Author Topic: BIP-361  (Read 488 times)
ABCbits | April 18, 2026, 08:33:07 AM | #21

But if you are faithless or don't believe me, you can go this path specified below... we consider it one of the best QC attack mitigations.

You are free to freeze all relevant addresses, but their owners should be able to unfreeze them once they set up security questions and answers, which is an additional security layer. But the feature has to first be implemented by developers before questions and answers can be set up by address owners.

Inputting a private key (whether the correct key or not) without the security question shows: "this account is frozen to protect it from sophisticated attack, please set up a security question and answer to further secure the account and unfreeze it". Once the security is set up and the private key is correct, the account unlocks.
This method is QC and brute force proof because even if the right private key is guessed, it does nothing until a security question is set up. An attacker will have to manually set up a security question for each private key in order to find the right key that unlocks the account. But if it is done too fast or automatically with AI or a bot, the system could get the attacker to solve puzzles. This slows things down, and it will likely take forever to guess the right keys even with the fastest QC ever invented.



This solution does not violate the censorship resistant principle of Bitcoin

How would it work on Bitcoin or other decentralized systems? There are some concerns, such as:
1. Where and how is the security question/answer stored?
2. How does the system know the one who set it up is the actual owner? Making the owner sign it with their private key?
3. On the protocol level, there's no such thing as an account or address.
4. Even if a puzzle exists to slow down attackers, a large-scale attacker still benefits from writing an optimized puzzle solver on GPU or FPGA.

Maybe I don't agree fully with BIP-361 proposal, but doing nothing and just hoping quantum won't affect bitcoin sounds terrible to me.
I agree, this is why I'm closely following QC-related proposals to see which one looks more promising.
Although I'm skeptical on Quantum Computers (hardware-specific), it wouldn't hurt for the network to be ready.

Even if QC doesn't exist, an old estimate says 256-bit ECDSA is only good enough until 2040.

Security level  Symmetric  ECC  DSA/RSA  Protects to year
80              80         160  1024     2010
112             112        224  2048     2030
128             128        256  3072     2040
192             192        384  7680     2080
256             256        512  15360    2120
Table 3: Comparable key sizes

It's enough to make some people concerned in a different way, although the year estimate is based on a naive assumption.

The protection lifetimes of security levels have been extrapolated from similar NIST recommendations. The extrapolations are also loosely based on a simple assumption similar to Moore’s law: computing power will grow by a factor of about 2^16 every decade. Therefore, the minimum adequate security level must increase by 16 bits every 10 years. Future revisions of this standard may amend this.

NotATether | April 19, 2026, 08:53:19 AM | #22

Fuck this. I'll go back to the mailing list and Github and argue against it until all these ideas are withdrawn.

I have always been an opponent of disabling people's addresses. We are not Microsoft or some software company. Why should we have to 'sunset' things? This is a protocol.

Let it be the responsibility of the users to make a simple transaction to a new type of address (that doesn't even exist yet).

 
elbill | April 24, 2026, 04:23:53 PM | #23 | Merited by d5000 (5), NotATether (2)

From: https://github.com/bitcoin/bips/blob/master/bip-0361.mediawiki
Quote
This is not an offensive attack, rather, it is defensive: our thesis is that the Bitcoin ecosystem wishes to defend itself and its interests against those who would prefer to do nothing and allow a malicious actor to destroy both value and trust.

"Lost coins only make everyone else's coins worth slightly more. Think of it as a donation to everyone." - Satoshi Nakamoto

If true, the corollary is:

"Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone."

The comparison between “lost coins” and “quantum-recovered coins” is a false equivalence.

Lost coins are the result of accidents or user error. They reduce the effective supply permanently and unpredictably, which is consistent with Bitcoin’s neutral and permissionless design.

By contrast, “quantum recovered coins” do not increase Bitcoin’s total supply, they simply move coins that were already part of the supply into circulation. This is not monetary inflation; it is redistribution within the existing ruleset.

Market impact should not be overstated. Bitcoin has historically absorbed major shocks, including large scale hacks involving hundreds of thousands of BTC, during periods of far lower liquidity than today. While price volatility may occur, markets tend to reprice efficiently, and such effects are typically temporary rather than systemic.

Most importantly, Bitcoin is built on voluntary participation and individual responsibility. If quantum risk becomes real, users can choose to migrate their funds to quantum resistant schemes. Those who do not are implicitly accepting that risk just as users today accept risks related to key management.

A proposal to forcibly freeze or invalidate coins that have not migrated introduces a fundamentally different paradigm: it imposes collective control over individual property. This shifts Bitcoin away from its core principles of decentralization, neutrality, and censorship resistance, and toward a system where protocol level decisions can override ownership.

If that proposal isn't closed, we'll become SocialistCoin.

Mia Chloe | April 24, 2026, 07:58:43 PM | #24

Fuck this. I'll go back to the mailing list and Github and argue against it until all these ideas are withdrawn.
I have always been an opponent of disabling people's addresses. We are not Microsoft or some software company. Why should we have to 'sunset' things? This is a protocol.
Let it be the responsibility of the users to make a simple transaction to a new type of address (that doesn't even exist yet).
This quantum scare is literally bringing more attention than I did expect and it seems developers are also buying the bait. This argument has two sides but I guess I'll be sticking to the one strongly against this new upgrade per se. This idea of quantum recovered coins, lost coins and others I don't really buy.

I see it as against what decentralization really stands for and let's not forget every bitcoiner ought to be responsible for his own coins but this argument is saying otherwise cloaked behind advantages of the whole quantum stuff.

NotATether | April 26, 2026, 01:18:33 PM | #25

Lost coins are the result of accidents or user error. They reduce the effective supply permanently and unpredictably, which is consistent with Bitcoin’s neutral and permissionless design.

By contrast, “quantum recovered coins” do not increase Bitcoin’s total supply, they simply move coins that were already part of the supply into circulation. This is not monetary inflation; it is redistribution within the existing ruleset.

Don't forget the case where a hacker finds a bug in the implementation of "quantum recovery" or whatever it's called and exploits it to siphon legacy coins away, and either 1) developers simply do nothing or 2) they rewrite transaction history in the process of making a patch just like Litecoin developers did a few days ago, both having their own catastrophic consequences.

 
Curious T | April 27, 2026, 05:15:38 AM | #26

From my understanding, the biggest risk is for bitcoin addresses that have already sent coins in the past.
I am also not a quantum expert, but someone with unlimited money printing could invest a lot in cracking this sooner than people expect it.
I understand very little about quantum computers, so I try to read more about the topic instead of talking, but whenever I come across this topic, there is always something that is constant.
One of them is that the vulnerable addresses are the ones that have already sent bitcoin from that address. Then the second thing I see is that people are always worried about Satoshi's Bitcoin. But if Satoshi never sent Bitcoin from his known addresses, how are his addresses vulnerable?

ABCbits | April 28, 2026, 08:17:19 AM | #27

From my understanding, the biggest risk is for bitcoin addresses that have already sent coins in the past.
I am also not a quantum expert, but someone with unlimited money printing could invest a lot in cracking this sooner than people expect it.
I understand very little about quantum computers, so I try to read more about the topic instead of talking, but whenever I come across this topic, there is always something that is constant.
One of them is that the vulnerable addresses are the ones that have already sent bitcoin from that address. Then the second thing I see is that people are always worried about Satoshi's Bitcoin. But if Satoshi never sent Bitcoin from his known addresses, how are his addresses vulnerable?


It's because one analysis (called the Patoshi Pattern) says about 1 million Bitcoin were mined by Satoshi. In the past, P2PK "addresses" were used to receive mining rewards. The output is just a public key, but note that some block explorers show it incorrectly or convert the public key into a legacy address before it's shown to you.
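
Added example, not part of the post above or of BIP-361: a small classifier that tells, from the raw scriptPubKey bytes alone, whether an unspent output already carries a public key (as P2PK does) or only a hash of one. It goes beyond the P2PK case discussed in the thread by also recognising the other standard output templates; the sample outputs and the helper names are constructed for illustration.

```python
OP_CHECKSIG = 0xAC

def classify_script_pubkey(script: bytes) -> tuple[str, bool]:
    """Return (script type, True if a public key sits in the output itself)."""
    n = len(script)
    # P2PK: <push 65 or 33 bytes> <pubkey> OP_CHECKSIG
    if n in (67, 35) and script[0] == n - 2 and script[-1] == OP_CHECKSIG:
        prefix = script[1]
        if (n == 67 and prefix == 0x04) or (n == 35 and prefix in (0x02, 0x03)):
            return "P2PK", True
    # P2PKH: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and script[:3] == b"\x76\xa9\x14" and script[23:] == b"\x88\xac":
        return "P2PKH", False
    # P2SH: OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and script[:2] == b"\xa9\x14" and script[22] == 0x87:
        return "P2SH", False
    # Segwit v0: OP_0 <20-byte key hash> or OP_0 <32-byte script hash>
    if n == 22 and script[:2] == b"\x00\x14":
        return "P2WPKH", False
    if n == 34 and script[:2] == b"\x00\x20":
        return "P2WSH", False
    # Taproot: OP_1 <32-byte x-only output key>, the key itself is in the output
    if n == 34 and script[:2] == b"\x51\x20":
        return "P2TR", True
    return "nonstandard", False

def exposed_value(outputs) -> int:
    """Sum the satoshi value of outputs whose public key is visible before any spend."""
    return sum(value for value, spk in outputs if classify_script_pubkey(spk)[1])

# Constructed sample outputs: (value in satoshis, scriptPubKey). Keys/hashes are dummy zero bytes.
SAMPLE_OUTPUTS = [
    (5_000_000_000, b"\x41\x04" + bytes(64) + b"\xac"),      # early coinbase style P2PK
    (1_000_000, b"\x76\xa9\x14" + bytes(20) + b"\x88\xac"),  # P2PKH (legacy address)
    (2_000_000, b"\x00\x14" + bytes(20)),                    # P2WPKH
    (3_000_000, b"\x51\x20" + bytes(32)),                    # P2TR
]

if __name__ == "__main__":
    for value, spk in SAMPLE_OUTPUTS:
        kind, exposed = classify_script_pubkey(spk)
        print(f"{kind:8} value={value:>13} pubkey_in_output={exposed}")
    print("value with key already on-chain:", exposed_value(SAMPLE_OUTPUTS))
```

The hash-based types only reveal their public key in the spending input, which is why addresses that have already sent coins come up alongside P2PK in this thread.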

Curious T | April 28, 2026, 05:36:01 PM | #28

It's because one analysis (called the Patoshi Pattern) says about 1 million Bitcoin were mined by Satoshi. In the past, P2PK "addresses" were used to receive mining rewards. The output is just a public key, but note that some block explorers show it incorrectly or convert the public key into a legacy address before it's shown to you.
Oh, now I get why they are vulnerable. I just read up a little bit more about the P2PK addresses too. Thanks.

d5000 | May 05, 2026, 05:15:34 PM | #29

By contrast, “quantum recovered coins” do not increase Bitcoin’s total supply, they simply move coins that were already part of the supply into circulation. This is not monetary inflation; it is redistribution within the existing ruleset.
Fully agree. I would even add that we don't know if these coins aren't in circulation. They look dormant currently. But in reality Satoshi, or any other early miner, can appear at any time and sell these coins.

Thus there is no theft on every Bitcoin user (instead only on the individual users affected, who can of course take legal action). These coins are simply part of the supply and should also be considered part of the market. One could argue that a quantum thief is more eager to sell the coins than Satoshi who - if he still is alive - might prefer to hold them. But even if Satoshi never sells the coins, he still might spend them eventually, e.g. buying a house for BTC.

By the way, I got the shower thought today that BIP-361 could even be considered malware, because it can cause damage to informational assets through transmission of data, as punished by the CFAA in the US for example (see this thread about the possible legal risk of Bitcoin confiscations by developers).
