Bitcoin Forum
Author Topic: J. Lopp's Post-Quantum Migration BIP  (Read 2336 times)
j2002ba2
December 15, 2025, 08:31:20 PM
Merited by stwenhao (1)
#121

Quote:
Here is Google giving a crack at RSA 2048
https://thequantuminsider.com/2025/05/24/google-researcher-lowers-quantum-bar-to-crack-rsa-encryption/

"The analysis relies on algorithmic improvements and efficient system designs, including approximate arithmetic and compressed error-correction layouts, to lower the number of qubits needed."

Good to see they aren't currently enclosing this research. But once they hit something meaningful, how long until they disclose it?


Take a look at the needed Toffoli gates: it's more than 10^9.
Are these some kind of magical things, not injecting noise?
Why does almost every paper omit the noise from these gates?
Well, of course, to get more funding.
Snake oil, as always.

Since it became a little obvious QC wouldn't work, now it all switched to "AI".
As if by multiplying matrices intelligence appears out of nowhere, suddenly the matrix becomes understanding.
This gives a funny meaning to "The Matrix" movie.

Pmalek (OP)
December 23, 2025, 07:43:10 AM
Merited by fillippone (3), vapourminer (1)
#122

Quote:
Quantum risk is created when someone spends coins and their public key is published on the blockchain. In the case of unspent coins, only the public key hash is visible, from which it is not possible to extract the private key. Even with a quantum computer, Satoshi's coins have never been spent. The public key has never been published, so there is no opportunity for attack. If you don't spend, there is no quantum risk. If you spend, quantum risk is created. Satoshi's risk.

Back in the days when satoshi mined his coins, the created BTC was sent to P2PK addresses. The outputs were Pay to Public Key, not ...Public Key Hash. The public keys of those early 2009/2010 addresses are already exposed publicly and visible on the blockchain. It is believed that satoshi mined 1 million bitcoin, and I guess the majority of them were sent to P2PK outputs. Since he never transferred his coins anywhere else, neither to P2PKH nor SegWit addresses, those coins could be a target if a strong-enough quantum computer ever gets created.

BayAreaCoins
December 24, 2025, 09:48:34 PM
#123

Quote:
Quantum risk is created when someone spends coins and their public key is published on the blockchain. In the case of unspent coins, only the public key hash is visible, from which it is not possible to extract the private key. Even with a quantum computer, Satoshi's coins have never been spent. The public key has never been published, so there is no opportunity for attack. If you don't spend, there is no quantum risk. If you spend, quantum risk is created. Satoshi's risk.
Quote from: Pmalek
Back in the days when satoshi mined his coins, the created BTC was sent to P2PK addresses. The outputs were Pay to Public Key, not ...Public Key Hash. The public keys of those early 2009/2010 addresses are already exposed publicly and visible on the blockchain. It is believed that satoshi mined 1 million bitcoin, and I guess the majority of them were sent to P2PK outputs. Since he never transferred his coins anywhere else, neither to P2PKH nor SegWit addresses, those coins could be a target if a strong-enough quantum computer ever gets created.

Good luck with that, give it a shot... I know plenty of fellas who have been for a long time.

The interesting thing about harvesting priv keys is that the difficulty goes down as you get faster and with time.

(They *have* found addresses that have been used, but no coins yet)

Tis life, split your stash up across multiple addresses.  It's been like this forever.

Satofan44
December 25, 2025, 12:28:01 PM
Merited by fillippone (3)
#124

Quote from: Pmalek
Back in the days when satoshi mined his coins, the created BTC was sent to P2PK addresses. The outputs were Pay to Public Key, not ...Public Key Hash. The public keys of those early 2009/2010 addresses are already exposed publicly and visible on the blockchain. It is believed that satoshi mined 1 million bitcoin, and I guess the majority of them were sent to P2PK outputs. Since he never transferred his coins anywhere else, neither to P2PKH nor SegWit addresses, those coins could be a target if a strong-enough quantum computer ever gets created.
Quote from: BayAreaCoins
Good luck with that, give it a shot... I know plenty of fellas who have been for a long time.

The interesting thing about harvesting priv keys is that the difficulty goes down as you get faster and with time.

(They *have* found addresses that have been used, but no coins yet)

Guessing private keys has nothing to do with what he is talking about. Those addresses have their public key exposed, and with a practical and large enough quantum computer they will come under a targeted attack. The attacker will derive the private key directly from the public key, and yes with a quantum computer this will be feasible. It is completely different from random guessing private keys and hoping you find something.

What you are referring to is traditional brute-force guessing. But with quantum computers they will use Shor's algorithm to derive the private key more efficiently from the public key. Eventually it will be possible; the question is mostly about when and under what conditions -- how large do the computers have to be and how many resources do they have to expend for a single key.

Quote from: BayAreaCoins
Tis life, split your stash up across multiple addresses.  It's been like this forever.

No it has not.
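The P2PK versus P2PKH distinction in #122, and the exposed-key attack surface Satofan44 describes in #124, can be made concrete with an output-script classifier that tells you which outputs already carry their public key on chain. This is an added example, not code from the thread or from the BIP it discusses; it recognises the standard Bitcoin scriptPubKey templates, the sample UTXO set is constructed, and the P2TR row goes beyond the thread (Taproot outputs carry the key directly as well).

```python
"""Classify Bitcoin scriptPubKeys by whether the spending public key is already
visible on chain (the exposure the thread draws between P2PK and P2PKH).
Added example; templates are the standard ones, sample UTXOs are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Classification:
    kind: str           # script template name
    key_on_chain: bool  # True if the output itself carries the public key
    note: str

def classify_script_pubkey(spk_hex: str) -> Classification:
    spk = bytes.fromhex(spk_hex)
    n = len(spk)
    # P2PK: <push 65-byte uncompressed or 33-byte compressed key> OP_CHECKSIG (0xac).
    # Early coinbase outputs (2009/2010) used the 65-byte form.
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        uncompressed = n == 67 and spk[1] == 0x04
        compressed = n == 35 and spk[1] in (0x02, 0x03)
        if uncompressed or compressed:
            return Classification("P2PK", True, "public key sits in the output while unspent")
    # P2PKH: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return Classification("P2PKH", False, "only HASH160(pubkey) on chain until spent")
    # P2SH: OP_HASH160 <20 bytes> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return Classification("P2SH", False, "only the script hash on chain until spent")
    # Witness v0: OP_0 <20 bytes> (P2WPKH) or OP_0 <32 bytes> (P2WSH)
    if n in (22, 34) and spk[0] == 0x00 and spk[1] == n - 2:
        kind = "P2WPKH" if n == 22 else "P2WSH"
        return Classification(kind, False, "hash only on chain until spent")
    # Witness v1 (Taproot): OP_1 <32-byte x-only key>; the key itself is on chain
    if n == 34 and spk[:2] == b"\x51\x20":
        return Classification("P2TR", True, "x-only output key sits in the script")
    return Classification("unknown", False, "unrecognised template")

def exposed_value(utxos):
    """Total satoshis in outputs whose public key is already on chain."""
    return sum(v for v, spk in utxos if classify_script_pubkey(spk).key_on_chain)

# Constructed sample UTXO set, not real chain data: (value in satoshi, scriptPubKey hex)
SAMPLE_UTXOS = [
    (50 * 100_000_000, "41" + "04" + "11" * 64 + "ac"),  # 2009-style P2PK coinbase
    (10 * 100_000_000, "76a914" + "22" * 20 + "88ac"),   # P2PKH
    (5 * 100_000_000, "0014" + "33" * 20),               # P2WPKH
    (1 * 100_000_000, "5120" + "44" * 32),               # P2TR
]

if __name__ == "__main__":
    for value, spk in SAMPLE_UTXOS:
        c = classify_script_pubkey(spk)
        print(f"{c.kind:7} key_on_chain={c.key_on_chain!s:5} {value / 1e8:>5.1f} BTC  {c.note}")
    print(f"exposed: {exposed_value(SAMPLE_UTXOS) / 1e8:.1f} BTC")
```

Run over a real UTXO snapshot, the same classifier gives the inventory a holder needs before deciding which outputs to migrate first.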

fillippone
December 25, 2025, 02:54:06 PM
Merited by vapourminer (1)
#125

Quote from: BayAreaCoins
Tis life, split your stash up across multiple addresses.  It's been like this forever.
Quote from: Satofan44
No it has not.


I don't want to derail the discussion here.
Lowering the amount of BTC held in a single address reduces the attractiveness to an attacker.
Having 1,000,000 BTC on a single private key is much more risky in the event of a quantum computer breakthrough than having 1,000,000 private keys, each with a single BTC.

Pmalek (OP)
December 25, 2025, 04:23:39 PM
#126

Quote from: fillippone
Lowering the amount of BTC held in a single address reduces the attractiveness to an attacker.
Having 1,000,000 BTC on a single private key is much more risky in the event of a quantum computer breakthrough than having 1,000,000 private keys, each with a single BTC.

What you are saying makes sense. However, the most attractive treasure chest and the whole reason of this drama are the bitcoins being associated with satoshi from his mining days. It's more than likely that those coins aren't going anywhere. They won't be shared amongst multiple new addresses. If satoshi is still around and has control of his private keys, I think he will move his BTC from P2PK outputs to a segwit or multisig script. Then we would see a new level of speculation: was it satoshi that moved his coins, someone who stole them from him, or has someone been successful in creating a strong-enough quantum computer. 

fillippone
December 25, 2025, 04:30:27 PM
#127

Quote from: fillippone
Lowering the amount of BTC held in a single address reduces the attractiveness to an attacker.
Having 1,000,000 BTC on a single private key is much more risky in the event of a quantum computer breakthrough than having 1,000,000 private keys, each with a single BTC.
Quote from: Pmalek
What you are saying makes sense. However, the most attractive treasure chest and the whole reason of this drama are the bitcoins being associated with satoshi from his mining days. It's more than likely that those coins aren't going anywhere. They won't be shared amongst multiple new addresses. If satoshi is still around and has control of his private keys, I think he will move his BTC from P2PK outputs to a segwit or multisig script. Then we would see a new level of speculation: was it satoshi that moved his coins, someone who stole them from him, or has someone been successful in creating a strong-enough quantum computer.

I perfectly understood the point, and I was referring to the ones that have this choice.
I remember, for example, that Bitwise used to hold all their Bitcoin backing the ETF on a single address.
I am pretty sure that, after the criticism about this choice (also by an Italian bitcoiner), they moved the bitcoins to various addresses.
Regarding Satoshi's stash, I am sure it is spread over many addresses, but I have no idea of the characteristics of the addresses.

BlackHatCoiner
December 25, 2025, 04:35:40 PM
Merited by vapourminer (4)
#128

Quote from: BayAreaCoins
(They *have* found addresses that have been used, but no coins yet)

This is not true, unless you refer to addresses with purposefully weak generated private keys (less than 40 bits, or used in treasure hunts).

Quote from: Pmalek
Then we would see a new level of speculation: was it satoshi that moved his coins, someone who stole them from him, or has someone been successful in creating a strong-enough quantum computer.

Or maybe someone who is not Satoshi, did not steal them from Satoshi, does not own a quantum computer, and simply happened to mine them during the early days! Just saying.  Grin

Quote from: fillippone
Regarding Satoshi's stash, I am sure it is spread over many addresses, but I have no idea of the characteristics of the addresses.

The myth is based on what's known as "Patoshi pattern." It is the nonce values in block templates that seemingly follow a pattern, not the addresses.



Satofan44
December 25, 2025, 04:48:59 PM
#129

Quote from: BayAreaCoins
Tis life, split your stash up across multiple addresses.  It's been like this forever.
Quote from: Satofan44
No it has not.
Quote from: fillippone
I don't want to derail the discussion here.
Lowering the amount of BTC held in a single address reduces the attractiveness to an attacker.
Having 1,000,000 BTC on a single private key is much more risky in the event of a quantum computer breakthrough than having 1,000,000 private keys, each with a single BTC.

Yes, you are absolutely correct. I was referring to the last part, where he seems to imply at least to me that this risk -- the same risk -- has existed forever. It has not, it is an entirely new issue.

Quote from: Pmalek
If satoshi is still around and has control of his private keys, I think he will move his BTC from P2PK outputs to a segwit or multisig script. Then we would see a new level of speculation: was it satoshi that moved his coins, someone who stole them from him, or has someone been successful in creating a strong-enough quantum computer.

If he does not do this soon, there will never be a way to cryptographically prove that someone is satoshi. Once the keys are compromised, the quest for the identity of satoshi will be pretty much over -- at least for those that want real evidence. This is all assuming that he is not dead. The more likely scenario is that those addresses will get compromised over time.

Quote from: BlackHatCoiner
Or maybe someone who is not Satoshi, did not steal them from Satoshi, does not own a quantum computer, and simply happened to mine them during the early days! Just saying.  Grin

This is possible too, but that would be a mistake on their part. There is no reason to keep coins in addresses that are less safe.
