Bitcoin Forum

If there was a vulnerability in ECDSA/Schnorr (maybe because of a quantum computer but it can be any other reason - lattice attacks, etc.) and there would be alternative - new safe locking scripts - and people would start moving their coins into them.
What do you think would happen to those UTXOs that don't move at all (lost coins/Satoshi’s coins/etc.)?

Do you think the consensus would be to let them be stolen OR to soft-fork them out (remove from circulation - e.g. “you have 10 years to move your UTXOs, otherwise they will become invalid”)?

The first option is better in my opinion but flooding the market with so many coins could be massively disruptive.
The second option would probably not be able to reach consensus but the effect on price would not be so disastrous.

Some people touched this in the following thread but I didn't want to continue there as this was a little bit off topic:
https://bitcointalk.org/index.php?topic=5400954.0 (https://bitcointalk.org/index.php?topic=5400954.0)

It is not possible to predict what the consensus is going to be because there hasn't been any serious discussion about this possibility yet and the various smaller discussions that have taken place among users have never reached any consensus. There are two sides and some say they shouldn't be locked or anything and another side says they should be burnt.

In my opinion if some day in the far away future we come to the conclusion that ECC is obsolete we should define a migration period after which any coins left in the old algorithm becomes unspendable.

It will be very difficult to reach a consensus either way, as there are strongly held beliefs on both sides. I am very much of the opinion that it is better to let these coins be stolen than it is to do anything to lock them or make them otherwise unspendable. It is better to take the short term price hit from lost coins re-entering the market than it is to destroy a core principle of bitcoin and allow a small group of devs or a small subsection of the community start to decide what happens to coins which do not belong to them.

It is worth noting that not all vulnerable addresses will be hacked at once, but rather, it will happen gradually over months or even years. There are a multitude of reason in which coins which are not lost may not move for long periods of times. Perhaps the owner is in a different country to their wallet. Perhaps they are in prison. Perhaps the private keys are locked up in some kind of inheritance or trust. Perhaps there is a timelocked transaction waiting to be broadcast at a certain date. If we set a fixed date and lock all these coins, then we will absolutely be depriving some users of their coins against their will. At that point, bitcoin is no longer decentralized nor trustless.

If you are careless and fail to look after your private keys or move your coins in time, then they will be stolen. Far better that than the devs say "Since you are careless, we are going to take your coins away from you." You can't be your bank if someone else can unilaterally remove that privilege from you.

---

As I mentioned in another thread, I would only support locking coins if there was some way for the real owner to prove ownership and unlock them again, such as by providing a zero knowledge proof that they own the seed phrase which generated the relevant private keys. But this does not solve the problem of truly lost coins or early coins in P2PK addresses.

I think there are two options. First: they will never move, because even if some keys are vulnerable, other, fully random keys may be good enough to resist many attacks. Second: they will move somewhere by providing a valid signature. That second option could have many variants: they could move into OP_RETURN, they could move as a fee, and be burned in the coinbase transaction, they could be timelocked to the future, and taken later by miners, or they could be stolen once, and then the system will be safe again, after moving to the new address type. In case of the second option, if a lot of coins will be moved at once, then I think burning will reach consensus quicker than other ideas, so the chain where they will be burned, will be followed, and will stay the heaviest.

The only unacceptable thing is moving coins without providing any valid signature. All other cases are good enough, and it is possible to reach consensus, when coins will be not moved, or moved by valid transactions (then, that second option depends on the destination).

That's why I think if someone will suddenly move a lot of coins, then the consensus will quickly form around burning all of them, by providing valid signatures. In economical sense, other forks could be just cheaper and lose Proof of Work support from miners.

Why not? I read many posts saying that "burning is acceptable" or "locking by soft-fork is acceptable". I think reaching consensus on burning someone else's coins would be easier, than forming any consensus on stealing them, even if only once.

Which should in theory mitigate the effect of the short term price hit, due to panic, and the fact there's new coins being reintroduced to the economy. However, it likely means you'll see a smaller effect, for a longer time since they'll be gradually taken, and reintroduce rather than all at once.

