A Third Option for Legacy Coins in a Post-Quantum Bitcoin


Phlebas
Dec 20, 2025, 4:54:22 AM
to Bitcoin-dev-moderation

A Third Option for Legacy Coins in a Post-Quantum Bitcoin

One of the hardest problems in any post-quantum transition for Bitcoin is how to deal with existing coins that are not quantum-safe, especially older outputs where the public key is already exposed or can be derived once large-scale quantum computation becomes feasible.

Most proposals seem to cluster around two extremes:

  • Let those coins be taken by whoever can break the keys
  • Freeze them permanently once quantum becomes a practical threat

Both outcomes are undesirable.

The only attempt at solving this that I found was in Jameson Lopp's proposal, and it was even marked optional (Phase C). However, it would not apply to very old coins whose private keys are not part of a hierarchical deterministic wallet structure. [1]

Outline of the idea

The core idea is to separate proving ownership from moving coins, and to do this before quantum attacks become practical.

Pre-quantum ownership commitment period

Starting at some point in the future, there would be a long grace period, effectively lasting until quantum attacks become a real concern, during which owners of legacy, non-quantum-safe coins can make a one-time on-chain commitment proving that they control the relevant private keys at that time.

This would not involve moving coins or revealing ownership publicly.
Instead, the owner would:

  • generate a proof of control using the existing key material, demonstrating that the owner could have spent the specific UTXO under the pre-quantum consensus rules, without actually broadcasting such a transaction
  • hash that proof
  • commit the hash to the blockchain as a timestamped commitment

The proof itself remains private and is never published unless it is needed later.

Conditional fork

If, and only if, quantum attacks become a real threat, a fork could be activated at a predetermined future date.

After that point:

  • non-quantum-safe legacy coins that never made a commitment become frozen
  • coins that did make a prior commitment remain recoverable

If quantum never becomes practical, nothing changes and the fork never needs to activate.

Unlocking frozen coins

To spend a frozen legacy output after the fork, the owner would need to:

  • reveal the preimage of the earlier commitment
  • demonstrate that it was created before the cutoff
  • transition the coins to a quantum-safe spending condition

Verification of the revealed preimage would ensure that the earlier commitment was tied to the ability to spend that specific output under the pre-quantum rules. This proves that the owner controlled the keys before quantum attacks were feasible, without requiring early disclosure or forced migration.

Why this seems preferable

  • No forced movement of coins today, no early loss of privacy, and the early-mined coins can remain a mystery.
    Owners are not required to migrate funds or reveal linkages unless and until they actually want to spend. This could happen long after quantum computing becomes a reality.
  • No unnecessary consensus change
    If quantum computing never becomes a practical threat, the system remains unchanged.

Open questions

There are many technical issues to get right, such as the commitment format, binding proofs to specific UTXOs, and wallet support. Conceptually, however, it seems cleaner than mass confiscation, allowing silent theft, or some hypothetical recovery based on a ZK proof of a BIP39 seed.

I am interested in feedback on whether this approach has been discussed before in a similar form, and whether there are obvious technical or economic objections I am missing.

[1] https://groups.google.com/g/bitcoindev/c/uEaf4bj07rE/m/wyzDA6tdBQAJ A Post Quantum Migration Proposal

If you like my work, you can donate to the following Bitcoin address: bc1qjadanncwanfhajwh57r4pjhlecd42a0l3msh5d

Donations are voluntary and anonymous.
They are intended solely to support my independent, non-commercial open-source work.
Donations do not create any entitlement to services, support, or deliverables.

Phlebas
Dec 20, 2025, 7:22:06 AM
to Bitcoin-dev-moderation
This post was denied on the “Bitcoin Development Mailing List” because it was already proposed by another party [1].
I still however have no idea why nobody is actively working on this.

