Bitcoin’s Post-Quantum Problem Isn't Just Math

[Antidote47k]

Most conversations about Bitcoin and quantum computing focus on the exact same thing: When will a quantum computer break our current signature scheme?

But a recent working paper on Delving Bitcoin shifts the lens entirely. It argues that the cryptography is actually the straightforward part—the real mess lies in the economics of the migration itself.

Think about it: even if Bitcoin adopts flawless, quantum-resistant signatures tomorrow, the code change alone doesn't secure the network. Millions of independent users have to manually move their coins to addresses secured by the new scheme. In a completely decentralized system, you can’t just force a synchronized update.

Instead, you get a chaotic mix of timelines. You’ll have early adopters upgrading immediately, laggards waiting until the last minute, and massive custodians or exchanges managing complex migrations. Then there are the inactive wallets and millions of genuinely lost coins that can't move, leaving a massive honeypot of vulnerable targets on the old chain.
That’s the real coordination nightmare. The success of a post-quantum transition doesn't just rely on math; it relies on game theory. How do you design incentives that convince enough of the network to migrate in time, without compromising Bitcoin's core principles of immutability and opt-in consensus?
The technical threat gets all the headlines, but the economic migration is the real final boss. That's the part that actually deserves our attention

Source: https://delvingbitcoin.org/t/quantum-sunset-economics-a-working-paper-analyzing-pact-adoption/2645

[PrivacyG]

You know what.  We have seen SO many shit coins migrate years or even months apart and I have not seen articles about how bad it is.  Everyone was in fact excited to see their favorite shit coin 'gain more value'.

The Bitcoin community is trying to figure out a way around Quantum.  This is completely different and whether it is going to be a difficult way around it or not, it has to happen or Bitcoin will at some point die.  Shit coins die from people losing interest, Bitcoin would die defeated by Quantum.  Compare these two!

It is one of the probably few if not the only threat I would not mind a 'migration' at all.  In fact.  It is not even a migration as we know it.  Migrating from Legacy to SegWit or from current Addresses to post Quantum ones is not a head ache.  Migrating to another chain, to 'the newest fork' et cetera is.  Bitcoin is avoiding future problems and when we will have the solution against Quantum, we will still be at a decent distance from an actual Quantum threat which means people, exchanges, everyone have time to decide whether to risk or not to.  Which is fair in my opinion.

[stompix]

Think about it: even if Bitcoin adopts flawless, quantum-resistant signatures tomorrow, the code change alone doesn't secure the network. Millions of independent users have to manually move their coins to addresses secured by the new scheme. In a completely decentralized system, you can’t just force a synchronized update.

I don't see any problem whatsoever!
The author is making a zeroburger from a nothingburger!

We already had this kind of migration with SegWit addresses, this would be no different.
You want to protect your coins, so you move them to a new wallet, that's all, exchanges have been doing this for ages already, just as they offer a hundred options for your coins they can simply add a new type of address for post-quantum BTC.

The only actual problem is the migration time, it would require anywhere from 50 to 200 days of chain capacity for all the addresses with somewhat of a balance to migrate to a new one.

Then there are the inactive wallets and millions of genuinely lost coins that can't move, leaving a massive honeypot of vulnerable targets on the old chain.

I fail to see how this is a problem!

[CryptoYar]

It is much more sensible presentation of quantum doom than it is in typical media reports. Breaking secret coding is well defined technical challenge that smart people are working on. Moving coordination is more messy due to fact it includes human behaviour on large scale. Lost coins problem is of special interest. There are more than a million Bitcoin that have been locked in Satoshi wallet and will never ever get moved. Those coins laying on unprotected old system in change period is real target for attackers which no good secret coding can resolve.

It is game theory part with this that makes it truly challenging. In decentralized system no one can be forced to move. Only rewards you can give that sensible actors will want to move are rewards strong enough that they will want to move. Real challenge with these rewards is to create them without weakening Bitcoin basic features. The technical threat is discussed since it is more easily explained. But change would be successful or unsuccessful, depending on economic coordination problem.

[ABCbits]

But a recent working paper on Delving Bitcoin shifts the lens entirely. It argues that the cryptography is actually the straightforward part—the real mess lies in the economics of the migration itself.

I can't read the paper yet since SSRN block my IP. But choosing and implementation cryptography is far from straightforward. Each cryptography have different trade-off, while some security bug happen due to bugged software implementation.

We already had this kind of migration with SegWit addresses, this would be no different.

The only actual problem is the migration time, it would require anywhere from 50 to 200 days of chain capacity for all the addresses with somewhat of a balance to migrate to a new one.

FWIW, i expect chosen QC-resistant cryptography will have bigger size for public key, signature or both. So without also increase maximum block size, estimated days for migration would take more days.

[stompix]

~
FWIW, i expect chosen QC-resistant cryptography will have bigger size for public key, signature or both. So without also increase maximum block size, estimated days for migration would take more days.

Well, in theory, we could have a gentleman's agreement and deal with this without fees reaching $100 again, especially since the migration itself won't be that much bigger in size with standard inputs, so we could prepare for this
- exchanges consolidating their inputs prior to the deployment, so they don't need to immediately use the funds in QC-resistant addresses
- users pausing their spending habits for a while
- people with addresses not under imminent threat, with no spent inputs in their address, not rushing to be the first ones to move
- and so on

But of course, since well, block size is a no-go anyhow and will never be, the most important thing will be to have this available way before any sign of an actual threat!

[Luzin]

And this is why the current BIP proposal is still a topic of debate and controversy. Because reaching a consensus together on the best decision against the Quantum threat is really difficult. I’m following its development, but there’s always a weakness behind any anti-quantum invention idea. I hope there will be the best solution soon so users won’t feel worried because this situation is bad news, and it could make investors walk away. IMO