CD188: CORALLO - STEALING SATOSHI'S SATOSHIS Matt Corallo has been a bitcoin developer for nearly fifteen years. We discuss his views on the recent Bitcoin Core bug, the proposed US CLARITY Act, and the risks/mitigations of quantum computing. - @Matt Corallo

Replies (62)

Benking 1 month ago
One of the best technical discussions I’ve heard in a while. Real signal on Core, regulation, and quantum risk.
j4kc87 1 month ago
wow, get this fucking karen @Matt Corallo away from my bitcoin. go work for a project where you can be in charge of taking care of everyone’s shit without being asked. “bitcoin is fucked” -matt
fade2 1 month ago
That's right. If someone nefariously accesses private keys, then so be it. Free market.
It already happens, it's called shotgun KYC. Go try to swap an OFAC sanctioned UTXO on Fixedfloat or another exchange.
Absolutely, let the coins that don’t merge be taken by quantum if it ever happens.
Quantum or no quantum: 2 things will happen: 1) There will be 'soft' forks (likely many from time to time) in the future that 'freeze' coins; and 2) should any of those 'soft' forks ever get anywhere close to becoming relevant, conventional bitcoin will hard fork away from that freezing of coins. As such, the conventional bitcoin value prop will carry on regardless; but, there will also be corrupted chains that have been co-opted for one special interest or another. Choose wisely.
Sounds like Corallo is mainly interested in the fiat price and is willing to fork Bitcoin to lower the supply just so the price goes up. What an insane precedent such a fork would set. I'm surprised Saylor isn't more concerned because they'll be coming for his coins next. In reality if it's proven devs can freeze coins at will, Bitcoin is dead. We need devs who will defend Bitcoin, not attack it.
In that case there is literally nothing we can do to prepare. If/when a CRQC appears Bitcoin will simply fail as it becomes easy to steal and no longer represents a hard asset.
So you’d rather steal them instead? One way or another they’re not gonna be satoshi’s anymore. Better they be burned to give the entire Bitcoin community more than let some private VC company steal them to enrich their VCs. Seems kinda obvious really.
47:06 "someone will write the fork..." Yeah, that's your pal Jameson Lopp. Already wrote a BIP for it, and I've seen you defending it. And then you go on to say at 48:27 the fork with less supply (i.e. what you, Lopp and other devs are advocating for) will win. On the path you want Bitcoin to go down, forks become a way to manipulate the Bitcoin supply and then "let the market decide" which one to follow. In your own words "that million and a half bitcoin are about to be on the market, whether immediately or over the next however many years, depressing the price over however many years. I do not buy for a second that argument doesn't win." Your argument for seizing Satoshi's coins boils down to fiat number go up so people will be ok with it. The slippery slope this creates is absolutely unacceptable. The prospect of the coins going to a quantum research team is much more acceptable than setting the precedent that devs can manipulate the available supply in any way.
Devs like blue haired Matt Corallo want control over the supply of Bitcoin. Quantum FUD is just a convenient way to scare us into giving it to them. We must fight back and stop this madness.
Haven’t listened yet, just shitposting. I don’t agree with the premise of this reply (CRQC not inevitable + disagree with the subjective judgment that some “pirate VC” getting the coins is net worse for bitcoin long run than a preemptive seizure) but you and I went back and forth on this a couple weeks ago so prob no need to re-litigate here. I look forward to listening to the full rip.
Addendum: Read this while groggy and just realized you wrote “private” rather than “pirate,” which makes more sense but is a significantly less entertaining image
Right, one thing we agreed on in our discussion is that there won’t be (and likely shouldn’t be) consensus in the bitcoin community to freeze coins unless it’s *very* clear that a CRQC is coming in the imminent future. I highly doubt anyone supports any kind of “preemptive” freezing. This is only an interesting discussion if at some point we’re starting at a 95+% chance of a CRQC in 3-5 years. I’m quite confident that if a CRQC becomes a thing, we’ll get that kind of notice, Odell disagrees but not much of something that can be carefully debated.
BTC_P2P 1 month ago
This is standard pro-state-speak. “Private” has been made to be a very dirty word and “public” its benevolent counterweight. Very effective psyop.
I would change the perspective completely. It's not about who will steal Satoshi's coins. It's about whether the bitcoin holders want to sponsor the race towards quantum computing or not. "Satoshi's coins" are either still owned by somebody or they are lost. Owned coins can prepare a migration - even without publicly revealing they prepared - and lost coins are never stolen.
Sadly you missed a huge group of coins - forgotten wallets and non-bitcoiners. People often forget they had Bitcoin or just don’t care enough to check in on it for *years*. The only way to ensure they get their money is to disable insecure spend paths but allow them to claim via a seedphrase ZK proof. The side effect of this is that you also burn coins not held in a seedphrase-derived wallet (very old coins and a select tiny minority of wallet software).
Why would you assume I forgot about those? The transition has to take years and you can have different strategies for different coins. Satoshi's coins for example could be saved in a non-revealing way by embedding commitments to transactions spending from those UTXOs in the blockchain.
Sure, that would be another reasonable thing the Bitcoin community might do to allow some folks to not spend but also not have their coins burned. It still leaves someone who forgot about their Bitcoin with it burned even though their next-of-kin might have found it. There’s always a burn risk, just a question of whether the future Bitcoin community will decide they’d rather do that or not.
Sure. But I'd still push back on the theft analogy. Burning coins is never theft but a quantum attack sure would be theft. So by burning coins we strictly reduce theft.
In general I agree with you. I think the disagreement between Odell and I was primarily of the “how likely is it that the bitcoin community will have clear visibility into the soon-existence of a CRQC”. I think it’s highly likely so burning coins is a substantially better outcome, like you. He thought it’s unlikely so instead you’d be burning without proof a CRQC exists/will exist soon.
I see several things wrong with this pov. First, stop assuming they're Satoshi's. We don't know that. Second, when/if they are spent, we won't know how the private key was known to the spender. Quantum's existence won't change that epistemic limitation. Third, there is no "we" to make such a choice. No group of people have the right to confiscate coins, no matter how rational the reason. And to *anyone* (not Matt specifically) who is worried about the market effect of huge selling, consider the market effect of the precedent of freezing coins at the protocol layer. Everything is a one-time exception until it isn't. Notice that that last point is not wrong because "if QC then all btc is worthless"; we are discussing the scenario of there being a migration path but old plain pubkey holders don't use it.
> First, stop assuming they're Satoshi's. We don't know that.

