Bitcoin Forum
  Show Posts
1  Bitcoin / Development & Technical Discussion / Re: Seed phrase security (post-quantum) on: January 18, 2023, 01:11:09 PM
Honestly I fail to see the risk of a quantum computer towards a BIP 39 mnemonic seed. There's no data which can be used by a quantum computer to perform an attack. For comparison, a Bitcoin address becomes vulnerable when its public key is revealed.

Thanks. I agree with you. The best possible attack is probably simply the brute-forcing process, which could potentially (if QC will ever be powerful enough) be dangerous for 12-word mnemonic seeds (Grover's algorithm could brute-force a 128-bit symmetric cryptographic key in roughly 2^64 iterations). Using a 24-word seed is probably safe.
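An added example (not from the thread) that makes the numbers in this exchange concrete: the BIP39 entropy behind a 12- or 24-word mnemonic, the halving under Grover's search, and the PBKDF2-HMAC-SHA512 seed derivation the standard specifies. The "abandon ... about" mnemonic with passphrase "TREZOR" is the published BIP39 test vector.

```python
"""BIP39 seed strength, classical vs. Grover search (added example)."""
import hashlib
import unicodedata


def mnemonic_entropy_bits(word_count: int) -> int:
    # Each word carries 11 bits; 1 bit per 3 words is a checksum computed
    # from the entropy, so the brute-force space is the raw entropy only.
    if word_count not in (12, 15, 18, 21, 24):
        raise ValueError("BIP39 mnemonics have 12, 15, 18, 21 or 24 words")
    return 11 * word_count - word_count // 3


def grover_adjusted_bits(classical_bits: int) -> int:
    # Grover's search finds one of N items in ~sqrt(N) queries, so the cost
    # of exhausting a k-bit space falls to roughly 2^(k/2).
    return classical_bits // 2


def seed_strength(word_count: int) -> dict:
    """Work factors for guessing the seed; the derived secp256k1 key is
    still capped at ~128 bits classically (ECDLP), as the thread notes."""
    ent = mnemonic_entropy_bits(word_count)
    return {
        "entropy_bits": ent,
        "grover_bits": grover_adjusted_bits(ent),
        "classical_key_bits": min(ent, 128),
    }


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic'+passphrase."""
    words = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


if __name__ == "__main__":
    for n in (12, 24):
        print(n, "words:", seed_strength(n))
    # BIP39 reference vector: eleven times "abandon" then "about", passphrase "TREZOR"
    vector = " ".join(["abandon"] * 11 + ["about"])
    print(mnemonic_to_seed(vector, "TREZOR").hex())
```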
2  Bitcoin / Development & Technical Discussion / Re: Seed phrase security (post-quantum) on: January 18, 2023, 10:46:35 AM
Take note that since any bitcoin private key provides 128 bits of security, increasing the number of words in your seed phrase to more than 12 doesn't increase your security.
Instead of trying to brute-force your seed phrase, the attacker can try brute-forcing the private key, which provides the same security as a 12-word BIP39 seed phrase.

Let's just focus on those seed words, not ECDSA security. If we assume there will be some post-quantum cryptography and we will make a new wallet, will it be safe to generate the new wallet from the old seed? That is my point.
3  Bitcoin / Development & Technical Discussion / Total amount of hashes on: January 18, 2023, 09:59:18 AM
Is it possible to somehow calculate how many SHA-256 hashes have all the miners calculated for the entire history of Bitcoin?

Last numbers I have seen from Pieter Wuille are from 2020:
With block 632874, around a day ago, the expected cumulative work in the Bitcoin blockchain surpassed 2^92 double-SHA256 hashes (with a standard deviation around 1.4*2^83).
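An added example (not from the thread or from Pieter Wuille) showing where a figure like 2^92 comes from: each block header's nBits field encodes the target, 2^256/(target+1) is the expected number of double-SHA256 attempts for that block, and the sum over all blocks is the cumulative work. The three-block chain at the bottom is constructed sample data, not real headers.

```python
"""Expected double-SHA256 work per block from the header's nBits field, the
quantity Bitcoin Core sums into 'chainwork' (added example)."""
import math


def nbits_to_target(nbits: int) -> int:
    """Decode the compact nBits encoding into the 256-bit target."""
    if nbits & 0x00800000:
        raise ValueError("negative target is never valid")
    exponent = nbits >> 24
    mantissa = nbits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def expected_hashes(nbits: int) -> int:
    """Mean number of hash attempts to find a header hash <= target.
    Equals 2^256 // (target + 1), the same formula as GetBlockProof."""
    return 2**256 // (nbits_to_target(nbits) + 1)


def cumulative_work(nbits_sequence) -> int:
    """Expected total hashes for a chain, one nBits value per block."""
    return sum(expected_hashes(n) for n in nbits_sequence)


def cumulative_work_stddev(nbits_sequence) -> int:
    # Hashes per block are geometric with mean mu and variance ~mu^2, so the
    # standard deviation of the sum is sqrt(sum of mu_i^2); this is why the
    # quoted 2^92 figure comes with a spread of roughly 2^83.
    return math.isqrt(sum(expected_hashes(n) ** 2 for n in nbits_sequence))


def work_log2(work: int) -> float:
    """Express a hash count as a power of two, e.g. ~32 for the genesis target."""
    return math.log2(work)


if __name__ == "__main__":
    genesis_nbits = 0x1D00FFFF                      # difficulty 1
    print(hex(expected_hashes(genesis_nbits)))      # 0x100010001
    # Constructed mini-chain: three difficulty-1 blocks (sample data, not real headers)
    chain = [genesis_nbits] * 3
    print(work_log2(cumulative_work(chain)), cumulative_work_stddev(chain))
```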
4  Bitcoin / Development & Technical Discussion / Seed phrase security (post-quantum) on: January 18, 2023, 09:56:25 AM
If a user wants to use the mnemonic seed words for his wallet even in a few years/decades/..., will the same 24-word seed be safe even in the post-quantum era? According to the BIP39 standard, it is protected by the HMAC-SHA-512 hash function, so we assume that it is quantum-resistant (at least 256 bits of security post-quantum?). Let's not discuss whether QC is a real "threat" or what PQC will look like, but just discuss the safety of those 24 words.

1) Do you think that from a UX point of view it will be possible to keep the existing seed and just generate new PQC keys with a new derivation path?

2) I assume users with 12 words (128 bits of entropy without passphrase) would have to migrate to 24 words (256 bits of entropy) as 128 bits entropy is probably reduced to only 64 bits with Grover's algorithm.
5  Bitcoin / Development & Technical Discussion / Re: Lost coins vulnerable to theft in the future? on: June 22, 2022, 11:21:01 AM
also I think (fairly new thought) that HD keys that were reused could be soft-forked to require a Zero Knowledge proof of knowledge of the chain code and master even if the coin private key was public information. (and soft-fork made not be spendable with direct ECDSA.).
I wonder how something like this could work considering the fact that any information provided based on hashes that could reproduce the keys could be duplicated by the other parties that are trying to steal the same coins.

That is the purpose of ZKP, isn't it? You provide a proof that you know some information without actually revealing it (and so nobody can duplicate it if you are the only one who knows the hash).
6  Bitcoin / Development & Technical Discussion / Re: Lost coins vulnerable to theft in the future? on: June 21, 2022, 10:57:45 AM
But I am not sure how P2PK worked. Has the public key changed every time for early wallets?
The same as any other output script, but instead of using the hash of the public key you use the public key itself. It could be reused or the wallet could produce a new pubkey for every new payment (which was the default).

So the default was that the mining reward of 50 BTC was sent to a different public key each time?
It would favor the scenario of "gradual breaking" the keys rather than "grab all at once".
7  Bitcoin / Development & Technical Discussion / Re: Lost coins vulnerable to theft in the future? on: June 21, 2022, 09:18:21 AM
That is why I think only these two scenarios are realistically possible:

Quote
Or ECDSA/Schnorr will be phased-out much sooner before it is dangerous to use (e.g. a couple of decades) and when we get to the situation of a quantum computer attacking the old coins the consensus for locking the old outputs will be much easier to reach.

Or we just let all the coins like they are. And the market will absorb the multi-year lasting inflow of stolen coins.

Also what comes into my mind at the moment - it is true that a huge amount of coins is sitting in P2PK outputs in chunks of 50 BTC, however, if an attacker manages to get a private key from one of the early public keys (on which there are these chunks of 50 BTC) he would be able to steal a big portion of coins at once.

But I am not sure how P2PK worked. Has the public key changed every time for early wallets?
8  Bitcoin / Development & Technical Discussion / Re: Lost coins vulnerable to theft in the future? on: June 21, 2022, 08:24:48 AM
Another factor that would affect the decision whether to lock the coins or not would be the total amount that would be affected by the vulnerability. It is not just P2PK outputs, it is all the reused addresses that have revealed their public key and still have a balance and all the new outputs that start using public keys again like P2TR outputs or any other output type that contains public key like P2MS. For example if it affects a quarter of bitcoin total supply (5-6 billion BTC) then it is a serious issue to let them be "stolen".

There is probably a solution for reused addresses if they are a part of HD wallets, so the problem might be "just" with very old P2PK and reused addresses from non-HD wallets. That is currently at least 2 mil. coins but not all of them are lost. The breaking process will probably not be so fast, as o_e_l_e_o pointed out, at least in the beginning (and if ever, of course). The economic effect could really be similar to mining. If we look at exchange inflows for the last couple of days the amount of coins changing hands is huge (and still survivable). If BTC can survive such a scenario without the need to lock the coins (or lock but introduce a way to claim them by ZKP) it would be good.

There is a quote from Adam Back's tweet:

also I think (fairly new thought) that HD keys that were reused could be soft-forked to require a Zero Knowledge proof of knowledge of the chain code and master even if the coin private key was public information. (and soft-fork made not be spendable with direct ECDSA.).

-----

Of course there is a problem that the chain code / master is sometimes known by the wallet providers, etc. and also who will distinguish which coin is a part of HD wallets and which not (and thus which coins can be locked for ECC signing). And the issue with P2PK and non-HD coins still persists. But at the same time I suppose this claiming process will not be used so much because every rational person would move their coins long before they become vulnerable. But the option to move coins even when ECDSA is no longer supported would be nice.

Or ECDSA/Schnorr will be phased-out much sooner before it is dangerous to use (e.g. a couple of decades) and when we get to the situation of a quantum computer attacking the old coins the consensus for locking the old outputs will be much easier to reach.

Or we just let all the coins like they are. And the market will absorb the multi-year lasting inflow of stolen coins.
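An added example (not from the thread) that makes the exposure categories in this post checkable: a scriptPubKey classifier that flags output types whose public key sits in the script itself (P2PK, P2TR, bare multisig) versus hash-locked types (P2PKH, P2SH, P2WPKH, P2WSH) that leak the key only through address reuse, run over a constructed UTXO sample with a placeholder key.

```python
"""Does a scriptPubKey expose a public key before the output is spent?
A constructed UTXO inventory for the thread's exposure question (added example)."""

OP_0, OP_1, OP_16 = 0x00, 0x51, 0x60
OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY = 0x76, 0xA9, 0x87, 0x88
OP_CHECKSIG, OP_CHECKMULTISIG = 0xAC, 0xAE


def classify(spk: bytes) -> tuple:
    """Return (script_type, pubkey_in_script). True means an ECDLP attacker
    can start on this output without waiting for any spend."""
    n = len(spk)
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk", True                       # <pubkey> OP_CHECKSIG
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh", False                     # only HASH160(pubkey) on chain
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[-1] == OP_EQUAL:
        return "p2sh", False
    if n in (22, 34) and spk[0] == OP_0 and spk[1] == n - 2:
        return ("p2wpkh" if n == 22 else "p2wsh"), False
    if n == 34 and spk[0] == OP_1 and spk[1] == 32:
        return "p2tr", True                       # x-only output key is in the script
    if n > 3 and spk[-1] == OP_CHECKMULTISIG \
            and OP_1 <= spk[0] <= OP_16 and OP_1 <= spk[-2] <= OP_16:
        return "p2ms", True                       # bare multisig lists every key
    return "unknown", False


def exposure_inventory(utxos) -> dict:
    """utxos: iterable of (scriptPubKey, value_sats, address_spent_from_before).
    Sums the value whose signing key is already public, per script type.
    Hash-locked outputs leak the key only through address reuse (a prior spend)."""
    totals = {}
    for spk, value, spent_from_before in utxos:
        kind, in_script = classify(spk)
        if in_script or spent_from_before:
            totals[kind] = totals.get(kind, 0) + value
    return totals


# Constructed sample UTXO set (not real chain data); 1 BTC = 100_000_000 sats.
PUBKEY = b"\x02" + b"\x11" * 32                   # placeholder compressed key
SAMPLE_UTXOS = [
    (bytes([33]) + PUBKEY + bytes([OP_CHECKSIG]), 50 * 100_000_000, False),  # early P2PK
    (bytes([33]) + PUBKEY + bytes([OP_CHECKSIG]), 50 * 100_000_000, False),
    (bytes([OP_DUP, OP_HASH160, 20]) + b"\x22" * 20 + bytes([OP_EQUALVERIFY, OP_CHECKSIG]),
     100_000, True),                                                       # reused P2PKH
    (bytes([OP_0, 20]) + b"\x33" * 20, 200_000, False),                    # fresh P2WPKH
    (bytes([OP_1, 32]) + b"\x44" * 32, 300_000, False),                    # P2TR
]

if __name__ == "__main__":
    print(exposure_inventory(SAMPLE_UTXOS))
```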
9  Bitcoin / Development & Technical Discussion / Re: Lost coins vulnerable to theft in the future? on: June 20, 2022, 09:42:47 AM
It is difficult for me to imagine that a consensus on this would be somehow reached. I have been asking this theoretical question for a couple of months now and the community is divided almost like 50/50. Even the developers have different opinions (Pieter Wuille/Adam Back would probably prefer locking the coins, Jimmy Song favors letting them be stolen, etc.). So if the situation occurs anytime in the future there will be a huge controversy. If attacking the keys is slow the result would probably be "just" a bear market. If it is fast and a huge amount of coins floods the market, I am afraid it would really endanger the existence of Bitcoin.
10  Bitcoin / Development & Technical Discussion / Re: Lost coins vulnerable to theft in the future? on: June 20, 2022, 08:35:11 AM
Mulling this, I am quite confident that a practical post-quantum ZK proof emergency salvage system could be designed not based on seed derivations, but for all UTXOs that require unrevealed public keys.  This includes P2SH/P2WSH.  The only coins that could not be safely salvaged are those in addresses with known public keys:  Reused P2PKH/P2WPKH, all P2TR, reused P2SH/P2WSH multisig, etc.  (About those, I absolutely agree with you that coins vulnerable to theft cannot be locked or seized; the idea flies in the face of all that Bitcoin means!)

But what about all those other UTXOs (lost reused P2PKH/P2WPKH, lost P2TR, lost reused P2SH/P2WSH multisig)? I think that is the main dilemma here. I would quote Pieter Wuille here: "If a QC can ever spend lost ECC-locked coins, I believe it's game over for Bitcoin. How can an asset maintain value if an attacker has the ability to flood the market with the significant portion of the entire supply?".

I don't like the idea of some coins being locked by consensus, however, Pieter has a point that the economic impact of flooding the market with all these coins could be unsurvivable.
11  Bitcoin / Development & Technical Discussion / Re: Lost coins vulnerable to theft in the future? on: June 15, 2022, 09:48:11 AM
If it is e.g. 2 million coins being stolen in small chunks for 10 years, the effect on price would not be so significant.

Coins are not going to be stolen in small chunks like that, they're either going to be stolen in quick succession because commercial quantum computers can in fact break SHA256, or they are not going to be stolen at all, because as it turns out, quantum computers cannot break SHA256 yet.

There are only two possible outcomes.


SHA-256 is not quantum endangered as far as I understand the topic (just a little speedup with Grover's algorithm).
We are talking here about ECC vulnerabilities (Shor's algorithm/lattice attacks).
And breaking each key can be quite a long process (= it is not the winner takes it all in "quick succession").
12  Bitcoin / Development & Technical Discussion / Re: Lost coins vulnerable to theft in the future? on: June 15, 2022, 09:05:46 AM
So maybe altogether 2-3 mil. is accurate.
It's closer to 4 million vulnerable coins, according to this study: https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-and-the-bitcoin-blockchain.html

It was done around 2 years ago, but you can see from the graph halfway down the page that the number has fluctuated around the 4 million mark for ~8 years, so I suspect it is still around the same. P2PK outputs are essentially constant and unchanging, while reused P2PKH addresses have slowly fallen as reused P2WPKH addresses have slowly increased. And of course we can now add in P2TR outputs as well.

4 million currently vulnerable but people would migrate.
Not all 4 million from the study are coins with lost private keys.
If it is e.g. 2 million coins being stolen in small chunks for 10 years, the effect on price would not be so significant.
What do you think?
13  Bitcoin / Development & Technical Discussion / Re: Lost coins vulnerable to theft in the future? on: June 15, 2022, 07:52:32 AM
It can only be seen from this thread that opinions on this are very different (relevant points on both sides).
For this reason, I think that a new consensus would not be reached and the default situation (letting the coins be stolen) is the most likely outcome.
Or the situation is resolved by two separate forks and market valuation.
14  Bitcoin / Development & Technical Discussion / Re: Lost coins vulnerable to theft in the future? on: June 14, 2022, 07:31:29 PM
Let's say there are even 2-3 mil. coins that are lost (nobody has private keys anymore).
Note that there are addresses with revealed public keys that do have a balance and aren't P2PK outputs, such as 1P5ZEDWTKTFGxQjZphgWPQUpe554WKDfHQ. Those are in the same danger as well if their owners don't move them to a quantum-safe address.

Yeah, I know, as stated in my post.
Also P2TR outputs are in the same danger.
So maybe altogether 2-3 mil. is accurate.

The damage (of course if that happens at all) depends on the speed of breaking the keys.
15  Bitcoin / Development & Technical Discussion / Re: Lost coins vulnerable to theft in the future? on: June 14, 2022, 07:03:49 PM
Whatever the circumstances, there's going to be a lot of split opinions when it comes to the proper discussion definitely.
Which is why I think what will probably happen is the scenario I've described above, where lost coins are gradually stolen and re-enter circulation. If we can't reach a consensus on some other solution, then this is the default position which will happen if we do nothing, as Adam_xx points out above.

I agree with that. Let's say there are even 2-3 mil. coins that are lost (nobody has private keys anymore). If the stealing lasts 10 years it's like mining with current block subsidy at that time (approx. 328.500 BTC is currently mined per year). And to be honest, I don't think that many coins are lost and thus would stay on vulnerable addresses.

Of course, if the attacker manages to crack keys from dozens of thousands of P2PK UTXOs within a couple of months it could be disastrous (price-wise).
And there are also other UTXOs with revealed pubkeys (reused addresses, P2TR, etc.).
FYI: there is currently 1.73 mil. BTC on 48.000 P2PK UTXOs.
16  Bitcoin / Development & Technical Discussion / Re: Lost coins vulnerable to theft in the future? on: June 13, 2022, 06:22:22 PM
Quote
The surprise to the system would be similar to Satoshi or some other early miner returning and suddenly moving a few hundred thousand or even million bitcoin which have been dormant for 12+ years. And that could happen at literally any time, and there is nothing we can or should do to prevent it. Assuming that coins which have not moved in a long time are lost permanently is wrong, although I'll concede that many users in the market do assume just that.

Totally agree with that. And Satoshi selling all his coins would be destructive as well.
But we assume it won’t happen (selling, not moving). But would it be the case for anybody else?
Would this selling pressure be recoverable?
17  Bitcoin / Development & Technical Discussion / Re: Lost coins vulnerable to theft in the future? on: June 13, 2022, 05:59:41 PM
By the time something is capable of breaking it within minutes, Bitcoin could well have moved on so much that the old chain is considered obsolete, or people themselves might have found an alternative to Bitcoin.

Well, I suppose (and hope) that the UTXO set (or basically the "ownership database" in any future form) will be preserved even if there is a completely new technology and this new "system" moves Bitcoin's UTXO set into it. But that is for another discussion.
18  Bitcoin / Development & Technical Discussion / Re: Lost coins vulnerable to theft in the future? on: June 13, 2022, 05:54:49 PM
Quote
Inflation pressure? There's no inflation pressure, and will never be. Provably lost coins are lost, gone, removed from circulation. Period. Non-provably lost coins aren't removed, they're just trapped. No one should assume they won't return into circulation, and in fact, we, overtime, observe some decade-old, dusted, 50 BTC worth outputs being spent, which reveals that these coins are falsely assumed as lost.

The system began with the presumption that someday it'd reach a number less than 21 million coins, without any arbitrary monetary policy, and so it is.

You are absolutely correct, inflation was not the right word at all. But let's say the market counts non-provably lost coins as provably lost coins (and might be surprised one day).
19  Bitcoin / Development & Technical Discussion / Re: Lost coins vulnerable to theft in the future? on: June 13, 2022, 04:43:23 PM
Quote
but flooding the market with so many coins could be massively disruptive
That's why I think if someone will suddenly move a lot of coins, then the consensus will quickly form around burning all of them, by providing valid signatures. In an economic sense, other forks could be just cheaper and lose Proof of Work support from miners.

But how do you distinguish legitimate users from "thieves"? The legitimate/stealing transactions will both have a valid signature.
If there is ever a consensus to lock the coins I guess the only way would be to block the UTXOs (to block all coins with vulnerable signatures, not just some chosen coins) after a long period of alert (e.g. a decade) before the attack itself, not after the coins have already moved. After some block height, only coins on new and safe addresses will be movable. But even for this scenario I can't imagine reaching a consensus for the reason below:

If you can burn or lock coins for arbitrary reasons, then you have proven that you can manipulate the ledger, after which it will never be long until censorship rears its regular head.

No one knows if the key break will take minutes, hours, weeks or years, but I suppose it won't be one entity taking it all with a single attack in a single day.
And if the stealing lasts years or decades in small chunks nobody can prevent inflation pressure on Bitcoin, unfortunately.

Quote
The second option would probably not be able to reach consensus
Why not? I read many posts saying that "burning is acceptable" or "locking by soft-fork is acceptable". I think reaching consensus on burning someone else's coins would be easier, than forming any consensus on stealing them, even if only once.

Reaching consensus on burning someone else's coins is hard but "sacrifice" the coins (let them be stolen) doesn't require forming a new consensus. It is what the current code says, basically.
20  Bitcoin / Development & Technical Discussion / Lost coins vulnerable to theft in the future? on: June 13, 2022, 01:49:25 PM
If there was a vulnerability in ECDSA/Schnorr (maybe because of a quantum computer but it can be any other reason - lattice attacks, etc.) and there would be an alternative - new safe locking scripts - and people would start moving their coins into them.
What do you think would happen to those UTXOs that don't move at all (lost coins/Satoshi’s coins/etc.)?

Do you think the consensus would be to let them be stolen OR to soft-fork them out (remove from circulation - e.g. “you have 10 years to move your UTXOs, otherwise they will become invalid”)?

The first option is better in my opinion but flooding the market with so many coins could be massively disruptive.
The second option would probably not be able to reach consensus but the effect on price would not be so disastrous.

Some people touched this in the following thread but I didn't want to continue there as this was a little bit off topic:
https://bitcointalk.org/index.php?topic=5400954.0