker
appears AFTER the Bitcoin protocol has been upgraded to support quantum
resistant cryptography then we should expect the most valuable active
wallets will have upgraded and the juiciest target would be the 31,000 BTC
in the address 12ib7dApVFvg82TXKycWBNpN8kFyiAN1dr which has been dormant
since 2010. In general I'd expect that the amount of BTC re-entering the
circulating supply would look somewhat similar to the mining emission
curve: volume would start off very high as the most valuable addresses are
drained and then it would fall off as quantum computers went down the list
targeting addresses with less and less BTC.
Why is economic impact a factor worth considering? Miners and businesses in
general. More coins being liquidated will push down the price, which will
negatively impact miner revenue. Similarly, I can attest from working in
the industry for a decade, that lower prices result in less demand from
businesses across the entire industry. As such, burning quantum vulnerable
bitcoin is good for the entire industry.
Practicality & Neutrality of Non-Intervention
There’s no reliable way to distinguish “theft” from legitimate "white hat"
key recovery. If someone loses their private key and a quantum computer
recovers it, is that stealing or reclaiming? Policing quantum actions
requires invasive assumptions about intent, which Bitcoin’s trustless
design can’t accommodate. Letting the chips fall where they may avoids this
mess.
Philosophical Purity
Bitcoin rejects bailouts. It’s a cold, hard system where outcomes reflect
preparation and skill, not sentimentality. If quantum computing upends the
game, that’s the point - Bitcoin isn’t meant to be safe or fair in a
nanny-state sense; it’s meant to be free. Users who lose funds to quantum
attacks are casualties of liberty and their own ignorance, not victims of
injustice.
Bitcoin's DAO Moment
This situation has some similarities to The DAO hack of an Ethereum smart
contract in 2016, which resulted in a fork to stop the attacker and return
funds to their original owners. The game theory is similar because it's a
situation where a threat is known but there's some period of time before
the attacker can actually execute the theft. As such, there's time to
mitigate the attack by changing the protocol.
It also created a schism in the community around the true meaning of "code
is law," resulting in Ethereum Classic, which decided to allow the attacker
to retain control of the stolen funds.
A soft fork to burn vulnerable bitcoin could certainly result in a hard
fork if there are enough miners who reject the soft fork and continue
including transactions.
Incentives Matter
We can wax philosophical until the cows come home, but what are the actual
incentives for existing Bitcoin holders regarding this decision?
"Lost coins only make everyone else's coins worth slightly more. Think of
it as a donation to everyone." - Satoshi Nakamoto
If true, the corollary is:
"Quantum recovered coins only make everyone else's coins worth less. Think
of it as a theft from everyone." - Jameson Lopp
Thus, assuming we get to a point where quantum resistant signatures are
supported within the Bitcoin protocol, what's the incentive to let
vulnerable coins remain spendable?
* It's not good for the actual owners of those coins. It disincentivizes
owners from upgrading until perhaps it's too late.
* It's not good for the more attentive / responsible owners of coins who
have quantum secured their stash. Allowing the circulating supply to
balloon will assuredly reduce the purchasing power of all bitcoin holders.
Forking Game Theory
From a game theory point of view, I see this as incentivizing users to
upgrade their wallets. If you disagree with the burning of vulnerable
coins, all you have to do is move your funds to a quantum safe signature
scheme. Point being, I don't see there being an economic majority (or even
more than a tiny minority) of users who would fight such a soft fork. Why
expend significant resources fighting a fork when you can just move your
coins to a new address?
Remember that blocking spending of certain classes of locking scripts is a
tightening of the rules - a soft fork. As such, it can be meaningfully
enacted and enforced by a mere majority of hashpower. If miners generally
agree that it's in their best interest to burn vulnerable coins, are other
users going to care enough to put in the effort to run new node software
that resists the soft fork? Seems unlikely to me.
How to Execute Burning
In order to be as objective as possible, the goal would be to announce to
the world that after a specific block height / timestamp, Bitcoin nodes
will no longer accept transactions (or blocks containing such transactions)
that spend funds from any scripts other than the newly instituted quantum
safe schemes.
It could take a staggered approach to first freeze funds that are
susceptible to long-range attacks such as those in P2PK scripts or those
that exposed their public keys due to previously re-using addresses, but I
expect the additional complexity would drive further controversy.
How long should the grace period be in order to give the ecosystem time to
upgrade? I'd say a minimum of 1 year for software wallets to upgrade. We
can only hope that hardware wallet manufacturers are able to implement post
quantum cryptography on their existing hardware with only a firmware update.
Beyond that, it will take at least 6 months worth of block space for all
users to migrate their funds, even in a best case scenario. Though if you
exclude dust UTXOs you could probably get 95% of BTC value migrated in 1
month. Of course this is a highly optimistic situation where everyone is
completely focused on migrations - in reality it will take far longer.
Regardless, I'd think that in order to reasonably uphold Bitcoin's
conservatism it would be preferable to allow a 4 year migration window. In
the meantime, mining pools could coordinate emergency soft forking logic
such that if quantum attackers materialized, they could accelerate the
countdown to the quantum vulnerable funds burn.