Fair, thanks for highlighting it. Doesn’t particularly matter to this discussion though.

> Second, when/if they are spent, we won't know how the private key was known to the spender. Quantum's existence won't change that epistemic limitation.

Sure, but the decision a future Bitcoin community will make won’t come after early coins start moving, it would come before then. In a world where it is clear to everyone that a CRQC is *going* to become reality in 2-5 years the Bitcoin community has two choices:

* disable now-clearly-insecure spend paths, allowing those with keys derived from a seedphrase to retain their coins but burning any coins that are not and have not migrated to some post-QC output type
* allow all coins using now-clearly-insecure spend paths to be stolen, absolutely trashing Bitcoin’s reputation as a secure system.

I find it *incredibly* unlikely that the market decides to value fork b over fork a.

> Third, there is no "we" to make such a choice.

There will be a fork cause *someone* will build it and the market will decide which is more valuable. That’s ultimately always how Bitcoin decides.

> No group of people have the right to confiscate coins, no matter how rational the reason.

In this scenario the coins will be confiscated or burned no matter if a fork happens or not. That’s the important part here. Burning >>> theft, imo.

> And to *anyone* (not Matt specifically) who is worried about the market effect of huge selling, consider the market effect of the precedent of freezing coins at the protocol layer. Everything is a one-time exception until it isn't.

Worth raising again here that no coins derived from a seedphrase would be burned. So strictly speaking no one knows whether any given coin is burned or not.

Also possible to do something like allow coins to pre-commit on chain to a new private key via blinded signature that can be revealed later - that way you could spend your coins post-CRQC without doing so pre-fork.

