"I don't see why old coins should be confiscated. The better option is to let those with quantum computers free up old coins. While this might have an inflationary impact on bitcoin's price, to use a turn of phrase, the inflation is transitory. Those with low time preference should support returning lost coins to circulation."
- Hunter Beast
"Of course they have to be confiscated. If and when (and that's a big if) the existence of a cryptography-breaking QC becomes a credible threat, the Bitcoin ecosystem has no other option than softforking out the ability to spend from signature schemes (including ECDSA and BIP340) that are vulnerable to QCs. The alternative is that millions of BTC become vulnerable to theft; I cannot see how the currency can maintain any value at all in such a setting. And this affects everyone; even those which diligently moved their coins to PQC-protected schemes."
- Pieter Wuille
Not your keys, not your coins.
Your keys, only your coins.
"Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone." - Satoshi Nakamoto
"Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone." - Jameson Lopp
Hi!
What is your perspective on time-locked coins that become spendable
only after a set deadline? Unlike regular holders who can migrate
their funds in advance, owners of time-locked coins, such as those set
to unlock through an inheritance or a smart contract, have no way to
react before the deadline. Imagine you received an inheritance set to
unlock in 2030, only to find that the deadline for migration is set
for 2029. Would such cases be considered an acceptable loss, or is
there a way to account for them without violating Bitcoin’s
principles?
Boris
> --
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com.
--
Best regards,
Boris Nagaev
--
--
Allowing a quantum computer to access lost funds doesn't make those users any worse off than they were before, however it wouldhave a negative impact upon everyone who is currently holding bitcoin.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/E8269A1A-1899-46D2-A7CD-4D9D2B732364%40astrotown.de.
Hi everyone!
Seeing the discussions about transitioning to quantum-resistant signatures, I notice three main concerns:
What should be done with vulnerable funds? Freeze them or leave them exposed?
How can the transition be made without affecting Bitcoin’s stability or dividing the community?
How can we avoid market chaos if the transition is disorderly?
Personally, I believe the key is a gradual, well-planned transition based on incentives rather than abrupt changes that create uncertainty.
I can think of a three-phase approach:
🔹 First, allow users to add optional PQC keys to their Taproot addresses starting now.
🔹 Then, before the quantum threat becomes real, introduce a soft fork that disables vulnerable signatures, but with a long migration period (at least four years).
🔹 Finally, when the threat is imminent, gradually phase out old signatures instead of forcing a sudden change.
For this to work, adoption should be incentivized—for example, with lower fees for secure transactions and wallet tools that facilitate a smooth transition. Additionally, real-time monitoring of vulnerable addresses would help mitigate risks.
Another key point is to avoid panic. Instead of a sudden "D-Day" where everything changes at once, the deactivation of old UTXOs should be gradual, with clear communication so no one feels forced or disadvantaged.
In summary, this is not about imposing rules or confiscating anything, but about providing options for an orderly transition that doesn’t compromise Bitcoin’s philosophy.
-Javier Mateos
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADL_X_cF%3DUKVa7CitXReMq8nA_4RadCF%3D%3DkU4YG%2B0GYN97P6hQ%40mail.gmail.com.
This is the free-market way to solve problems without imposing rules on everyone.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAJDmzYxw%2BmXQKjS%2Bh%2Br6mCoe1rwWUpa_yZDwmwx6U_eO5JhZLg%40mail.gmail.com.
Op 28 mei 2025, om 03:07 heeft waxwing/ AdamISZ <ekag...@gmail.com> het volgende geschreven:Hi all,I'd like to point out that the worst case scenarios here might be even worse than one naturally thinks.
Two more observations:(3) I do really like the "disabled NUMS" concept in regard to taproot external keys, for paving the way to PQC in tapleaf. This is one kind of censorship that cannot be controversial.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAJDmzYycnXODG_e9ATqTkooUu3C-RS703P1-RQLW5CdcCehsqg%40mail.gmail.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/893891ea-34ec-4d60-9941-9f636be0d747n%40googlegroups.com.
