BIP-361

[dkbit98]

What do you think about newly proposed BIP-361 for Post Quantum Migration and Legacy Signature Sunset?
Several bitcoin developers and Jameson Lopp are supporting this proposal that would freeze quantum vulnerable wallets, including dormant coins for Satoshi Nakamoto and everyone else.
It is estimated that around 6.7 million BTC is currently held in legacy wallet addresses, that is almost 32% of bitcoin supply!

There are three offered proposals:

Phase A: Disallows sending of any funds to quantum-vulnerable addresses, hastening the adoption of PQ address types.

Phase B: Renders ECDSA/Schnorr spends invalid, preventing all spending of funds in quantum-vulnerable UTXOs. This is triggered by a well-publicized flag-day five years after activation.

Phase C (TBD): Pending further research, a separate BIP proposing a method to allow quantum safe recovery of legacy UTXOs, likely via zero knowledge proof of possession of a corresponding BIP-39 seed phrase.

You can read Bip-361 github page here:
https://github.com/bitcoin/bips/blob/master/bip-0361.mediawiki

[LoyceV]

First: I'm far from an expert on quantum decryption, but I've read things

It is estimated that around 6.7 million BTC is currently held in legacy wallet addresses, that is almost 32% of bitcoin supply!

As far as I understand, those are only at risk after exposing the public key, although given fast enough quantum decryption that could be enough time to replace a transaction after it's broadcasted and before it's confirmed.

Phase B: Renders ECDSA/Schnorr spends invalid, preventing all spending of funds in quantum-vulnerable UTXOs. This is triggered by a well-publicized flag-day five years after activation.

I was surprised when I saw that Taproot addresses introduced risks that Segwit fixed. But those 5 years, in some scenarios, may even be too late.

Phase C (TBD): Pending further research, a separate BIP proposing a method to allow quantum safe recovery of legacy UTXOs, likely via zero knowledge proof of possession of a corresponding BIP-39 seed phrase.

How's that going to work for addresses that don't have a corresponding seed phrase? Or just funds sent to pubkey, like Satoshi's mined coins?

[nc50lc]

I was surprised when I saw that Taproot addresses introduced risks that Segwit fixed. But those 5 years, in some scenarios, may even be too late.

Which risks specifically?

Several bitcoin developers and Jameson Lopp are supporting this proposal that would freeze quantum vulnerable wallets, including dormant coins for Satoshi Nakamoto and everyone else.
It is estimated that around 6.7 million BTC is currently held in legacy wallet addresses, that is almost 32% of bitcoin supply!

Not just legacy, SegWit v0 uses ECDSA signature as well,
So every bitcoin users will be affected by this if they wont move their bitcoins to the new quantum resistant address during 'Phase A'.

[satscraper]

I was surprised when I saw that Taproot addresses introduced risks

Just for the sake of prove that it is true for Taproot :

Yeah, those keys are tweaked, but the tweak is nothing more than mapping secp256k1 points using the same secp256k1 arithmetic, which is believed to be easily reversed by quantum computers with the help of Shor’s algorithm. So the tweak adds nothing toward security.

[flapduck]

The specific risk is simple enough: Taproot leaves the pubkey sitting on-chain from day one, while P2WPKH and old P2PKH hide it behind HASH160 until you spend. That is the part SegWit improved, and Taproot gave back in exchange for other benefits. So no, the exposure profile is not identical across all script types, and saying that every user is equally at risk right now, this muddies the picture. They are all living under the same eventual PQ cloud, sure, but some are standing in the rain already and some only get wet when they spend.

[LoyceV]

Which risks specifically?

I was told (by listening to the Dutch Cryptocast) that Taproot introduced a vulnerability for quantum decryption comparable to legacy addresses with exposed public key.

@flapduck: have an avatar