Hi
While I generally agree that "freeze" beats "steal", and that a lot of lead time is good, I don't think this plan is viable.
To me the biggest problem is that it ties activation of a PQ output type to *de*activation of EC output types. That would mean that someone who wants to keep using all the great stuff in libsecp256k1 should try to prevent BIP360 from being activated.
Sure, there can be risks from CRQCs. But this proposal would go the other direction, disabling important functionality and even destroying coins preemptively, in anticipation of something that may never happen.
Also, how do you define "quantum-vulnerable UTXO"? Would any P2PKH, or P2WPKH output count? Or only P2PKH / P2WPKH outputs where the public key is already known? I can understand disabling spends from known-pubkey outputs, but for addresses where the public key has never been revealed, commit/reveal schemes (like the one I posted about & am working on a follow-up post for) should safely let people spend from those outputs indefinitely.
With no evidence of a QRQC, I can see how there would be people who'd say "We might never really know if a CRQC exists, so we need to disable EC spends out of caution" and others who'd say "Don't disable EC spends, since that's destroying coins", and that could be a persistent disagreement. But I hope if we did in fact have a proof that a CRQC has broken secp256k1, there would be significant agreement on freezing known-pubkey EC outputs.-TadgeOn Saturday, July 12, 2025 at 8:46:09 PM UTC-4 Jameson Lopp wrote:Building upon my earlier essay against allowing quantum recovery of bitcoin I wish to formalize a proposal after several months of discussions.
This proposal does not delve into the multitude of issues regarding post quantum cryptography and trade-offs of different schemes, but rather is meant to specifically address the issues of incentivizing adoption and migration of funds after consensus is established that it is prudent to do so.
As such, this proposal requires P2QRH as described in BIP-360 or potential future proposals.
Abstract
This proposal follows the implementation of post-quantum (PQ) output type (P2QRH) and introduces a pre-announced sunset of legacy ECDSA/Schnorr signatures. It turns quantum security into a private incentive: fail to upgrade and you will certainly lose access to your funds, creating a certainty where none previously existed.
Phase A: Disallows sending of any funds to quantum-vulnerable addresses, hastening the adoption of P2QRH address types.
Phase B: Renders ECDSA/Schnorr spends invalid, preventing all spending of funds in quantum-vulnerable UTXOs. This is triggered by a well-publicized flag-day roughly five years after activation.
Phase C (optional): Pending further research and demand, a separate BIP proposing a fork to allow recovery of legacy UTXOs through ZK proof of possession of BIP-39 seed phrase.
Motivation
We seek to secure the value of the UTXO set and minimize incentives for quantum attacks. This proposal is radically different from any in Bitcoin’s history just as the threat posed by quantum computing is radically different from any other threat in Bitcoin’s history. Never before has Bitcoin faced an existential threat to its cryptographic primitives. A successful quantum attack on Bitcoin would result in significant economic disruption and damage across the entire ecosystem. Beyond its impact on price, the ability of miners to provide network security may be significantly impacted.
Accelerating quantum progress.
NIST ratified three production-grade PQ signature schemes in 2024; academic road-maps now estimate a cryptographically-relevant quantum computer as early as 2027-2030. [McKinsey]
Quantum algorithms are rapidly improving
The safety envelope is shrinking by dramatic increases in algorithms even if the pace of hardware improvements is slower. Algorithms are improving up to 20X, lowering the theoretical hardware requirements for breaking classical encryption.
Bitcoin’s exposed public keys.
Roughly 25% of all bitcoin have revealed a public key on-chain; those UTXOs could be stolen with sufficient quantum power.
We may not know the attack is underway.
Quantum attackers could compute the private key for known public keys then transfer all funds weeks or months later, in a covert bleed to not alert chain watchers. Q-Day may be only known much later if the attack withholds broadcasting transactions in order to postpone revealing their capabilities.
Private keys become public.
Assuming that quantum computers are able to maintain their current trajectories and overcome existing engineering obstacles, there is a near certain chance that all P2PK (and other outputs with exposed pubkeys) private keys will be found and used to steal the funds.