Random Tangential Benefits
On the plus side, burning all quantum vulnerable bitcoin would allow us to
prune all of those UTXOs out of the UTXO set, which would also clean up a
lot of dust. Dust UTXOs are a bit of an annoyance and there has even been a
recent proposal for how to incentivize cleaning them up.
We should also expect that incentivizing migration of the entire UTXO set
will create substantial demand for block space that will sustain a fee
market for a fairly lengthy amount of time.
In Summary
While the moral quandary of violating any of Bitcoin's inviolable
properties can make this a very complex issue to discuss, the game theory
and incentives between burning vulnerable coins versus allowing them to be
claimed by entities with quantum supremacy appears to be a much simpler
issue.
I, for one, am not interested in rewarding quantum capable entities by
inflating the circulating money supply just because some people lost their
keys long ago and some laggards are not upgrading their bitcoin wallet's
security.
We can hope that this scenario never comes to pass, but hope is not a
strategy.
I welcome your feedback upon any of the above points, and contribution of
any arguments I failed to consider.
--
You received this message because you are subscribed to the Google Groups
"Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to bitcoindev+...@googlegroups•com.
To view this discussion visit
https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com
.
--
You received this message because you are subscribed to the Google Groups
"Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to bitcoindev+...@googlegroups•com.
To view this discussion visit
https://groups.google.com/d/msgid/bitcoindev/E8269A1A-1899-46D2-A7CD-4D9D2B732364%40astrotown.de
.
--
You received this message because you are subscribed to the Google Groups
"Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to bitcoindev+...@googlegroups•com.
To view this discussion visit
https://groups.google.com/d/msgid/bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br6mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg%40mail.gmail.com
.
--
You received this message because you are subscribed to the Google Groups
"Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to bitcoindev+...@googlegroups•com.
To view this discussion visit
https://groups.google.com/d/msgid/bitcoindev/zyx7G6H1TyB2sWVEKAfIYmCCvfXniazvrhGlaZuGLeFtjL3Ky7B-9nBptC0GCxuHMjjw8RasO7c3ZX46_6Nerv0SgCP0vOi5_nAXLmiCJOY%3D%40proton.me
.
--
You received this message because you are subscribed to the Google Groups
"Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to bitcoindev+...@googlegroups•com.
To view this discussion visit
https://groups.google.com/d/msgid/bitcoindev/CAJDmzYycnXODG_e9ATqTkooUu3C-RS703P1-RQLW5CdcCehsqg%40mail.gmail.com
.
--
You received this message because you are subscribed to the Google Groups
"Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to bitcoindev+...@googlegroups•com.
To view this discussion visit
https://groups.google.com/d/msgid/bitcoindev/893891ea-34ec-4d60-9941-9f636be0d747n%40googlegroups.com
<https://groups.google.com/d/msgid/bitcoindev/893891ea-34ec-4d60-9941-9f636be0d747n%40googlegroups.com?utm_medium=email&utm_source=footer>
.
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/1ae281cd-20a8-4b50-98b7-c228f090ad7an%40googlegroups.com.
[-- Attachment #1.2: Type: text/html, Size: 59042 bytes --]
next prev parent reply other threads:[~2025-07-13 1:49 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-22 19:02 AstroTown
2025-03-24 11:19 ` Agustin Cruz
2025-05-25 19:03 ` 'conduition' via Bitcoin Development Mailing List
2025-05-25 23:03 ` Dustin Ray
2025-05-26 0:32 ` Agustin Cruz
2025-05-26 15:40 ` 'ArmchairCryptologist' via Bitcoin Development Mailing List
2025-06-07 13:28 ` waxwing/ AdamISZ
2025-06-08 14:04 ` Jameson Lopp
2025-07-13 1:39 ` Boris Nagaev [this message]
2025-07-13 12:34 ` Jameson Lopp
2025-05-28 1:07 ` waxwing/ AdamISZ
2025-05-28 7:46 ` Sjors Provoost
2025-05-28 21:15 ` waxwing/ AdamISZ
-- strict thread matches above, loose matches on Subject: below --
2025-03-16 14:15 Jameson Lopp
2025-03-16 18:03 ` Chris Riley
2025-03-16 19:44 ` Nagaev Boris
2025-03-16 21:25 ` Jameson Lopp
2025-03-16 22:56 ` IdeA
2025-03-17 13:28 ` Jameson Lopp
2025-03-17 12:00 ` Matt Corallo
2025-03-18 12:48 ` Sjors Provoost
2025-03-25 1:06 ` Matt Corallo
2025-03-25 8:16 ` Sjors Provoost
2025-03-28 20:00 ` Matt Corallo
2025-03-30 22:23 ` Javier Mateos
2025-04-04 4:49 ` 'Ben Sigman' via Bitcoin Development Mailing List
2025-04-06 14:07 ` Nadav Ivgi
2025-04-30 15:40 ` Michael Tidwell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1ae281cd-20a8-4b50-98b7-c228f090ad7an@googlegroups.com \
--to=bnagaev@gmail$(echo .)com \
--cc=bitcoindev@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox