Bitcoin Forum
Topic: J. Lopp's Post-Quantum Migration BIP (Read 2667 times)
Page 7 of 7
j2002ba2 (Full Member), December 15, 2025, 08:31:20 PM, #121
Merited by stwenhao (1)

Quote
> Here Google giving a crack at RSA 2048
> https://thequantuminsider.com/2025/05/24/google-researcher-lowers-quantum-bar-to-crack-rsa-encryption/
>
> "The analysis relies on algorithmic improvements and efficient system designs, including approximate arithmetic and compressed error-correction layouts, to lower the number of qubits needed."
>
> Good to see they aren't currently enclosing this research. But once they hit something meaningful how long until they disclose it?


Take a look at the needed Toffoli gates, it's more than 10^9.
Are these some kind of magical things, not injecting noise?
Why almost every paper omits the noise from these gates?
Well, of course, to get more funding.
Snake oil, as always.

Since it became a little obvious QC wouldn't work, now it all switched to "AI".
As if by multiplying matrices intelligence appears out of nowhere, suddenly the matrix becomes understanding.
This gives a funny meaning to "The Matrix" movie.

Pmalek (OP) (Legendary), December 23, 2025, 07:43:10 AM, #122
Merited by fillippone (3), vapourminer (1)

Quote
> Quantum risk is created when someone spends coins and their public key is published on the blockchain. In the case of unspent coins, only the public key hash is visible, from which it is not possible to extract the private key, even with a quantum computer. Satoshi's coins have never been spent. The public key has never been published, so there is no opportunity for attack. If you don't spend, there is no quantum risk. If you spend, quantum risk is created. Satoshi's risk.
Back in the days when satoshi mined his coins, the created BTC was sent to P2PK addresses. The outputs were Pay to Public Key, not ...Public Key Hash. The public keys of those early 2009/2010 addresses are already exposed publicly and visible on the blockchain. It is believed that satoshi mined 1 million bitcoin, and I guess the majority of them were sent to P2PK outputs. Since he never transferred his coins anywhere else, neither to P2PKH nor SegWit addresses, those coins could be a target if a strong-enough quantum computer ever gets created.

BayAreaCoins (Legendary), December 24, 2025, 09:48:34 PM, #123

Quote from: Pmalek
> Quote
> > Quantum risk is created when someone spends coins and their public key is published on the blockchain. In the case of unspent coins, only the public key hash is visible, from which it is not possible to extract the private key, even with a quantum computer. Satoshi's coins have never been spent. The public key has never been published, so there is no opportunity for attack. If you don't spend, there is no quantum risk. If you spend, quantum risk is created. Satoshi's risk.
> Back in the days when satoshi mined his coins, the created BTC was sent to P2PK addresses. The outputs were Pay to Public Key, not ...Public Key Hash. The public keys of those early 2009/2010 addresses are already exposed publicly and visible on the blockchain. It is believed that satoshi mined 1 million bitcoin, and I guess the majority of them were sent to P2PK outputs. Since he never transferred his coins anywhere else, neither to P2PKH nor SegWit addresses, those coins could be a target if a strong-enough quantum computer ever gets created.

Good luck with that, give it a shot... I know plenty of fellas who have been for a long time.

The interesting thing about harvesting priv keys is that the difficulty goes down as you get faster and with time.

(They *have* found addresses that have been used, but no coins yet)

Tis life, split your stash up across multiple addresses. It's been like this forever.

Satofan44 (Sr. Member), December 25, 2025, 12:28:01 PM, #124
Merited by fillippone (3), ABCbits (1)

Quote from: BayAreaCoins
> Quote from: Pmalek
> > Back in the days when satoshi mined his coins, the created BTC was sent to P2PK addresses. The outputs were Pay to Public Key, not ...Public Key Hash. The public keys of those early 2009/2010 addresses are already exposed publicly and visible on the blockchain. It is believed that satoshi mined 1 million bitcoin, and I guess the majority of them were sent to P2PK outputs. Since he never transferred his coins anywhere else, neither to P2PKH nor SegWit addresses, those coins could be a target if a strong-enough quantum computer ever gets created.
> Good luck with that, give it a shot... I know plenty of fellas who have been for a long time.
>
> The interesting thing about harvesting priv keys is that the difficulty goes down as you get faster and with time.
>
> (They *have* found addresses that have been used, but no coins yet)
Guessing private keys has nothing to do with what he is talking about. Those addresses have their public key exposed, and with a practical and large enough quantum computer they will come under a targeted attack. The attacker will derive the private key directly from the public key, and yes, with a quantum computer this will be feasible. It is completely different from randomly guessing private keys and hoping you find something.

What you are referring to is traditional brute-force guessing. But with quantum computers they will use Shor's algorithm to derive the private key more efficiently from the public key. Eventually it will be possible; the question is mostly about when and under what conditions -- how large do the computers have to be and how many resources do they have to expend for a single key.

Quote from: BayAreaCoins
> Tis life, split your stash up across multiple addresses. It's been like this forever.
No it has not.
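The distinction drawn in the post above (a public key already sitting on-chain versus only a hash of it) can be checked mechanically per output. The following is an added example, not code from any poster or project in this thread: it classifies raw scriptPubKey templates, flags the ones whose key is exposed before any spend (P2PK, and Taproot's x-only output key), and treats hash-based outputs as exposed only when an earlier spend from the same address has already revealed the key. All script bytes and amounts are constructed placeholders.

```python
# Added example, not from any poster in this thread: classify raw scriptPubKey
# templates and report whether the output's public key is already on-chain.
# Sample scripts below are constructed placeholders, not real chain data.
from typing import Iterable, NamedTuple, Tuple


class Exposure(NamedTuple):
    script_type: str
    key_exposed: bool  # a curve point is on-chain before this output is spent
    note: str


def classify_spk(spk: bytes, prior_spend: bool = False) -> Exposure:
    """Classify a raw scriptPubKey by its standard template.

    prior_spend: True if an earlier spend from the same address has already
    placed the public key (or redeem/witness script) in a spending input.
    """
    n = len(spk)
    # P2PK: <push 33|65> <pubkey> OP_CHECKSIG; how 2009-era coinbases paid out
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return Exposure("P2PK", True, "public key sits in the output script")
    # P2TR: OP_1 <32-byte x-only output key>; the tweaked key is a curve point
    if n == 34 and spk[:2] == b"\x51\x20":
        return Exposure("P2TR", True, "x-only output key allows key-path spend")
    hash_note = "only a hash is visible until first spend"
    reuse_note = "key revealed by an earlier spend from this address"
    note = reuse_note if prior_spend else hash_note
    # P2PKH: OP_DUP OP_HASH160 <20> <hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return Exposure("P2PKH", prior_spend, note)
    # P2WPKH: OP_0 <20-byte HASH160>
    if n == 22 and spk[:2] == b"\x00\x14":
        return Exposure("P2WPKH", prior_spend, note)
    # P2SH / P2WSH: the script (and any keys in it) is hidden until first spend
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return Exposure("P2SH", prior_spend, note)
    if n == 34 and spk[:2] == b"\x00\x20":
        return Exposure("P2WSH", prior_spend, note)
    return Exposure("unknown", False, "non-standard script; review by hand")


def exposed_balance(utxos: Iterable[Tuple[bytes, int, bool]]) -> Tuple[int, int]:
    """Split a UTXO set's value (in sats) into key-exposed and hash-only sums."""
    exposed = hidden = 0
    for spk, sats, prior_spend in utxos:
        if classify_spk(spk, prior_spend).key_exposed:
            exposed += sats
        else:
            hidden += sats
    return exposed, hidden


# Constructed sample outputs (placeholder key and hash bytes, not real ones)
P2PK_SPK = b"\x41\x04" + b"\x11" * 64 + b"\xac"        # 65-byte uncompressed key
P2PKH_SPK = b"\x76\xa9\x14" + b"\x00" * 20 + b"\x88\xac"
P2WPKH_SPK = b"\x00\x14" + b"\x00" * 20
P2TR_SPK = b"\x51\x20" + b"\x22" * 32

SAMPLE_UTXOS = [
    (P2PK_SPK, 5_000_000_000, False),  # 50 BTC, early coinbase style
    (P2PKH_SPK, 100_000, False),       # never spent from: hash only
    (P2TR_SPK, 50_000, False),         # output key is a curve point
    (P2WPKH_SPK, 20_000, True),        # address reused after a spend
]

if __name__ == "__main__":
    for spk, sats, reused in SAMPLE_UTXOS:
        print(sats, classify_spk(spk, reused))
    print("exposed/hidden sats:", exposed_balance(SAMPLE_UTXOS))
```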

fillippone (Legendary), December 25, 2025, 02:54:06 PM, #125
Merited by vapourminer (1), ABCbits (1)

Quote from: Satofan44
> Quote from: BayAreaCoins
> > Tis life, split your stash up across multiple addresses. It's been like this forever.
> No it has not.

I don't want to derail the discussion here.
Lowering the amount of BTC held in a single address reduces the attractiveness to an attacker.
Having 1,000,000 BTC on a single private key is much more risky in the event of a quantum computer breakthrough than having 1,000,000 private keys, each with a single BTC.

Pmalek (OP) (Legendary), December 25, 2025, 04:23:39 PM, #126

Quote from: fillippone
> Lowering the amount of BTC held in a single address reduces the attractiveness to an attacker.
> Having 1,000,000 BTC on a single private key is much more risky in the event of a quantum computer breakthrough than having 1,000,000 private keys, each with a single BTC.
What you are saying makes sense. However, the most attractive treasure chest and the whole reason for this drama are the bitcoins associated with satoshi from his mining days. It's more than likely that those coins aren't going anywhere. They won't be shared amongst multiple new addresses. If satoshi is still around and has control of his private keys, I think he will move his BTC from P2PK outputs to a SegWit or multisig script. Then we would see a new level of speculation: was it satoshi that moved his coins, someone who stole them from him, or has someone been successful in creating a strong-enough quantum computer?

fillippone (Legendary), December 25, 2025, 04:30:27 PM, #127

Quote from: Pmalek
> Quote from: fillippone
> > Lowering the amount of BTC held in a single address reduces the attractiveness to an attacker.
> > Having 1,000,000 BTC on a single private key is much more risky in the event of a quantum computer breakthrough than having 1,000,000 private keys, each with a single BTC.
> What you are saying makes sense. However, the most attractive treasure chest and the whole reason for this drama are the bitcoins associated with satoshi from his mining days. It's more than likely that those coins aren't going anywhere. They won't be shared amongst multiple new addresses. If satoshi is still around and has control of his private keys, I think he will move his BTC from P2PK outputs to a SegWit or multisig script. Then we would see a new level of speculation: was it satoshi that moved his coins, someone who stole them from him, or has someone been successful in creating a strong-enough quantum computer?

I perfectly understood the point, and I was referring to the ones that have this choice.
I remember, for example, that Bitwise used to hold all their Bitcoin backing the ETF on a single address.
I am pretty sure that, after the criticism about this choice (also by an Italian bitcoiner), they moved the bitcoins to various addresses.
Regarding Satoshi's stash, I am sure it is spread over many addresses, but I have no idea of the characteristics of the addresses.

BlackHatCoiner (Legendary), December 25, 2025, 04:35:40 PM, #128
Merited by vapourminer (4)

Quote from: BayAreaCoins
> (They *have* found addresses that have been used, but no coins yet)
This is not true, unless you refer to addresses with purposefully weakly generated private keys (less than 40 bits, or used in treasure hunts).

Quote from: Pmalek
> Then we would see a new level of speculation: was it satoshi that moved his coins, someone who stole them from him, or has someone been successful in creating a strong-enough quantum computer?
Or maybe someone who is not Satoshi, did not steal them from Satoshi, does not own a quantum computer, and simply happened to mine them during the early days! Just saying. Grin

Quote from: fillippone
> Regarding Satoshi's stash, I am sure it is spread over many addresses, but I have no idea of the characteristics of the addresses.
The myth is based on what's known as the "Patoshi pattern." It is the nonce values in block templates that seemingly follow a pattern, not the addresses.

 
Satofan44 (Sr. Member), December 25, 2025, 04:48:59 PM, #129

Quote from: fillippone
> Quote from: Satofan44
> > Quote from: BayAreaCoins
> > > Tis life, split your stash up across multiple addresses. It's been like this forever.
> > No it has not.
> I don't want to derail the discussion here.
> Lowering the amount of BTC held in a single address reduces the attractiveness to an attacker.
> Having 1,000,000 BTC on a single private key is much more risky in the event of a quantum computer breakthrough than having 1,000,000 private keys, each with a single BTC.
Yes, you are absolutely correct. I was referring to the last part, where he seems to imply, at least to me, that this risk -- the same risk -- has existed forever. It has not; it is an entirely new issue.

Quote from: Pmalek
> If satoshi is still around and has control of his private keys, I think he will move his BTC from P2PK outputs to a SegWit or multisig script. Then we would see a new level of speculation: was it satoshi that moved his coins, someone who stole them from him, or has someone been successful in creating a strong-enough quantum computer?
If he does not do this soon, there will never be a way to cryptographically prove that someone is satoshi. Once the keys are compromised, the quest for the identity of satoshi will be pretty much over -- at least for those that want real evidence. This is all assuming that he is not dead. The more likely scenario is that those addresses will get compromised over time.

Quote from: BlackHatCoiner
> Or maybe someone who is not Satoshi, did not steal them from Satoshi, does not own a quantum computer, and simply happened to mine them during the early days! Just saying. Grin
This is possible too, but that would be a mistake on their part. There is no reason to keep coins in addresses that are less safe.

Satofan44 (Sr. Member), January 07, 2026, 04:25:45 PM, #130
Last edit: January 08, 2026, 11:12:33 AM by Satofan44
Merited by ABCbits (1)

Quote
> One thing this thread makes very clear is that the hardest part of a post-quantum migration is not choosing which signature scheme to use, but dealing with long-lived key exposure and mandatory coordination.
>
> Larger PQ signatures (SPHINCS+, FALCON, etc.) are an unavoidable cost if we keep the current model of static public keys that persist indefinitely on-chain. The real tension here isn't "which algorithm", but whether the protocol should continue to rely on permanent key material at all.
>
> From a research perspective, many of the Phase B / Phase C dilemmas disappear if keys are treated as ephemeral by design: frequent rotation, unlinkability, and proofs of authorization that don't require revealing reusable public keys. In that model, quantum resistance becomes a gradual property, not a cliff.
What you have written here is only partially relevant to Bitcoin. There is not going to be a complete redesign of what Bitcoin is; that is the one kind of outcome to this situation that is never going to happen. Furthermore, there are limitations to what we can actually do with a hard fork, but a shitcoiner like yourself wouldn't know that.

Quote
> https://www.allianza.tech
> https://testnet.allianza.tech/
> https://github.com/allianzatech/blockchainallianza
>
> Not proposing this as a Bitcoin change — just sharing a different framing that might be useful when thinking about post-quantum threat models.
This is another shitcoin that is capitalizing on the currently trendy things, "quantum-resistance", "RWA" and other useless gimmicks that nobody asked for. That is not relevant to Bitcoin and don't post it here, especially not using AI. It is completely irrelevant and looks like you are just trying to promote your shitcoin. Discussions about Bitcoin related solutions should be limited to what can actually be done in practice.

bnavf (Newbie), January 13, 2026, 03:23:46 AM, #131

I think this is the solution that allows any currently valid UTXO, no matter how old, to remain spendable forever, even after post-quantum address migration:
https://bitcointalk.org/index.php?topic=5571348.0
WhyFhy (Hero Member), January 26, 2026, 08:37:38 PM, #132

How's that 5% looking?

https://www.skywatertechnology.com/ionq-to-acquire-skywater/

BayAreaCoins (Legendary), January 26, 2026, 09:32:59 PM, #133
Last edit: February 07, 2026, 08:28:29 PM by BayAreaCoins

Quote from: BlackHatCoiner
> Quote from: BayAreaCoins
> > (They *have* found addresses that have been used, but no coins yet)
> This is not true, unless you refer to addresses with purposefully weakly generated private keys (less than 40 bits, or used in treasure hunts).

Why would I lie? I've seen it.

I still definitely don't buy into the quantum bullshit at all... but it is possible and always has been. The difficulty goes down as the years move on as well for the people trying. (Which is an interesting concept)

Quote from: Satofan44
> Quote from: BayAreaCoins
> > Tis life, split your stash up across multiple addresses. It's been like this forever.
> No it has not.

Yes, it has. Avoiding address collisions has *always* been a thing by spreading out your liabilities across multiple keys.

Fake quantum computing scams or not. Smiley

I remember back in the day the old Bitcoin propaganda pictures of how much energy of the universe it would take.

Agiravax (Newbie), February 07, 2026, 04:22:13 PM, #134
Last edit: February 07, 2026, 05:17:16 PM by Agiravax

What does everyone think about this BIP?

The main disruptive event is the quantum signatures (QS) introduction.

This will be the no-return point after which QS will start being adopted, turn irreversible in practice and congestion starts to blow up into progressive economic exclusion.

Even with delayed/deferred/hybrid mechanisms, custodians and institutions would almost instantly adopt it for compliance...

Congestion may then show up extremely quickly and actual consequences be felt almost immediately.

It is such a disruptive outcome that a Protective "Sovereign BTC" Hardfork looks as disruptive if not even appealing...





Wind_FURY (Legendary), February 11, 2026, 07:12:29 AM, #135

Quote from: BayAreaCoins
> Quote from: BlackHatCoiner
> > Quote from: BayAreaCoins
> > > (They *have* found addresses that have been used, but no coins yet)
> > This is not true, unless you refer to addresses with purposefully weakly generated private keys (less than 40 bits, or used in treasure hunts).
>
> Why would I lie? I've seen it.
>
> I still definitely don't buy into the quantum bullshit at all... but it is possible and always has been. The difficulty goes down as the years move on as well for the people trying. (Which is an interesting concept)

What makes you believe that it's "bullshit" if the leading researchers in the Quantum Computing field are getting more and more optimistic because of the latest milestones/developments that have been made?

But developers like Matt Corallo give us plebs some confidence that everything will be OK.

👍

Quote
> Quantum won't kill bitcoin, we have options.
https://x.com/thebluematt/status/2021005552688804156


WhyFhy (Hero Member), February 11, 2026, 05:18:09 PM, #136

Maybe y'all can solve for granularity while you're at it.