> Notice that that last point is not wrong because "if QC then all btc is worthless"; we are discussing the scenario of there being a migration path but old plain pubkey holders don't use it

Imo the reputational damage of “lol, Google stole 2M bitcoin and is selling it, what a dumb fucking coin” is way worse than you’re making it out. But, again, it’s highly dependent on exactly the state of QC and how public it is at the time. This isn’t something you or I can really decide and ultimately it’s up to the market at the time to pick what it wants bitcoin to be.
Yes, IF someone could steal them, it would be better for the market to know some old bitcoin can be stolen and brought to market than know a dev or group of devs can freeze someone’s bitcoin. Seems kinda obvious really.
I disagree about fork choice. People will choose a version of bitcoin where there is zero human governance over coin issuance and coin ownership. If my bet is wrong there is very little value left in bitcoin as a system. It doesn't matter if Bitcoin "looks like chumps" or whatever. It matters that it has integrity as a system. "Miraculously" it has somehow maintained that for a long time. I do agree though that it'll be a disaster if we don't have any viable migration by the time QC hits, but, meh, it seems ridiculously far off. Glad some people are working on it.
Maybe to emphasize the important point - if we have to move quickly, disabling insecure spend paths and allowing seedphrase proofs to spend coins is likely to recover substantially more coins than would be burned. Let’s say we wake up tomorrow to a breakthrough and a CRQC is clearly only a few years away now (highly unlikely but who knows). Given the low level of coins which would be able to migrate in time, it seems like seedphrase proofs are a *way* better option than just letting everything be stolen! It depends so much on the specific scenario though - if it’s been 20 years since wallets started universally using some PQC scheme, the calculus is very different. This is also why it’s important to emphasize that we really can’t decide anything today and it’s up to a market to decide when/if these issues become real.
It depends so much on the exact scenario. I believe we’re imagining radically different QC development scenarios rather than disagreeing on specifics. Eg see below. Bitcoin has maintained its neutrality precisely because it only has value if it maintains its neutrality - the market in general will sell any fork that isn’t clearly in line with the properties of Bitcoin that matter. But there are other market dynamics like supply that matter too. As Pieter puts it, Bitcoin only works if everyone in Bitcoin can agree to the secure set of cryptographic primitives in the system - for those not okay with pre-QC crypto and okay with “you had ten years to move your coins, and even if you forgot we’ll make sure you can still get them in every case we can”, they’ll strongly prefer the fork with fewer coins being sold (not just total supply, coins on the market!). IMO that’s a *very* reasonable position (again, as always, depending on exactly when/how/etc a CRQC is discovered/built), especially because that position *allows more bitcoiners to retain access to their bitcoin*.
i disagree with that framing at the end, it feels illogical. it's not necessary for everyone to agree on what level of security to use, it's a lot more nuanced than that (trivial example: hashed addresses vs not, pre-QC consideration; it was never a trivial question. Remember Nicolas Courtois' scaremongering?). And there is no requirement for any specific users to move out of existing coins to be able to say "bitcoin has the functionality required to keep your coins secure". bitcoin has never yet required people to move their coins, don't forget. And to illustrate more concretely, the part you put in quotation marks: that describes me, I think that, but I don't agree with what follows: I don't prefer the fork "with fewer coins sold", I think that's a non sequitur (not that it can't follow, I mean that it doesn't logically follow), *and* I think it's the ethically wrong position, too, *and* I think long term it's a vector of failure for the project in its goals.
> it's not necessary for everyone to agree on what level of security to use, it's a lot more nuanced than that (trivial example: hashed addresses vs not, pre-QC consideration; it was never a trivial question. Remember Nicolas Courtois' scaremongering?).

Of course it’s a lot more nuanced, sure, but I hope we agree that if I think a CRQC exists today (obviously it doesn’t, but as an example) then I should obviously sell all my bitcoin - a break in the cryptography that secures the vast, vast majority of Bitcoin doesn’t just impact my coin, but the value of the system overall (economic and otherwise). In the extreme, it’s simply too naive to pretend that a break which allows a substantial majority of coin to be stolen doesn’t impact people who happen to not rely on that crypto. Assuming we agree on that, we’re really just arguing thresholds and relative importance.

> And there is no requirement for any specific users to move out of existing coins to be able to say "bitcoin has the functionality required to keep your coins secure". bitcoin has never yet required people to move their coins, don't forget.

Sure but to my knowledge it’s also not recently been a material risk that a huge number of coins would simply trivially be stolen. I do not think we can discount how unique this situation is in recent memory. The only other comparable example in Bitcoin’s history I can think of is early 2010/2011. At that point the vast majority of Bitcoin was held in wxBitcoin/bitcoind wallets many of which were online and reachable over the public internet. During that period I often worried that we’d have a 0day in bitcoind which resulted in some malicious party stealing private keys for 50-75% of the total bitcoin supply. My view at the time (and AFAIU this was at least somewhat accepted) was that if this were to happen Bitcoin would simply fail and never recover.