> If a supermajority of sovereign actors decide they need to protect themselves from negative consequences of quantum capable adversaries, I wouldn't expect the threat of lawsuits to stop them.Given that a PQ address type exists, individuals forming such a supermajority are free to move their funds to PQ addresses. At that point, the remaining minority of vulnerable funds no longer poses a systemic risk.
That said, I believe it would be better to first implement a PQ address type and evaluate its fee costs. Current NIST-approved schemes are quite expensive in terms of block space. Whether a broad adoption of PQ addresses is justified depends on trade-offs users face. Without concrete data on those trade-offs, it's premature to discuss enforcing such a move.
Even if PQ addresses turn out to be as space-efficient as P2TR, enforcing their use would still constitute a form of central planning, imposing a particular choice on all users. The situation becomes even more problematic if these addresses are more expensive. It risks resembling scenarios where governments mandate actions like mandatory insurance in the name of collective safety. In this case, users who don't view quantum computing as a credible threat would be compelled not only to move their funds (at some cost) but also to pay more for each subsequent transaction. That feels contrary to Bitcoin's foundational principles.
If a secure and efficient PQ address format becomes available, I will personally move my funds to it. But I don't believe I (or anyone else) have the right to force others to do the same. A group of individuals has no more rights than the sum of the individuals within it. This is a fundamental principle of individual liberty and runs counter to collectivism. Even a majority shouldn't be able to impose such a requirement. What we can do is offer tools and economic incentives (like the segwit discount) to encourage voluntary adoption.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/1ae281cd-20a8-4b50-98b7-c228f090ad7an%40googlegroups.com.
Allowing a quantum computer to access lost funds doesn't make those users any worse off than they were before, however it would have a negative impact upon everyone who is currently holding bitcoin.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/ba994ea8-b089-4f0d-a7a3-e5845d2890ean%40googlegroups.com.
> Is the approach taken by Bitcoiners fundamentally different?I do not yet have an opinion here on burn vs. not-burning but I wanted to present a thought experiment about why freezing is not the same as confiscation:
Let's say instead of freezing vulnerable outputs we simply limited them to only be spent to vulnerable outputs, e.g., a txn with a P2PK input can only produce P2PK outputs, etc... Nothing has been confiscated. After this change, if you want to live in the quantum vulnerable world you can, you are just prevented from harming the rest of Bitcoin.
In practice, what miner would accept quantum vulnerable fees? What exchange would accept coins which could be stolen at any time? Would you accept coins as payment that could be stolen back later? Such a change would create two classes of Bitcoin outputs: worthless quantum vulnerable coins and actually valuable quantum resistant coins.
That is, quantum vulnerable outputs, in the presence of a quantum computer, have already had their value destroyed. They no longer function as property, but instead function as an inflationary reward for owning a quantum computer. Freezing them simply reflects this reality and protects quantum resistant coins from the inflation caused by quantum attacks.
As Jameson has pointed out elsewhere some of these outputs may be able to prove ownership via BIP-39 HD Seed proofs. Protecting these outputs from theft by freezing them is probably the least confiscatory since it prevents theft.
> I attempted to make it clear in my original post that the incentives of individual holders, miners, businesses, etc appear to align and give them logical reasons to desire NOT operating on a network that allows for massive redistribution of wealth via theft and effective inflation of the circulating money supply via resurrection of lost coins. If a wide swath of diverse individuals happens to agree upon something, they may choose to take action as a "collective" of sorts, but I don't find that to be the same as "collectivism" in which a small group tells a large group "this is what's good for you, so you'd better do it."The Migration Proposal outlines incentives for different actors. Your reasoning seems valid for miners, exchanges, and institutions, but does it truly apply to everyday users? You mention "self-sovereign peace of mind." I would respectfully disagree here. To maintain self-sovereignty, it is sufficient for an individual to move their own funds to a PQ address.
A fork that involves confiscating funds, even if well-intentioned, would set a dangerous precedent, one that reduces everyone's self-sovereignty. From that point on, it would be seen as acceptable to seize funds in the name of system-wide safety.
Consider a related example: the freezing of stolen funds on blockchain level (e.g., AML enforcement via smart contracts). This practice exists in many crypto projects, though never in Bitcoin. One could argue that holders of such tokens have voluntarily given up part of their self-sovereignty for collective protection. The very act of using those tokens may imply acceptance of that trade-off.
Is the approach taken by Bitcoiners fundamentally different?
To me, the possibility of confiscating funds from legitimate owners crosses a critical line. A system that permits such actions doesn't prevent theft -- it institutionalizes it. Mass confiscation is organized theft.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/ba994ea8-b089-4f0d-a7a3-e5845d2890ean%40googlegroups.com.
hash160(pubkey(ec_secret)) == <hash>
hash160(pubkey) == <hash>
Spending Hashed UTXOs: To spend a hashed UTXO, the user signs it with a key-lifted signature (see Section 2.2).Spending Derived UTXOs: To spend a derived UTXO, the user signs it with a seed-lifted signature (see Section 2.3).
hash160(pubkey) == <hash>
by classical re-computation. This exposes the EC pubkey, which would let a QC attacker forge new key-lifted signatures. Thus, sadly, we can't rely on key-lifted signatures.After the commitment has been posted, the spender has a limited time to post a reveal of the commitment to the blockchain. If they fail to do so, the miner can post the proof of ownershipto claim the entire UTXO, making spam attempts costly
The fee paid for including tx is split equally between the miner who included tx and the miner who included (H(tx))
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/f17de19d-a6f5-46b3-abcd-09c056d9bd64n%40googlegroups.com.
Thanks for pointing this out Or. For those not familiar with Or's approach, it would share many of the same properties as the folklore BIP39 zk-STARK approach discussed elsewhere. It uses Picnic in the same way, to prove (in zero-knowledge) either:
- (For UTXOs whose pubkeys are exposed) I know a BIP39 seed that derives an EC secret key such that hash160(pubkey(ec_secret)) == <hash>
- (For UTXOs whose pubkeys are still secret) I know a public key such that hash160(pubkey) == <hash>
From Or's paper, section 2.5:Spending Hashed UTXOs: To spend a hashed UTXO, the user signs it with a key-lifted signature (see Section 2.2).Spending Derived UTXOs: To spend a derived UTXO, the user signs it with a seed-lifted signature (see Section 2.3).I see a couple problems with this. We won't be able to straight-up replace the EC signature with a Picnic signature without a hard fork. Old Bitcoin clients will still need to see a valid EC signature and verify hash160(pubkey) == <hash> by classical re-computation. This exposes the EC pubkey, which would let a QC attacker forge new key-lifted signatures. Thus, sadly, we can't rely on key-lifted signatures.
That said, we don't always require a hard fork as you note in the paper. It's totally fine to expose the EC signature and pubkey if we also have a way to prove honest derivation of the EC secret key from a seed, and as long as that proof commits to the same transaction. Either seed-lifted Picnic signatures or ZK-STARKs could satisfy this. To get soft-fork backwards-compatibility, we'd introduce a new transaction data field to carry the proof, much like segwit added the witness data field. Then we require new clients to reject any EC signatures unless accompanied by this "proof-of-seed-derivation". Old clients still see valid EC spend TXs. Soft fork achieved.As for the "Lifted FawkesCoin" commit/reveal protocol, it has some issues. I think it'd require a hard fork to implement as there are some properties of the protocol which we can't enforce without relaxing consensus rules. For example, letting miners claim UTXOs using the post-quantum proofs of ownership:After the commitment has been posted, the spender has a limited time to post a reveal of the commitment to the blockchain. If they fail to do so, the miner can post the proof of ownershipto claim the entire UTXO, making spam attempts costlyThis is impossible without relaxing consensus rules on existing UTXOs' script pubkeys. Donating half of a TX's mining fees to an unrelated miner would also need a hard fork:The fee paid for including tx is split equally between the miner who included tx and the miner who included (H(tx))
(though this might be fixable if you modify the protocol to instead require direct payment to the address of the miner who mined the H(tx) commitment.)
The other problem is incentives. Why would miners ever mine a Lifted FawkesCoin reveal TX if they could simply wait and claim the pre-quantum UTXO themselves using the proof of ownership? The protocol seems to rely on miners ignoring this opportunity, or at least that the major mining pools won't collude to exploit it.
The "Restrictive FawkesCoin" protocol would seem to fix this problem though.
Finally, the consensus implementation complexity for any Fawkescoin implementation would be enormous. There are so many context-specific validation steps. The modifications described in section 3.3 and section 4 only further exacerbate this. Sections 3 thru 5 describe all the various Fawkescoin protocols and modifications, and in total they are 16 pages long. I don't expect anyone could push that much protocol complexity into consensus in the next decade.We're having a hard enough time coming to consensus on the "to freeze or not to freeze" debate, the OP_CTV debate, the OP_CAT debate, etc. I don't see a future where Bitcoin users can even comprehend all the rules and parameters included in the final FawkesCoin-driven protocol, let alone a world where we can all agree on them. We need something simpler, more closely aligned with existing consensus rules, that can be implemented and slotted into existing BIPs and UX neatly.Personally I think the answer is to require a proof-of-seed-knowledge to spend any EC-signature-locked UTXO, and to implement it as a soft fork. It'd be expensive, and throughput would be low, but it'd also be far better than the bikeshed hell which we'd doubtless find ourselves in if we try to push the hulking mass of Fawkescoin into consensus. There'd be no complex timelock conditions, no commit/reveal protocols; just one new encumbrance added to old EC script pubkeys. Existing wallets can be upgraded without any time-sensitive migration procedures.
So then we're left with this question: What primitive should we use to prove seed knowledge: Seed-lifted Picnic signatures or zk-STARKs?
Cards on the table: I'm not very familiar with Picnic, but I am with zk-STARKs. I know zk-STARKs would be very useful to have on-hand as a primitive available to consensus, especially in a post-quantum world. They work for any general computation, with arbitrary private and public inputs. They are quick to verify but take a lot of work to produce. They are usually large, measured in tens of kilobytes, but that's similar to Picnic.Maybe it'd be worthwhile for someone to do some quantitative benchmarking and qualitative compare/contrast research between zk-STARKs and Picnic signatures (and maybe other alternatives too?), specifically for the case of BIP39 seed derivation proofs. I'm especially curious if an optimized zk-STARK circuit for BIP39/BIP32 derivation can be designed to reduce proving runtime and proof size. I'd also love to know if Picnic signatures could be reused for other things like rollups, IBD speedup, etc, as I know zk-STARKs could be used for.In any case, while I don't think commit/reveal protocols like Lifted FawkesCoin or its variants are appropriate for a bitcoin consensus upgrade, I do really appreciate all the research that went into your paper Or. It is a perfect resource for anyone interested in PQ commit/reveal protocols and contains many nuggets of wisdom in that realm.
Are you asking what happens if the “reveal” part of a Lifted FawkesCoin is censored by all the miners?Indeed, if all miners collude and decide to censor the "reveal" part of the transaction, they will be able to claim the pre-quantum OTXO themselves. But even today, if all (or a majority of) miners collude, double-spends are already possible.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/6326b5d0-df6b-4f40-9d15-9ed502278397n%40googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/c56b179f-2753-4f1c-80a4-14969e737d37n%40googlegroups.com.
We only need a symmetric equivalent of a digital signature (i.e. MAC) and a secure hash function. This is very exciting! The scheme can function as a backup plan in case we don't find a way to scale regular post-quantum signatures. Imagine the future in which we use expensive SPHINCS+ signatures for time-sensitive stuff and a cheap commit-reveal scheme for slow transactions.
We need to ensure that the scheme accepts only a single xpriv+path value. If there are multiple combinations possible (i.e. starting from different levels of derivation), then a validator wouldn't be able to determine if a commit is valid afterwards.
Coins whose private key is not a child of BIP32. One important instance is MuSig2 coins.
X = H(L, A)*A + H(L, B)*B
then a QC cannot practically compute a valid key set L = [A, B]
. So you could make a commit/reveal scheme for MuSig keys by committing to (and then revealing) the key set L
. Nodes verify the group key X
was computed correctly from L
. We'd have to assume that key set L
is not available to a quantum attacker. No secret key sharing is needed for this.Some xpubs may have too many coins to sweep in a single transaction.
Note that the BIP32 scheme requires attaching additional data (xprivs + derivation paths) to a reveal transaction. ... We can make another Merkle tree similar to Segwit and put it there.
Both of them can be provided but the pubkey-based scheme will be blocked for coins whose pubkeys were exposed in the past. All such coins can be found once, at the fork time, and future pubkey exposures can be ignored.
Hey Boris,I've been doing more research into ZK-STARK solutions, and the more i read, the more I am warming to the idea of BIP32 commit/reveal as a recovery mechanism. The smallest concrete zk-STARK proofs I could find were hundreds of kilobytes for even something as simple as a SHA512 hash preimage. BIP32 proofs would need that, plus secp256k1 arithmetic.
We only need a symmetric equivalent of a digital signature (i.e. MAC) and a secure hash function. This is very exciting! The scheme can function as a backup plan in case we don't find a way to scale regular post-quantum signatures. Imagine the future in which we use expensive SPHINCS+ signatures for time-sensitive stuff and a cheap commit-reveal scheme for slow transactions.Don't get too excited - Commit/reveal protocols on bitcoin presuppose the availability of a post-quantum signature scheme. Otherwise, how do you publish the commitment TX securely? The commitment phase itself is a published BTC transaction, and if that TX is secured via EC signatures, then its inputs could be swiped by a fast CRQC.
We need to ensure that the scheme accepts only a single xpriv+path value. If there are multiple combinations possible (i.e. starting from different levels of derivation), then a validator wouldn't be able to determine if a commit is valid afterwards.I'm not sure I understand the problem... Wouldn't this just mean that there can be more than one valid commitment for the same UTXO? That's always going to be possible because the owner could commit to more than one reveal transaction. We can't verify commitments for reveal TXs which are never published. Which is fine - validators just care whether the sender knew a valid parent xpriv before the reveal TX was published.
Now that I think about it, we safely can omit the bip32 key paths from the HMAC commitment. They serve no purpose there.
Coins whose private key is not a child of BIP32. One important instance is MuSig2 coins.Also FROST keys, ECDSA threshold MPC keys, paper wallets, and many others. I'm really not sure how we'd handle these. The lazy dev inside me wants to ignore them and focus on BIP32 wallets as that probably will make up the bulk volume of coins affected by an EC freeze.MuSig is an interesting special case, because the aggregation of the group key is actually a quantum resistant one-way function. More concretely, given the musig group keyX = H(L, A)*A + H(L, B)*B
then a QC cannot practically compute a valid key setL = [A, B]
. So you could make a commit/reveal scheme for MuSig keys by committing to (and then revealing) the key setL
. Nodes verify the group keyX
was computed correctly fromL
. We'd have to assume that key setL
is not available to a quantum attacker. No secret key sharing is needed for this.FROST is not so fortunate. A FROST key is just the constant term of a polynomial. Any quantum attacker could invert a public key, and then forge an arbitrary polynomial with that key as its constant term.I wouldn't worry too much about untrusting multisig groups though - such wallets are usually actively managed, so the parties involved would likely be active enough to migrate their coins to post-quantum addresses before any EC-restricting soft forks occur. Then again, this is just an opinion, no hard data to work with here.
