Proposal for Quantum-Resistant Address Migration Protocol (QRAMP) BIP

[Agustin Cruz]

Dear Bitcoin Developers,

I am writing to share my proposal for a new Bitcoin Improvement Proposal (BIP) titled Quantum-Resistant Address Migration Protocol (QRAMP). The goal of this proposal is to safeguard Bitcoin against potential future quantum attacks by enforcing a mandatory migration period for funds held in legacy Bitcoin addresses (secured by ECDSA) to quantum-resistant addresses.

The proposal outlines:

• Reducing Vulnerabilities: Transitioning funds to quantum-resistant schemes preemptively to eliminate the risk posed by quantum attacks on exposed public keys.
• Enforcing Timelines: A hard migration deadline that forces timely action, rather than relying on a gradual, voluntary migration that might leave many users at risk.
• Balancing Risks: Weighing the non-trivial risk of funds being permanently locked against the potential catastrophic impact of a quantum attack on Bitcoin’s security.

Additionally, the proposal addresses common criticisms such as the risk of permanent fund loss, uncertain quantum timelines, and the potential for chain splits. It also details backwards compatibility measures, comprehensive security considerations, an extensive suite of test cases, and a reference implementation plan that includes script interpreter changes, wallet software updates, and network monitoring tools.

For your convenience, I have published the full proposal on my GitHub repository. You can review it at the following link:

Quantum-Resistant Address Migration Protocol (QRAMP) Proposal on GitHub

I welcome your feedback and suggestions and look forward to engaging in a constructive discussion on how best to enhance the security and resilience of the Bitcoin network in the quantum computing era.

Thank you for your time and consideration.

Best regards,

Agustin Cruz

[Dustin Ray]

Right off the bat I notice you are proposing that legacy funds become unspendable after a certain block height which immediately raises serious problems. A migration to quantum hard addresses in this manner would cause serious financial damage to anyone holding legacy funds, if I understand your proposal correctly.

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/08a544fa-a29b-45c2-8303-8c5bde8598e7n%40googlegroups.com.

[Agustin Cruz]

Hi Dustin

To clarify, the intent behind making legacy funds unspendable after a certain block height is indeed a hard security measure—designed to mitigate the potentially catastrophic risk posed by quantum attacks on ECDSA. The idea is to force a proactive migration of funds to quantum-resistant addresses before quantum computers become capable of compromising the current cryptography.

The migration window is intended to be sufficiently long (determined by both block height and community input) to provide ample time for users and service providers to transition.

[Dustin Ray]

I think youre going to have a tough time getting consensus on this
proposal. It is an extraordinary ask of the community to instill a
change that will essentially void out a non-trivial part of the coin
supply, especially when funds behind unused P2PKH addresses are at
this point considered safe from a quantum adversary.

In my opinion, where parts of this proposal make sense is in a quantum
emergency in which an adversary is actively extracting private keys
from known public keys and a transition must be made quickly and
decisively. In that case, we might as well consider funds to be lost
anyways. In any other scenario prior to this hypothetical emergency
however, I have serious doubts that the community is going to consent
to this proposal as it stands.

[Agustin Cruz]

Hi Dustin:

I understand that the proposal is an extraordinary ask—it would indeed void a non-trivial part of the coin supply if users do not migrate in time, and under normal circumstances, many would argue that unused P2PKH funds are safe from a quantum adversary. However, the intent here is to be proactive rather than reactive.

The concern isn’t solely about funds in active wallets. Consider that if we don’t implement a proactive migration, any Bitcoin in lost wallets—including, hypothetically, Satoshi’s if he is not alive—will remain vulnerable. In the event of a quantum breakthrough, those coins could be hacked and put back into circulation. Such an outcome would not only disrupt the balance of supply but could also undermine the trust and security that Bitcoin has built over decades. In short, the consequences of a reactive measure in a quantum emergency could be far more catastrophic.

While I agree that a forced migration during an active quantum attack scenario might be more acceptable (since funds would likely be considered lost anyway), waiting until such an emergency arises leaves us with little margin for error. By enforcing a migration now, we create a window for the entire community to transition safely—assuming we set the deadline generously and provide ample notifications, auto-migration tools, and, if necessary, emergency extensions.

[Hunter Beast]

I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation.

Also, I don't see the urgency, considering the majority of coins are in either P2PKH, P2WPKH, P2SH, and P2WSH addresses. If PQC signatures aren't added, such as with BIP-360, there will be some concern around long exposure attacks on P2TR coins. For large amounts, it would be smart to modify wallets to support broadcasting transactions to private mempool services such as Slipstream, to mitigate short exposure attacks. Those will also be rarer early on since a CRQC capable of a long exposure attack is much simpler than one capable of pulling off a short exposure attack against a transaction in the mempool.