[1] https://gist.github.com/phyro/64f99a4b26b26e69a4092fc434b62e2f Silent transition to post-quantum Bitcoin outputs

Борис Нагаев
Dec 20, 2025, 1:50:38 PM
to Bitcoin-dev-moderation
Hi,

If an owner of an old coin (protected by a pubkey not derived from an HD wallet) can still prove ownership of the coin, they could just move it to a new address type (e.g. a P2WPKH address whose pubkey is derived from an HD wallet).

The only advantage of the commitment approach is that they can do it secretly until the quantum threat is real. This means that if Satoshi is still alive, he could use the commitment scheme and nobody would know about this if quantum computers never evolve.

But do we actually want this? Why should we change the protocol to maintain this secret? If Satoshi is alive, he can move the coins to a newer address - why not? One can argue that Satoshi moving a bunch of coins would scare the market. But better to scare earlier than later! While the destiny of Satoshi's coins is unknown, markets still price in a probability that he may still be around.

Boris

Phlebas
Dec 20, 2025, 5:31:22 PM
to Bitcoin-dev-moderation

>This means that if Satoshi is still alive, he could use the commitment scheme and nobody would know about this if quantum computers never evolve.

Even if quantum computing does become practical, nobody would know until the coins are actually moved.

The worst approach would be to let those coins be taken by whoever can break the keys. I see online that this is actually a fairly popular position, sometimes combined with some form of rate limiting. If this sets a precedent where Bitcoin effectively allows coins to be taken every few decades whenever new mathematics or technology emerges, that would be deeply problematic. If anything, I hope this proposal steers people away from that option.

If there is no option to address this without forcing coins to move, some properties of Bitcoin are lost unnecessarily. Some central banks allow unlimited exchange of old banknotes, while others, such as France and Italy, imposed exchange deadlines. Bitcoin should align with the former approach and make recovery possible to the greatest extent that is technically achievable. Mathematical or other breakthroughs should not be used as a justification to reveal secrets unnecessarily.




On Saturday, 20 December 2025 at 19:50:38 UTC+1, bna...@gmail.com wrote:

Борис Нагаев
Dec 20, 2025, 8:54:05 PM
to Bitcoin-dev-moderation
I'm not advocating for letting Satoshi's coins be taken by someone with a quantum computer.

I want to share a couple of proposals made on another list. Since you are working on a pre-commitment scheme, you might find them interesting.

1.
> hypothetical recovery based on ZK proof of a BIP39 seed

It is possible to make a commit-reveal scheme relying on BIP39, no ZK stuff:

The scheme was discussed/adjusted in other messages as well. In particular, what should be kept in mind is resistance to miners colluding to delay the reveal transaction and to make another commit tx to steal the funds in their own reveal transaction. Conduition and I came up with a way to prevent this collusion.

It is a very solid proposal. It covers almost all the coins, even the ones on reused addresses. It doesn't allow any stealing.

The scheme is very simple, no ZK, just a regular MAC.

2. An older commit-reveal proposal for all hash-protected non-BIP39 coins. It recovers more coins, but doesn't protect coins whose pubkeys are publicly known.

Neither of these two schemes lets Satoshi recover his coins. On the other hand, these schemes do not demand doing something in advance to save the coins.

3. Finally, I want to share this pre-commitment proposal (Hourglass):

Phlebas
Dec 21, 2025, 5:05:49 AM
to Bitcoin-dev-moderation

Very interesting, but all of those proposals fail to recover non-HD coins whose public keys are already exposed.

The Hourglass proposal is the one I really do not like. To quote the abstract:

> This BIP describes a new set of spending rules for Bitcoin called "Hourglass." The intent is to impose a throughput restriction on the number of P2PK spends to one per block-- to slow the inflationary impacts of potential quantum attacks on these addresses.

Inflation is theft. Slower theft is still theft. In fact, this is exactly what fiat currencies have been doing since 1971: slow, controlled debasement so that markets do not immediately notice. I do not think Bitcoin should deliberately adopt additional inflation on top of the issuance scheme established at genesis.