Not only would the malicious party’s control of that much coin result in massive loss of trust but a reasonable conclusion would have been that the science of software engineering was simply not ready to build something like a cryptocurrency. As much as Bitcoin has a history of operations now, I think in the extreme a CRQC stealing coin could result in the same outcome. Again, there are a lot of shades of grey here but I hope we agree on the extreme example. Finally, it is worth pointing to the DAO hack here. Obviously at the time bitcoiners ridiculed the ethereum ecosystem over the theft of something like 80% of all eth, but the same market dynamics would apply to bitcoin (again, in an extreme example). Ultimately there was ETC and ETH and the market decisively picked ETH (for many reasons that might not all apply to bitcoin, sure, but the biggest reason imo was simply that 80% of coins were going to be held by a demonstrably-malicious entity).

> And to illustrate more concretely, the part you put in quotation marks: that describes me, I think that, but I don't agree with what follows: I don't prefer the fork "with fewer coins sold", I think that's a non sequitur (not that it can't follow, I mean that it doesn't logically follow), *and* I think it's the ethically wrong position, too, *and* I think long term it's a vector of failure for the project in its goals.

Sure you might not but the point is about the market, because the only thing that really matters is what the market values. In your replies I haven’t yet seen you contend with my point about relative theft, so curious to get your specific take on it. In the scenario I raised in my previous post, I noted that disabling insecure spend paths would result in *vastly* more bitcoin going to its owners than coins that would be burned. Do you really think that it’s ethically wrong to prevent, say, 70% of Bitcoin from being stolen just to avoid burning, say, 10% of Bitcoin?

And more generally do you really think that Bitcoin would survive 80% of total supply being stolen? I suspect I know the answers to these questions which means that we’re really arguing degrees and likely scenarios, and not really arguing about actual correct decisions.
On the DAO,ETC,ETH and my "bet": excellent point to raise, there. There is no doubt that the opposite side to my argument won. At the time as you'll remember it was just as obvious that it wouldn't have happened in BTC because of the "DNA" of what bitcoin even is, being so tied to uncensorability (let's not forget that it's a bit murky whether anything like "consensus" was actually reached in the ETH community; it might even be possible to characterise it as the equivalent to the new york agreement winning in btc's case; but I'd be willing to cede the opposite is possible, that the DAO coin "reassignment" was a community consensus). The DAO disaster just showed that there was a profound divergence between the communities at a not just technical but philosophical level. So yeah, another project which has a different less pure concept of decentralization might reasonably define cutoff dates, but I don't think BTC should. It's against its nature and purpose. Concretely, the tradeoffs bitcoin's design makes (e.g. no onchain obfuscation; no onchain global state and complex contracting; slow block times; etc) are all in service of that. I know that this is a retelling of history - SN didn't seem to see it quite like that, but somehow designed it like that despite himself, lol.
About extreme scenarios like 80% of btc stolen (- I'm going to ignore the "how do you measure it" part, though I suspect that'll come back to bite us at some point!): i mean there is presumably a failure mode where trust breaks down, but it's not really about a specific number or ratio. It's about whether there's any credibility that going forward, the system will be trustworthy. Anything above 30-40% is presumably disaster-level and the project *might* just kind of fall apart. But I really don't know. I just know that if you violate the core principle of private property you've mostly already lost. Maybe I'm wrong and everyone would love it, but what's the point in bitcoin in that case, I don't see it.
> It's about whether there's any credibility that going forward, the system will be trustworthy. Anything above 30-40% is presumably disaster-level and the project *might* just kind of fall apart. But I really don't know.

Right I guess part of my point is I don’t buy that there’s any credibility left in the system at all even if just 1M coins are stolen. Maybe that’s the biggest disagreement?

> I just know that if you violate the core principle of private property you've mostly already lost. Maybe I'm wrong and everyone would love it, but what's the point in bitcoin in that case, I don't see it.

I still haven’t seen you contend with the relative loss issue - by freezing some coins you lose the ability to recover potentially many more. I just don’t see how this is a good tradeoff.
Final point I’ll raise that I think is important to consider - in practice Bitcoin wallets don’t adopt new features basically ever. Even if we ship PQC support tomorrow in every possible form, I’m willing to bet there will still be popular wallets out there not using it in a decade or two. If a CRQC is a material risk then (quite possible!) the analysis in the previous post isn’t just a weird hypothetical, it’s reality!