Italian Panic
April 30, 2026, 08:46:44 PM
It's still a "draft" proposal, so it can be subject to change over time. At least, we don't have to worry about the threat of Quantum computing for decades. I don't get why the rush in making BTC QC-resistant. QC is still in its infancy. If it's a "threat" to Bitcoin, it can also be a threat to the banking sector, and even government systems. Everything depends on cryptography these days.
Time will tell us whether the community will go full-speed ahead with BIP-361 or not. We'll see what happens...
For decades? United States government websites and National Security system will need to be quantum-resistant by 2035, when elliptic curve cryptography will be at high risk of quantum attacks, or at least at high risk of “harvest now, decrypt later” attacks. Probably that current systems using hash based cryptography will be replaced by systems known as dilithium (like the fictional mineral in Star Trek), which operate using a lattice scheme derived from Shamir-fiat heuristic. The real problem on legacy address (and not only for legacy address) is related to the exposition of the public key direct in the TX, and bip361 excludes the address based on bip39. The solution, maybe, will be the guarantee that only one bitcoin can be transferred per block derived by legacy address

Dogedegen
May 01, 2026, 08:47:18 PM
For decades? United States government websites and National Security system will need to be quantum-resistant by 2035, when elliptic curve cryptography will be at high risk of quantum attacks, or at least at high risk of “harvest now, decrypt later” attacks. Probably that current systems using hash based cryptography will be replaced by systems known as dilithium (like the fictional mineral in Star Trek), which operate using a lattice scheme derived from Shamir-fiat heuristic. The real problem on legacy address (and not only for legacy address) is related to the exposition of the public key direct in the TX, and bip361 excludes the address based on bip39.
None of what you have written here is true and it seems that you have used AI to help you write things that you do not understand. Bitcoin is not at risk of any "harvest now, decrypt later" attacks because there is nothing to harvest, that kind of attack applies to traditional systems. All information in the Bitcoin blockchain is publicly available at any time, you do not need to save it now you can just get it at the later point. These are not transient data points, like how you could harvest some session data and try to decrypt it later. We know which addresses are vulnerable and which are not and what makes addresses vulnerable. P2PK has all its data exposed, you can use it at any point in the future you do not need to harvest anything now and taproot addresses too. The other addresses are only vulnerable when they are reused, so harvesting a lot of public keys now and using them later when the addresses are empty is pointless too. Next it makes no sense to talk about replacing hash based cryptography, I wrote a thread where I talk about quantum computers a bit. The hash functions that are used in Bitcoin are not vulnerable to quantum computing based on the current knowledge, so the hash functions will not be replaced. The only thing that is vulnerable is ECDSA, and to mention that it will probably be replaced by lattice schemes is also incorrect. We do not know which ones will be used yet.
The solution, maybe, will be the guarantee that only one bitcoin can be transferred per block derived by legacy address
Just no, please do not use AI to write posts about these matters. There is the hourglass protocol, but it is definitely not 1 Bitcoin per block and nobody would agree to that arbitrarily low number. If you assume 2 million Bitcoin in legacy addresses after some cutoff date, then it would take 20000000 minutes to spend it which is 833333 days or 2283 years. I would facepalm if there was an icon for that here..
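
The distinction drawn in the post above (P2PK and taproot outputs carry the key on-chain, hash-based outputs reveal it only once they are spent), as an added example that is not part of the thread: a Python classifier over the standard scriptPubKey templates. The function names are hypothetical and the script bytes are constructed sample data.

```python
from typing import Optional, Tuple

# Output types whose scriptPubKey contains the public key itself.
KEY_IN_OUTPUT = {"P2PK", "P2TR"}
# Output types that commit to a hash; the key or script appears only in a spend.
HASH_IN_OUTPUT = {"P2PKH", "P2SH", "P2WPKH", "P2WSH"}


def script_type(spk: bytes) -> str:
    """Match a scriptPubKey against the standard templates."""
    n = len(spk)
    # <33- or 65-byte pubkey> OP_CHECKSIG
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == 0xAC:
        return "P2PK"
    # OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[23:] == b"\x88\xac":
        return "P2PKH"
    # OP_HASH160 <20-byte hash> OP_EQUAL
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[22:] == b"\x87":
        return "P2SH"
    # OP_0 <20-byte hash> and OP_0 <32-byte hash>
    if n == 22 and spk[:2] == b"\x00\x14":
        return "P2WPKH"
    if n == 34 and spk[:2] == b"\x00\x20":
        return "P2WSH"
    # OP_1 <32-byte x-only output key>
    if n == 34 and spk[:2] == b"\x51\x20":
        return "P2TR"
    return "unknown"


def pubkey_exposed(spk_hex: str, spent_from_before: bool = False) -> Tuple[str, Optional[bool]]:
    """Return (type, exposed); exposed is None when the script is not recognised."""
    kind = script_type(bytes.fromhex(spk_hex))
    if kind in KEY_IN_OUTPUT:
        return kind, True
    if kind in HASH_IN_OUTPUT:
        # An earlier spend from the same address published the key on-chain.
        return kind, spent_from_before
    return kind, None


# Constructed sample scripts (filler bytes, not real keys or hashes).
SAMPLES = [
    ("21" + "02" + "11" * 32 + "ac", False),
    ("76a914" + "22" * 20 + "88ac", False),
    ("76a914" + "22" * 20 + "88ac", True),   # same address, reused
    ("0014" + "22" * 20, False),
    ("5120" + "33" * 32, False),
]

if __name__ == "__main__":
    for spk_hex, reused in SAMPLES:
        print(pubkey_exposed(spk_hex, reused), spk_hex[:12] + "...")
```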

Luzin
May 02, 2026, 03:41:46 PM
Time will tell us whether the community will go full-speed ahead with BIP-361 or not. We'll see what happens...
Yes, of course, it seems that a long process is still needed, but at least we hope developers can anticipate this problem. I am sure this technology will emerge someday, so making anticipations is the best step. At least until now, there are 2 proposals that have been made: BIP 360 and BIP 361. From these two proposals, all have obvious weaknesses, none have been able to provide a perfect solution. Even so, in the end, we should remain calm because this technology will continue to develop, and I am sure developers will also anticipate this problem. So it seems they should be able to grow together. Maybe there are some parts that are exploited by bad actors, but I see there is always a solution in the end.

Dogedegen
May 02, 2026, 06:49:09 PM
Time will tell us whether the community will go full-speed ahead with BIP-361 or not. We'll see what happens...
Yes, of course, it seems that a long process is still needed, but at least we hope developers can anticipate this problem. I am sure this technology will emerge someday, so making anticipations is the best step. At least until now, there are 2 proposals that have been made: BIP 360 and BIP 361. From these two proposals, all have obvious weaknesses, none have been able to provide a perfect solution. Even so, in the end, we should remain calm because this technology will continue to develop, and I am sure developers will also anticipate this problem. So it seems they should be able to grow together. Maybe there are some parts that are exploited by bad actors, but I see there is always a solution in the end.
The problem is not about anticipating something or not. If you use the search history on this forum you can find quantum computing concerns that are 10 years old, maybe even during the time satoshi was here. I think that there were some, but I am not sure if my memory is tricking me. That would mean that people have already speculated on the possibility of this attack vector for 15 years in direct relation to Bitcoin. What you should understand also is that mostly researchers are dealing with these problems and not people who just develop software, the developers will be the ones coding the implementation of the solution or verifying it. Now just because we can anticipate a problem that does not mean that we can solve it, or that we can solve it in a way that does not come with many negatives. The issues that come from quantum computers based on the current knowledge are clear. We know what is coming, we don't know when it is coming. Aside from some surprises like someone figuring out some new breakthrough where quantum computers can solve things that we thought they couldn't, the road ahead is clear. The problem is that knowing all of this does not change anything at all, we are at the same problem of the question what to do.
Users who are active will change to quantum safe signatures as soon as they are available, I don't doubt that. This leaves the question of old coins that have their public key exposed and the only solutions are freezing or confiscating them and not doing anything at all. Both paths have their own downsides in a way that they don't even seem like good solutions, some will be in one camp and some other people in the other. I am personally against freezing or confiscating. I would leave things like they are and just add some strict but reasonable hourglass limit for legacy coins. With that old holders would not be locked out, and attackers could not flood the market with coins but would have to slowly introduce them back. I think it would be the solution with the least tradeoffs. Read my thread https://bitcointalk.org/index.php?topic=5559777.

NotATether
May 03, 2026, 08:03:16 AM
It is interesting to see if old legacy coins and other legacy products will need peeling.
Not sure about it passing time will tell.
I do feel better about not having any rare older pieces that I will now need to dump.
In my opinion, any BIP that requires the collectible community to destroy their coins is very poor and misguided. I do not think the legacy coins would be locked up. Too many people will think their BTC was burned.

SeriouslyGiveaway
May 03, 2026, 08:53:14 AM
In my opinion, any BIP that requires the collectible community to destroy their coins is very poor and misguided.
I do not think the legacy coins would be locked up. Too many people will think their BTC was burned.
They can sweep their coins to new wallets and their coins won't be destroyed, but their collectibles will be destroyed entirely or lose most of their value. I am really against any centralized enforcement like confiscating, freezing or burning bitcoins stored in any wallet, for any reason. Risk of quantum computers, ok let's build a BIP and upgrade the Bitcoin protocol. Those who want to migrate their bitcoins to a new BIP have the freedom to do that, and other people who don't want to do that can stay with the Legacy addresses. They are responsible for their coins, and they have the freedom to do anything they want with their coins and collectibles.

Abiky (OP)
May 07, 2026, 02:03:22 AM
They can sweep their coins to new wallets and their coins won't be destroyed, but their collectibles will be destroyed entirely or lose most of their value.
I am really against any centralized enforcement like confiscating, freezing or burning bitcoins stored in any wallet, for any reason. Risk of quantum computers, ok let's build a BIP and upgrade the Bitcoin protocol. Those who want to migrate their bitcoins to a new BIP have the freedom to do that, and other people who don't want to do that can stay with the Legacy addresses. They are responsible for their coins, and they have the freedom to do anything they want with their coins and collectibles.
If the community learns of the hidden intentions behind the upgrade, they will outright reject it. I'm sure of that. You can see how the community rejected bigger block sizes in the past. Because they thought it would make Bitcoin less-decentralized over the long term. It's what led us to the "block size wars". Eventually, Bitcoin split into two cryptocurrencies, leaving us with BTC and the spinoff chain, BCH. I believe history will repeat itself if developers continue to push with the implementation of BIP-361. For now, the proposal remains a draft. We'll see what happens...

Dogedegen
May 12, 2026, 05:00:18 PM
It is interesting to see if old legacy coins and other legacy products will need peeling.
Not sure about it passing time will tell.
I do feel better about not having any rare older pieces that I will now need to dump.
In my opinion, any BIP that requires the collectible community to destroy their coins is very poor and misguided. I do not think the legacy coins would be locked up. Too many people will think their BTC was burned.
If there is a recovery mechanism then legacy coins or legacy products will not need peeling, because in most cases the products used P2PKH addresses and not P2PK so the only remainder would be P2PK addresses with coins on them. But any such proposal without a guaranteed recovery mechanism for legacy P2PKH is doomed in inception, and even those that have a recovery mechanism are hard to swallow. These days there is no acceptable reason to use P2PK addresses or still keep those, and I would gladly accept getting rid of those but there is no way to do it without freezing coins. Many of those keys are probably lost but we can't be sure, other people may keep some keys with balances for any weird reason. We are creating technical debt for no good benefit here and this is what happens when you have a system where people can do whatever they want which is rarely a good thing, but Bitcoin could not exist were it not such a system.
I think that Lopp or anyone else will have an extremely hard time convincing people to go with this path. He can certainly try, and I do not mind it that much as long as he does not become very toxic or damaging to Bitcoin like Luke-jr became recently. Discourse and advocating for ideas that you believe are right is good. Becoming toxic and harmful when you are not getting your way is terrible and we should never tolerate people like that. In the end my personal view is that any such proposal has a very low likelihood of passing, less than 5 percent.

Abiky (OP)
May 14, 2026, 01:48:02 AM
If there is a recovery mechanism then legacy coins or legacy products will not need peeling, because in most cases the products used P2PKH addresses and not P2PK so the only remainder would be P2PK addresses with coins on them. But any such proposal without a guaranteed recovery mechanism for legacy P2PKH is doomed in inception, and even those that have a recovery mechanism are hard to swallow. These days there is no acceptable reason to use P2PK addresses or still keep those, and I would gladly accept getting rid of those but there is no way to do it without freezing coins. Many of those keys are probably lost but we can't be sure, other people may keep some keys with balances for any weird reason. We are creating technical debt for no good benefit here and this is what happens when you have a system where people can do whatever they want which is rarely a good thing, but Bitcoin could not exist were it not such a system.
I think that Lopp or anyone else will have an extremely hard time convincing people to go with this path. He can certainly try, and I do not mind it that much as long as he does not become very toxic or damaging to Bitcoin like Luke-jr became recently. Discourse and advocating for ideas that you believe are right is good. Becoming toxic and harmful when you are not getting your way is terrible and we should never tolerate people like that. In the end my personal view is that any such proposal has a very low likelihood of passing, less than 5 percent.
They should consider physical Bitcoin collectibles, especially those in a slab. Because if moving coins becomes mandatory, collectors will be forced to break the slab to peel off the coin. Not only does this affect the grading, but it also lowers the value of the collectible itself. The new BIP should allow room for anyone to decide what to do with his/her Bitcoin. If you don't protect your coins, you'd be at risk of getting "quantum hacked". The choice is yours. But forcing to move will make Bitcoin no different than an ordinary banking system. For now, the threat of Quantum Computers is low. They aren't even mainstream yet. It's going to take decades before they'll be able to threaten Bitcoin. I'd just sit back and relax.

ABCbits
May 14, 2026, 08:04:53 AM
If there is a recovery mechanism then legacy coins or legacy products will not need peeling, because in most cases the products used P2PKH addresses and not P2PK so the only remainder would be P2PK addresses with coins on them. But any such proposal without a guaranteed recovery mechanism for legacy P2PKH is doomed in inception, and even those that have a recovery mechanism are hard to swallow. --snip--
Even if such a guarantee exists, people still need to use a wallet that can perform the recovery mechanism. It introduces some issues, since
1. People need to import their private key or recovery words to another wallet.
2. There's a risk people accidentally download a fake/malicious wallet.
3. Average people probably find the whole process isn't intuitive or easy enough.

Dogedegen
May 14, 2026, 11:25:10 PM
If there is a recovery mechanism then legacy coins or legacy products will not need peeling, because in most cases the products used P2PKH addresses and not P2PK so the only remainder would be P2PK addresses with coins on them. But any such proposal without a guaranteed recovery mechanism for legacy P2PKH is doomed in inception, and even those that have a recovery mechanism are hard to swallow. --snip--
Even if such a guarantee exists, people still need to use a wallet that can perform the recovery mechanism. It introduces some issues, since
1. People need to import their private key or recovery words to another wallet.
2. There's a risk people accidentally download a fake/malicious wallet.
3. Average people probably find the whole process isn't intuitive or easy enough.
But if a recovery process exists then it is probably going to exist for a very long time, so why would you need to use any wallet? The coins will stay the same way as they are right now, so they will be unpeeled. Only if the recovery process is somehow time limited or something like that would the user need to peel coins like Casascius and then handle the process that you describe. But from what we know about quantum computers and hashes, I do not see how any recovery process would have to be made time limited. If it is going to come then it is going to be available for a very long time and so this type of user will not need to do anything until the day that they actually want to peel the coins, but that decision is not related to this case. The only change would be in the redemption process, but overall people redeem using the wallets that they want and trust. There are no specific wallets you have to use. The risk that you describe will happen that is for sure, but it is more in cases where people will need to do this for some reason. Someone might want to migrate to a quantum signature scheme but has failed to do so in time, then they would have to go through that process. I do not understand why you write other wallet though. If this does become a thing, I expect Core and all main wallets to support it. There is no situation where the network has adopted this BIP but that Core has not implemented the recovery mechanism. Can you explain? Do you think such a scenario is possible, that only some custom wallet has support for recovery but the BIP is accepted by the network and Bitcoin Core?