Impossible to know motivations.
Prior to a quantum attack, it is impossible to know the motivations of the attacker. An economically motivated attacker will try to remain undetected for as long as possible, while a malicious attacker will attempt to destroy as much value as possible.
Upgrade inertia.
Coordinating wallets, exchanges, miners and custodians historically takes years.
The longer we postpone migration, the harder it becomes to coordinate wallets, exchanges, miners, and custodians. A clear, time-boxed pathway is the only credible defense.
Coordinating distributed groups is more prone to delay, even if everyone has similar motivations. Historically, Bitcoin has been slow to adopt code changes, often taking multiple years to be approved.
Benefits at a Glance
Resilience: Bitcoin protocol remains secure for the foreseeable future without waiting for a last-minute emergency.
Certainty: Bitcoin users and stakeholders gain certainty that a plan is both in place and being implemented to effectively deal with the threat of quantum theft of bitcoin.
Clarity: A single, publicized timeline aligns the entire ecosystem (wallets, exchanges, hardware vendors).
Supply Discipline: Abandoned keys that never migrate become unspendable, reducing supply, as Satoshi described.
Specification
Rationale
Even if Bitcoin is not a primary initial target of a cryptographically relevant quantum computer, widespread knowledge that such a computer exists and is capable of breaking Bitcoin’s cryptography will damage faith in the network .
An attack on Bitcoin may not be economically motivated - an attacker may be politically or maliciously motivated and may attempt to destroy value and trust in Bitcoin rather than extract value. There is no way to know in advance how, when, or why an attack may occur. A defensive position must be taken well in advance of any attack.
Bitcoin’s current signatures (ECDSA/Schnorr) will be a tantalizing target: any UTXO that has ever exposed its public key on-chain (roughly 25 % of all bitcoin) could be stolen by a cryptographically relevant quantum computer.
Existing Proposals are Insufficient.
Any proposal that allows for the quantum theft of “lost” bitcoin is creating a redistribution dilemma. There are 3 types of proposals:
Allow anyone to steal vulnerable coins, benefitting those who reach quantum capability earliest.
Allow throttled theft of coins, which leads to RBF battles and ultimately miners subsidizing their revenue from lost coins.
Allow no one to steal vulnerable coins.
Minimizes attack surface
By disallowing new spends to quantum vulnerable script types, we minimize the attack surface with each new UTXO.
Upgrades to Bitcoin have historically taken many years; this will hasten and speed up the adoption of new quantum resistant script types.
With a clear deadline, industry stakeholders will more readily upgrade existing infrastructure to ensure continuity of services.
Minimizes loss of access to funds
If there is sufficient demand and research proves possible, submitting a ZK proof of knowledge of a BIP-39 seed phrase corresponding to a public key hash or script hash would provide a trustless means for legacy outputs to be spent in a quantum resistant manner, even after the sunset.
Key Insight: As mentioned earlier, the proposal turns quantum security into a private incentive to upgrade.
This is not an offensive attack, rather, it is defensive: our thesis is that the Bitcoin ecosystem wishes to defend itself and its interests against those who would prefer to do nothing and allow a malicious actor to destroy both value and trust.
"Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone." - Satoshi NakamotoIf true, the corollary is:
"Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone."The timelines that we are proposing are meant to find the best balance between giving ample ability for account owners to migrate while maintaining the integrity of the overall ecosystem to avoid catastrophic attacks.
Backward Compatibility
As a series of soft forks, older nodes will continue to operate without modification. Non-upgraded nodes, however, will consider all post-quantum witness programs as anyone-can-spend scripts. They are strongly encouraged to upgrade in order to fully validate the new programs.
Non-upgraded wallets can receive and send bitcoin from non-upgraded and upgraded wallets until Phase A. After Phase A, they can no longer receive from any other wallets and can only send to upgraded wallets. After Phase B, both senders and receivers will require upgraded wallets. Phase C would likely require a loosening of consensus rules (a hard fork) to allow vulnerable funds recovery via ZK proofs.