Bitcoin's Q-day likely won't be sudden and obvious. It will also take time to coordinate a soft fork activation. This shouldn't be rushed.

In the interest of transparency, it's worth mentioning that I'm working on a BIP-360 implementation for Anduro. Both Anduro and Slipstream are MARA services.

[Pieter Wuille]

On Wednesday, February 19th, 2025 at 11:06 AM, Hunter Beast <hun...@surmount.systems> wrote:

I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation.

Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking(*) out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone; even those which diligently moved their coins to PQC-protected schemes.

Also, I don't see the urgency, considering the majority of coins are in either P2PKH, P2WPKH, P2SH, and P2WSH addresses. If PQC signatures aren't added, such as with BIP-360, there will be some concern around long exposure attacks on P2TR coins.

There were literally millions of BTC locked in outputs whose public keys are already known to the public, long before P2TR. Either because of they're in P2PK outputs, because they're in hashed addresses which have been reused and already using for spending, or because they're been spent in forked chains. There are likely substantially more BTC in outputs whose public keys are known to multiple parties (multisig, lightning channels, escrow services, ...) but not to the entire world.

I certainly agree there is no urgency right now, but if (and only if) cryptography-breaking QCs become a reality, the ecosystem has no choice but disabling(*) the spending of coins through schemes that become broken, and needs to have done so before such a machine exists.

(*) There may exist ways of retaining the ability to spend coins in vulnerable schemes, if they involve a PQC proof of knowledge of some additional secret, e.g. the xprv the key was derived with. It's a significant complication, not and applicable to everything, but might be an option.

-- 

Pieter

[Agustin Cruz]

Hi Hunter,

I appreciate the work you’re doing on BIP-360 for Anduro. Your point about not “confiscating” old coins and allowing those with quantum capabilities to free them up is certainly a valid one, and I understand the argument that any inflationary impact could be transitory.

From my viewpoint, allowing quantum-capable adversaries to reintroduce dormant coins (e.g., Satoshi’s if those keys are lost) could have unintended consequences that go beyond transient inflation. It could fundamentally alter trust in Bitcoin’s fixed supply and disrupt economic assumptions built around the current distribution of coins. While some might view these dormant coins as “fair game,” their sudden reappearance could cause lasting market shocks and undermine confidence. The goal of a proactive migration is to close the door on such a scenario before it becomes imminent.

I agree that Q-day won’t necessarily be a single, catastrophic moment. It will likely be gradual and subtle, giving the network some time to adapt. That said, one challenge is ensuring we don’t find ourselves in an emergency scramble the moment a capable quantum machine appears. A forced or proactive migration is an admittedly strong measure, but it attempts to address the scenario where a slow, creeping capability becomes a sudden attack vector once it matures. In that sense, “rushing” isn’t ideal, but neither is waiting until the threat is undeniably present.

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/f9e233e0-9d87-4e71-9a9f-3310ea242194n%40googlegroups.com.

[Dustin Ray]

It's worth considering a hypothetical but as of yet unknown middle ground solution, again nothing like this exists currently but conceptually it would be interesting to explore:

1. At some block height deemed appropriate, modify consensus so that any pre-quantum unspent funds are restricted from being spent as normal.

2. Develop a new transaction type whose sole purpose is to migrate funds from a quantum unsafe address to a safe one.

3. This new transaction type is a quantum safe digital signature, but here's the hypothetical: It is satisfied by developing a mechanism by which a private key from a quantum-unsafe scheme can be repurposed as a private key for a pq-safe scheme. It may also be possible that since we know the hash of the public key, perhaps we can invent some mechanism whereby a quantum safe signature is created from an ecdsa private key that directly implies knowledge of a secret key that derived the known public key.

In this way, we create a kind of turnstile that can safely transition funds from unsafe addresses into safe ones. Such turnstiles have been used in blockchains before, a notable example is in the zcash network as part of an audit of shielded funds. 

There are likely hidden complexities in this idea that may cause it to be completely unworkable, but a theoretical transition mechanism both prevents a heavy handed confiscation of funds and also prevents funds from being stolen and injected back into the supply under illegitimate pretenses.

This only works for p2pkh, anything prior to this is immediately vulnerable to key inversion, but Satoshi owns most of those coins as far as we know, so confiscating them might not be as controversial.

I'm typing this on my phone so sorry for the lack of detailed references. I think the core idea is clear though.

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAJDmzYz%3D52MGGLE0ZWm5tmfLUAZEo2tYQutHb4sMvjKbayOAHg%40mail.gmail.com.

[Dustin Ray]

To be clear, the turnstile approach is definitely a forced migration. It just means that instead of permanently confiscating funds and removing them from circulation, you force the rightful owners of those funds to move them into quantum safe addresses, assuming the existence of a hypothetical turnstile mechanism. There's too many hypotheticals with this idea right now to give it any more than a cursory glance, but turnstiles have been built before and could potentially be built again in this scenario.