On Sunday, 21 December 2025 at 02:54:05 UTC+1, bna...@gmail.com wrote:

Phlebas
Dec 29, 2025, 4:44:10 PM
to Bitcoin-dev-moderation

Although Bitcoin has not yet selected a post-quantum signature scheme, owners of coins with already-exposed public keys could already take action today.
In the absence of a post-quantum signature scheme or zero-knowledge proofs, such a migration would require two commitment transactions and a single reveal/spend transaction.

I have a couple of detailed drafts I am currently working on, but here is my motivation and high-level sketch:

Pre-quantum phase (can be done now, no change to Bitcoin necessary):

  1. The owner commits (in an unlinkable/private way) to:

    • a proof of pre-quantum ownership of the exposed-pubkey UTXO, and

    • a future hash-based spend path (effectively attaching a hashed-public-key–style control to that UTXO).

Post-quantum (or never):

  2. The owner publishes a public commitment that links the protected UTXO to the earlier hidden commitment and commits to a specific recovery spend.

  3. A final reveal unlocks the commitment and spends the coin.

Conceptually, steps (2) and (3) closely follow the structure of the existing commit-reveal proposal for all hash-protected non-BIP39 coins [1].

The motivation for this approach is not to force or assume migration of all such coins to quantum-safe addresses. In practice, many owners may choose to migrate early, while others may never be moved at all. Instead, the key objective is to allow owners to establish cryptographic continuity of ownership without revealing themselves.

By enabling owners to make private, time-stamped commitments before quantum attacks become practical, this approach changes the underlying game theory. Coins with exposed public keys would no longer be automatically assumed to be abandoned or unowned once quantum capabilities exist. As a result, proposals that implicitly rely on eventual confiscation or adversarial capture of such coins [2], rather than freezing and recovery, lose a crucial assumption: the inability to reliably distinguish a legitimate pre-quantum owner from a post-quantum attacker.

In other words, even if some coins are never recovered, the existence of pre-quantum commitments preserves long-term ambiguity about ownership. This ambiguity itself has value, as it removes the incentive to design protocol changes around the expectation that quantum attackers should ultimately be allowed to claim those coins.

[1] https://groups.google.com/g/bitcoindev/c/jr1QO95k6Uc/m/lsRHgIq_AAAJ
Commit-reveal proposal for all hash-protected non-BIP39 coins

[2] https://github.com/cryptoquick/bips/blob/hourglass/bip-hourglass.mediawiki
Hourglass spending rules


On Sunday, 21 December 2025 at 11:05:49 UTC+1, Phlebas wrote:

conduition
Jan 18, 2026, 7:03:58 PM
to Bitcoin-dev-moderation
Hi Phlebas,

I think it'd be absurd to encourage people to publish commitments on-chain today based on the promise of a future soft fork which would be years away from even being standardized, let alone deployed. Any commitment they make today cannot fully commit to a reveal transaction's destination, because, as you said, we don't have fully quantum-resistant addresses yet. This is why you specified a 3-phase precommit/commit/reveal scheme in your most recent message, instead of a 2-phase commit/reveal scheme like the ones Boris has referenced.

For your proposal to mean anything, it assumes we must also eventually deploy quantum-safe addresses - otherwise where are you gonna send your coins to? If we have quantum-safe addresses with PQ signing schemes, and you are active and online, then what is the point in publishing some abstract commitment message, when you could just move your bitcoins to a quantum-safe address?

Ignoring the "quiet satoshi" question (satoshi being alive but hiding and unwilling to move coins), then the only people for whom this scheme would be worthwhile are those who are 

1. online and active today, 
2. want to protect themselves against future CRQCs, and
3. will be AFK when full PQ addresses become available

How many people do you think fit this description?

Alternatively, this scheme could be of use in a scenario where, having already fully deployed your scheme, we somehow fail to deploy post-quantum addresses in time before a mature CRQC appears and starts sniping high-value UTXOs. At that point, we'd be forced to make some tough choices about how to authenticate UTXOs going forward, and whether to enact a freeze while we work on a solution. I highly doubt this will happen, if for no other reason than the fact that BIP360 is already very mature and undergoing active review right now, whereas this even-more-complex proposal is still in its infancy.

