> First, stop assuming they're Satoshi's. We don't know that.
Fair, thanks for highlighting it. Doesn’t particularly matter to this discussion though.
> Second, when/if they are spent, we won't know how the private key was known to the spender. Quantum's existence won't change that epistemic limitation.
Sure, but the decision a future Bitcoin community will make won’t come after early coins start moving; it will come before then. In a world where it is clear to everyone that a CRQC is *going* to become reality in 2-5 years, the Bitcoin community has two choices:
* disable now-clearly-insecure spend paths, allowing those with keys derived from a seedphrase to retain their coins but burning any coins that are not and have not migrated to some post-QC output type
* allow all coins using now-clearly-insecure spend paths to be stolen, absolutely trashing Bitcoin’s reputation as a secure system.
I find it *incredibly* unlikely that the market decides to value fork b over fork a.
> Third, there is no "we" to make such a choice.
There will be a fork cause *someone* will build it and the market will decide which is more valuable. That’s ultimately always how Bitcoin decides.
> No group of people have the right to confiscate coins, no matter how rational the reason.
In this scenario the coins will be confiscated or burned no matter if a fork happens or not. That’s the important part here. Burning >>> theft, imo.
> And to *anyone* (not Matt specifically) who is worried about the market effect of huge selling, consider the market effect of the precedent of freezing coins at the protocol layer. Everything is a one-time exception until it isn't.
Worth raising again here that no coins derived from a seedphrase would be burned. So strictly speaking no one knows whether any given coin is burned or not. It's also possible to do something like allow coins to pre-commit on chain to a new private key via blinded signature that can be revealed later - that way you could spend your coins post-CRQC without doing so pre-fork.
> Notice that that last point is not wrong because "if QC then all btc is worthless"; we are discussing the scenario of there being a migration path but old plain pubkey holders don't use it
Imo the reputational damage of “lol, Google stole 2M bitcoin and is selling it, what a dumb fucking coin” is way worse than you’re making it out. But, again, it’s highly dependent on exactly the state of QC and how public it is at the time. This isn’t something you or I can really decide and ultimately it’s up to the market at the time to pick what it wants bitcoin to be.
Replies (2)
I disagree about fork choice. People will choose a version of bitcoin where there is zero human governance over coin issuance and coin ownership. If my bet is wrong there is very little value left in bitcoin as a system.
It doesn't matter if Bitcoin "looks like chumps" or whatever. It matters that it has integrity as a system. "Miraculously" it has somehow maintained that for a long time.
I do agree though that it'll be a disaster if we don't have any viable migration by the time QC hits, but, meh, it seems ridiculously far off. Glad some people are working on it.
Maybe to emphasize the important point - if we have to move quickly, disabling insecure spend paths and allowing seedphrase proofs to spend coins is likely to recover substantially more coins than would be burned. Let’s say we wake up tomorrow to a breakthrough and a CRQC is clearly only a few years away now (highly unlikely but who knows). Given the low level of coins which would be able to migrate in time, it seems like seedphrase proofs are a *way* better option than just letting everything be stolen!
It depends so much on the specific scenario though - if it’s been 20 years since wallets started universally using some PQC scheme, the calculus is very different. This is also why it’s important to emphasize that we really can’t decide anything today and it’s up to the market to decide when/if these issues become real.