Depending on your perspective, both scenarios have their pros, and cons. Ultimately, the very long term probably isn't effected.

If you can burn or lock coins for arbitrary reasons, then you have proven that you can manipulate the ledger, after which it will never be long until censorship rears its regular head.

But how do you distinguish legitimate users from "thieves"? The legitimate/stealing transactions will both have a valid signature.
If there is ever a consensus to lock the coins I guess the only way would be to block the UTXOs (to block all coins with vulnerable signatures, not just some chosen coins) after a long period of alert (e.g. a decade) before the attack itself, not after the coins have already moved. After some block height, only coins on new and safe addresses will be movable. But even for this scenario I can't imagine reaching a consensus for the reason below:


No one knows if the key break will take minutes, hours, weeks, years but I suppose it won't be one entity takes it all with a single attack in a single day.
And if the stealing lasts years or decades in small chunks nobody can prevent inflation pressure on Bitcoin, unfortunately.


Reaching consensus on burning someone else's coins is hard but "sacrifice" the coins (let them be stolen) doesn't require forming a new consensus. It is what the current code says, basically.

There's no realistic way an entity suddenly gains power to break ECDLP within a few minutes.

Inflation pressure? There's no inflation pressure, and will never be. Provably lost coins are lost, gone, removed from circulation. Period. Non-provably lost coins aren't removed, they're just trapped. No one should assume they won't return into circulation, and in fact, we, overtime, observe some decade-old, dusted, 50 BTC worth outputs being spent, which reveals that these coins are falsely assumed as lost.

The system begun with the presumption that someday it'd reach a number less than 21 million coins, without any arbitrary monetary policy, and so it is.

Well, it's very unlikely its going to be quick, i.e a few minutes. Besides, you'll have a gradual build up to this. We aren't anywhere near the capability of doing it right now, and even when you factor in exponential growth there's going to be a long, long time before something is capable of doing it within minutes. Despite, the exponential growth, it'll still we somewhat gradual in the time that it takes to break it.

By the time something is capable of breaking it within minutes, Bitcoin could have well have moved on so much, that the old chain is considered obsolete, or alternatives people themselves might have found an alternative to Bitcoin. What I'm saying is there's just too much unknown factors to even realistically talk about it. Hence, why the discussions around it have been what ifs, rather than anything substantial. We'll get there, when we get there.

You are absolutely correct, inflation was not a right word at all. But let's say the market counts non-provably lost coins as provably lost-coins (and might be surprised one day).

Well, I suppose (and hope) that the UTXO set (or basically the "ownership database" in any future form) will be preserved even if there is a completely new technology and this new "system" moves the Bitcoin's UTXO set into it. But that is for another discussion :)

It doesn't matter what the consensus is; we can't force whoever owns the private key to these coins to actually burn them, whether that's the real owner or an attacker. The only other option would be for a large entity such a mining pool to buy their own quantum computers to steal and burn these coins, although I would imagine most mining pools would take the coins as profit long before burning them.

The surprise to the system would be similar to Satoshi or some other early miner returning and suddenly moving a few hundred thousand or even million bitcoin which have been dormant for 12+ years. And that could happen at literally any time, and there is nothing we can or should do to prevent it. Assuming that coins which have not moved in a long time are lost permanently is wrong, although I'll concede that many users in the market do assume just that.

Totally agree with that. And Satoshi selling all his coins would be destructive as well.
But we assume it won’t happen (selling, not moving). But would it be the case for anybody else?
Would this selling pressure be recoverable?

Naturally, being a Bitcoin supporter I would lean to yeah. However, these things can be unpredictable, and it really does depend on what's happening in the world, and everyone's view on Bitcoin. There's just so many possibilities that could happen to benefit or even undermine Bitcoin.

What can be said, the idea behind Bitcoin works, and for me has the most appeal out of any other currency on the market. Will that change in the future, who knows.

Yeah, although lets say that a hard fork did occur (either necessary or deemed the best choice) to escape this sort of scenario. Those on the old chain wouldn't be able to easily prove they owned the coins on the new chain. At least, I don't think there would be a easy way of doing it. Maybe, but probably beyond my understanding, at least at this stage. I thin we're still in the stage of thinking of thinking about solutions, since it's too far away right now that there's not a whole lot of urgency needed.

Whatever the circumstances, there's going to be a lot of split opinions when it comes to the proper discussion definitely. I don't want to see old coins released back in, and I don't want to see the destroyed. I probably am of the same opinion of o_e_l_e_o, but I'd rather see them broken into, and stolen than forcibly from a Bitcoin perspective force remove them or redistribute. There's too many worms, and not enough cans.  

Irrelevant arguments here because we are not talking about some "arbitrary reasons" we are talking about a serious one that would make the very thing that made bitcoin secure becoming obsolete.
It's not all about price either, in fact not preventing old UTXOs from being spent would be against the fundamentals of bitcoin where your coins are only yours to spend not everyone's.

Then move the coins to a quantum-safe algorithm by then. It's your money, your responsibility after all. Freezing P2PK outputs (for example) endangers the significance of self-custody. Nobody should touch any coin, but only inform about the weaknesses. The coins that aren't provably burned, exist, and can, therefore, enter the market at anytime.

Moving the coins, alone, doesn't de-anonymize, though.

Which is why I think what will probably happen is the scenario I've described above, where lost coins are gradually stolen and re-enter circulation. If we can't reach a consensus on some other solution, then this is the default position which will happen if we do nothing, as Adam_xx points out above.

I disagree. If the community can decide that you cannot be trusted to look after your coins and move them to a quantum resistant address before they are stolen, then the community can also decide that you cannot be trusted when it comes to any other scenario, and can therefore censor you.

It took me a bit to understand what you were saying, and I thought you might have meant the reverse initially - mostly because my view is the opposite.
 
Such censorship, deleting, and blocking of addresses would make bitcoin obsolete. If the arguments about censoring old coin ever succeed, then bitcoin would have already failed because it would show that bitcoin is not a long term store of value, in which case, the idealogues should move on.

It's not that any reasons for censorship are arbitrary reasons, but they are ones that I don't think will ever result in anything because the results are much more unpredictable than the scenarios in this thread. The product of old addresses being cracked is no different than them being re-engaged in by the original owners (or their inheritors), the latter of which could happen at any time. The very top thread assumes two scenarios which I think would happen in exactly the opposite fashion -- someone who has been holding onto coin for ages has little reason to sell them immediately or quickly because they have 'enough'. Their sale pressure is pretty low, so the scenario given above is unlikely. Even if such old coin are sold by crackers or original owners, then it results in a more distributed coin, which adds long term value to the network and is a necessary part for sustainability and growth.

I agree with that. Let's say there are even 2-3 mil. coins that are lost (nobody has private keys anymore). If the stealing lasts 10 years it's like mining with current block subsidy at that time (approx. 328.500 BTC is currently mined per year). And to be honest, I don't think that many coins are lost and thus would stay on vulnerable addresses.

Of course, if the attacker manages to crack keys from dozens of thousands P2PK UTXOs within a couple of months it could be disastrous (pricewise).
And there are also other UTXOs with revealed pubkeys (reused addresses, P2TR, etc.).
FYI: there is currently 1.73 mil. BTC on 48.000 P2PK UTXOs.

That's a big assumption. There are millions of bitcoins to P2PK outputs, many of which get spent frequently throughout the years. Definitely people lost a fortune back in 2009 due to some accident, but it's no way millions. Perhaps few hundreds of thousands have been non-provably lost. Impossible to know exactly nor to approach it effectively.

Note that there are addresses with revealed public keys that do have a balance and aren't P2PK outputs, such as 1P5ZEDWTKTFGxQjZphgWPQUpe554WKDfHQ. Those are in the same danger as well if their owners don't move them to a quantum-safe address.

Yeah, I know, as stated in my post.
Also P2TR outputs are in the same danger.
So maybe altogether 2-3 mil. is accurate.

The damage (of course if that happens at all) depends on the speed of breaking the keys.