Ancient paper wallet holders on the other hand are much more at risk, since these keys were often generated without BIP39 or BIP32. This might be one reason why allowing commit/reveal with bare pubkeys could be beneficial, but IDK if it outweighs the complexity costs.Some xpubs may have too many coins to sweep in a single transaction.This should be a pretty rare edgecase - but even in those cases, as you say, we can work around it by splitting up the reveal TX into multiple transactions and committing to each of them. Then wait a few blocks, and publish all reveal TXs at once.Note that the BIP32 scheme requires attaching additional data (xprivs + derivation paths) to a reveal transaction. ... We can make another Merkle tree similar to Segwit and put it there.Same would be true of any PICNIC or zk-STARK based solution. It's unavoidable if we want an EC recovery soft fork.
Both of them can be provided but the pubkey-based scheme will be blocked for coins whose pubkeys were exposed in the past. All such coins can be found once, at the fork time, and future pubkey exposures can be ignored.This scan would miss a lot of exposed pubkeys - xpubs and other public keys shared off-chain for high-value wallets would become highly valuable commodities that could be sold to quantum attackers. But i guess it is doable. I'm not sure if its benefits outweigh its drawbacks. Basically it's a pick-your-poison choice between (1) allowing QCs to steal from pubkeys exposed off-chain, or (2) destroying the coins of paper/brain wallet hodlers (or anyone else who didn't use BIP32).
We can't let multiple commits per UTXO be valid. Remember the original problem you posted a couple of messages ago: miners can collude and delay reveal transaction confirmation, so we need to make sure that the commitment of this reveal tx is the first valid commitment for this UTXO
It doesn't have to be in EC recovery soft fork, we can enable it in phase B, since it is very simple and we have plenty of time to implement and test it. Also it doesn't block anyone and therefore it is much more likely to be adopted than the original approach (block first, recover later, maybe)
- array of MACs in the order of EC operations in the witness script
Hi Boris,
We can't let multiple commits per UTXO be valid. Remember the original problem you posted a couple of messages ago: miners can collude and delay reveal transaction confirmation, so we need to make sure that the commitment of this reveal tx is the first valid commitment for this UTXOAh i see what you mean now. Your suggestion of requiring one and only one hardened derivation step is probably the easiest option to fix that. That way, for any set of EC keys, there exists at most one matching parent xpriv. Revealing that xpriv doesn't give observers any valid alternative HMAC keys.It doesn't have to be in EC recovery soft fork, we can enable it in phase B, since it is very simple and we have plenty of time to implement and test it. Also it doesn't block anyone and therefore it is much more likely to be adopted than the original approach (block first, recover later, maybe)That won't work - If you deploy phase B (restricting EC outputs) with bare pubkey commit/reveal without also supporting BIP32 commit/reveal for exposed pubkeys, then adding BIP32 commit/reveal later will be a hard fork. You'd be relaxing consensus rules to allow spending of outputs with exposed pubkeys.
- array of MACs in the order of EC operations in the witness scriptMakes sense. At first i was going to suggest to merge the pubkeys together into one single MAC, but that'd create opportunity for miner collusion. You would indeed need one commitment hash per EC operation for watertight security.
For single-party BIP32 commit/reveal on the other hand, you'd probably never need more than 1 MAC per commitment, since the xpriv would probably cover every EC operation in the reveal TX (even across multiple UTXOs), and any given pubkey has at most one matching parent xpriv (if hardening is done only once).
To confirm, when validating a commitment that contains multiple MACs, the validator would need to assert that every MAC is the earliest valid MAC, right? If even one pubkey was exposed and committed earlier, it'd render the whole reveal TX invalid.
I propose to simplify this by using just one MAC with all the pubkeys as a single key. If you know why this is a bad idea, please share.
(utxo, witness_hash)
. We no longer need to publish the TXID in the commitment, because witness_hash
indirectly commits to it. You'd compute the witness hash by simply concatenating and hashing all the witness data for each input in consensus order.To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAFC_Vt7a1O9vCdycRtUmTAQyL%3DifZAZt3Wzx-YBTQ1cKyJq55w%40mail.gmail.com.