For further clarification, I'm suggesting that we enforce migration of unspent funds in p2pkh addresses because they are already secured by hashes which are currently conjectured to remain safe against a quantum adversary. Pre-p2pkh addresses are probably the most vulnerable but few of these had seen use comparatively and may require confiscation.

If your idea is to simply lock down and confiscate any pre-pq safe funds, I resolutely disagree with that decision and I am fairly confident that consensus will fail to materialize around that. What I'm suggesting however is that your idea is realistic and sound if we assume the existence of some mechanism that allows rightful owners of pre-pq funds the opportunity to do nothing except migrate to safe addresses which then resolves the issue.

On Wed, Feb 19, 2025 at 1:07 PM Agustin Cruz <agusti...@gmail.com> wrote:

Hi Dustin,

I remain convinced that a forced migration mechanism—with a clear block height deadline after which quantum-unsafe funds become unspendable—is the more robust and secure approach. Here’s why:

A forced migration approach is unambiguous. By establishing a definitive deadline, we eliminate the need for an additional transitional transaction type, thereby reducing complexity and potential attack vectors. Additional complexity could inadvertently open up new vulnerabilities that a more straightforward deadline avoids.

If we don’t enforce a hard migration, any Bitcoin in lost wallets—including coins in addresses that no longer have active private key management, such as potentially Satoshi’s—could eventually be compromised by quantum adversaries. If these coins were hacked and put back into circulation, the resulting market shock would be catastrophic. The forced migration mechanism is designed to preempt such a scenario by ensuring that only quantum-safe funds can be spent once the deadline is reached.

[Agustin Cruz]

Hi Dustin,

I remain convinced that a forced migration mechanism—with a clear block height deadline after which quantum-unsafe funds become unspendable—is the more robust and secure approach. Here’s why:

A forced migration approach is unambiguous. By establishing a definitive deadline, we eliminate the need for an additional transitional transaction type, thereby reducing complexity and potential attack vectors. Additional complexity could inadvertently open up new vulnerabilities that a more straightforward deadline avoids.

If we don’t enforce a hard migration, any Bitcoin in lost wallets—including coins in addresses that no longer have active private key management, such as potentially Satoshi’s—could eventually be compromised by quantum adversaries. If these coins were hacked and put back into circulation, the resulting market shock would be catastrophic. The forced migration mechanism is designed to preempt such a scenario by ensuring that only quantum-safe funds can be spent once the deadline is reached.

[Agustin Cruz]

Hi Dustin,

My proposal is not about locking down or confiscating funds. It is about ensuring that vulnerable pre-P2PKH funds are migrated to quantum-safe addresses before any quantum adversary can exploit them. Even though P2PKH addresses are secured by hashes that are currently considered safe, relying solely on that safety may leave us exposed in the future, especially as quantum capabilities continue to evolve. Without a forced migration, we risk leaving a significant portion of the coin supply vulnerable. Consider the possibility that if we don’t act, any Bitcoin in lost wallets could eventually be hacked and put back into circulation. Such a scenario would be catastrophic for the network.

I believe that by enforcing a deadline for migration, we provide rightful owners with a clear, non-negotiable opportunity to secure their funds. This approach is not merely hypothetical. It is a proactive measure that addresses the imminent risk of quantum attacks. While turnstile mechanisms have been considered and might have merit under certain conditions, I remain committed to the idea that a forced migration, with sufficient notice and robust safeguards, is both realistic and necessary to protect the long-term security of Bitcoin.

[Dustin Ray]

I don't disagree personally with most of what you're saying except where the real catastrophe lies. Id argue it's catastrophic for the value proposition of a blockchain to effectively seize funds, which is what your proposal does in case anyone fails to migrate before the deadline.

On the other hand, it's equally catastrophic for digital signatures to be broken and funds lost in any scenario. So it seems we are staring down two extremely untenable outcomes, both of which see the fundamental properties of a blockchain shattered in one way or another.

I hope it doesn't come down to having to choose one or the other. There is very serious financial harm that will occur in either scenario. I dearly hope there is a practical technological solution that allows for safe and fair migration, and in my mind and experience, I don't think we have to resign ourselves to a zero sum game just yet. But I appreciate your proposal and the proactive nature of this discussion, it's important to have these conversations now rather than later.

[Agustin Cruz]

Hi everyone,

I wanted to kick off a discussion on how the Quantum-Resistant Address Migration Protocol (QRAMP), could integrate smoothly with the existing BIP-360 (Pay to Quantum Resistant Hash) proposal. Both of these proposals aim to protect Bitcoin from potential quantum computing threats, but they approach the problem from slightly different angles. I believe they could complement each other nicely.

