NotATether
Legendary
Offline
Activity: 2296
Merit: 9608
┻┻ ︵㇏(°□°㇏)
September 27, 2025, 11:07:36 AM
The OP is missing one very important category: scams. Scams, which need no introduction, are prevalent in all sorts of crypto and not only Bitcoin, and I would probably rate it High.
I would also lump hacks and scams together in the same category.
I believe that we might need another post on the current and future threat actors to Bitcoin as well. That would be interesting to read.
d5000
Legendary
Offline
Activity: 4606
Merit: 10525
Decentralization Maximalist
September 27, 2025, 04:16:49 PM
Quote from: Dogedegen
It does work in the sense that it verifies the outputs, but it loses the traceability of coins for better or worse. I don't also know how regulators would like this. In topics like tainted coins and stuff like that, would it not be harder to trace if history was not available? It will be interesting to see how this develops.

The history would still be available in the scenario I have in mind, only not in the original form. I.e. transactions/UTXOs would not be saved, but instead a proof that the transactions exist and the output scripts are valid and data on how to solve the script "challenge" -- but that for every transaction back to the genesis block. The blockchain size would be smaller but it wouldn't be a mini-blockchain or even an "UTXO hash" like some altcoins do.

Quote from: Dogedegen
I think we are in unprecedented legal territory here but I think a big corporation burning them is one of the better scenarios here.

I think this brings too many legal risks, apart from being very costly for the company, and thus I think no company would like to do this. My opinion may be unpopular but I think the scenario of a redistribution by a malicious actor is perhaps not as bad as many think. Think of it as if it were a big exchange hack. Once the "hacker" has been detected, it wouldn't be easy for them to simply "dump" these coins. Most exchanges would probably block them or solicit an origin of funds, and small non-KYC exchanges / atomic swaps probably wouldn't have enough liquidity to process them. This means that the hacker would probably have to send them through a long journey of mixers, swaps and other service providers in small chunks, which would take months or even years. The sales would have almost no impact on the daily Bitcoin volume, although of course there can be a deep dip due to a psychological effect. And the hacker would expose themselves to being discovered with every step they take, as they will be followed by all chain analysis companies and hobbyist researchers and the slightest error would probably get them detected and put at risk of being jailed. I think thus it's likely that the hacker will not be able to sell all coins in reasonable time; they may even choose to donate some of the coins to get rid of them eventually, or burn them silently once they have got at least a tiny profit. There may even be an incentive to do that burning step publicly (i.e. use a well known Bitcoin Eater address), to raise the value of their remaining coins.
Dogedegen (OP)
September 28, 2025, 05:10:10 PM
I searched for a bit, and it appears that this happened before I was aware of Bitcoin. Interesting story to know. That being said, the nature of the companies in that scenario seems quite different from Strategy or other companies that bought tons of Bitcoin and publish their investment sheet. At least that's the impression I got from an article that I've read on this issue. If there's another controversial fork coming, do you think companies like the Japanese's Metaplanet will actively push miners to vote for one thing over another publicly, instead of waiting and buying more coins to anticipate a possible hard fork?
I don't think a controversial fork is going to come any time soon because we have defeated this enemy once and now we know better. In the long future there may be an attempt by industry and government to push for some changes but we hope that the game theory of Bitcoin balances the playing field before there is a chance for that to happen. Companies that buy and hold Bitcoin have even more to lose than exchanges like Coinbase; that's why Coinbase was corrupted during those fork things of the past. They make money if the price goes up or down and they make money from the shitcoins trade.

Quote from: NotATether
The OP is missing one very important category: scams. Scams, which need no introduction, are prevalent in all sorts of crypto and not only Bitcoin, and I would probably rate it High.
I would also lump hacks and scams together in the same category.

I like that but could you tell me more. How does this turn into a general threat for Bitcoin's existence or success? I think we have had a lot of scams so far but look at how far we have come! Do you think we will have more in the future? I understand their damage and they are doing it continuously but I am not sure whether it is on an existential level.

Quote from: NotATether
I believe that we might need another post on the current and future threat actors to Bitcoin as well. That would be interesting to read.

That would be an interesting read. D5000 maybe you could make that if you are interested?

Quote from: d5000
    Quote from: Dogedegen
    It does work in the sense that it verifies the outputs, but it loses the traceability of coins for better or worse. I don't also know how regulators would like this. In topics like tainted coins and stuff like that, would it not be harder to trace if history was not available? It will be interesting to see how this develops.
The history would still be available in the scenario I have in mind, only not in the original form. I.e. transactions/UTXOs would not be saved, but instead a proof that the transactions exist and the output scripts are valid and data on how to solve the script "challenge" -- but that for every transaction back to the genesis block. The blockchain size would be smaller but it wouldn't be a mini-blockchain or even an "UTXO hash" like some altcoins do.

Then I assume a blockchain explorer can be built that is solving these challenges on request and would work pretty much the same as the existing ones? At least for the user.

Quote from: d5000
I think this brings too many legal risks, apart from being very costly for the company, and thus I think no company would like to do this.

Why costly? The cost is not the value foregone but rather the cost of the actual private key derivation. We can't know just how expensive it is going to be ahead of time.

Quote from: d5000
My opinion may be unpopular but I think the scenario of a redistribution by a malicious actor is perhaps not as bad as many think. Think of it as if it were a big exchange hack. Once the "hacker" has been detected, it wouldn't be easy for them to simply "dump" these coins. Most exchanges would probably block them or solicit an origin of funds, and small non-KYC exchanges / atomic swaps probably wouldn't have enough liquidity to process them.
This means that the hacker would probably have to send them through a long journey of mixers, swaps and other service providers in small chunks, which would take months or even years. The sales would have almost no impact on the daily Bitcoin volume, although of course there can be a deep dip due to a psychological effect. And the hacker would expose themselves to being discovered with every step they take, as they will be followed by all chain analysis companies and hobbyist researchers and the slightest error would probably get them detected and put at risk of being jailed.
I think thus it's likely that the hacker will not be able to sell all coins in reasonable time; they may even choose to donate some of the coins to get rid of them eventually, or burn them silently once they have got at least a tiny profit. There may even be an incentive to do that burning step publicly (i.e. use a well known Bitcoin Eater address), to raise the value of their remaining coins.

It is unpopular. We try to avoid that if we can, why would we not? Only if we really can't do anything would I also cede to that as our backup resolution.
Dogedegen (OP)
November 10, 2025, 06:57:06 PM
Any takers? I think there is no way to add some poll to this thread now?
d5000
Legendary
Offline
Activity: 4606
Merit: 10525
Decentralization Maximalist
November 11, 2025, 09:18:01 PM
Oh, I saw I forgot to answer some of your questions.

Quote from: Dogedegen
That would be an interesting read. D5000 maybe you could make that if you are interested?

A list of threat actors imo isn't as straightforward as a list of threats. Of course we can mention some general categories (economic actors, e.g. those who want to short Bitcoin, scammers, governments, personalities like Dr. Faketoshi ...) but most of what already happened can be derived from common sense; above all if we want to predict the future behavior, things become very speculative. I'll think about it; if I have an interesting idea how to frame this, maybe I start such a thread.

Quote from: Dogedegen
Then I assume a blockchain explorer can be built that is solving these challenges on request and would work pretty much the same as the existing ones? At least for the user.

Yes, of course. Blockchain explorers can store everything they want, and they could also "reconstruct" the transactions and UTXOs. The idea is that this kind of data would not be necessary to operate a Bitcoin node.

Quote from: Dogedegen
Why costly? The cost is not the value foregone but rather the cost of the actual private key derivation. We can't know just how expensive it is going to be ahead of time.

We can assume that it will be very costly: they are using a bleeding edge computation paradigm, with extremely expensive hardware (with superconducting components, for example), and the result should be just "thrown away". They could instead use this hardware for useful purposes (e.g. very costly process optimization in different industries or in medicine) or for criminal purposes (hacking banks ...), and thus the opportunity cost to use the hardware just to "burn coins" would be huge. (We were talking here about an idea to have big corporations "grabbing" Satoshi's coins with quantum computers and then burning them.)

Quote from: Dogedegen
It is unpopular. We try to avoid that if we can, why would we not? Only if we really can't do anything would I also cede to that as our backup resolution.

For me confiscation even of a couple of coins is still worse, and we maybe never will know who's the legit owner of these old P2PK coins. If there was a recovery mechanism for P2PK and similar outputs, of course it should be used, but I simply can't imagine it. There is not enough information in these outputs to create such a recovery mechanism.
Dogedegen (OP)
November 12, 2025, 03:55:24 PM
Quote from: d5000
Oh, I saw I forgot to answer some of your questions.

Happy you found your way back; unfortunately a big thread like this does not get much attention for some reason.

Quote from: d5000
A list of threat actors imo isn't as straightforward as a list of threats. Of course we can mention some general categories (economic actors, e.g. those who want to short Bitcoin, scammers, governments, personalities like Dr. Faketoshi ...) but most of what already happened can be derived from common sense; above all if we want to predict the future behavior, things become very speculative.
I'll think about it; if I have an interesting idea how to frame this, maybe I start such a thread.

It is considerably harder; that is why I passed the suggestion to you. You have more experience and many more threads. I don't want to start a project that is beyond my capabilities. If you are interested in it, try, because I would definitely want to read it.

Quote from: d5000
Yes, of course. Blockchain explorers can store everything they want, and they could also "reconstruct" the transactions and UTXOs. The idea is that this kind of data would not be necessary to operate a Bitcoin node.

Then I am more accepting of this idea. As long as most or all blockchain explorers act as archival nodes and there is an easy option to turn your own node back into archival mode, similar to how there is pruning now, then it could be good. I wonder if this is really the direction that the developers want to take? I would want to read some discussions on that; I wish that they posted more here.

Quote from: d5000
    Quote from: Dogedegen
    Why costly? The cost is not the value foregone but rather the cost of the actual private key derivation. We can't know just how expensive it is going to be ahead of time.
We can assume that it will be very costly: they are using a bleeding edge computation paradigm, with extremely expensive hardware (with superconducting components, for example), and the result should be just "thrown away". They could instead use this hardware for useful purposes (e.g. very costly process optimization in different industries or in medicine) or for criminal purposes (hacking banks ...), and thus the opportunity cost to use the hardware just to "burn coins" would be huge. (We were talking here about an idea to have big corporations "grabbing" Satoshi's coins with quantum computers and then burning them.)

In your scenario I understand where you are coming from. Mine is slightly different; well, it has different assumptions. Let's say that we reach the point that deriving the private key of those addresses is almost trivial. Then you would not amortize the cost of all of the hardware or say the opportunity cost is huge, if cracking the key takes minutes or even seconds? In this scenario it would be quite a good outcome if a beneficial actor reaches this level of quantum computing first and then burns them or makes them not spendable. Do you agree? If the assumptions of your scenario end up being true then I do agree, it is very costly in that case. I think as of today we can't be sure which way it is going to go.

Quote from: d5000
    Quote from: Dogedegen
    It is unpopular. We try to avoid that if we can, why would we not? Only if we really can't do anything would I also cede to that as our backup resolution.
For me confiscation even of a couple of coins is still worse, and we maybe never will know who's the legit owner of these old P2PK coins. If there was a recovery mechanism for P2PK and similar outputs, of course it should be used, but I simply can't imagine it. There is not enough information in these outputs to create such a recovery mechanism.

Well I did not mean to imply that if we avoid the idea somehow we would fall back on confiscation as the alternative. I do not know if a solution can be developed that does not involve confiscation, but if it can then I meant to say that we'd collectively prefer going with that method than to let someone take them and sell them onto the market. My other view, but more like a wish, is that cracking the keys becomes possible but that it is relatively slow and expensive. This would create a secondary mining-like race, but the dump of the coins would be gradual and to some extent predictable. Then I think even many of the naysayers would be more accepting of this idea where those that get the keys dump the coins on the market.
d5000
Legendary
Offline
Activity: 4606
Merit: 10525
Decentralization Maximalist
November 12, 2025, 06:06:40 PM
Quote from: Dogedegen
Then I am more accepting of this idea. As long as most or all blockchain explorers act as archival nodes and there is an easy option to turn your own node back into archival mode, similar to how there is pruning now, then it could be good. I wonder if this is really the direction that the developers want to take?

Yes, of course you could still always decide to turn back to the old model. The Utreexo developers (which would be a part of that scheme) have recently published a draft BIP ( https://github.com/utreexo/biptreexo/ ). They have acceptance by several developers afaik. But Utreexo does not change the way the blockchain is stored, only the UTXO set; still, that would already be a first step. Zero-knowledge blockchain storage instead is less discussed, as far as I know, but there are groups developing it aside from Core, like ZeroSync. I could however also imagine a much simpler scheme: that "normal" nodes simply ignore OP_RETURN outputs, while storing all other types of outputs. They would only need a proof that the TXID and the merkle tree from the transactions with OP_RETURN are valid.

Quote from: Dogedegen
Let's say that we reach the point that deriving the private key of those addresses is almost trivial.

That will not happen for a long time. And at that point it's almost for sure a criminal will have already stolen the coins. Just think about it: One of the old P2PK outputs like Satoshi's with 50 coins on them is worth about 5 million dollars now. Roughly it would make sense for a quantum criminal to steal it if he only has to invest significantly less than that amount. So if he has to invest $100,000 for example, and has access to the machine, he could try it as he would have a good profit expectation. That means basically that if the cost is less than these $100,000, there would be enough incentives for the coins to be "quantum-hacked", and it's only a matter of time until they will be. $100k per output is still a high cost just for burning the coins if we're talking about 25,000 of these outputs that would have been burnt. Who would pay that?

Quote from: Dogedegen
My other view, but more like a wish, is that cracking the keys becomes possible but that it is relatively slow and expensive. This would create a secondary mining-like race, but the dump of the coins would be gradual and to some extent predictable.

This is the most likely scenario. A quantum computer with a few thousand or even dozens of thousands of qubits would take months or years for a single output. Having a QC with millions of qubits will take decades, and only these would be able to crack keys in less than a day.
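The "simpler scheme" d5000 sketches above (a node drops the bodies of OP_RETURN-bearing transactions but keeps enough to show that their TXIDs still hash into the block's merkle root) is easy to make concrete. The following Python is an added example written for this page, not code from the thread, from Bitcoin Core or from Utreexo/ZeroSync. It implements Bitcoin's merkle construction (double SHA-256, odd levels duplicate their last hash), produces a merkle branch for a chosen transaction, verifies that branch against the root, and then prunes a constructed five-transaction block to "stubs" for the two transactions that carry an OP_RETURN output. All txids, scripts and the helper names (`prune_data_carrier_txs`, `stubs_consistent_with_root`) are constructed here; real txids are the double-SHA-256 of the serialized transaction.

```python
import hashlib
from typing import Dict, List, Tuple

OP_RETURN = 0x6a  # first opcode of a provably unspendable data-carrier output


def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash for txids and merkle nodes: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def _pad(level: List[bytes]) -> List[bytes]:
    # Bitcoin's rule: an odd-length level duplicates its last hash before pairing.
    return level + [level[-1]] if len(level) % 2 == 1 else list(level)


def _next_level(level: List[bytes]) -> List[bytes]:
    level = _pad(level)
    return [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(txids: List[bytes]) -> bytes:
    """Header merkle root over the txids in block order (internal byte order)."""
    if not txids:
        raise ValueError("a block has at least the coinbase transaction")
    level = list(txids)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_branch(txids: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf `index` up to the root, each flagged with whether it sits on the left."""
    branch = []
    level = list(txids)
    idx = index
    while len(level) > 1:
        level = _pad(level)
        sibling = idx ^ 1
        branch.append((level[sibling], sibling < idx))
        level = _next_level(level)
        idx //= 2
    return branch


def verify_merkle_branch(txid: bytes, branch: List[Tuple[bytes, bool]], root: bytes) -> bool:
    """Recompute the path to the root from a txid and its branch; no other tx data is needed."""
    node = txid
    for sibling, sibling_on_left in branch:
        node = dsha256(sibling + node) if sibling_on_left else dsha256(node + sibling)
    return node == root


def is_op_return(script_pubkey: bytes) -> bool:
    return len(script_pubkey) > 0 and script_pubkey[0] == OP_RETURN


def prune_data_carrier_txs(block_txs: List[Dict]) -> List[Dict]:
    """Replace every tx with an OP_RETURN output by a stub holding only its txid and merkle branch."""
    txids = [tx["txid"] for tx in block_txs]
    pruned = []
    for i, tx in enumerate(block_txs):
        if any(is_op_return(out) for out in tx["outputs"]):
            pruned.append({"txid": tx["txid"], "branch": merkle_branch(txids, i), "stub": True})
        else:
            pruned.append(dict(tx, stub=False))
    return pruned


def stubs_consistent_with_root(pruned: List[Dict], root: bytes) -> bool:
    """Every stub must still link into the block header's merkle root."""
    return all(verify_merkle_branch(tx["txid"], tx["branch"], root) for tx in pruned if tx["stub"])


# Constructed sample block: five transactions, two of them carrying OP_RETURN data outputs.
def _fake_tx(label: str, outputs: List[bytes]) -> Dict:
    return {"txid": dsha256(label.encode()), "outputs": outputs}  # constructed txid, not a real one

P2PKH_SCRIPT = bytes([0x76, 0xa9, 0x14]) + b"\x11" * 20 + bytes([0x88, 0xac])
DATA_SCRIPT = bytes([OP_RETURN, 0x04]) + b"data"

SAMPLE_BLOCK = [
    _fake_tx("coinbase", [P2PKH_SCRIPT]),
    _fake_tx("payment-1", [P2PKH_SCRIPT, P2PKH_SCRIPT]),
    _fake_tx("inscription-1", [P2PKH_SCRIPT, DATA_SCRIPT]),
    _fake_tx("payment-2", [P2PKH_SCRIPT]),
    _fake_tx("inscription-2", [DATA_SCRIPT]),
]
SAMPLE_ROOT = merkle_root([tx["txid"] for tx in SAMPLE_BLOCK])


def demo() -> Tuple[int, bool]:
    """Return (number of stubbed transactions, whether all stubs verify against the header root)."""
    pruned = prune_data_carrier_txs(SAMPLE_BLOCK)
    return sum(tx["stub"] for tx in pruned), stubs_consistent_with_root(pruned, SAMPLE_ROOT)


if __name__ == "__main__":
    print(demo())  # (2, True)
```

Two caveats a node author would want: the duplicate-last-hash rule means two different transaction lists can produce the same root when a block's last transactions are repeated, so a node must reject duplicate txids before it trusts a branch (Bitcoin Core already does this); and a stub proves inclusion only, so validation of the stubbed transaction's inputs has to happen before pruning, which is why d5000 pairs the idea with a validity proof rather than the branch alone.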
gmaxwell
Staff
Legendary
Offline
Activity: 4704
Merit: 10519
Quote from: Dogedegen
1) User Apathy:

User anxiety is a far greater risk than apathy. If people are apathetic Bitcoin can probably sail on fine with little attention. But people in a constant state of anxiety after being bombarded by media and advertisements tuned to maximize interest and vigilance, and influencers who don't exist unless they are riling people up-- are constantly looking to make a disaster out of every possible issue. Most of the time "do nothing" is the correct response, but the anxious mind constantly jumps at every shadow. Most of the concerns in your post are legitimate-- including apathy-- sure, but I expect for many readers the net effect is harmful-- because they weren't serious concerns and the anxiety seriously compromises people's judgement. We can see this playing out right now with numerous people supporting "BIP444" -- a half brained scheme which would totally lobotomize Bitcoin's programmable functionality, functionally confiscate funds, and would have rendered the vast majority of historical blocks invalid. Some people are so deranged by their spam anxiety that they delusionally believe this radical and obviously immoral change to bitcoin is not just a justified loss but that it is *uncontroversial* and think that it will obviously be adopted. Mass sociogenic illness in this form of anxious culty behavior pushing for radical "emergency" changes is probably one of the more significant risks to Bitcoin.
Btcloop
Newbie
Offline
Activity: 22
Merit: 0
November 12, 2025, 07:15:11 PM
Quote from: NotATether
The OP is missing one very important category: scams. Scams, which need no introduction, are prevalent in all sorts of crypto and not only Bitcoin, and I would probably rate it High.
I would also lump hacks and scams together in the same category.

If you combine these two systems, you will see that everyone will be aware of these two things at the same time. Hacking usually involves technical advantage—the act of breaking into a digital system, network, or device without the user's knowledge or consent to steal data, disrupt services, or gain unauthorized access (e.g., malware, phishing attempts that lead to a data breach).
Dogedegen (OP)
November 13, 2025, 12:20:50 PM
Quote from: d5000
Yes, of course you could still always decide to turn back to the old model. The Utreexo developers (which would be a part of that scheme) have recently published a draft BIP ( https://github.com/utreexo/biptreexo/ ). They have acceptance by several developers afaik. But Utreexo does not change the way the blockchain is stored, only the UTXO set; still, that would already be a first step. Zero-knowledge blockchain storage instead is less discussed, as far as I know, but there are groups developing it aside from Core, like ZeroSync.

That sounds interesting to me. I assume this is a rather large stepping stone towards the path that you outline. I'm interested to hear, in a user-understandable way, just how much this would speed up some aspects of Bitcoin like synchronization time. Is there any practical data on it yet or is it still more theoretical?

Quote from: d5000
I could however also imagine a much simpler scheme: that "normal" nodes simply ignore OP_RETURN outputs, while storing all other types of outputs. They would only need a proof that the TXID and the merkle tree from the transactions with OP_RETURN are valid.

How much data would this save?

Quote from: d5000
    Quote from: Dogedegen
    Let's say that we reach the point that deriving the private key of those addresses is almost trivial.
That will not happen for a long time. And at that point it's almost for sure a criminal will have already stolen the coins. Just think about it: One of the old P2PK outputs like Satoshi's with 50 coins on them is worth about 5 million dollars now. Roughly it would make sense for a quantum criminal to steal it if he only has to invest significantly less than that amount. So if he has to invest $100,000 for example, and has access to the machine, he could try it as he would have a good profit expectation.

While I tend to agree with you I am a bit more conservative on making statements of certainty here; that is why I like to explore different scenarios regardless of their probabilities. As long as they are realistically possible one day, I'm interested in analyzing what could happen.

Quote from: d5000
That means basically that if the cost is less than these $100,000, there would be enough incentives for the coins to be "quantum-hacked", and it's only a matter of time until they will be. $100k per output is still a high cost just for burning the coins if we're talking about 25,000 of these outputs that would have been burnt. Who would pay that?

I would not consider $100k per output trivial as my scenario demands; I meant more trivial like generating a 4 character vanity address on your CPU. But yes, in the way that you have described it, it would be expensive to burn.

Quote from: d5000
This is the most likely scenario. A quantum computer with a few thousand or even dozens of thousands of qubits would take months or years for a single output. Having a QC with millions of qubits will take decades, and only these would be able to crack keys in less than a day.

Let's hope that it happens so. A gradual mining of the keys is much better than any kind of freezing or confiscation. In the meantime I wonder if any technical solutions can be deployed to minimize address reuse even further. Something stricter than just plain warnings and leaving it up to wallet developers to decide how to deal with it. It would help more people to have coins on addresses that are already quantum safe as their key is not exposed anyway. It could be one of those smaller measures for which benefits will add up over time until the problem becomes real.

Quote from: gmaxwell
    Quote from: Dogedegen
    1) User Apathy:
User anxiety is a far greater risk than apathy. If people are apathetic Bitcoin can probably sail on fine with little attention. But people in a constant state of anxiety after being bombarded by media and advertisements tuned to maximize interest and vigilance, and influencers who don't exist unless they are riling people up-- are constantly looking to make a disaster out of every possible issue. Most of the time "do nothing" is the correct response, but the anxious mind constantly jumps at every shadow.

That is a very interesting point! I believe that apathy deserves its own space because people continue to become more apathetic towards really important things as they are distracted by all kinds of comfort. However I do believe that you are right in the sense that anxiety is an even bigger issue. From what I can observe looking at social media platforms it is very easy to generate all sorts of feelings in people who are in this industry. Even if we just focus on the topic of quantum computers, it has generated anxiety far too many times given how remote the whole thing still is.

Quote from: gmaxwell
Most of the concerns in your post are legitimate-- including apathy-- sure, but I expect for many readers the net effect is harmful-- because they weren't serious concerns and the anxiety seriously compromises people's judgement.

My idea was to present an amateur style version of this topic, which is a topic that is maybe quite suitable for a research paper. I would not call it objective because it is me who does the selection of threats and who provides the threat assessment. That is always going to be at least a little bit subjective. I really do not want to generate any FUD or anxiety. If someone has ideas on how to limit the negatives of such a thread let me know. Maybe a disclaimer on the top or something? I would like to add the point about user anxiety in the appropriate section anyway. I would also consider locking this topic if that is beneficial. Thank you.

Quote from: gmaxwell
Mass sociogenic illness in this form of anxious culty behavior pushing for radical "emergency" changes is probably one of the more significant risks to Bitcoin.

That is quite well written.
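Dogedegen's point about address reuse above comes down to one question per UTXO: is the public key already readable from chain data, or only a hash of it? The following Python is an added example for this page, not code from the thread or from any wallet project. It classifies the standard scriptPubKey templates and flags the UTXOs whose key a Shor-capable adversary could obtain from the chain alone: P2PK outputs carry the key in the script, and hash-based outputs (P2PKH, P2WPKH) expose it only once the same script has been spent from before, which is exactly the reuse case. It goes one step beyond the P2PK case the thread discusses by also treating Taproot (P2TR) outputs as key-exposed, since the 32-byte output key sits in the script. All scripts and the `spent_scripts` set are constructed sample data; a real scan would build that set from the scriptSigs and witnesses of every spent input.

```python
from typing import Iterable, List, Set, Tuple

# Opcodes used by the standard output templates matched below.
OP_0, OP_1, OP_RETURN, OP_DUP, OP_EQUAL, OP_EQUALVERIFY, OP_HASH160, OP_CHECKSIG = (
    0x00, 0x51, 0x6a, 0x76, 0x87, 0x88, 0xa9, 0xac)


def classify_script(spk: bytes) -> str:
    """Map a scriptPubKey to its standard template name, or 'nonstandard'."""
    n = len(spk)
    if n > 0 and spk[0] == OP_RETURN:
        return "op_return"
    # <33- or 65-byte pubkey push> OP_CHECKSIG: the key itself is the script
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG:
        return "p2pk"
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 0x14]) \
            and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return "p2pkh"
    if n == 23 and spk[:2] == bytes([OP_HASH160, 0x14]) and spk[-1] == OP_EQUAL:
        return "p2sh"
    if n == 22 and spk[:2] == bytes([OP_0, 0x14]):
        return "p2wpkh"
    if n == 34 and spk[:2] == bytes([OP_0, 0x20]):
        return "p2wsh"
    if n == 34 and spk[:2] == bytes([OP_1, 0x20]):
        return "p2tr"
    return "nonstandard"


KEY_IN_OUTPUT = {"p2pk", "p2tr"}  # the public key is written into the output script itself
HASH_ONLY = {"p2pkh", "p2wpkh"}   # only a hash of the key is on chain until the first spend


def key_exposed(spk: bytes, spent_scripts: Set[bytes]) -> bool:
    """True if the signing key for this output can be read from chain data alone."""
    kind = classify_script(spk)
    if kind in KEY_IN_OUTPUT:
        return True
    if kind in HASH_ONLY:
        # Address reuse: an earlier spend from the same script already published the pubkey.
        return spk in spent_scripts
    # Script-hash outputs depend on the redeem script; data outputs are unspendable. Not decided here.
    return False


def exposed_utxos(utxos: Iterable[Tuple[str, bytes]], spent_scripts: Set[bytes]) -> List[str]:
    """Outpoints whose coins sit on an already-exposed key."""
    return [outpoint for outpoint, spk in utxos if key_exposed(spk, spent_scripts)]


# Constructed sample data (stand-in byte patterns, not real keys or hashes).
def _p2pkh(h160: bytes) -> bytes:
    return bytes([OP_DUP, OP_HASH160, 0x14]) + h160 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])

SAMPLE_PUBKEY = b"\x02" + b"\xaa" * 32          # 33-byte compressed-key stand-in
P2PK_OUT = bytes([0x21]) + SAMPLE_PUBKEY + bytes([OP_CHECKSIG])
REUSED_P2PKH = _p2pkh(b"\xbb" * 20)              # this script has been spent from before
FRESH_P2PKH = _p2pkh(b"\xcc" * 20)               # never spent from: only the hash is public
P2WPKH_OUT = bytes([OP_0, 0x14]) + b"\xdd" * 20
P2TR_OUT = bytes([OP_1, 0x20]) + b"\xee" * 32
P2SH_OUT = bytes([OP_HASH160, 0x14]) + b"\xff" * 20 + bytes([OP_EQUAL])

SAMPLE_UTXOS = [
    ("tx1:0", P2PK_OUT),
    ("tx2:1", REUSED_P2PKH),
    ("tx3:0", FRESH_P2PKH),
    ("tx4:0", P2WPKH_OUT),
    ("tx5:0", P2TR_OUT),
    ("tx6:0", P2SH_OUT),
]
SAMPLE_SPENT_SCRIPTS = {REUSED_P2PKH}


def demo() -> List[str]:
    return exposed_utxos(SAMPLE_UTXOS, SAMPLE_SPENT_SCRIPTS)


if __name__ == "__main__":
    for outpoint, spk in SAMPLE_UTXOS:
        print(outpoint, classify_script(spk), key_exposed(spk, SAMPLE_SPENT_SCRIPTS))
    print(demo())  # ['tx1:0', 'tx2:1', 'tx5:0']
```

The wallet-side measure Dogedegen asks about maps onto the same check: a wallet that refuses to hand out an address whose script is already in its own spent set never lands coins in the `HASH_ONLY` reuse branch, and that is the property the thread calls "quantum safe as their key is not exposed anyway".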
JaredIbrahim
Newbie
Offline
Activity: 14
Merit: 10
December 16, 2025, 01:40:11 AM
If Satoshi is alive and quantum computers threaten to cause major damage to Bitcoin, then Satoshi Nakamoto will definitely become active and protect Bitcoin. Again, the way large companies and firms (MSTR, METAPLANET, Strive, Capital B etc) are increasing their holdings in Bitcoin is also a kind of bad sign for Bitcoin. However, the way Satoshi created Bitcoin, supercomputers and quantum computers cannot do any harm, and especially since Bitcoin is millions of times more powerful than supercomputers, if quantum computers really become a threat to Bitcoin, then Satoshi himself will certainly not be active.
Based. This guy gets it. Satoshi returning would be the worst thing for Bitcoin. It would create a central point of failure, a leader to attack or worship. The whole beauty is that the founder is irrelevant. The system runs itself. Quantum? The devs aren't sleeping. It's a known variable. The network will adapt and harden, like it always has. It's antifragile. Corpos buying is the ultimate proof of work. They're screaming to the world that this is the hardest asset in history. They're making our sats rarer. The hero is the 21 million limit. The hero is your node. Keep the faith in the code, not in a person.
d5000
Legendary
Offline
Activity: 4606
Merit: 10525
Decentralization Maximalist
December 16, 2025, 04:41:52 PM
Just re-visited this thread and saw there were some open questions still ...

Quote from: Dogedegen
I'm interested to hear, in a user-understandable way, just how much this would speed up some aspects of Bitcoin like synchronization time. Is there any practical data on it yet or is it still more theoretical?

Synchronization would not be accelerated much by Utreexo, because Utreexo only affects the UTXO set. But a zero knowledge proof based synchronization like ZeroSync could be a massive speed boost. On Bitcoin these techniques are still more of a theoretic concept afaik, but in altcoins like Ethereum it seems to be already working. In the whitepaper you find a description of the basic mechanism:

Quote from: the whitepaper
Naively, users can sync in three simple steps: Verify the current chain state using a proof, then download the corresponding UTXO set (≈ 5 GB of data), copy it into the “chainstate” folder, and run Bitcoin Core as usual. This procedure allows users to bootstrap a (pruned) full node without having to download and verify 500 GB of historical blockchain data. It reduces the initial sync time from many hours (or even days) to minutes.

While they don't give exact numbers, a sync time of "minutes" for the whole Bitcoin (!) chain looks like a dramatic speedup. They also mention Utreexo and claim that with this technique syncing would be even faster.

Quote from: Dogedegen
How much data would this save?

(Here we were talking about nodes being able to ignore OP_RETURN outputs and only storing the merkle tree and a proof hash.) This would depend entirely on how many OP_RETURN transactions are in the chain. Currently, they make up between about 5 and 30%, but in the Runes wave in 2024 it was 50% or more during some weeks. See also this thread. So for the whole blockchain I think the syncing time improvement would not be that important (perhaps 10%). But the essence here is that nodes could be sure that they don't store any unwanted data, at least via OP_RETURN.

Quote from: Dogedegen
While I tend to agree with you I am a bit more conservative on making statements of certainty here; that is why I like to explore different scenarios regardless of their probabilities. As long as they are realistically possible one day, I'm interested in analyzing what could happen.

The thing is that quantum computer progress will not come out of thin air. What you are assuming in this scenario is that somebody is able to make a leap of, let's say, from 1000-2000 qubits (the current maximum, not counting "adiabatic" QCs which can't run Shor's algorithm) to millions of qubits without anybody noticing, and this criminal could then crack wallets "trivially", "like current VanityGen". This is more or less impossible. (A recent Google research paper has claimed that about a million qubits may be sufficient for running Shor's algorithm to crack RSA-2048 [which is not the same as Bitcoin's ECDSA but in the same order of magnitude when it comes to security] in a week. Before, they thought 20 million were necessary.) Instead, with more than 99.9999% likelihood there will be gradual improvements. Even an exponential increase of 20% or even 50% more qubits per year will give the Bitcoin community a lot of time to react.
It would mean that we would know eventually that when the biggest quantum computer reaches 100,000 qubits and can operate for a day continuously (which is another challenge besides the number of qubits), then the "period of danger" begins, i.e. in the next years after this happens there should be some progress adopting quantum resistant cryptography, because it "may" be that someone achieves a 1000% progress in quantum computing making "wallet stealing" feasible with Shor's algorithm.
Dogedegen (OP)
December 16, 2025, 10:29:37 PM
Just re-visited this thread and saw there were some open questions still ...
I think there is no end to the things that could be discussed under this topic. Synchronization would not be accelerated much by Utreexo, because Utreexo only affects the UTXO set. But a zero knowledge proof based synchronization like ZeroSync could be a massive speed boost. On Bitcoin these techniques are still more of a theoretic concept afaik, but in altcoins like Ethereum it seems to be already working. In the whitepaper you find a description of the basic mechanism: Naively, users can sync in three simple steps: Verify the current chain state using a proof, then download the corresponding UTXO set (≈ 5 GB of data), copy it into the “chainstate” folder, and run Bitcoin Core as usual. This procedure allows users to bootstrap a (pruned) full node without having to download and verify 500 GB of historical blockchain data. It reduces the initial sync time from many hours (or even days) to minutes.
While they don't give exact numbers, a sync time of "minutes" for the whole Bitcoin (!) chain looks like a dramatic speedup. They also mention Utreexo and claim that with this technique syncing would be even faster. Alright that sounds excellent but the benefits are limited to a pruned node. This does not affect full nodes or any potential on-chain transaction capability right? Those are the things that I would be interested, but I don't see how we can speed those up any more than we already have. I wonder how we could speed up full nodes or improve the transactions per second capability or transaction speed. Some may not want scaling on layer 1, but I think scaling should be done on all layers. Upgrades when possible and when they are mature. How much data would this save?
(Here we were talking about nodes being able to ignore OP_RETURN outputs and only storing the merkle tree and a proof hash.) This would depend entirely on how many OP_RETURN transactions are in the chain. Currently, they make up between about 5 and 30%, but in the Runes wave in 2024 it was 50% or more during some weeks. See also this thread. So for the whole blockchain I think the syncing time improvement would not be that important (perhaps 10%). But the essence here is that nodes could be sure that they don't store any unwanted data, at least via OP_RETURN. Currently they make up between 5 and 30%? That is a very wide estimate. Isn't it possible to get the data on this correctly and in a pretty precise way? While I tend to agree with you I am a bit more conservative on making statements of certainty here, that is why I like to explore different scenarios regardless of their probabilities. As long as they are realistically possible one day, I'm interested in analyzing what could happen. The thing is that quantum computer progress will not come out of thin air. What you are assuming in this scenario is that somebody is able to make a leap of let's say from 1000-2000 qubits (the current maximum, not counting "adiabatic" QCs which can't run Shor's algorithm) to millions of qubits without anybody noticing, and this criminal could then crack wallets "trivially" "like current VanityGen". This is more or less impossible. (A recent Google research paper has claimed that about a million qubits may be sufficient for running Shor's algorithm to crack RSA-2048 [which is not the same as Bitcoin's ECDSA but in the same order of magnitude when it comes to security] in a week. Before, they thought 20 million were necessary.) Instead with more than 99.9999% likelihood there will be gradual improvements. Even an exponential increase of 20% or even 50% more qubits per year will give the Bitcoin community a lot of time to react.
It would mean that we would know eventually that when the biggest quantum computer reaches 100,000 qubits and can operate for a day continuously (which is another challenge besides the number of qubits), then the "period of danger" begins, i.e. in the next years after this happens there should be some progress adopting quantum resistant cryptography, because there "may" be that someone achieves a 1000% progress in quantum computing making "wallet stealing" feasible with Shor's algorithm. Maybe I didn't write what I wanted to say here. While your idea of gradual improvements is much more likely, I don't want to go with the view that this is what will certainly happen and dismiss any other scenarios. I want to consider scenarios that are realistic or possible even if they have a low probability. So I would not say that it is 99.9999% more likely that there will only be gradual improvements with certainty, I don't know that probability to be specific. I could only say relative probabilities, in this case that a gradual improvement scenario is much more likely than an exponential jump scenario. I am also always interested in the how. We are here mostly talking about the rate of improvement and the standard Shor's or Grover's algorithm. Is there no other way that quantum computers could attack these problems or discover something unexpected? That would be interesting to think about!
Dogedegen (OP)
January 13, 2026, 07:46:55 PM |
I wish for more activity in this thread. I hope some people read it.
Son Of Blockchain (SOB)
Full Member
 
Offline
Activity: 504
Merit: 117
January 13, 2026, 09:11:24 PM |
If Satoshi is alive and quantum computers threaten to cause major damage to Bitcoin, then Satoshi Nakamoto will definitely become active and protect Bitcoin. Again, the way large companies and firms (MSTR, METAPLANET, Strive, Capital B etc) are increasing their holdings in Bitcoin is also a kind of bad sign for Bitcoin. However, the way Satoshi created Bitcoin, supercomputers and quantum computers cannot do any harm, and especially since Bitcoin is millions of times more powerful than supercomputers, if quantum computers really become a threat to Bitcoin, then Satoshi himself will certainly not be active.
I have this feeling that the supercomputer threat is just an agenda to discourage people from using Bitcoin but it's a failed agenda because over the years, Bitcoin has proved that it's able to handle tough challenges including security challenges, users can only lose their coin through human errors like inability to secure their wallet or exposing keys to a third party. Yes, Bitcoin is very secure which is why its blockchain hasn't experienced any hack since it was created, Satoshi was very futuristic and prepared his invention for future challenges including the potential quantum hack which is a mere hype.
DeeppRockk
Member

Offline
Activity: 84
Merit: 30
January 13, 2026, 09:51:34 PM |
If Satoshi is alive and quantum computers threaten to cause major damage to Bitcoin, then Satoshi Nakamoto will definitely become active and protect Bitcoin. Again, the way large companies and firms (MSTR, METAPLANET, Strive, Capital B etc) are increasing their holdings in Bitcoin is also a kind of bad sign for Bitcoin. However, the way Satoshi created Bitcoin, supercomputers and quantum computers cannot do any harm, and especially since Bitcoin is millions of times more powerful than supercomputers, if quantum computers really become a threat to Bitcoin, then Satoshi himself will certainly not be active.
I have this feeling that the supercomputer threat is just an agenda to discourage people from using Bitcoin but it's a failed agenda because over the years, Bitcoin has proved that it's able to handle tough challenges including security challenges, users can only lose their coin through human errors like inability to secure their wallet or exposing keys to a third party. Yes, Bitcoin is very secure which is why its blockchain hasn't experienced any hack since it was created, Satoshi was very futuristic and prepared his invention for future challenges including the potential quantum hack which is a mere hype. Hmm, that's an interesting perspective on the supercomputer threat. I'm not totally sure how serious that risk really is, to be honest. I mean, Bitcoin has handled a lot of challenges so far, as you said.
d5000
Legendary
Offline
Activity: 4606
Merit: 10525
Decentralization Maximalist
January 13, 2026, 09:56:32 PM |
Alright that sounds excellent but the benefits are limited to a pruned node. This does not affect full nodes or any potential on-chain transaction capability right? Of course if you want to run an archival node which can transmit full data of old blocks and transactions to other nodes you have to download the whole blockchain. However, if more nodes use ZeroSync, there will be increasingly less need for nodes asking for old block data. In the end, we could have a network with a much higher proportion of pruned nodes, which would be enough for most needs. Only in special cases (e.g. spawning another archival node) you would have to connect to an archival node, otherwise you can always use the ZeroSync approach. This would mean the network would have less traffic but with the same utility. The initial block download / long sync [e.g. if you disconnect for weeks] cost would drastically reduce. I don't see how we can speed those up any more than we already have. I wonder how we could speed up full nodes or improve the transactions per second capability or transaction speed. Some may not want scaling on layer 1, but I think scaling should be done on all layers. I think Utreexo/ZeroSync combi is the most that would work on Layer 1 without crippling the blockchain functionality. However, if this combination leads to less network traffic, it could be an opportunity for a slight block size increase (not more than doubling). I still prefer the layer-2 approach though, and in addition, a blocksize increase would perhaps drive transaction fees down to unhealthy levels if we take into account the security budget (51% attack cost) in the long term (after the next 5-10 halvings, when block rewards would be very low already). Currently they make up between 5 and 30%? That is a very wide estimate. Isn't it possible to get the data on this correctly and in a pretty precise way? This is not an "estimate". It varies because it depends mainly on the transaction fees per block.
I could set up a variation of my query on dune.org where I could estimate an average per week or so. Maybe I didn't write what I wanted to say here. While your idea of gradual improvements is much more likely, I don't want to go with the view that this is what will certainly happen and dismiss any other scenarios. I want to consider scenarios that are realistic or possible even if they have a low probability. Yes but then we should also discuss the probability for world peace or post-scarcity. The probabilities for these events to happen are as low as a "drastic jump" from 2000 to 1 million qubits in a single year or so. Quantum computers are highly complex machines, they need superconducting parts which have to be cooled down to less than -200 degrees Celsius. It is probably much easier to build a humanoid robot which can replace 90% of the workers in the world and would be cheaper than a human salary, for example. We are here mostly talking about the rate of improvement and the standard Shor's or Grover's algorithm. Is there no other way that quantum computers could attack these problems or discover something unexpected?
Of course it is possible that a new kind of attack or vulnerability of a cryptographic scheme is found, and that could involve new algorithms usable by quantum computers. But quantum computers are not magic. They are machines that can do certain tasks very well, but in most other fields they will be much slower than conventional computers probably for decades or even forever. I think I mentioned in this thread already, but even if quantum computers crack ECDSA in less than 10 minutes and this happens "from one day to another", we can simply update Bitcoin to post-quantum cryptography and require Tadge Dryja's recovery algorithm to move coins which sit in "old" (quantum-vulnerable) addresses. That's not magic, but quite simple tech. The reason post-quantum cryptography isn't used in Bitcoin currently is that there is no consensus which candidate cryptosystem is the best one, so it's best to wait until PQC either 1) matures or 2) there is really a threat looming in the background. But option 3) - wait until the first coins were hacked - is also not catastrophic. Only those who have re-used addresses or use outdated transactions like P2PK would be affected instantly.
Dogedegen (OP)
January 18, 2026, 10:37:05 PM |
If Satoshi is alive and quantum computers threaten to cause major damage to Bitcoin, then Satoshi Nakamoto will definitely become active and protect Bitcoin. Again, the way large companies and firms (MSTR, METAPLANET, Strive, Capital B etc) are increasing their holdings in Bitcoin is also a kind of bad sign for Bitcoin. However, the way Satoshi created Bitcoin, supercomputers and quantum computers cannot do any harm, and especially since Bitcoin is millions of times more powerful than supercomputers, if quantum computers really become a threat to Bitcoin, then Satoshi himself will certainly not be active.
I have this feeling that the supercomputer threat is just an agenda to discourage people from using Bitcoin but it's a failed agenda because over the years, Bitcoin has proved that it's able to handle tough challenges including security challenges, users can only lose their coin through human errors like inability to secure their wallet or exposing keys to a third party. Yes, Bitcoin is very secure which is why its blockchain hasn't experienced any hack since it was created, Satoshi was very futuristic and prepared his invention for future challenges including the potential quantum hack which is a mere hype. Supercomputers were never a threat to Bitcoin, and they will never be. The machines that mine Bitcoin are optimized to do only 1 task, and that is to solve the mining challenge. This is why general purpose supercomputers are irrelevant to this, it does not matter if it is a CPU or GPU cluster. On the other hand, the argument that Bitcoin is not vulnerable to quantum computers because Satoshi created it is invalid. This is something like an appeal to authority or even appeal to traditions fallacy. No person can forecast anything, actually most people who try to forecast anything 5 years from now will get it wrong on average. Instead of writing about this part in such a general way you should actually read what I wrote in the quantum computers section of the first post. However, if more nodes use ZeroSync, there will be increasingly less need for nodes asking for old block data. In the end, we could have a network with a much higher proportion of pruned nodes, which would be enough for most needs. Only in special cases (e.g. spawning another archival node) you would have to connect to an archival node, otherwise you can always use the ZeroSync approach. This would mean the network would have less traffic but with the same utility. The initial block download / long sync [e.g. if you disconnect for weeks] cost would drastically reduce.
Is this really the direction that we want to take or do we have no other choice? I think I have seen some altcoins proclaim themselves to have solved scaling, but they have implemented something similar but probably less comprehensive. They just keep some part of the blockchain history, and only a few archival nodes contain the rest. What are your observations on that, have you seen developers indicating that they would like this future or not? Even if it were without any downsides, it still kind of is a radical change compared to how we are operating Bitcoin these days. I don't see how we can speed those up any more than we already have. I wonder how we could speed up full nodes or improve the transactions per second capability or transaction speed. Some may not want scaling on layer 1, but I think scaling should be done on all layers. I think Utreexo/ZeroSync combi is the most that would work on Layer 1 without crippling the blockchain functionality. However, if this combination leads to less network traffic, it could be an opportunity for a slight block size increase (not more than doubling). I still prefer the layer-2 approach though, and in addition, a blocksize increase would perhaps drive transaction fees down to unhealthy levels if we take into account the security budget (51% attack cost) in the long term (after the next 5-10 halvings, when block rewards would be very low already). I guess we have a complicated problem here, as I do remember I think you saying as well that Bitcoin does not exist in a bubble. If layer 1 is completely limited, then we are losing out some important users to altcoins. Surely those that value objective decentralization are never going to go to that side, but there are many people in between those and the other extreme who do not care about anything that Bitcoin really offers and are here just to make money in whichever way.
These users are often disappointed in L1 when they need to do something during high traffic time, something that they can do using other chains and for which they may not require or value the decentralization aspect of Bitcoin enough to avoid using altcoins even in this case. On the other side of this as you said, even if scalability were to be somehow not relevant here as in that we could do 1GB blocks without any issues there is the problem of fees. Having so much block space would invite some new users to offset some of that oversupply of space, but the fees would probably plummet. I actually am not sure what is the best way to solve this dilemma. I am skeptical on relying on suffocating layer 1 capability to keep the fees sufficient when there is competition for many use cases. Now we have technically 4 MB blocks, but imagine the future. The year is 2050 and we have 8 MB blocks? I just don't see how or why unless technology stalls completely, 25 years ago most people were on dial up and 32 bit computers if they had a computer or internet at all. Please do share what you think about all of this. Currently they make up between 5 and 30%? That is a very wide estimate. Isn't it possible to get the data on this correctly and in a pretty precise way? This is not an "estimate". It varies because it depends mainly on the transaction fees per block. I could set up a variation of my query on dune.org where I could estimate an average per week or so. I get what you mean with the range now, but I meant historically, how much data would it remove with the current state of the blockchain? Maybe I didn't write what I wanted to say here. While your idea of gradual improvements is much more likely, I don't want to go with the view that this is what will certainly happen and dismiss any other scenarios. I want to consider scenarios that are realistic or possible even if they have a low probability.
Yes but then we should also discuss the probability for world peace or post-scarcity. The probabilities for these events to happen are as low as a "drastic jump" from 2000 to 1 million qubits in a single year or so. Quantum computers are highly complex machines, they need superconducting parts which have to be cooled down to less than -200 degrees Celsius. It is probably much easier to build a humanoid robot which can replace 90% of the workers in the world and would be cheaper than a human salary, for example. Probably it is, you are right! Still I would like to explore many different scenarios to better be able to understand what are the obstacles and why do they have low probabilities. You have given an excellent example there describing the difficulties with quantum computers, I am sure that many people who mostly get this news from the media expect that things could go fast like with Moore's law and traditional hardware. I think I mentioned in this thread already, but even if quantum computers crack ECDSA in less than 10 minutes and this happens "from one day to another", we can simply update Bitcoin to post-quantum cryptography and require Tadge Dryja's recovery algorithm to move coins which sit in "old" (quantum-vulnerable) addresses. That's not magic, but quite simple tech. The reason post-quantum cryptography isn't used in Bitcoin currently is that there is no consensus which candidate cryptosystem is the best one, so it's best to wait until PQC either 1) matures or 2) there is really a threat looming in the background. But option 3) - wait until the first coins were hacked - is also not catastrophic. Only those who have re-used addresses or use outdated transactions like P2PK would be affected instantly.
That sounds like a good way to have a counter measure in place, I think that we need to promote this recovery algorithm to give some users more confidence. As gmaxwell rightfully pointed out earlier in this thread, user anxiety is its own separate issue. From what I can observe in quantum related threads basically nobody is mentioning that as an option for even a worst case scenario. We need to spread this knowledge wide so that even the average user who may not fully understand all the technical aspects of it will bring it up when they participate in such conversations. Here it was. User anxiety is a far greater risk than Apathy. If people are apathetic Bitcoin can probably sail on fine with little attention. But people in a constant state of anxiety after being bombarded by media and advertisements tuned to maximize interest and vigilance, and influencers who don't exist unless they are riling people up-- are constantly looking to make a disaster out of every possible issue. Most of the time "do nothing" is the correct response, but the anxious mind constantly jumps at every shadow.
I've actually just finally added this to the relevant group and I put it as number one, because I agree with you that it is more dangerous than apathy even if groups are not really ordered by danger priority but readers could subconsciously interpret it this way. User apathy is more a long-term risk, and anxiety is a short-term risk because users could behave in impulsive ways during difficult events or challenges that we face during Bitcoin's journey.
Rgram
January 18, 2026, 10:56:17 PM |
The OP is missing one very important category: scams. Scams, which need no introduction, are prevalent in all sorts of crypto and not only Bitcoin, and I would probably rate it High.
I would also lump hacks and scams together in the same category.
I believe that we might need another post on the current and future threat actors to Bitcoin as well. That would be interesting to read.
These are indeed some of the issues faced today by cryptocurrency users and investors. Although, these could be viewed as secondary given that they could come under a quick fix or solution by awareness. Victims of scams and hacks are mostly due to misinformation and lack of awareness of the tricks used by these tricksters and the trust some of the cryptocurrency users or investors have in centralized systems within the space like exchanges to the point of having large sums in Bitcoin stored on them. Still, awareness could tackle this to a good extent. The issue with quantum computers, it’s hardly an issue at this time and should private keys or seed phrase security be an issue here, then we ought to rest assured that no security system across all fields would be enough or safe from quantum computers. I have the impression that there would be a lot of regulations to this and it’s not a carry-on computer which means it wouldn’t be available for everyone, therefore the threat might be non-existent.
d5000
Legendary
Offline
Activity: 4606
Merit: 10525
Decentralization Maximalist
February 11, 2026, 11:11:20 PM |
Is this really the direction that we want to take or do we have no other choice? I think I have seen some altcoins proclaim themselves to have solved scaling, but they have implemented something similar but probably less comprehensive. They just keep some part of the blockchain history, and only a few archival nodes contain the rest. What are your observations on that, have you seen developers indicating that they would like this future or not? Well there are two possible approaches: - not keeping anything about the old history, only the UTXO set and a few days or weeks of current blocks. Such as the mini-blockchain scheme or Kaspa. - keeping a record of the old history, but in a very compressed form. This is how I understand the ZeroSync approach. The first option indeed isn't what I would like for Bitcoin. And if we advance into systems like Utreexo where the UTXOs are normally kept by the involved parties, some nodes that know about the old history should still exist if the UTXOs get lost. While you could argue that you should keep your UTXOs safe like your private keys, it's practically different above all for offline storage, as UTXOs would have to be stored too, alongside seed phrases or raw keys. You would have to print or annotate a lot of data on your paper offline storage. But what I think I can assure is that there's no "systemic" need for archival storage of data outputs (OP_RETURN and fake public keys). So even the archival nodes that only want to "help Utreexo users who lost their UTXOs" can discard a lot of data, and just the data which may be "risky" if they fear to store any illegal stuff. However the good thing is that the Bitcoin blockchain grows slowly and thus storage costs even for the whole chain are not high. While we have currently a SSD bubble due to AI demand, I guess in 1-2 years the prices for storage will again go down. Many nodes could opt to sync with ZeroSync but later re-download the whole blockchain, just to stay even safer.
And if there's really scarcity of archival nodes eventually, they could take money for the service (i.e. for those Utreexo users who lost the UTXOs) and that would again ensure incentives are there. I actually am not sure what is the best way to solve this dilemma. I am skeptical on relying on suffocating layer 1 capability to keep the fees sufficient when there is competition for many use cases. Now we have technically 4 MB blocks, but imagine the future. The year is 2050 and we have 8 MB blocks? I also don't think we should "suffocate" Layer 1 by "ossifying" the 4MB blocks. However, as I wrote in the previous paragraph, it's a blessing that Bitcoin's full storage requirements grow only slowly, so archival nodes would never be too expensive. So my take on this is: If we see another congestion phase, increase the block size slowly, but via softforks (witness discount increase). 8 MB or 16 MB could be the target value for 2050 indeed. Bitcoin is 17 years old now and we saw only one block size increase (a x2 in Segwit). In 17 more years we have 2042. Until then, 1-2 similar increases like Segwit could take place. Then we have technologies like Cross-Input signature aggregation which would allow further optimizations, above all for CoinJoins (don't know if I already mentioned this in this thread). I get what you mean with the range now, but I meant historically, how much data would it remove with the current state of the blockchain? I made a Dune query for OP_RETURN. I've currently no data for fake pubkeys and such methods. A quick look had as a result 940 MB of OP_RETURN data in 2025. That's honestly much less than I thought, as the blockchain grew from 627 GB to 710 GB in the same timeframe (by 83 GB), so it's a little bit over 1%. 
This is only the size of the outputs, but it doesn't make sense to add the change output and signature because these have to be stored for the blockchain state (the 5-30% I mentioned earlier was based on the size of the whole data transactions in mempool.space including inputs and outputs of OP_RETURN txes, but they included Taproot envelopes and other stuff). DdmrDdmr had made a similar graph for the Ordinals Taproot envelopes here. I have updated at least the query for the weight (not sizes) by day. I will probably fork that query to have data per day and also data for the real size in MB/GB.
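The measurement d5000 describes above (only the OP_RETURN output script counted, not the spending input or the change output) can also be reproduced locally from raw transactions instead of a Dune query. The following is an added example, not the poster's query or any project code: a minimal parser for serialized legacy and segwit transactions that sums OP_RETURN script bytes against total serialized size; the sample transactions are constructed here, not real chain data.

```python
"""Share of serialized transaction bytes that sit in OP_RETURN output scripts."""
import struct

OP_RETURN = 0x6A


def read_varint(buf, pos):
    """Decode a CompactSize integer at buf[pos]; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def parse_tx(raw):
    """Walk a serialized legacy or segwit tx; return (size, output scripts)."""
    pos = 4                                   # nVersion
    n_in, pos = read_varint(raw, pos)
    segwit = n_in == 0 and raw[pos] == 1      # marker 0x00 + flag 0x01
    if segwit:
        n_in, pos = read_varint(raw, pos + 1)
    for _ in range(n_in):
        pos += 36                             # prevout txid + index
        slen, pos = read_varint(raw, pos)
        pos += slen + 4                       # scriptSig + nSequence
    n_out, pos = read_varint(raw, pos)
    scripts = []
    for _ in range(n_out):
        pos += 8                              # nValue
        slen, pos = read_varint(raw, pos)
        scripts.append(raw[pos:pos + slen])
        pos += slen
    if segwit:                                # witness stack per input
        for _ in range(n_in):
            n_items, pos = read_varint(raw, pos)
            for _ in range(n_items):
                ilen, pos = read_varint(raw, pos)
                pos += ilen
    pos += 4                                  # nLockTime
    if pos != len(raw):
        raise ValueError("truncated transaction or trailing bytes")
    return pos, scripts


def op_return_bytes(raw):
    """Return (tx_size, bytes inside OP_RETURN output scripts) for one tx."""
    size, scripts = parse_tx(raw)
    return size, sum(len(s) for s in scripts if s and s[0] == OP_RETURN)


def data_share(txs):
    """Fraction of all serialized bytes that are OP_RETURN script bytes."""
    sizes = [op_return_bytes(raw) for raw in txs]
    total = sum(s for s, _ in sizes)
    return sum(d for _, d in sizes) / total if total else 0.0


def build_tx(outputs, segwit=False):
    """Constructed one-input tx with the given (value, script) outputs:
    all-zero prevout, empty scriptSig, 72-byte dummy witness item.
    Counts and script lengths must stay below 253 (single-byte varints)."""
    tx = struct.pack("<I", 2)
    if segwit:
        tx += b"\x00\x01"
    tx += b"\x01" + b"\x00" * 32 + struct.pack("<I", 0) + b"\x00" + b"\xff" * 4
    tx += bytes([len(outputs)])
    for value, script in outputs:
        tx += struct.pack("<q", value) + bytes([len(script)]) + script
    if segwit:
        tx += b"\x01" + b"\x48" + b"\x30" * 72
    return tx + struct.pack("<I", 0)


def op_return_script(payload):
    """OP_RETURN followed by one push of payload (direct push or OP_PUSHDATA1)."""
    if len(payload) <= 75:
        return bytes([OP_RETURN, len(payload)]) + payload
    return bytes([OP_RETURN, 0x4C, len(payload)]) + payload


P2WPKH = b"\x00\x14" + b"\x11" * 20            # constructed witness program
SAMPLE_TXS = [
    build_tx([(50_000, P2WPKH)], segwit=True),                    # plain payment
    build_tx([(0, op_return_script(b"constructed payload".ljust(80, b"x"))),
              (40_000, P2WPKH)], segwit=True),                    # data + change
    build_tx([(30_000, P2WPKH)]),                                 # legacy payment
]
```

Feeding real block data through `op_return_bytes` gives the per-transaction figure the post refers to; the change output and signature bytes are deliberately left out of the numerator, exactly as the post argues they should be.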