[tl;dr:] At this point in time I feel comfortable with continuing to wait and see how quantum hardware development advances before making any decision about whether or not to change bitcoin proof of work (and if so, how) in response to CRQCs.
The first half of this article is not as good as the last half, and it's long -- so if you are going to read only a portion, read the @lightcoin's quantum anti-roadmap. It's pretty darn reasonable.
This is my “anti-roadmap” for PQ bitcoin, projects that I propose should be explicitly out of scope for consensus responses to the quantum threat:
- Disabling spending of QV coins
- Throttling spending of QV coins
- Forced migration to PQ addresses via “zkPKS”
- Non-interactive block-wide PQ signature aggregation
I like the way Light sets some ground rules (which are really the same ground rules Bitcoin has always had) and uses them as guidance for how to evaluate quantum resistance proposals.
For instance, of proposals that eventually disable the spending of quantum vulnerable (QV) coins -- such as BIP 361 (#1471384), Light says:
The problem with all of these concerns, and why, despite understanding them, I am still opposed to disabling the spending of QV coins, is that the same arguments could be made today about any of the number of ways that people are already storing their coins insecurely. For instance, how many hundreds of thousands (millions?) of coins have been stolen from centralized exchange over the years? Yet there are still nearly 2.5 million BTC held on centralized exchanges. Should we disable spending of those coins just because they might get hacked or otherwise expropriated? If another big exchange hack does happen again, should we disable the ability for any other exchange’s coins to be spent just in case?
And as to Satoshi's coins:
Since these “Satoshi coins” haven’t moved in over 15 years, people speculate that the owner is dead and the private keys are irretrievable (without a CRQC). But this is only speculation. We truly don’t know anything about the owner(s), or their intentions for not moving the coins. For all we know, they intentionally left the coins there as a bounty for a CRQC. The point I’m getting at is: not your keys, not your problem. Mind your own coins!
I like this refrain: mind your own coins! Bitcoiners don't need to worry about other people's coins. We say Not your keys, not your coins. We do not say: what other people do with their coins is my problem. Mind your own coins.
we don’t interfere with other people’s spending conditions, and certainly not as a kind of “plunge protection” mechanism.5 No amount of throttling of other people’s spending capability is acceptable. Mind your own damn coins!!
From the first half of this article, Light does have this pretty savage description of Taproot address's vulnerability to quantum computers:
Taproot addresses are known to be uniquely QV in a way that every other bitcoin address format (aside from the long-disused P2PK) is not: Taproot embeds a QV public key directly into the address. Using Shor’s algorithm, a CRQC could perform a key reversal attack, brute forcing the private key to this public key and spending the BTC held in the address using the key path, even if the original address creator only ever intended on using the script path. Taproot was designed this way to save 1 byte when spending using the key path, thereby making Taproot the more blockspace-efficient option relative to other address formats and incentivizing Taproot adoption.
And he points out that several soft fork proposals that are not specifically "quantum resistance" proposals could nevertheless be of use:
BIP-347 (OP_CAT in Tapscript) enables the verification of PQ signatures in Script, including Lamport and Winternitz signatures. BIP-441 (the Great Script Restoration, which includes OP_CAT) goes even further, enabling the verification of PQ validity proofs in a standard bitcoin transaction (validity proofs are useful here because they can be used to aggregate PQ signatures). There is also research being done into PQ signature algorithms that can be added to bitcoin in future BIPs, such as FALCON, SHRIMPS, and Guy Fawkes signatures (the latter of which are less signature algorithm, more like a protocol… but still relevant here).
I like the anti-roadmap. Not sure if I agree with the bridge idea simply because that's not a permanent solution; it's a could-have for me. Also could-haves: CAT/GSR, Cleanup. P2MR may be a should-have now and a must-have in 3-4 years if we were to believe the Googs of the world. Merging that may offer a path to combine with GSR and take that in while we're forking anyway.
what do you mean about the bridge idea not being a permanent solution?
It fractures, so when it is needed, without a PQ solution on L1, how are you going to exit the bridge to, say, open a lightning channel? How is LN going to function at all? How do I send sats to someone on another bridge? And so on, and so on.
So the bridge is imho a stopgap measure, not a permanent fix.
the post says PQ signatures on L1 are one of the items in scope
presumably using something like Boltz, or going through L1
I understand this, and I think that the bridge makes sense if the only protective workaround available on "Q-day" are extremely bloaty signature schemes. I really think that that would be an engineering failure on L1 though, because even the stateful schemes provide imho a better tradeoff than using
OP_CATto protect the masses (which, how I understand it, is also stateful); the mempool pressure would be insane, even with bridges.So that's why I'm saying could-have. It can work as a hedge against the worst case scenario, but it shouldn't be the solution that says: "yo we can chill now, all is taken care of".
I'm still in favor of GSR, and still in favor of P2MR. Just I want to be extremely cautious about what we label a
solutionand what we label aworkaround.concept-ACK
What's the steelman argument for messing with other people's coins?
I think I've heard Lopp say:
one of Bitcoin's value propositions is that other people can't steal people's coins. If quantum computers make it possible to steal people's coins, it becomes a question of which value proposition of bitcoin is worse to violate.
Ok, so there’s not some good argument that I’m unaware of.
I don’t recall that being one of the core value propositions and it certainly doesn’t hold up to scrutiny.
My boyfriends bigger than your boyfriend
https://twiiit.com/isabelfoxenduke/status/2021919293722833206
The "mind your own coins" framing is solid but folks keep talking about quantum risk in the abstract without putting a number on it. Roughly 4-5 million BTC sit in P2PK outputs where the public key is right there on-chain, bare for anyone to see. That's early mining rewards, Satoshi's coins, the whole first year of the network. Add in reused P2PKH addresses (where the pubkey got exposed on the first spend) and you're looking at maybe 6+ million BTC with exposed keys total. Taproot's exposure is real but it's a drop in the bucket compared to that legacy surface.
What I find interesting is Hal Finney flagged this exact problem on bitcointalk back in 2010. His suggestion was basically "when quantum gets close, migrate to a new address type and let the old ones sunset naturally." Lightcoin's anti-roadmap lands in the same neighborhood 16 years later. Sometimes the first answer is still the right one.