Bitcoin Forum
Author Topic: J. Lopp's Post-Quantum Migration BIP  (Read 2338 times)
BlackHatCoiner
November 20, 2025, 03:07:03 PM
Merited by vapourminer (4), Pmalek (3)
 #81

I'm asking one of the most respected developers in BitcoinTalk, Gregory Maxwell, not my fellow plebs in the forum. Is Scott Aaronson's statement actually true, or more probable today?
I've yet to find a bitcoin developer who is competent enough to talk to us about quantum computers. Most of them, including J. Lopp, don't really understand quantum computing. They just repeat what others, seemingly more technically competent than them, know.

What we know for sure is that the quantum-safe math isn't tested enough, especially in comparison with elliptic curve cryptography. Hardforking to a quantum-safe bitcoin where quantum-resistant cryptography is suddenly broken by classical computers, without quantum computers even existing, would be a massive failure, and it's definitely within the realms of possibility.



d5000
November 20, 2025, 03:58:44 PM
Merited by vapourminer (1)
 #82

I'm a bit surprised that there has been no QC running Shor's algorithm so far, according to that blog post.

Hadn't they broken some very small RSA challenges already? Like in this news item from late 2024 (they "broke" 50 bit RSA back then, which is tiny, a classical computer can do that in milliseconds according to Google's AI).

OK he writes "fault tolerant", so that may be the novelty. But he doesn't write anything about the strength of the cryptography that could be broken. If he wrote "a quantum computer that breaks RSA 2048" or so, then it would be more scary.

Mr Reporter
November 20, 2025, 04:19:40 PM
 #83

I'm a bit surprised that there has been no QC running Shor's algorithm so far, according to that blog post.

Hadn't they broken some very small RSA challenges already? Like in this news item from late 2024 (they "broke" 50 bit RSA back then, which is tiny, a classical computer can do that in milliseconds according to Google's AI).

OK he writes "fault tolerant", so that may be the novelty. But he doesn't write anything about the strength of the cryptography that could be broken. If he wrote "a quantum computer that breaks RSA 2048" or so, then it would be more scary.
To some level of understanding and a little research work, you have asked a great question. And your intuition is spot-on: yes, from the looks of things there have been quantum demonstrations of factoring very small RSA keys, but they’re not really “breaking RSA” in any cryptographically meaningful way, and that’s why people aren’t yet alarmed about a real Shor-based threat to real-world crypto.

https://www.livescience.com/technology/computing/chinese-scientists-claim-they-broke-rsa-encryption-with-a-quantum-computer-but-theres-a-catch?utm_source=chatgpt.com

Well, your mention of “fault tolerant” was a bit confusing to me, but after some research I could say that the blog post you read was probably referring to a cryptographically relevant quantum computer (CRQC), that is, a quantum machine that’s large, accurate, and stable enough to break real cryptographic keys (e.g., RSA-2048).
https://forklog.com/en/quantum-computer-cracks-22-bit-rsa-encryption/

NotFuzzyWarm
November 21, 2025, 02:02:11 AM
Merited by fillippone (3), d5000 (2), vapourminer (1)
 #84

re^^ at the bottom of the forklog article is a rebuttal from Adam Back https://forklog.com/en/adam-back-dismisses-quantum-threat-to-bitcoin-as-overstated/ putting things in better perspective.
Quote
    Probably not for 20-40 years, if then. And there are quantum secure signatures, NIST standardized SLH-DSA last year. Bitcoin can add over time, as the evaluation continues and be quantum ready, long before cryptographically relevant quantum computers arrive.

    — Adam Back (@adam3us) November 15, 2025
He puts the timeline at 20-40 years away before QC's can be scaled up enough to crack RSA256 encryption. Given the pace of (very incremental) QC advancements that fits my guess as well.

Phoebehappy
November 21, 2025, 08:14:00 AM
Merited by vapourminer (1), NotFuzzyWarm (1)
 #85

This whole proposal is definitely interesting, but also a bit worrying. Quantum security is important, but the changes required here are massive. Even the signature size alone would have a huge impact on fees and the mempool.

I understand the need to prepare early, but forcing everyone to migrate under a strict deadline seems risky, especially for long-term cold storage holders. There are many coins that haven’t moved for years, and they might get permanently “locked” if the owners don’t upgrade in time.

I think the idea of improving security is good, but a more gradual and flexible approach would be safer. Maybe making the old format non-standard first would be better than instantly invalidating it. That would reduce the chance of accidentally burning good UTXOs.

I’m also curious how wallets and exchanges would coordinate this if it ever happens, because that seems like the biggest challenge of all.
fillippone
November 21, 2025, 10:09:41 AM
Merited by vapourminer (1)
 #86

re^^ at the bottom of the forklog article is a rebuttal from Adam Back https://forklog.com/en/adam-back-dismisses-quantum-threat-to-bitcoin-as-overstated/ putting things in better perspective.
Quote
   Probably not for 20-40 years, if then. And there are quantum secure signatures, NIST standardized SLH-DSA last year. Bitcoin can add over time, as the evaluation continues and be quantum ready, long before cryptographically relevant quantum computers arrive.

    — Adam Back (@adam3us) November 15, 2025
He puts the timeline at 20-40 years away before QC's can be scaled up enough to crack RSA256 encryption. Given the pace of (very incremental) QC advancements that fits my guess as well.


When speaking about quantum attacks, one has to consider Satoshi's bitcoin, which are way more vulnerable to quantum attacks compared to all the other bitcoins around here.
What to do with Satoshi's bitcoin? This is another "existential threat" to Bitcoin, indirectly linked to quantum computers.

Satofan44
November 21, 2025, 12:51:54 PM
Merited by fillippone (3)
 #87

re^^ at the bottom of the forklog article is a rebuttal from Adam Back https://forklog.com/en/adam-back-dismisses-quantum-threat-to-bitcoin-as-overstated/ putting things in better perspective.
Quote
    Probably not for 20-40 years, if then. And there are quantum secure signatures, NIST standardized SLH-DSA last year. Bitcoin can add over time, as the evaluation continues and be quantum ready, long before cryptographically relevant quantum computers arrive.

    — Adam Back (@adam3us) November 15, 2025
He puts the timeline at 20-40 years away before QC's can be scaled up enough to crack RSA256 encryption. Given the pace of (very incremental) QC advancements that fits my guess as well.
Sounds better, but even that is optimistic. I don't like these timelines because they can never properly factor in everything that we don't know, and we don't know many things about QCs. I've said it before, it is possible that they eventually hit some roadblock that we don't even know is possible at this point in time.

re^^ at the bottom of the forklog article is a rebuttal from Adam Back https://forklog.com/en/adam-back-dismisses-quantum-threat-to-bitcoin-as-overstated/ putting things in better perspective.
Quote
   Probably not for 20-40 years, if then. And there are quantum secure signatures, NIST standardized SLH-DSA last year. Bitcoin can add over time, as the evaluation continues and be quantum ready, long before cryptographically relevant quantum computers arrive.

    — Adam Back (@adam3us) November 15, 2025
He puts the timeline at 20-40 years away before QC's can be scaled up enough to crack RSA256 encryption. Given the pace of (very incremental) QC advancements that fits my guess as well.
When speaking about quantum attacks, one has to consider Satoshi's bitcoin, which are way more vulnerable to quantum attacks compared to all the other bitcoins around here.
What to do with Satoshi's bitcoin? This is another "existential threat" to Bitcoin, indirectly linked to quantum computers.
It is not an existential threat and they are not the only coins that will remain vulnerable. Some people will fail to upgrade to addresses that don't have their public keys exposed over time. This is inevitable. These are the possibilities:

1) Freeze temporarily or permanently (they can't be moved under any conditions).
2) Confiscate (reintroduce back into supply for some reason, say mining schedule).
3) Leave them as they are and let them get taken and reintroduced into the market.

I don't think there is anything existential about this especially if we are talking about a Bitcoin that is 30, 40 years old or longer. This has been addressed in many threads, you can check out d5000's posts on this matter. The likely solution is that they will be left as they are and eventually once the market absorbs them this "existential" problem goes away forever. This is considered better than doing a freeze/confiscation as that would change what Bitcoin is. As soon as there is even 1 case where this was "justified" then eventually there will be another case where it may also be "justified". We'd essentially turn Bitcoin into Ethereum-lite, from a decentralized network to one where confiscation by the direction of the "managers" is possible.

The trade off is not worth it.

fillippone
November 21, 2025, 06:34:42 PM
 #88

It is not an existential threat and they are not the only coins that will remain vulnerable. Some people will fail to upgrade to addresses that don't have their public keys exposed over time. This is inevitable. These are the possibilities:

1) Freeze temporarily or permanently (they can't be moved under any conditions).
2) Confiscate (reintroduce back into supply for some reason, say mining schedule).
3) Leave them as they are and let them get taken and reintroduced into the market.

The trade off is not worth it.

Well, I think anything that differs from 3 is an existential threat to Bitcoin, as it introduces censorship into the protocol. And when you introduce censorship for a valid reason, it quickly becomes an introduction to censorship for ANY reason.
Censorship of Bitcoin is an existential threat.

Satofan44
November 21, 2025, 07:37:08 PM
Merited by fillippone (3)
 #89

It is not an existential threat and they are not the only coins that will remain vulnerable. Some people will fail to upgrade to addresses that don't have their public keys exposed over time. This is inevitable. These are the possibilities:

1) Freeze temporarily or permanently (they can't be moved under any conditions).
2) Confiscate (reintroduce back into supply for some reason, say mining schedule).
3) Leave them as they are and let them get taken and reintroduced into the market.

The trade off is not worth it.

Well, I think anything that differs from 3 is an existential threat to Bitcoin, as it introduces censorship into the protocol. And when you introduce censorship for a valid reason, it quickly becomes an introduction to censorship for ANY reason.
Censorship of Bitcoin is an existential threat.
Sure, I can agree that a potential solution could become an existential threat (instead of QCs and satoshi's coins themselves). However, I think that the chances for option 1 or 2 are practically near zero. Such a move would go against the core views of radicals, maximalists, and even moderate Bitcoiners. Some people who own Bitcoin and shitcoins may be in favor, but they are irrelevant and don't even usually run nodes.

Don't listen to J. Lopp, he's very similar to Peter Todd. Both are big loud mouths so their perceived influence and support is significantly greater than it really is. Overall, most people and entities are ignoring both of them. Why wouldn't they? Gloria contributes more to Bitcoin than both of them do together, and she's very new. :)

fillippone
November 21, 2025, 09:14:42 PM
Merited by Satofan44 (1)
 #90


Don't listen to J. Lopp, he's very similar to Peter Todd.


If there is something that Bitcoin taught me, it is that you should be ready to kill your idols.
The only hero Bitcoin ever needed actually killed himself.
I respect Jameson for the quantity of thoroughful cogitations that he was able to inspire in me.

vapourminer
November 22, 2025, 12:59:08 AM
 #91

The only hero Bitcoin ever needed actually killed himself.

?
philipma1957
November 22, 2025, 04:21:38 AM
Merited by vapourminer (1)
 #92

The only hero Bitcoin ever needed actually killed himself.

?

Satoshi

Wind_FURY
November 26, 2025, 06:21:07 AM
 #93

I'm asking one of the most respected developers in BitcoinTalk, Gregory Maxwell, not my fellow plebs in the forum. Is Scott Aaronson's statement actually true, or more probable today?


I've yet to find a bitcoin developer who is competent enough to talk to us about quantum computers. Most of them, including J. Lopp, don't really understand quantum computing. They just repeat what others, seemingly more technically competent than them, know.

What we know for sure is that the quantum-safe math isn't tested enough, especially in comparison with elliptic curve cryptography. Hardforking to a quantum-safe bitcoin where quantum-resistant cryptography is suddenly broken by classical computers, without quantum computers even existing, would be a massive failure, and it's definitely within the realms of possibility.


But as actual Computer Scientists, and as Bitcoin developers that have actually contributed in building/improving Bitcoin, then they probably have more knowledge on "what might be" on the matter, no?

By the way, there are laughable people in X that have started to say that ZCash has "meaningful mitigations" against the "Quantum Threat".

Although, I agree that if indeed the Quantum Threat happens in a few years, it MIGHT be harder for the Bitcoin community to coordinate for a timely hard fork to Quantum Resistance.

Quote

- Bitcoin governance strongly resists major cryptographic upgrades and may not coordinate a timely migration.

https://x.com/_tomhoward/status/1991544753821790401


Pmalek (OP)
November 26, 2025, 07:41:20 AM
 #94

Although, I agree that if indeed the Quantum Threat happens in a few years, it MIGHT be harder for the Bitcoin community to coordinate for a timely hard fork to Quantum Resistance.
Those who don't act in time will suffer the consequences if the threat proves to be as devastating as some predict. That unfortunately means that we will all suffer the same consequences because a bitcoin user can't migrate to a quantum-resistant algorithm on their own. The best way to mitigate a future problem is to not keep any bitcoin at addresses from which you have spent BTC in the past because their public keys are exposed. Better yet, never reuse addresses to receive multiple payments.

BlackHatCoiner
November 26, 2025, 09:12:56 AM
 #95

But as actual Computer Scientists, and as Bitcoin developers that have actually contributed in building/improving Bitcoin, then they probably have more knowledge on "what might be" on the matter, no?
They have knowledge on security, how to mitigate potential problems, and how to propose changes in the software, but how quantum computers work and how reliably they can break ECDLP in real time is not in any computer science class. This is something entirely new, and we're yet to see a quantum computer that can factor anything beyond 3 bits, AFAIK.

Quote
- Bitcoin governance strongly resists major cryptographic upgrades and may not coordinate a timely migration.
This is a feature, not a bug. The problem is not only if or when quantum computers become tangibly dangerous for bitcoin, but what is the solution that is tested and reviewed enough for all of us to completely trust it.



WhyFhy
November 26, 2025, 03:45:19 PM
 #96

But as actual Computer Scientists, and as Bitcoin developers that have actually contributed in building/improving Bitcoin, then they probably have more knowledge on "what might be" on the matter, no?
They have knowledge on security, how to mitigate potential problems, and how to propose changes in the software, but how quantum computers work and how reliably they can break ECDLP in real time is not in any computer science class. This is something entirely new, and we're yet to see a quantum computer that can factor anything beyond 3 bits, AFAIK.

Quote
- Bitcoin governance strongly resists major cryptographic upgrades and may not coordinate a timely migration.

This is a feature, not a bug. The problem is not only if or when quantum computers become tangibly dangerous for bitcoin, but what is the solution that is tested and reviewed enough for all of us to completely trust it.

I think this is the problem too, the testing and reviewing portion can't be too slow and can't be implemented too quick. 2017 was an important upgrade but there wasn't an unknown deadline so finding the goldilocks zone happened naturally.
This upgrade needs more precision and all hands on deck in my opinion.


Satofan44
November 26, 2025, 04:09:31 PM
Last edit: November 26, 2025, 05:32:02 PM by Satofan44
Merited by Pmalek (3), ABCbits (1)
 #97

By the way, there are laughable people in X that have started to say that ZCash has "meaningful mitigations" against the "Quantum Threat".
ZCash is a big-nosed bankster spyware coin that has been recently shilled by the "cabal" on X that pumped random memecoins, it is not worth looking at. You may have missed it but I think some shitcoins already tried to ride the wave of being "quantum secure" but it didn't gain traction like some of the other buzzwords that were used over the years, so this is nothing new.


Although, I agree that if indeed the Quantum Threat happens in a few years, it MIGHT be harder for the Bitcoin community to coordinate for a timely hard fork to Quantum Resistance.
Quote
- Bitcoin governance strongly resists major cryptographic upgrades and may not coordinate a timely migration.
https://x.com/_tomhoward/status/1991544753821790401
I disagree with this view. Nobody can say for certain how long it would take us to coordinate a hard fork if there was an emergency of existential proportions. It could be months, it could be weeks, it could be days. We simply (luckily) didn't have a situation with the current people/ecosystem that required this kind of "all hands on deck" approach from every group that is involved with Bitcoin. What would be helpful is to have some ready-to-push implementations of quantum resistant signature algorithms, even ones that are not optimal, just in case. Other than that, we can wait more for better algorithm candidates.

I think this is the problem too, the testing and reviewing portion can't be too slow and can't be implemented too quick. 2017 was an important upgrade but there wasn't an unknown deadline so finding the goldilocks zone happened naturally.
This upgrade needs more precision and all hands on deck in my opinion.
I would say that SegWit was a much more major change than a change of the signature algorithm would be. Again, this view is also incorrect as it misses something important. If there is no deadline to do something or there is a very long deadline, most people will work completely differently than when they are under pressure. They will work much slower! That does not mean that the work will always be significantly better than when they work fast (other than when they work too fast).

A situation that requires ASAP by everyone or has a very short deadline will ramp up productivity to unseen numbers. Yes, there is a higher chance of causing some error but it is not as high as you think it is (again, as long as the work is not too fast). I've regularly experienced this with colleagues. They tend to postpone work to near the end of a long deadline whenever they can, that does not mean that they are very busy and couldn't do it sooner/faster. ;)

suzanne5223
Hero Member
*****
Offline Offline

Activity: 3178
Merit: 705


Want top-notch marketing for your brand, Hire me


View Profile WWW
November 26, 2025, 05:10:21 PM
 #98

I'm asking one of the most respected developers in BitcoinTalk, Gregory Maxwell, not my fellow plebs in the forum. Is Scott Aaronson's statement actually true, or more probable today?


I've yet to find a bitcoin developer who is competent enough to talk us about quantum computers. Most of them, including J. Lopp, don't really understand quantum computing. They just repeat what others, seemingly more technically competent than them, know.

What we know for sure, is that the quantum-safe math aren't tested enough, especially in comparison with elliptic curve cryptography. Hardforking to a quantum-safe bitcoin where quantum-resistant cryptography is suddenly broken by classical computers, without quantum computers even existing, would be massive failure, and it's definitely within the realms of possibility.


But as actual Computer Scientists, and as Bitcoin developers that have actually contributed in building/improving Bitcoin, then they probably have more knowledge on "what might be" on the matter, no?



Although, I agree that if indeed the Quantum Threat happens in a few years, it MIGHT be harder for the Bitcoin community to coordinate for a timely hard fork to Quantum Resistance.
Although we haven't seen people like J. Lopp make a bold statement about a quantum computer, when I go through this discussion, the questions I ask myself are:
Does this mean the research by Quside, which claimed to have received NIST certification on quantum based entropy sources, is void or am I the only one that's aware of it on this forum?
Should what Willy Woo said about preparation for post quantum be ignored?


By the way, there are laughable people in X that have started to say that ZCash "meaningful mitigations" against the "Quantum Threat".
I never heard about the ZCash statement until now, but it is just one of the hype usually posted on X, and it could be the reason why the privacy coin experienced a surge days ago.

Wind_FURY
Legendary
*
Offline Offline

Activity: 3514
Merit: 2125



View Profile
November 27, 2025, 12:19:38 PM
 #99

Although, I agree that if indeed the Quantum Threat happens in a few years, it MIGHT be harder for the Bitcoin community to coordinate for a timely hard fork to Quantum Resistance.

Those who don't act in time will suffer the consequences if the threat proves to be as devastating as some predict. That unfortunately means that we will all suffer the same consequences because a bitcoin user can't migrate to a quantum-resistant algorithm on their own. The best way to mitigate a future problem is to not keep any bitcoin at addresses from which you have spent BTC in the past because their public keys are exposed. Better yet, never reuse addresses to receive multiple payments.


It won't merely be the problem of coordinating the community. I believe that one of the biggest problems might be Satoshi's wallet, or wallets. If he indeed burned his private keys, then he himself can't send those large amounts of Bitcoin to a Quantum Resistant address.

Plus even if a Quantum Attack is mitigated because the "public key isn't exposed", there's still that threat which will make Bitcoin "unsafe" as a Store Of Value.

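The address-hygiene advice quoted in the post above (keep no coins on addresses you have already spent from, and do not reuse addresses) can be checked mechanically. This is an added example, not code from any poster in the thread: it classifies standard scriptPubKey templates and flags UTXOs whose public key is already on-chain. It goes slightly beyond the post by also flagging pay-to-pubkey and Taproot outputs, which publish key material in the output itself; the scripts, outpoint labels and the `audit` helper are constructed for illustration.

```python
# Added example: flag UTXOs whose public key is already visible on-chain.
# All scripts and outpoint labels below are constructed sample data.

ALWAYS_EXPOSED = {"p2pk", "p2tr"}  # key material sits in the output itself

def script_type(spk_hex):
    """Classify a standard scriptPubKey by its byte template."""
    b = bytes.fromhex(spk_hex)
    n = len(b)
    if n in (35, 67) and b[0] == n - 2 and b[-1] == 0xAC:
        return "p2pk"    # <pubkey> OP_CHECKSIG
    if n == 25 and b[:3] == b"\x76\xa9\x14" and b[-2:] == b"\x88\xac":
        return "p2pkh"   # key hidden behind HASH160 until the first spend
    if n == 23 and b[:2] == b"\xa9\x14" and b[-1] == 0x87:
        return "p2sh"
    if n == 22 and b[:2] == b"\x00\x14":
        return "p2wpkh"
    if n == 34 and b[:2] == b"\x00\x20":
        return "p2wsh"
    if n == 34 and b[:2] == b"\x51\x20":
        return "p2tr"    # output commits to an x-only public key
    return "unknown"

def audit(utxos, spent_scripts):
    """Return {outpoint: reason} for UTXOs whose public key is already public."""
    spent = {s.lower() for s in spent_scripts}
    findings = {}
    for outpoint, spk in utxos:
        kind = script_type(spk)
        if kind in ALWAYS_EXPOSED:
            findings[outpoint] = kind + ": public key is in the output"
        elif spk.lower() in spent:
            findings[outpoint] = kind + ": reused after an earlier spend revealed the key"
    return findings

REUSED = "76a914" + "11" * 20 + "88ac"
UTXOS = [
    ("tx_a:0", REUSED),                           # paid again after a spend
    ("tx_b:1", "76a914" + "22" * 20 + "88ac"),    # never spent from
    ("tx_c:0", "0014" + "33" * 20),               # never spent from
    ("tx_d:0", "41" + "04" + "44" * 64 + "ac"),   # early pay-to-pubkey output
    ("tx_e:2", "5120" + "55" * 32),
]
SPENT_SCRIPTS = {REUSED}  # scripts this wallet has already signed for

if __name__ == "__main__":
    for outpoint, reason in audit(UTXOS, SPENT_SCRIPTS).items():
        print(outpoint, reason)
```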
Satofan44
Sr. Member
****
Offline Offline

Activity: 252
Merit: 747


Don't hold me responsible for your shortcomings.


View Profile
November 27, 2025, 12:32:36 PM
 #100

Although we haven't seen people like J. Lopp make a bold statement about a quantum computer, when I go through this discussion, the questions I ask myself are:
Does this mean the research by Quside, which claimed to have received NIST certification on quantum based entropy sources, is void or am I the only one that's aware of it on this forum?
This has literally nothing to do with the challenges that Bitcoin faces in this context. The vulnerability that Bitcoin faces comes directly from the use of ECDSA, the algorithm itself and not the quality of the randomness that is used in key generation. It is irrelevant.

Should what Willy Woo said about preparation for post quantum be ignored?
It has been addressed in different ways throughout different threads. Do more research. He just proposed a solution that he thinks is good. Whether it is indeed good or whether it will be done is a separate matter. Everyone likes to share their "thoughts" these days.

I never heard about the ZCash statement until now, but it is just one of the hype usually posted on X, and it could be the reason why the privacy coin experienced a surge days ago.
It is a shitcoin, don't mention it here anymore.

It won't merely be the problem of coordinating the community. I believe that one of the biggest problems might be Satoshi's wallet, or wallets. If he indeed burned his private keys, then he himself can't send those large amounts of Bitcoin to a Quantum Resistant address.
It has been addressed in various posts and topics too. Even on this very page.

It is not an existential threat and they are not the only coins that will remain vulnerable. Some people will fail to upgrade to addresses that don't have their public keys exposed over time. This is inevitable. These are the possibilities:

1) Freeze temporarily or permanently (they can't be moved under any conditions).
2) Confiscate (reintroduce back into supply for some reason, say mining schedule).
3) Leave them as they are and let them get taken and reintroduced into the market.

I don't think there is anything existential about this especially if we are talking about a Bitcoin that is 30, 40 years old or longer. This has been addressed in many threads, you can check out d5000's posts on this matter. The likely solution is that they will be left as they are and eventually once the market absorbs them this "existential" problem goes away forever. This is considered better than doing a freeze/confiscation as that would change what Bitcoin is. As soon as there is even 1 case where this was "justified" then eventually there will be another case where it may also be "justified". We'd essentially turn Bitcoin into Ethereum-lite, from a decentralized network to one where confiscation by the direction of the "managers" is possible.

The trade off is not worth it.
You can't do options 1 and 2 anyway without supermajority consensus, so even a relatively small share of the ecosystem rejecting those views is sufficient for us to have to go with the third option.

Plus even if a Quantum Attack is mitigated because the "public key isn't exposed", there's still that threat which will make Bitcoin "unsafe" as a Store Of Value.
Coins are compromised and hacked all the time -- this does not remove the function of Store of Value. A one-time hack that involves a quantum computer is not much different other than that it may (read may, we don't know) compromise a large amount of coins at once. However, once it has done it then it is over. Everything else is safe and the quantum threat is over.