The QRAMP proposal introduces a mandatory migration period after which spending from legacy ECDSA-based addresses becomes invalid. The goal is to push users proactively towards quantum-resistant addresses, ensuring older, potentially vulnerable public keys are phased out before quantum computing poses a real threat.

Meanwhile, BIP-360 defines a new quantum-resistant address format and associated transaction validation rules. It introduces hash-based and hybrid post-quantum signatures, designed specifically to integrate smoothly with Bitcoin’s current infrastructure, avoiding sudden disruptions or significantly increased block sizes.

Together, I see QRAMP and BIP-360 forming a robust approach. QRAMP provides a clear timeline and incentive for users to migrate their funds, while BIP-360 provides the technical standard and address types to which users can securely transition. Wallets and infrastructure could offer clear user guidance throughout the transition period, supporting both legacy and quantum-resistant addresses simultaneously. Once QRAMP's deadline passes, the network smoothly moves forward with only quantum-resistant addresses being valid.

I think this combined approach could provide a secure, user-friendly transition path, reducing the potential disruption to the network while effectively mitigating quantum risks. I'd really appreciate your thoughts, concerns, or ideas on how we could refine this integration.

Regards,

Agustín Cruz 

[Michal Kolesár]

Dear Agustin,

enforcement in general doesn’t seem like a good choice to me. If I were to compare it to the real world, it’s as if people had money or jewelry in bank vaults that were unbreakable at the time they were stored. After a certain period, it’s discovered that these vaults could be breached, and we’d tell everyone they have to buy new vaults and move their diamonds, gold, and banknotes into them. If they don’t do it, everything in their old vaults would be confiscated and destroyed. Surely, it’s normal that people would naturally buy new vaults (or move to safer ones) if they’re informed well in advance and loudly enough about the outdated vaults. And if they decide not to replace them, someone will eventually break in sooner or later and become the new owner of their "wealth." That’s how it works in the real world, after all. Yes, perhaps if someone steals a large amount of Bitcoin en masse, it might temporarily lower its value. But that’s fine—it would just redistribute old, lost, or unused Bitcoins into new ownership, where someone would start using them. It’s like finding a lost treasure from the past at the bottom of the ocean.

Best regards,

Michal

[Agustin Cruz]

Hi Michal,

I completely understand your point of view. However, the concern with QRAMP isn’t about arbitrarily punishing users or confiscating assets without reason. Rather, it’s about mitigating a very real, systemic risk. If a significant amount of funds remains in legacy addresses and a quantum breakthrough occurs, the attack wouldn’t be a one-off incident targeting a few unlucky individuals. Instead, it could compromise the security of the entire network, affecting countless users and shaking confidence in Bitcoin as a whole.

The enforcement aspect of QRAMP is intended as a last-resort safety mechanism after a long and well-communicated migration period. It’s designed to ensure that by the time any quantum-capable adversary comes along, almost everyone’s funds are protected by quantum-resistant cryptography. The goal is to preempt a scenario where the vulnerability becomes so widespread that a malicious actor could trigger a massive, destabilizing reallocation of wealth.

The enforced migration is less about penalizing users and more about preserving the long-term security and stability of the network for everyone.

Best regards,
Agustin

--

You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/83e89408-a20c-4297-96eb-3ca353be02abn%40googlegroups.com.

[ArmchairCryptologist]

One major issue with a mandatory transition to quantum-resistant addresses that I haven't seen brought up is that block size is limited. In such a scenario, it could be highly beneficial for parties that benefit from high fees to flood the network with bogus transactions to force the fees arbitrarily high, since people would then be forced to either pay exorbitant fees to move their funds by the deadline, or lose their funds entirely. As such, this does not seem like a good idea in general, at least unless the transition period is extremely long (say 10 years or more).

A less drastic proposal could be to (at least initially) only disable spending from the less common outputs that have no inherent quantum resistance by virtue of having a hashed public key, such as P2PK and P2TR, while leaving the safer variants with hashed public keys like P2PKH and P2WPKH spendable. Most analyses of quantum algorithms I have read suggest that at least initially, they would take a significant amount of time to calculate a private key even if the public key is known, which means that even if there were a quantum breakthrough, there should be a relatively low chance of having funds intercepted between broadcasting it (which would of course reveal the public key) and having it included in a block. Furthermore, there would always be the option of only revealing the transaction to a trusted miner rather than broadcasting it, foregoing the risk entirely.

UTXOs with hashed public keys might still need to be disabled at some point, seeing as a non-insignificant number of them have a revealed public key due to address reuse, and that quantum computers might eventually reach the point where the chance of breaking a private key after broadcasting but before block inclusion is non-insignificant, but this should at least alleviate the initial rush of disabling everything at once.

--

Best,

ArmchairCryptologist

To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAJDmzYxAv8ahPOoTVryqy6oE8nUX0%2B49BHHhO%3D%3DM1HpZCuMNbQ%40mail.gmail.com.