Thread

While we cannot make this decision on behalf of a theoretical future Bitcoin community, I think burning vulnerable bitcoin is inevitable. First of all, I think it’s the right decision. In a world where a CRQC (cryptographically relevant quantum computer) is on the short-term horizon, these coins will not remain with their original owners. No amount of hopium will solve that. Instead your options are only (a) freeze or (b) let some CRQC owner eventually steal them. I definitely prefer (a). Luckily, it doesn’t have to be a lot of coins - any addresses which were created from a standard seed phrase + HD derivation can be recovered with a QC-safe ZK proof. It’s only the very very old coins (or more esoteric wallets) that would be frozen. Finally, it’s worth pointing out that I think this is inevitable. In a theoretical future where a CRQC is on the horizon, both forks will exist. The market will ultimately decide which bitcoin they value more - one with an extra million coins of supply as the CRQC owners steal lost coins or the one without. I cannot imagine the market preferring the former.
ODELL
saylor seems to be advocating for a hard fork that forces people to move coin. burning those who do not comply. this breaks the fundamental social contract and value prop of bitcoin: sovereign ownership and property rights. it must be opposed. strongly.

Replies (70)

I guess it all depends on timeline. How fast do you think CRQCs will be available? If we have maybe 10 years to get a tested and proven resistant address format, then give maybe 100 years for coins to move 🤔 I wouldn't mind burning coins that didn't bother to move in a century. Whoever had these coins is dead 😅 On the other hand, I can also see these coins as an incentive to produce a quantum computer. Is it good for humanity to develop QC? I guess it is. Could cracking old addresses be seen as a proof of work in developing a QC? I think it can. Your last point, about the chain with fewer coins being chosen by the market, is a good argument tho 🙈 If I were in this scenario, I guess I would hold both chains.
Nobody is promised that their keys will always be safe. Bitcoin doesn't promise that there are easy backups or that your wallet is secure from any hack or possible vulnerability. The only promise Bitcoin gives is that you are responsible, it's permissionless, your coins won't be frozen for political reasons, and there are only 21 million. They DO have the responsibility to move their coins if QC ever threatens ECDSA, but that has nothing to do with the decision to freeze their coins if they don't. We have coins on chain today that we can tell were created from old vulnerable wallets and entropy. They get stolen by bots brute forcing those keys. Why don't we freeze those coins?
It seems really dumb to preemptively freeze coins that aren't stolen and that we don't even know can be stolen. There are vulnerable keys on bitcoin all the time. If anyone has problems with confiscating >1000 sat UTXOs with some proposal like the cat (which I agree is way too far, btw), then I can't see how freezing coins - not because QC is here, but because enough people are afraid that it's imminent - is any different: we are going to go ahead and essentially cause the very harm that others would be vulnerable to (losing their coins) before the quantum attacker does it.
Lopp's proposal is the only one I know of on this topic that's sort of concrete in when it's saying to freeze coins, and every suggestion I have heard is prior to QC being able to do so (as the theft of Satoshi's coins would be the obvious and huge first loss to the problem). But even in that context I still land on the "we don't freeze coins" conclusion, because who knows how many people might still be able to move coins and want to come back before any QC decides to go after their UTXOs, etc. I don't think it is reasonable to assume any QC, even after decades of being able to break one key with a ton of energy or work, would be able to quickly, or in a matter of moments, just break signatures wantonly. Which leaves a massive gap between "they spent 5 years breaking Satoshi's coins" and "everyone else is immediately vulnerable". In other, other words, I still think it is very likely that almost everyone, save for the highest and most obvious balances, would potentially still have years to move their own coins *after* Satoshi's were already broken.
Two points. First of all, I'm somewhat confident we'll learn that a CRQC is imminent with some time left prior to theft being actually possible (see the quoted note). Secondly, I would be surprised, though it's certainly possible, if a QC is only able to steal coins after a year of constant compute. While they won't be instant, maintaining coherence for long is one of the key challenges, so compute being longer than minutes to break a key (with some probability; maybe it takes some number of tries, though) seems somewhat unlikely. Finally, it's worth pointing out that one of the best ways we have to ensure people retain access to their bitcoin (allowing proof-of-seedphrase to allow for spends) *requires* that we freeze vulnerable spend paths before they can be otherwise stolen. So I think that should weigh pretty heavily in favor of freezing. Of course, however, we cannot decide this for any future community, and I think we agree it's *highly* dependent on the particulars of what public information is available and what the timelines look like. The best we can do is speculate on likely scenarios and then decide what we think should happen in them. Sadly, the freeze-vs-not decision is important today, because it impacts what choices we have available to begin preparing - if freezing is highly likely, we can "hide" QC safety in taproot leaves today without impacting wallets. If it's not, it has to be a separate address type, which has *huge* deployment timeline challenges (there are *still* exchanges that can't send to taproot addresses, for example…)
Even in a theoretical world where a CRQC is widely assumed to be on the 'short-term' horizon, I would argue that way more than 2 forks will exist - all with their own biases to determine when to start freezing coins... and each with a strong motive to hard fork away from any soft fork that may potentially usurp a fork's chosen freeze date (block) - including the motive of the don't freeze fork to hard fork away from any freeze soft forks. Everyone has their reasons to freeze or not to freeze. What will be even trickier for those who want to freeze is forming a consensus on exactly WHEN to freeze before it's even knowable that the assumed horizon will ever actually be realized. I say, good luck with that. Economic utility (i.e. mostly the size of a network) will determine the bitcoin the market values most; not the size of the supply.
I'm shocked by what I'm reading. If you freeze or burn Bitcoin UTXOs that you merely presume to be lost, you fundamentally undermine Bitcoin's core promise of censorship resistance. This causes irreparable damage. And why? Out of fear the price might crash? Prices can recover; Bitcoin's credibility cannot. Lost bitcoins are like treasure in a sunken ship, currently unreachable to everyone. The development of quantum computers will change this situation. Whoever is then able to crack the old private keys may lawfully recover the treasure, comparable to a finder who, after centuries, raises a wreck. In order for fair conditions to prevail and for each owner to have the same chance to secure his property, the timely introduction of quantum-resistant addresses is essential.
You’re confusing a core principle of bitcoin for the way the core principle was written down. It’s (obviously) a core principle of Bitcoin that coins never be frozen or stolen by any action aside from a mistake by their owners. However, that’s not the question we face if a CRQC becomes reality. The coins *will* be stolen or frozen, there is no other option [1]. In the face of that, you either pick that they be stolen by some QC startup, or you pick that they be frozen by fork. Also… [1] There is actually one other option. If the keys for the coins were created with a seedphrase-based wallet, we can allow them to be recovered by their owners, but *only* if we freeze vulnerable spend modes!
Freezing other people's bitcoins is wrong, no matter what the motivation. In my view there is only one way to preserve Bitcoin's censorship resistance without violating that principle: introduce quantum-resistant addresses. By adding a new address format that is provably secure against any foreseeable quantum attack, users who consider quantum computers a real threat can voluntarily move their funds to those addresses. The choice remains entirely in the hands of the coin holder. If a holder decides not to migrate, whether because they have lost the private key, because they distrust the new format, or for any other personal reason, then they accept the associated risk. The potential loss is a direct consequence of their own decision, not of an imposed freeze. Should quantum computing enable the reactivation of old Bitcoin addresses, their influx may cause a crash in the price, but the price can recover. A temporary price correction is not a reason to compromise the protocol's core guarantees. Preserving Bitcoin's immutable, permissionless nature must remain the highest priority.
so... the "social problem" is a (perhaps manufactured) crisis? for example, nobody here can gauge the likelihood of QC in the next 10 yrs. how is anybody deficient in information supposed to decide if they support a technical solution to a problem that may not exist? so your slippery slope is an issue becoming precedent for making *technical changes* in response to threats we can't actually measure.
I agree it’s not a technical problem, but of course technical details impact the available options and should be considered. Yes, we agree that “preemptively stealing coins because they may theoretically get stolen in the future” is a terrible idea. Considering such a change at any time prior to when it’s clear that a CRQC is on the immediate horizon and clearly going to happen would be absolutely insane. But once you do reach that point, some vulnerable coins are not going to be claimable by their owners no matter what you do. I prefer to allow some of the owners to get their funds back by freezing and enabling claims via a ZK proof of seedphrase over letting some QC startup steal all the coins. Seems kinda obvious that the community would prefer that to me, but I guess maybe not.
No one is advocating freezing QC-vulnerable spend paths any time soon. And if no CRQC ever appears, then no such freezing should ever occur! The question is only what to do if a CRQC is clearly going to exist within a relatively short time period - do you freeze and let people with seed phrases get their money, or do you let the CRQC operator steal it all?
yes that makes sense. My point is about information availability and social consensus about it. you're assuming people have shared *trusted* information sources to evaluate threats. I'm thinking Matt's point of view is developed from an assumption that people do not share trusted information sources. As a result, social consensus about the reality of a threat could not emerge. So instead of accurately measuring the real likelihood of a threat, people can also get hyped about a threat that is actually very low probability, or people can get information that minimizes what may actually be a high probability threat. Thinking that everyone shares your trust in the information sources you prefer is soooo mid-2000s 😂 it's unfortunate, but it's the information space we live in now.
Certainly possible, yes. I'd be fairly surprised, though. Yes, if a CRQC becomes realistic there may be an incentive to hide it so that you can complete it and go steal a bunch of bitcoin, but generally conspiracies don't really scale - it seems to me it would be incredibly unlikely that a large team of expert scientists (not to mention investors and executives and support staff) would be able to keep quiet that they're within shooting distance of a CRQC. More generally, while it's possible that this happens via some huge breakthrough, that isn't what we've seen so far with QCs - they've made very slow, deliberate progress, iterating in small public steps. A startup making good progress for 5 years then suddenly going dark without shutting down may well also be an indication of something. Ultimately this gets into the "it's hard to speculate what a future community might do" problem, because there is so much detail to any potential scenario that would go into such a decision. In my (fairly strong) opinion, the community is likely to have enough information to be relatively confident that a CRQC is highly likely at least 1-5 years prior to it existing (where the range is mostly uncertainty about the rate, not uncertainty about the state of things), but it certainly could happen that I'm wrong. Ultimately we can't decide for the future community, but we do need to at least somewhat predict what they're going to do, because it's important to understand it to help us decide what to do today to prepare. This all somewhat ignores the possibility that a government gets a CRQC first. I'm admittedly not incredibly concerned about that, both because so far it appears the most advancements have been in private companies willing to throw money at this, but even if that changes, a government leaking that they have a CRQC by stealing Bitcoin doesn't seem super likely to me either.
Question and idea: QC doesn't put Bitcoin's historical blockchain at risk, right? So if someone creates an OTS proof that they own the coins now (i.e. OTS stamping the hash of a signed txn that is never broadcast), could there be a pathway for spending vulnerable coins post QC if they can produce an OTS proof that existed prior to QC?
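The mechanism asked about in the reply above, as an added Python illustration (not code from the poster or from OpenTimestamps): the owner commits to the hash of a signed-but-unbroadcast transaction, the commitment is aggregated into a Merkle tree whose root is anchored at some block height, and a later verifier accepts the legacy spend only if the revealed transaction matches a commitment whose anchor sits at or before a cutoff height. The aggregator here is a simulated stand-in for OTS (real OTS writes the Merkle root into a Bitcoin transaction; the `chain` dict plays that role), and all transaction bytes, heights and names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class TimestampProof:
    """Proof that `commitment` is under the Merkle root anchored at `height`."""
    commitment: bytes
    path: tuple      # ((sibling_hash, sibling_is_left), ...) from leaf to root
    root: bytes
    height: int


class SimulatedTimestamper:
    """Assumption: a toy OTS-style aggregator. `chain` maps height -> anchored root,
    standing in for the root being committed in a Bitcoin block at that height."""

    def __init__(self):
        self.pending = []
        self.chain = {}

    def submit(self, commitment: bytes) -> None:
        self.pending.append(commitment)

    def anchor(self, height: int) -> dict:
        """Merkle-aggregate all pending commitments, anchor the root at `height`,
        and return {commitment: TimestampProof}."""
        leaves = list(self.pending)
        self.pending = []
        if not leaves:
            return {}
        paths = {leaf: [] for leaf in leaves}
        hashes = leaves[:]
        members = [[leaf] for leaf in leaves]   # leaves beneath each node
        while len(hashes) > 1:
            if len(hashes) % 2:                  # odd level: duplicate last node,
                hashes.append(hashes[-1])        # but give the copy no members so
                members.append([])               # no leaf gets a second path entry
            next_hashes, next_members = [], []
            for i in range(0, len(hashes), 2):
                left, right = hashes[i], hashes[i + 1]
                for leaf in members[i]:
                    paths[leaf].append((right, False))   # sibling on the right
                for leaf in members[i + 1]:
                    paths[leaf].append((left, True))     # sibling on the left
                next_hashes.append(sha256(left + right))
                next_members.append(members[i] + members[i + 1])
            hashes, members = next_hashes, next_members
        root = hashes[0]
        self.chain[height] = root
        return {leaf: TimestampProof(leaf, tuple(paths[leaf]), root, height) for leaf in leaves}


def merkle_root_from_path(leaf: bytes, path: tuple) -> bytes:
    h = leaf
    for sibling, sibling_is_left in path:
        h = sha256(sibling + h) if sibling_is_left else sha256(h + sibling)
    return h


def verify_pre_cutoff_claim(signed_tx: bytes, proof: TimestampProof, chain: dict, cutoff_height: int) -> bool:
    """Accept a legacy spend only if the revealed tx was committed before the cutoff."""
    if sha256(signed_tx) != proof.commitment:                      # reveal must match commitment
        return False
    if merkle_root_from_path(proof.commitment, proof.path) != proof.root:  # path must reach the root
        return False
    if chain.get(proof.height) != proof.root:                     # root must really be anchored there
        return False
    return proof.height <= cutoff_height                          # and anchored in time


def demo() -> dict:
    ts = SimulatedTimestamper()
    alice_tx = b"constructed: signed legacy tx spending alice's P2PKH output"
    bob_tx = b"constructed: signed legacy tx spending bob's P2PKH output"
    carol_tx = b"constructed: signed legacy tx spending carol's P2PKH output"
    for tx in (alice_tx, bob_tx, carol_tx):
        ts.submit(sha256(tx))
    early = ts.anchor(height=900_000)       # three leaves: exercises the odd-level case
    late_tx = b"constructed: tx signed after the cutoff, possibly with a forged key"
    ts.submit(sha256(late_tx))
    late = ts.anchor(height=950_000)
    cutoff = 920_000
    forged = TimestampProof(sha256(late_tx), late[sha256(late_tx)].path, late[sha256(late_tx)].root, 900_000)
    return {
        "alice_ok": verify_pre_cutoff_claim(alice_tx, early[sha256(alice_tx)], ts.chain, cutoff),
        "carol_ok": verify_pre_cutoff_claim(carol_tx, early[sha256(carol_tx)], ts.chain, cutoff),
        "late_rejected": not verify_pre_cutoff_claim(late_tx, late[sha256(late_tx)], ts.chain, cutoff),
        "tampered_rejected": not verify_pre_cutoff_claim(alice_tx + b"x", early[sha256(alice_tx)], ts.chain, cutoff),
        "relabeled_height_rejected": not verify_pre_cutoff_claim(late_tx, forged, ts.chain, cutoff),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats the toy makes visible: the proof binds one specific signed transaction, so that transaction must still be valid when revealed (inputs unspent, fee acceptable), and the scheme only shows the signature existed before the cutoff; it does nothing for an owner who never committed, and it relies on the verifier's own view of which root was anchored at which height rather than on the proof's claimed height.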
If the fork without the change survives, the logical conclusion is still that all coins end up in non legacy addresses. Then both markets are the same essentially? What then? I don't see how there's an extra amount of supply. Satoshi's stack is not extra, it's included in 21 million.
Except it's not because a cryptographically relevant quantum computer is physically impossible. But since you're cool with burning for fictional QC, I assume you are cool with burning spam? I assume you support The Cat?
There are basically three camps, as I understand it, who all agree this is impossible. 1. Gil Kalai and friends, who buy QM but say there is "correlated noise" that will limit scale even with perfect engineering. 2. Roger Penrose and friends, who don't buy QM as it stands but have another model and would say there is "self-decoherence" because of gravity and such. 3. The Aristotelian/common sense camp (which I agree with), that says that quantum weirdness is a total misunderstanding because materialists are looking at the world upside down. Whoever has the right model, there are more people than you might think who agree it's obviously not physically possible. That doesn't mean we don't think the engineers are good enough. It means it is not possible because reality has rules, and those rules, called physics, make it fundamentally, totally impossible. I think from a non-insane point of view, as things get bigger you end up with a normal universe and not a quantum weird universe. Have you ever violated the principle of non-contradiction in real life? Have you ever known a cat that was both alive and dead? Whatever the details are, the result is the same. If you are a "Believe the Science" type, rather than a common sense person, I suggest Gil Kalai. They've been running these experiments for a long time and never proven his math or his point wrong this whole time. I am pretty sure a lot of the researchers secretly think he is probably right by now, but what are they going to do? I don't want to burn any coins either, though I have not looked hard enough at The Cat yet to decide if I think it is valid to kill the spam and dust. I do not agree with supporting non-monetary abuses of the network. So maybe that makes sense, but I'm not taking a hard position right now and I'm not focused on that and haven't dug in enough. What I do care about is that doing anything about QC right now is objectively very destructive to Bitcoin and freedom tech in general.
ECC is our best weapon and we shouldn't give it up based on an unfalsifiable and unproven belief that QC is even possible, much less imminent. If they crack a key with Shor we will have plenty of time to deal with it before it becomes an economically viable threat. Which will never happen anyway. So let's shut this FUD attack down for now. There are a lot of bad incentives for promoting this scare and it is all bullshit.
If we burn these coins, once people know that their btc can be seized in an emergency, bitcoin loses one of its most valuable properties. This will be even worse than an attacker owning all the lost coins. A sell-off from a theft is temporary; destroying the value prop of Bitcoin by burning coins is permanent. IMHO
Or maybe the market will choose the bitcoin version where devs advocating for stealing coins from others is not a thing, who knows... It's a typical leftist mindset, what you are doing, sorry. Let's steal from others to protect people from themselves... And by doing so you completely fake the market, the incentives, and what should have been. Anyway, as it's inevitable according to you, you'll just have to sell your coins and work on your preferred version, so no need to argue or post about it.