My logic is that if something is considered vulnerable then it must be removed from the Bitcoin protocol. For example if OP_CAT has a weakness then it is removed from the code entirely even if someone had used it in a script. Which is exactly what happened, this OP code and a handful of others were completely removed.
Similarly if OP_CHECKSIG becomes vulnerable then it must be removed from the code not still remain there and let people choose to use it or not!

It can only be seen from this thread that opinions on this are very different (relevant points on both sides).
For this reason, I think that forming a new consensus would not be reached and the default situation (letting the coins be stolen) is the most likely outcome.
Or the situation is resolved by two separate forks and market valuation.

It's closer to 4 million vulnerable coins, according to this study: https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-and-the-bitcoin-blockchain.html

It was done around 2 years ago, but you can see from the graph halfway down the page that the number has fluctuated around the 4 million mark for ~8 years, so I suspect it is still around the same. P2PK outputs are essentially constant and unchanging, while reused P2PKH addresses have slowly fallen as reused P2WPKH addresses have slowly increased. And of course we can now add in P2TR outputs as well.

This is the most convincing argument for the opposite position to mine, I think. But it is worth pointing out that nobody's coins were made unspendable when OP_CAT was removed, compared to the millions of coins which would be made unspendable if OP_CHECKSIG is removed.

4 million currently vulnerable but people would migrate.
Not all 4 million from the study are coins with lost private keys.
If it is e.g. 2 million coins being stolen in small chunks for 10 years, the effect on price would not be so significant.
What do you think?

Coins are not going to be stolen in small chunks like that, they're either going to be stolen in quick succession because commercial quantum computers can in fact break SHA256, or they are not going to be stolen at all, because as it turns out, quantum computers cannot break SHA256 yet.

There are only two possible outcomes.

SHA-256 is not quantum endangered as far as I understand the topic (just a little speedup with Grover's algorithm).
We are talking here about ECC vulnerabilities (Shor's algorithm/lattice attacks).
And breaking each key can be quite a long process (= it is not the winner takes it all in "quick succession").

ECDLP rather than SHA256 as Adam_xx has pointed out, but regardless, I don't think they would be stolen in quick succession.

It will not be the case that ECDLP goes from "unsolvable" to "trivial to break" in a single step. If ECDLP does become broken, then the first time someone breaks it it will be because they ran a quantum computer for days or even weeks to break it, meaning they can at most empty a single address. Then they will have to start again for another address, and then another, and then another, and there are tens of thousands of vulnerable addresses to be attacked.

Quantum computers will get faster and more efficient as time goes on, so eventually it may well be possible to crack an address in a few seconds or minutes, but that certainly won't be the case to begin with.

I see that you like my idea. :)


Mulling this, I am quite confident that a practical post-quantum ZK proof emergency salvage system could be designed not based on seed derivations, but for all UTXOs that require unrevealed public keys.  This includes P2SH/P2WSH.  The only coins that could not be safely salvaged are those in addresses with known public keys:  Reused P2PKH/P2WPKH, all P2TR, reused P2SH/P2WSH multisig, etc.  (About those, I absolutely agree with you that coins vulnerable to theft cannot be locked or seized; the idea flies in the face of all that Bitcoin means!)

Following the above-quoted posts, I was working on refining this idea, thinking towards writing this up—for the forum and/or bitcoin-dev, and also for proper documentation of prior art.  (I am afraid that my idea, or some aspects of it may potentially constitute patentable methods; as a precaution, I want to create solid public documentation of prior art, with strong evidence of invention date.)  I have been interrupted and distracted (https://bitcointalk.org/index.php?topic=178336.msg60364284#msg60364284) for the past week or so, but I should get back to this soon.

Meanwhile, I wish to reassure Adam_xx and any others worried about quantum computers.  With a nod to Clarke:  Any sufficiently advanced cryptography is indistinguishable from magic.  My zero-knowledge proof coin-salvaging system can be done.  The question is if it will be done in Bitcoin; and given that this is open-source software, I really oughtn’t just sit around idly dreaming about it.

---

A few little scratch-notes:

AFAIK, zk-STARKS (not SNARKs) are post-quantum for soundness.  (zk-SNARKs may arguably (?) be sound for zero-knowledgeness in a post-quantum world; but IIUC, they will lack soundness against forgery by a quantum computer.)

zk-STARKs are rarely used in practice, because their proof sizes are three orders of magnitude larger than zk-SNARK proofs—far too big for ordinary “send some money” types of blockchain transactions!  Ethereum already tolerates that cost for one of their major L2 systems, which amortizes the cost of an on-chain zk-STARK verification across large numbers of L2 transactions.  For onetime emergency salvage in Bitcoin, the transaction size cost would be worthwhile—perhaps even with a fee rebate supported by miners, who have the long-term incentive to mine emergency transactions for free or cheap to help keep Bitcoin alive through a hypothetical Quantum Apocalypse.

I have significant concerns about how computationally expensive this would be.  Although anything that can be computed theoretically can have its computation proved in zero knowledge, in practice, protocols based on zero-knowledge proofs need to choose carefully what they will run inside the ZK proving arithmetic circuit.  Some even design their own cryptographic primitives such as hashes, etc.; designing primitives that run efficiently inside a ZK arithmetic circuit seems to be a very narrow subspeciality in the field of cryptography.  Some of the primitives that Bitcoin uses are notoriously bad for this.  Again, however, I anticipate that a onetime emergency salvage system could probably consider that cost less painful than letting Bitcoin be destroyed by a hypothetical Quantum Apocalypse.

I also remind any readers that quantum computers capable of cracking Bitcoin do not currently exist, and there is no proof that they are possible in practice.  It is good to think about these things now, but I do not want to feed FUD.  IMO, the threat of a potential Quantum Apocalypse is much, much worse for PGP, Tor, the HTTPS in your browser, and anything else that could be retrospectively decrypted.  That could be catastrophic—and there is no way to fix it with some sort of a salvage system!

Well, it's a good idea if implemented safely, but I won't let you take all the credit, since I've discussed such a thing in the past:


On a wider scale, although it would be great to have such a thing implemented, and it would be a prerequisite to me being comfortable with some coins being "locked" by consensus, it would only serve to make a small difference in the event that quantum computers can break the ECDLP. Assuming that the majority of addresses which are being actively reused would migrate to quantum-proof addresses, and that the 1.73 million BTC in P2PK addresses will be stolen regardless, then this system would only serve to protect coins in non-reused non-P2PK addresses which are inaccessible to the owner. We cannot place an accurate figure on this group, but I believe it to be significantly smaller than all the estimates bandied about by people who simply assume that any coin which hasn't moved in >5 years (for example) has been lost, since (for example) such a category includes the majority of my coins, which are absolutely not lost.

It's certainly worth doing for the individuals it would protect, but it will make little difference I think to the overall impact on bitcoin.

But what about all those other UTXOs (lost reused P2PKH/P2WPKH, lost P2TR, lost reused P2SH/P2WSH multisig)? I think that is the main dilemma here. I would quote Pieter Wuille here: "If a QC can ever spend lost ECC-locked coins, I believe it's game over for Bitcoin. How can an asset maintain value if an attacker has the ability to flood the market with the significant portion of the entire supply?".

I don't like the idea of some coins being locked by consensus, however, Pieter has a point that the economical impact of flooding the market with all these coins could be unsurvivable.

Thanks for the link.  I hadn’t seen that.

Why do you focus on the extended private key or seed phrase?  If a ZK system were implemented that ran Bitcoin consensus rules (including Bitcoin script, and everything else) inside a proving circuit, then people could simply publish proofs that they had validated their own transactions spending the coins.  The transaction inputs and outputs would not be hidden, so there is no need to worry about double-spends (the reason for Zcash’s nullifier system).  IMO, it would be a terrific engineering effort to get this working right; and computational costs may be not insignificant.  But in theory, it can surely be done; and in practice, an emergency would probably justify the costs.