An even more significant drawback is that, unlike other commit/reveal protocols, yours doesn't allow procrastinators to prove ownership of their coins after a potential future post-quantum freeze. It only works for UTXOs whose owners are active and online today, and willing to publish some data on-chain now as preemptive insurance. If you do not publish the first phase commitment in time, you are hooped. If we are going to implement any kind of commit/reveal protocol, I feel strongly that it should include procrastinators, so as to salvage as much of the authenticatable coin supply as theoretically possible.

The best thing that users can do today to ensure their bitcoin is safe against a future CRQC is to move their coins to unused P2WPKH wallets, derived with at least one step of hardened BIP32 (almost all modern wallets do this). That protects you against long-exposure attacks by hiding your public key behind a hash, and also gives a passable way to prove ownership down the line if any kind of freeze were ever to be deployed. Protection against short exposure attacks will need a soft fork of some kind. I am bullish on BIP360, and follow up work is underway to standardize post-quantum signing schemes, probably by redefining OP_SUCCESS opcodes in tapscript.

regards,
conduition

Phlebas
Jan 19, 2026, 5:30:19 PM
to Bitcoin-dev-moderation

Hi conduition,

I have no problem with BIP360; it is Hourglass [1] that I am strongly against. My proposal is a direct alternative to the Hourglass [1] proposal.

> what is the point in publishing some abstract commitment message, when you could just move your bitcoins to a quantum-safe address?

Precommit, phase 1 in my proposal, can be done now; no change to Bitcoin is necessary. This has several advantages.

  1. People can act now in stealth and in complete privacy. The stealth and private option is especially important.

  2. Yes, without phases 2 and 3 these coins cannot be moved, but cryptographic proof of pre-quantum control is still possible even without any change to Bitcoin.

  3. The existence of pre-quantum commitments preserves long-term ambiguity about ownership. This ambiguity itself has value. It removes the incentive to design protocol changes around the expectation that quantum attackers should ultimately be allowed to claim those coins like with Hourglass [1].

> An even more significant drawback is that, unlike other commit/reveal protocols, yours doesn't allow procrastinators to prove ownership of their coins after a potential future post-quantum freeze. 

I have seen no protocol to prove ownership after a post-quantum freeze for the coins that I’m targeting. All of those proposals fail to recover non-HD coins whose public keys are already exposed.

> It only works for UTXOs whose owners are active and online today, and willing to publish some data on-chain now as preemptive insurance.

My proposal not only works for the owners who are active today. It also helps in the case of coins that may be lost (or not provably burned), because the ambiguity is preserved post-quantum.
Ambiguity and game theory are the whole point of this proposal.

[1] https://github.com/cryptoquick/bips/blob/hourglass/bip-hourglass.mediawiki
Hourglass spending rules

regards,

Phlebas




On Monday, 19 January 2026 at 01:03:58 UTC+1, conduition wrote:

Phlebas
Mar 31, 2026, 4:33:58 PM
to Bitcoin-dev-moderation

I'm not getting a lot of positive feedback on this yet, but I’m continuing to work through the implications.

One reassuring signal is that large Bitcoin holders like Michael Saylor are also opposed to simply allowing quantum attackers to seize vulnerable coins (e.g. proposals like Hourglass[1]).

If this ever leads to a chain split (which I hope it doesn’t), I think the economic outcome is relatively clear.

Consider two scenarios:

Chain A: vulnerable coins are frozen once quantum attacks become feasible
Chain B: vulnerable coins can be claimed by whoever breaks the keys (Hourglass[1] style)

In Chain B, you would have two major sources of sell pressure:

  • quantum attackers selling stolen coins
  • large holders exiting Chain B

If both groups dump Chain B and rotate into Chain A, liquidity and price on Chain B would likely collapse quickly.

In that scenario, Chain A becomes the focal point the market coordinates on as “real Bitcoin,” and Chain B economically fails.

On Monday, 19 January 2026 at 23:30:19 UTC+1, Phlebas wrote: