Bitcoin Forum
Author Topic: J. Lopp's Post-Quantum Migration BIP  (Read 1172 times)
d5000
Legendary
Activity: 4396
Merit: 9359
July 21, 2025, 08:23:56 PM
Merited by Pmalek (2), ABCbits (1)
 #21

I wonder when exactly Satoshi's coins began to be considered "lost" or "frozen".

I believe Lopp's argument that quantum "recovery" is a theft from all Bitcoin users is completely false. As I already wrote, these coins are part of the circulating supply.

Let's ask ourselves some questions. Would the following scenarios be considered "a theft from everyone"?

1) Satoshi reappearing and spending or selling his coins.
2) Another early Bitcoin user (or their heirs, like in the case of Hal Finney) appearing and moving the Patoshi coins, claiming that these weren't mined by Satoshi but by themselves.
3) Hackers stealing the Bitcoins from some of the Patoshi addresses, because they were able to hack the private key from somewhere (e.g. an old computer or server).
4) Hackers stealing the Bitcoins from some of the Patoshi addresses, because the RNG which generated the keys had a flaw / low entropy.

I think at least the first two are not even worth a discussion: they are completely legitimate Bitcoin transactions like all others, and would end up demonstrating that these coins were always part of the circulating supply.

But the third and fourth cases are things that have happened with millions of other coins (and above all, case 3 is happening literally every week or so). And while these hacks are of course theft, they are not considered to be a threat to Bitcoin's value or a "theft from everyone", because their original owners could have sold them too.

The gap between case 4 and a quantum theft is minimal.

Thus, the whole BIP is based on a completely flawed concept of Bitcoin's economy.

Medusah
Sr. Member
Activity: 465
Merit: 443
July 21, 2025, 09:49:00 PM
Merited by d5000 (2), Pmalek (2), Halab (2), ABCbits (1)
 #22

Quote
Thus, the whole BIP is based on a completely flawed concept of Bitcoin's economy.

Maybe what I think is an oversimplification of reality, but here's how I explain this reasoning: there's a perception, perhaps flawed, that what determines the consensus is dormant wallet holders. This is not entirely flawed, because large holders do move the market value of bitcoin by selling the forks for bitcoin, and thus play a key role by being in the position to determine which fork remains the most valuable. Certainly they are not the only entities that determine that, because their coins are valued that much because people want them, and they want them because it fits their definition of what's the "correct bitcoin" in the free market. For example, if a few large holders gathered, all holding more than 10 million coins, and decided to introduce censorship on the protocol rules, that wouldn't pass because the demand for coins in a pro-censorship network would likely go down. (And thus, they would likely lose as "economic majority" by selling their bitcoin for their fork.)

I think there's a similar case with Satoshi-era coins and this dilemma. People with dormant wallets might want to silently remove Satoshi-era coins from circulation, because they try to justify to themselves that those coins are lost, as they have a big conflict of interest. On the other hand, I'm not sure how good an idea it is for them, if many bitcoiners consider it a violation of first principles. I think this issue requires a lot more discussion.
Pmalek (OP)
Legendary
Activity: 3248
Merit: 8534
July 22, 2025, 06:57:03 AM
 #23

Quote
I wonder when exactly Satoshi's coins began to be considered "lost" or "frozen".
It doesn't matter how people classify them or what tags they use when discussing those coins. It's all subjective. Those coins exist and perhaps someday the legitimate owner or an heir will appear with the right signing keys to spend them. No one has the right to point fingers and arbitrarily decide that some coins are lost just because they haven't moved for so long. Just recently we saw tens of thousands of bitcoins move from old addresses. Some were allegedly sold while others were moved to increase their security.

Everyone has the right never to move their bitcoin if they don't want to. That's ok just like it's ok to move them 100 times a year if you so please.
The BIP would only make sense if Phase C wasn't optional but absolutely mandatory. Still, I would love for there to be a mechanism to protect all or as many BTC as possible if and when a future comes where a significant part of them becomes vulnerable.

ABCbits
Legendary
Activity: 3360
Merit: 9125
July 22, 2025, 10:31:17 AM
 #24

He makes a few fair arguments in there.

Quote
"Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone." - Jameson Lopp
This is true, and many other points raised are good. However, there is an existential-level risk in establishing any precedent of freezing any kind of UTXOs. A much bigger risk than most people are able to understand. If the solutions to this problem all remain controversial, and many users do not support them, then what? Try to force the update, which would significantly aggravate the negative impact from this precedent? Roll Eyes This is why I am not necessarily trying to say that I don't want them to be frozen under any conditions. I am trying to say that if they do get compromised eventually, it is not as bad as many parties try to make it seem, and that we need to work on reframing this problem.

I agree with your statement. As for the scenario of forcing a change, it reminds me of when ETH rolled back the DAO hack through hard-coded logic. While the majority of the ETH community supported the rollback, I certainly hope the opposite would happen in this scenario.



Quote
I believe Lopp's argument that quantum "recovery" is a theft from all Bitcoin users is completely false. As I already wrote, these coins are part of the circulating supply.

I think you may have missed the context of his statement. IMO he attempts to counter a flawed argument with a different flawed argument.

Quote
We can wax philosophical until the cows come home, but what are the actual incentives for existing Bitcoin holders regarding this decision?

    "Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone." - Satoshi Nakamoto

If true, the corollary is:

    "Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone." - Jameson Lopp

d5000
Legendary
Activity: 4396
Merit: 9359
July 22, 2025, 03:01:35 PM
Merited by vapourminer (4), Pmalek (2)
 #25

Quote
There's a perception, perhaps flawed, that what determines the consensus is dormant wallet holders. This is not entirely flawed, because large holders do move the market value of bitcoin by selling the forks for bitcoin, and thus play a key role by being in the position to determine which fork remains the most valuable.
Interesting perspective. I think there is some truth in it, but only if you count holders who actually could sell their coins at some fork, and it's not clear if this applies to Satoshi.

One could see it this way: if Satoshi has lost access to his coins (for whatever reason) then he would of course no longer be in that "consensus-relevant" holder category. If a post-quantum cryptography feature was added, we could probably witness whether Satoshi is still present (= has access to the coins), because he would probably move the coins eventually if he still has access, even if the feature was optional.

If he doesn't move the coins, which I think has an 80%+ likelihood at this point (because Satoshi of course knows that he can make the coins more quantum-safe already by transferring them to "modern" addresses), and the quantum threat becomes real, then there are two possibilities for the fate of these coins: one, that a large part is hacked by a single group, and the other, that most of the coins are distributed relatively evenly among several hacker groups. Only in the first case would there really be an incidence on consensus, and I consider it relatively unlikely; I think that while some entity could have a first-mover advantage with QCs, technology tends to spread rapidly (and there are several companies active in QC research), and as the first "quantum hackers" would probably take years to hack a single address, it is likely that when the first few addresses were hacked, other groups would have already joined that race.

Of course there could be the idea that Satoshi's coins are a kind of "insurance against bad development decisions", i.e. if for example a big group of holders is pushing for censorship features, Satoshi could magically appear and sell his coins on the "censorship fork". However, this too is only the case if he is still able to access the coins, and as written above, the likelihood seems to be quite low because I'd expect him to move his coins out of the vulnerable P2PK UTXOs.

There's also the possibility that Satoshi is holding back his coins deliberately to not cause market disruptions. There are however possible strategies for him to prevent that, such as signing a message with one of his addresses like "I'm Satoshi, and I will move my coins in the next weeks, but they will not be sold, only moved to a safer UTXO." Or "I'm an early miner" instead of "I'm Satoshi" if he wants to preserve his identity.

tl;dr: I think the probability that quantum hacks have an incidence on consensus (outside of side effects from market disruptions) is probably quite low.



@ABCbits: Thanks for the context, I vaguely remember that part of the blog post. But I think this isn't that important. What I think is, to say it bluntly, that Lopp and those agreeing with him are simply greedy and want to contract the supply even more, for Bitcoin to moon even faster. We don't know if (most) lost coins are really lost, and thus we don't know if there was a donation. So if the coins return to circulation we also can't say that this was a theft.

Satofan44
Full Member
Activity: 140
Merit: 340
July 22, 2025, 03:09:54 PM
 #26

Quote
@ABCbits: Thanks for the context, I vaguely remember that part of the blog post. But I think this isn't that important. What I think is, to say it bluntly, that Lopp and those agreeing with him are simply greedy and want to contract the supply even more, for Bitcoin to moon even faster. We don't know if (most) lost coins are really lost, and thus we don't know if there was a donation. So if the coins return to circulation we also can't say that this was a theft.
You got it. They've spent too much time on X and similar platforms and their brains get corrupted by shitcoin propaganda. Occasionally you see people these days also doubting the security model of Bitcoin precisely because of this, even though there is not yet a single sign that it will be a problem. Anyhow, another unfortunate (even if minor) side effect of this kind of locking is that it would put an end to those happy "I've found Bitcoin in a 10 year old wallet" stories. I love those.

dkbit98
Legendary
Activity: 2716
Merit: 8210
July 22, 2025, 06:40:18 PM
 #27

I am sure this won't be a popular proposal, especially for people who don't want to move their coins from original addresses.
If the change becomes mandatory then I am sure we are going to see another Bitcoin fork as a result.
This would also effectively ''wipe'' a bunch of old coins from the supply, including Satoshi's coins.

NeuroticFish
Legendary
Activity: 4158
Merit: 6900
July 22, 2025, 07:03:27 PM
 #28

Imho Phase A is fine since it brings a plus. But Phase B is unnecessary (overkill) and Phase C becomes a must if Phase B is done (but then why Phase B at all?).

Quote
"Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone." - Jameson Lopp

I don't disagree with this, but imho this cannot be prevented 100%. And if so, any enforcing we'd attempt doesn't help. People who want to move funds to improved safety will have the means to do so, and the rest... face the risks (which imho are in 2025 still overrated).

Pmalek (OP)
Legendary
Activity: 3248
Merit: 8534
July 23, 2025, 07:04:51 AM
Merited by vapourminer (4), d5000 (1)
 #29

Quote
I agree with your statement. As for the scenario of forcing a change, it reminds me of when ETH rolled back the DAO hack through hard-coded logic. While the majority of the ETH community supported the rollback, I certainly hope the opposite would happen in this scenario.
There is a significant difference. After the DAO hack, a rollback was proposed by those who lost money to it. It was the Ethereum Foundation and people close to the project. They wanted a redo and to go back to a post where they don't lose their money. But no hack or brute force has happened here from quantum computers. There is no fake governance structure attempting to recover what they have lost unless there is a reason to believe that J. Lopp and the other authors of the BIP are in fact satoshi, wanting to regain access to bitcoin whose keys they lost.

Satofan44
Full Member
Activity: 140
Merit: 340
July 23, 2025, 03:08:58 PM
Last edit: July 23, 2025, 09:50:31 PM by Satofan44
Merited by Pmalek (2), ABCbits (1)
 #30

Quote
I agree with your statement. As for the scenario of forcing a change, it reminds me of when ETH rolled back the DAO hack through hard-coded logic. While the majority of the ETH community supported the rollback, I certainly hope the opposite would happen in this scenario.
There is a significant difference. After the DAO hack, a rollback was proposed by those who lost money to it. It was the Ethereum Foundation and people close to the project. They wanted a redo and to go back to a post where they don't lose their money. But no hack or brute force has happened here from quantum computers. There is no fake governance structure attempting to recover what they have lost unless there is a reason to believe that J. Lopp and the other authors of the BIP are in fact satoshi, wanting to regain access to bitcoin whose keys they lost.
It is the closest comparison in terms of governance and forcing a change though. It is important to know that a rollback of individual addresses is not possible in Bitcoin, so there will never be something similar to the DAO situation in terms of the details. However, in terms of governance it is the closest thing. The DAO situation was quite controversial even if it had majority support that was carefully engineered by its leader and other key people with financial interests. Here I would also like to note that the ability to roll back individual addresses is a bug and not a feature, as altcoin proponents believe. This creates a very bad precedent for creating collusive quick forks in order to bail out individuals, as was already the case. With Bitcoin a hard fork would undo everything that has happened after the block to which we are rolling back, and thus such an action would have far more extensive and unknown implications. This serves as an additional deterrent to those who may consider such idiotic ideas of the old financial system.

Quote
If the solutions to this problem all remain controversial, and many users do not support them, then what? Try to force the update, which would significantly aggravate the negative impact from this precedent? Roll Eyes


It would be easy if we could reach strong consensus, but this is not going to happen with proposals that involve freezing. How we approach this lack of consensus will have a bigger impact on Bitcoin's future than any amount of "stolen coins" could ever have.
There is a strong chance that even a simple majority consensus will be impossible on this (not to even mention the supermajority consensus requirement that is traditionally required or desired in Bitcoin), so the key question will be "What then?". My cypherpunk sense tells me that there will be many people who will reject any proposal in these lines. As a compromise I could maybe accept freezing of P2PK addresses as those were a flaw in the original design of the system, but not more than that. Whoever still has such an address is using Bitcoin wrong.


Edit: Thanks d5000, fixed typo regarding address types.

PrivacyG
Legendary
Activity: 1274
Merit: 2138
July 23, 2025, 04:16:01 PM
Merited by d5000 (3), Pmalek (2), ABCbits (1)
 #31

I see a lot of arguments for or against whether the Satoshi era coins are lost or not.  It does not matter and it should not matter.  This subject shall be treated in the least subjective way possible.  For that to happen, we have to imagine the blockchain is private for a second.

If Monero had this subject discussed, there would be no way of knowing whether old coins have moved and which precisely.  It is dangerous to introduce a mandatory migration because it is a precedent and it significantly lessens the credibility of Bitcoin and the bit of our community that feels safe with Bitcoin.  If this becomes mandatory, as much as I love Bitcoin I will likely move on to Monero or just quit.

The world provokes enough stress.  I do not want to move from the stress of my bank freezing my funds for no reason to the stress of my Bitcoin turning to the void when I lack the time to migrate my coins in time.  Because who knows what other threat comes after Bitcoin, and if we made Quantum Computer resistant Bitcoin mandatory when why not make the next threat a mandatory change too!

Imagine the headlines of all news outlets.  They would thrive off this subject, it would keep many people distant from Bitcoin.  People who do not understand Bitcoin entirely may get out of it scared that one day they may not have access to their coins any more.

Moreover. I do not understand why this has to affect the early adopters when it could simply affect the people who are not responsible enough or are just unlucky enough to not find access to their keys before a Quantum Computer successfully generates or breaks it. One of them definitely affects a lot of UTXOs, the other is simply a possibility. Why affect the UTXOs?

And then, by giving the Bitcoin users more time to migrate IF they will, this means a lot more UTXOs will move to the Quantum Computer resistant addresses before Quantum Computers get to actually do damage to Bitcoin.  IF they ever even get to damage it in any way.

To me, not obliging everybody to do this is a win-win situation. If Quantum Computers do damage then the 'rewards' will be way less; if they do not, then a lot more people have the opportunity to move their coins before a situation like this occurs.

Man.  James Howells would pull his hair out of anger if the migration becomes mandatory.  And so would I, for the lack of sense this would make.
d5000
Legendary
Activity: 4396
Merit: 9359
July 23, 2025, 06:43:37 PM
Merited by Pmalek (2), Satofan44 (1)
 #32

Quote
There is no fake governance structure attempting to recover what they have lost unless there is a reason to believe that J. Lopp and the other authors of the BIP are in fact satoshi, wanting to regain access to bitcoin whose keys they lost.
There could be other types of conflicts of interest involved, even without an "explicit" governance structure like Ethereum's. For example, those who support the BIP could be heavily invested in an entity which is in great danger of getting into trouble if Bitcoin's price crashed harder than in other recent bear markets. Smaller ETF/ETP providers, Strategy, etc.

My impression is that they want to try to completely remove the "Satoshi coins sellout scenario", declaring his coins lost forever. And if there are entities which benefit from the removal of this volatility risk, then they would probably be in favour of that change, and that would result in COIs.

Quote
As a compromise I could maybe accept freezing of P2PKH addresses as those were a flaw in the original design of the system, but not more than that. Whoever still has such an address is using Bitcoin wrong.
I think you mean P2PK, not P2PKH. What I would agree with is not to freeze those addresses (because in fact that's where Satoshi's coins reside), but to declare new P2PK scripts invalid, so new ones aren't created anymore.

P2TR is another problem. I wonder if Taproot could be changed in a way to remove the exposure of the public key, e.g. removing the key path?

Not in Town
Newbie
Activity: 29
Merit: 4
July 23, 2025, 07:19:42 PM
Last edit: July 24, 2025, 05:27:21 AM by Not in Town
 #33

Quote
I see a lot of arguments for or against whether the Satoshi era coins are lost or not. It does not matter and it should not matter. This subject shall be treated in the least subjective way possible. For that to happen, we have to imagine the blockchain is private for a second.

If Monero had this subject discussed, there would be no way of knowing whether old coins have moved and which precisely.  It is dangerous to introduce a mandatory migration because it is a precedent and it significantly lessens the credibility of Bitcoin and the bit of our community that feels safe with Bitcoin.  If this becomes mandatory, as much as I love Bitcoin I will likely move on to Monero or just quit.

The world provokes enough stress.  I do not want to move from the stress of my bank freezing my funds for no reason to the stress of my Bitcoin turning to the void when I lack the time to migrate my coins in time.  Because who knows what other threat comes after Bitcoin, and if we made Quantum Computer resistant Bitcoin mandatory when why not make the next threat a mandatory change too!

Imagine the headlines of all news outlets.  They would thrive off this subject, it would keep many people distant from Bitcoin.  People who do not understand Bitcoin entirely may get out of it scared that one day they may not have access to their coins any more.

Moreover. I do not understand why this has to affect the early adopters when it could simply affect the people who are not responsible enough or are just unlucky enough to not find access to their keys before a Quantum Computer successfully generates or breaks it. One of them definitely affects a lot of UTXOs, the other is simply a possibility. Why affect the UTXOs?

And then, by giving the Bitcoin users more time to migrate IF they will, this means a lot more UTXOs will move to the Quantum Computer resistant addresses before Quantum Computers get to actually do damage to Bitcoin.  IF they ever even get to damage it in any way.

To me, not obliging everybody to do this is a win-win situation. If Quantum Computers do damage then the 'rewards' will be way less; if they do not, then a lot more people have the opportunity to move their coins before a situation like this occurs.

Man.  James Howells would pull his hair out of anger if the migration becomes mandatory.  And so would I, for the lack of sense this would make.

Agreed. Furthermore, wallets would display a warning if your funds were in vulnerable addresses. Anyone with bitcoin would know that they have to move their funds to quantum-resistant addresses in order to be up to date with security, for the information would be blasted everywhere. It has to be voluntary, though.

If successful attacks have been perpetrated on vulnerable addresses and people still decide not to migrate only to see themselves become victims at a later point in time, it's pretty safe to say the loss of their bitcoin is on them. They would have had plenty of time to migrate.
Pmalek (OP)
Legendary
Activity: 3248
Merit: 8534
July 24, 2025, 07:31:27 AM
Merited by vapourminer (1)
 #34

Quote
I see a lot of arguments for or against whether the Satoshi era coins are lost or not. It does not matter and it should not matter.
I agree. No one has the right to point fingers and determine these coins are lost but these here aren't.  