(Bonus, another thing I have been wanting to investigate and post about:  Perhaps the engineering effort could also be repurposed to make a succinct version of Bitcoin, for light clients to attain full-node security simply by validating a proof that someone else had validated the entire blockchain up to the current tip.  I do not know if this is feasible in practice.  Mina had to invent their own cryptographic primitives, for efficiency reasons.)


One of the great things about Bitcoin is that people are never under time pressure to move their coins.  You can go into a coma or get shipwrecked on an island, and reclaim your bitcoins when you are available to claim them.

Anyone who deals with altcoins eventually has the experience, “You must upgrade/do this claim procedure/exchange old tokens for new tokens” with a deadline to avoid losing your money.  Not so much in the more credible altcoins, but it is disturbingly common in others.  It is horrible, and it is all the more reason to appreciate Bitcoin.

With the type of system that I describe, most people who follow best practices for avoiding address reuse could upgrade and move coins at their leisure.  If you so choose, you could leave your >5-year-old coins untouched for another 30 years—then publish a proof to spend them.

---

That could surely cause an extreme bear market.  How much worse of a bear market could be caused by calling into question Bitcoin’s fundamental trustworthiness?

A major part of Bitcoin’s fundamental value is that you can trust that nobody will ever change the rules to seize your coins or divert their value.  (This sometimes happens in alts—e.g., Juno, or Terra.)  And as o_e_l_e_o has noted, there is no way to know if a coin has been lost.  “Lost coins” statistics are guesses, and probably bad ones.

It is difficult for me to imagine that a consensus on this would be somehow reached. I have been asking this theoretical question for a couple of months now and the community is divided almost like 50/50. Even the developers have different opinions (Pieter Wuille/Adam Back would probably prefer locking the coins, Jimmy Song favors letting them be stolen, etc.). So if the situation occurs anytime in the future there will be a huge controversy. If attacking the keys is slow the result would be probably "just" a bear market. If it is fast and huge amount of coins will flood the market I am afraid it would really endanger the existence of Bitcoin.

Perhaps I misunderstand, but in the scenario in which two people both have access to the relevant private key (the true owner and an attacker who has reversed ECDLP and obtained the private key), how does providing a ZK validation of a transaction solve the problem, given that either party could produce such a proof? Surely the true owner needs to provide a ZK proof that they can derive the private key from some parent key/seed/number/etc., which the attacker would be unable to do. Please correct me if I'm wrong.

I'm sure a consensus will be reached when it becomes worth reaching. Such a scenario is decades away, while bitcoin itself is only 13 years old. There are far more pressing things to discuss and develop than to work on some quantum computing solutions which will almost certainly be hugely outdated by the time they are relevant.

I think when an exploit happens in a centralized system.... a centralized "authority" will make decisions on behalf of the affected users or customers... but in a decentralized monetary system.... consensus is required for changes to happen. So I reckon different solutions (forks) will be offered and the owners of those coins, will have to abide by what the consensus would be.

This will obviously have to happen very quickly, because an exploit like this will affect a lot of other people ...that have control over their tokens. (The previous Bitcoin forks was very hostile ......so I reckon a decision to do this, will cause a lot of troubles in the community)  ::)

I will suggest that a redundancy plan goes into a vote before this happens.... and then when it happens, it can quickly be implemented before the breach can be exploited too much.  ::)

Another factor that would affect the decision whether to lock the coins or not would be the total amount that would be affected by the vulnerability. It is not just P2PK outputs, it is all the reused addresses that have revealed their public key and still have a balance and all the new outputs that start using public keys again like P2TR outputs or any other output type that contains public key like P2MS. For example if it affects a quarter of bitcoin total supply (5-6 million BTC) then it is a serious issue to let them be "stolen".

I think that would be one of the worst possible outcomes, similar to what happened with ETH and ETC. Some people decide that the principles of bitcoin should be protected and therefore we do nothing to these coins, while some people decide that these coins should be locked to protect the markets. Not only would there be no consensus on which path to take, there would also be no consensus as to which fork gets to keep the BTC ticker and which becomes an altcoin. Not that I actually care about Ethereum, but as far as I am concerned ETC is the true Ethereum and ETH is the fork in which a small group of developers decided to unilaterally reverse someone's transactions.