Quote
This subject shall be treated in the least subjective way possible. For that to happen, we have to imagine the blockchain is private for a second.
But it isn't. Pretending it is won't change that.

Quote
It is dangerous to introduce a mandatory migration because it is a precedent and it significantly lessens the credibility of Bitcoin and the bit of our community that feels safe with Bitcoin.
How safe would everyone feel knowing that exposing your public Bitcoin key can potentially result in your funds being stolen? People have been told not to reuse addresses for privacy reasons from the start, and it still happens a lot. In the future the threat could be to our security, not just privacy. Still, many people would do the easier thing and reuse old addresses rather than generate a new one for every transaction. Yes, I know, it's their fault, but still...

Quote
I do not want to move from the stress of my bank freezing my funds for no reason to the stress of my Bitcoin turning to the void when I lack the time to migrate my coins in time.
True, that would be horrible.

Quote
Imagine the headlines of all news outlets. They would thrive off this subject, it would keep many people distant from Bitcoin. People who do not understand Bitcoin entirely may get out of it scared that one day they may not have access to their coins any more.
I can also see that fear happening if the headlines said something like "quantum computers can now break Bitcoin encryption and steal your coins". Since the media is nefarious, they will deliberately make it vague like that, without explaining which coins are potentially under threat.

Medusah
Sr. Member
Activity: 465
Merit: 443
July 24, 2025, 07:53:08 AM
 #35

Quote
It is dangerous to introduce a mandatory migration because it is a precedent and it significantly lessens the credibility of Bitcoin and the bit of our community that feels safe with Bitcoin.

I don't see anyone proposing a "mandatory migration", nor can I see how this is possible in practice. You can't force people to migrate to quantum-safe addresses. You can only show them how to do it, after a soft fork is passed. The "dilemma" is whether to freeze coins that do not migrate after year 20XY, or leave them to their fate. I would find many reasons why the former would result in a much worse network that people would lose trust in. In either case, people who do not get informed about the emerged threat, years into the future, will lose access to their coins, frozen or not frozen.
ABCbits
Legendary
Activity: 3360
Merit: 9125
July 24, 2025, 09:18:06 AM
 #36

Quote
I agree with your statement. As for the scenario of forcing a change, it reminds me of when ETH rolled back the DAO hack through hard-coded logic. While the majority of the ETH community supported the rollback, I certainly hope the opposite would happen in this scenario.
There is a significant difference. After the DAO hack, a rollback was proposed by those who lost money to it. It was the Ethereum Foundation and people close to the project. They wanted a redo and to go back to a post where they don't lose their money. But no hack or brute force has happened here from quantum computers. There is no fake governance structure attempting to recover what they have lost unless there is a reason to believe that J. Lopp and the other authors of the BIP are in fact satoshi, wanting to regain access to bitcoin whose keys they lost.

I get your point. But as stated by @Satofan44, it's the closest comparison (that I know of and remember) regarding a forced change that involves a protocol change and a relatively large amount of coins.

Quote
As a compromise I could maybe accept freezing of P2PK addresses as those were a flaw in the original design of the system, but not more than that. Whoever still has such an address is using Bitcoin wrong.

I don't think there are wallets (that received updates until recently) that support generating P2PK addresses from the GUI these days. Besides, people who reuse their addresses also face the same issue of their public key being exposed.

Satofan44
Full Member
Activity: 140
Merit: 340
July 24, 2025, 12:07:13 PM
Last edit: July 24, 2025, 05:26:56 PM by Satofan44
Merited by Pmalek (2), stwenhao (1), Medusah (1)
 #37

Quote
It is dangerous to introduce a mandatory migration because it is a precedent and it significantly lessens the credibility of Bitcoin and the bit of our community that feels safe with Bitcoin.

I don't see anyone proposing a "mandatory migration", nor can I see how this is possible in practice. You can't force people to migrate to quantum-safe addresses. You can only show them how to do it, after a soft fork is passed. The "dilemma" is whether to freeze coins that do not migrate after year 20XY, or leave them to their fate. I would find many reasons why the former would result in a much worse network that people would lose trust in. In either case, people who do not get informed about the emerged threat, years into the future, will lose access to their coins, frozen or not frozen.
Am I missing something or did you not read the original post? That is the key point of the whole proposal. To be precise you can't force someone to migrate per se, but by disallowing the spending of previous signature types you are in practice doing just that, forcing them to migrate or lose their coins.

Quote
Phase B
- A deadline will be announced after which it won't be possible to spend and sign using legacy ECDSA/Schnorr signatures.
- This requires a consensus rule change, where nodes will reject the old signature formats.
- Quantum-vulnerable UTXOs become unspendable.
- The recommended deadline is around 5 years after the activation of Phase A.

Quote
As a compromise I could maybe accept freezing of P2PK addresses as those were a flaw in the original design of the system, but not more than that. Whoever still has such an address is using Bitcoin wrong.

Quote
I don't think there are wallets (that received updates until recently) that support generating P2PK addresses from the GUI these days. Besides, people who reuse their addresses also face the same issue of their public key being exposed.

I sure hope not, but maybe there are people who keep some of those addresses for the sake of vanity (pride or proof of being there at that time) or something like that.

stwenhao
Hero Member
Activity: 485
Merit: 938
July 24, 2025, 01:01:32 PM
Merited by Satofan44 (1)
 #38

Quote
I sure hope not, but maybe there are people who keep some of those addresses for the sake of vanity or something like that.
Vanity addresses were historically based on 160-bit hashes, because when people used P2PK, they did it directly through pay-to-IP. And if someone has a vanity public key, then it can be used inside P2TR. Also, vanity addresses based on 160-bit hashes can still be nested inside TapScript, if someone needs it.

Proof of Work puzzle in mainnet and testnet4.
Medusah
Sr. Member
Activity: 465
Merit: 443
July 24, 2025, 02:20:08 PM
Merited by Satofan44 (1)
 #39

Quote
Am I missing something, or did you not read the original post? That is the key point of the whole proposal. To be precise, you can't force someone to migrate per se, but by disallowing the spending of previous signature types you are in practice doing just that, forcing them to migrate or lose their coins.

Yes, apologies. What I meant is that some of us are not in favor of a "mandatory migration", but rather an optional one. To not freeze any coin, but leave them to the fate of their security.
Satofan44
Full Member
Activity: 140
Merit: 340
July 24, 2025, 05:25:49 PM
Merited by vapourminer (1)
 #40

Quote
I sure hope not, but maybe there are people who keep some of those addresses for the sake of vanity or something like that.
Vanity addresses were historically based on 160-bit hashes, because when people used P2PK, they did it directly through pay-to-IP. And if someone has a vanity public key, then it can be used inside P2TR. Also, vanity addresses based on 160-bit hashes can still be nested inside TapScript, if someone needs it.
I meant the literal word vanity, not vanity addresses. A sort of "I've been there" trophy.

Quote
Definition: Excessive pride in one's appearance or accomplishments.
Sorry for the confusion! Post updated.

Quote
Am I missing something, or did you not read the original post? That is the key point of the whole proposal. To be precise, you can't force someone to migrate per se, but by disallowing the spending of previous signature types you are in practice doing just that, forcing them to migrate or lose their coins.

Yes, apologies. What I meant is that some of us are not in favor of a "mandatory migration", but rather an optional one. To not freeze any coin, but leave them to the fate of their security.

All clear now! Yes, I agree with you, even if I mentioned a last resort compromise in my previous proposal. It really depends on how this "war" will play out within the community. If there happens to be a majority NO to any kind of freezing or mandatory migration, I would not consider any compromise at all with those that propose these things. Let them fork themselves away to their own "Bitcoin Quantum Safe", they take the BQS ticker. Grin