I really don't think so. It will be decades before (if?) a quantum computer is capable of realistically threatening the ECDLP. It will be years more before it can actually steal coins from a single address. It will be years more before they are capable of breaking an address in matter of hours instead of matter of days. We have plenty of time to reach a consensus when it becomes apparent that we should, but there are plenty of other more pressing things to work on first.

I think in general people are far less careless with their wallets and their private keys than they were 10-12 years ago. Addresses which are actively being reused just now as well as anyone starting to use P2TR are highly likely to still have access to these addresses when the time comes and be able to migrate their coins to whatever new quantum proof address type we end up with.

Ooft. That fiat hyperinflation has finally come for bitcoin too! :P

There is probably a solution for reused addresses if they are a part of HD wallets so the problem might be "just" with very old P2PK and reused addresses from non-HD wallets. That is currently at least 2 mil. coins but not all of them are lost. The breaking process will probably not be so fast as o_e_l_e_o pointed out, at least in the beginning (and if ever, of course). The economical effect could really be similar to mining. If we look at exchange inflows for the last couple of days the amount of coins changing hands is huge (and still survivable). If BTC can survive such scenario without need to lock the coins (or lock but introduce a way to claim them by ZKP) it would be good.

There is a quote from Adam Back's tweet:

also I think (fairly new thought) that HD keys that were reused could be soft-forked to require a Zero Knowledge proof of knowledge of the chain code and master even if the coin private key was public information. (and soft-fork made not be spendable with direct ECDSA.).

-----

Of course there is a problem that chain code / master is sometimes known by the wallet providers, etc. and also who will distinguish which coin is a part of HD wallets/which not (and thus which coins can be locked for ECC signing). And the issue with P2PK and non-HD coins still persists. But at the same time I suppose this claiming process will not be used so much because every rational person would move their coins way long before they become vulnerable. But the option to move coins even when ECDSA is no longer supported would be nice.

Or ECDSA/Schnorr will be phased-out much sooner before it is dangerous to use (e.g. a couple of decades) and when we get to the situation of a quantum computer attacking the old coins the consensus for locking the old outputs will be much easier to reach.

Or we just let all the coins like they are. And the market will absorb the multi-year lasting inflow of stolen coins.

If your master private key is already known by your wallet provider, then your coins are already unsafe and could be stolen at any time. Quantum computing doesn't change this.

This is impossible to do. You either lock them all and accept that some of them will remain locked forever even if the true owner returns, or you lock none of them.

That is why i think only these two scenarios are realistically possible:

---

Also what comes into my mind at the moment - it is true that a huge amount of coins are sitting in P2PK outputs in chunks of 50 BTC coins, however, it an attacker manages to get a private key from one of the early public keys (on which there are these chunks of 50 BTC coins) he would be able to steal a big portion of coins at once.

But I am not sure how P2PK worked. Has the public key changed every time for early wallets?

I wonder how something like this could work considering the fact that any information provided based on hashes that could reproduce the keys could be duplicated by the other parties that are trying to steal the same coins.

The same as any other output script but instead of using hash of public key you use the same public key. It could be reused or the wallet could produce a new pubkey for every new payment (which was the default).

So the default was that the mining reward of 50 BTC was sent to a different public key each time?
It would favor the scenario of "gradual breaking" the keys rather than "grab all at once".

Correct.

The public key with the largest amounts of coins stored in a P2PK output that I am aware of is:

This corresponds to the following uncompressed address: https://blockchair.com/bitcoin/address/1PTYXwamXXgQoAhDbmUf98rY2Pg1pYXhin

Note that all the dust outputs which follow are P2PKH outputs paying to the address, not the public key. Only the very first output is P2PK, meaning 3,233.17 BTC are locked behind that public key.

That is the purpose of ZKP, isn't it? You provide a proof that you know some information without actually revealing it (and so nobody can duplicate it if you are the only one who knows the hash).