Author Topic: Bitcoin’s Post-Quantum Problem Isn't Just Math  (Read 98 times)
Antidote47k (OP)
June 26, 2026, 10:06:50 PM
 #1

Most conversations about Bitcoin and quantum computing focus on the exact same thing: When will a quantum computer break our current signature scheme?

But a recent working paper on Delving Bitcoin shifts the lens entirely. It argues that the cryptography is actually the straightforward part—the real mess lies in the economics of the migration itself.

Think about it: even if Bitcoin adopts flawless, quantum-resistant signatures tomorrow, the code change alone doesn't secure the network. Millions of independent users have to manually move their coins to addresses secured by the new scheme. In a completely decentralized system, you can’t just force a synchronized update.

Instead, you get a chaotic mix of timelines. You’ll have early adopters upgrading immediately, laggards waiting until the last minute, and massive custodians or exchanges managing complex migrations. Then there are the inactive wallets and millions of genuinely lost coins that can't move, leaving a massive honeypot of vulnerable targets on the old chain.
That’s the real coordination nightmare. The success of a post-quantum transition doesn't just rely on math; it relies on game theory. How do you design incentives that convince enough of the network to migrate in time, without compromising Bitcoin's core principles of immutability and opt-in consensus?
The technical threat gets all the headlines, but the economic migration is the real final boss. That's the part that actually deserves our attention.

Source: https://delvingbitcoin.org/t/quantum-sunset-economics-a-working-paper-analyzing-pact-adoption/2645
PrivacyG
June 26, 2026, 10:57:53 PM
 #2

You know what.  We have seen SO many shit coins migrate years or even months apart and I have not seen articles about how bad it is.  Everyone was in fact excited to see their favorite shit coin 'gain more value'.

The Bitcoin community is trying to figure out a way around Quantum.  This is completely different and whether it is going to be a difficult way around it or not, it has to happen or Bitcoin will at some point die.  Shit coins die from people losing interest, Bitcoin would die defeated by Quantum.  Compare these two!

It is one of the probably few if not the only threat I would not mind a 'migration' at all.  In fact.  It is not even a migration as we know it.  Migrating from Legacy to SegWit or from current Addresses to post Quantum ones is not a headache.  Migrating to another chain, to 'the newest fork' et cetera is.  Bitcoin is avoiding future problems and when we will have the solution against Quantum, we will still be at a decent distance from an actual Quantum threat which means people, exchanges, everyone have time to decide whether to risk or not to.  Which is fair in my opinion.

 
stompix
June 26, 2026, 11:17:28 PM
Merited by ABCbits (1)
 #3

> Think about it: even if Bitcoin adopts flawless, quantum-resistant signatures tomorrow, the code change alone doesn't secure the network. Millions of independent users have to manually move their coins to addresses secured by the new scheme. In a completely decentralized system, you can’t just force a synchronized update.

I don't see any problem whatsoever!
The author is making a zeroburger from a nothingburger!

We already had this kind of migration with SegWit addresses, this would be no different.
You want to protect your coins, so you move them to a new wallet, that's all, exchanges have been doing this for ages already, just as they offer a hundred options for your coins they can simply add a new type of address for post-quantum BTC.

The only actual problem is the migration time, it would require anywhere from 50 to 200 days of chain capacity for all the addresses with somewhat of a balance to migrate to a new one.

> Then there are the inactive wallets and millions of genuinely lost coins that can't move, leaving a massive honeypot of vulnerable targets on the old chain.

I fail to see how this is a problem!

CryptoYar
Today at 07:19:53 AM
 #4

It is a much more sensible presentation of quantum doom than it is in typical media reports. Breaking secret coding is a well-defined technical challenge that smart people are working on. Moving coordination is more messy due to the fact that it includes human behaviour on a large scale. The lost coins problem is of special interest. There are more than a million Bitcoin that have been locked in Satoshi's wallet and will never ever get moved. Those coins lying on the unprotected old system in the change period are a real target for attackers, which no good secret coding can resolve.

It is the game theory part of this that makes it truly challenging. In a decentralized system no one can be forced to move. The only rewards you can give so that sensible actors will want to move are rewards strong enough that they will want to move. The real challenge with these rewards is to create them without weakening Bitcoin's basic features. The technical threat is discussed since it is more easily explained. But the change would be successful or unsuccessful depending on the economic coordination problem.

ABCbits
Today at 08:54:55 AM
 #5

> But a recent working paper on Delving Bitcoin shifts the lens entirely. It argues that the cryptography is actually the straightforward part—the real mess lies in the economics of the migration itself.

I can't read the paper yet since SSRN blocks my IP. But choosing and implementing cryptography is far from straightforward. Each cryptography has different trade-offs, while some security bugs happen due to bugged software implementation.

> We already had this kind of migration with SegWit addresses, this would be no different.
> The only actual problem is the migration time, it would require anywhere from 50 to 200 days of chain capacity for all the addresses with somewhat of a balance to migrate to a new one.

FWIW, I expect the chosen QC-resistant cryptography will have a bigger size for the public key, signature or both. So without also increasing the maximum block size, the estimated time for migration would be more days.

stompix
Today at 10:01:45 AM
 #6

> ~
> FWIW, I expect the chosen QC-resistant cryptography will have a bigger size for the public key, signature or both. So without also increasing the maximum block size, the estimated time for migration would be more days.

Well, in theory, we could have a gentleman's agreement and deal with this without fees reaching $100 again, especially since the migration itself won't be that much bigger in size with standard inputs, so we could prepare for this:
- exchanges consolidating their inputs prior to the deployment, so they don't need to immediately use the funds in QC-resistant addresses
- users pausing their spending habits for a while
- people with addresses not under imminent threat, with no spent inputs in their address, not rushing to be the first ones to move
- and so on

But of course, since well, block size is a no-go anyhow and will never be, the most important thing will be to have this available way before any sign of an actual threat!

Luzin
Today at 12:00:49 PM
 #7

And this is why the current BIP proposal is still a topic of debate and controversy. Because reaching a consensus together on the best decision against the Quantum threat is really difficult. I’m following its development, but there’s always a weakness behind any anti-quantum invention idea. I hope there will be the best solution soon so users won’t feel worried because this situation is bad news, and it could make investors walk away. IMO

Satofan44
Today at 04:38:59 PM
 #8

> Instead, you get a chaotic mix of timelines. You’ll have early adopters upgrading immediately, laggards waiting until the last minute, and massive custodians or exchanges managing complex migrations. Then there are the inactive wallets and millions of genuinely lost coins that can't move, leaving a massive honeypot of vulnerable targets on the old chain.
> That’s the real coordination nightmare. The success of a post-quantum transition doesn't just rely on math; it relies on game theory. How do you design incentives that convince enough of the network to migrate in time, without compromising Bitcoin's core principles of immutability and opt-in consensus?
> The technical threat gets all the headlines, but the economic migration is the real final boss. That's the part that actually deserves our attention.

Fuck off with more fearmongering, this doesn't matter at all. There is no nightmare, there is no chaos, there is nothing at all. People are responsible for their own coins and they have the freedom to decide what they want to do. If they do not update in time and their coins get compromised it is only their own fault and the network couldn't care less at all about it. This is a terrible post by a user who does not even understand the basics of Bitcoin, it seems like an attempt to farm merit by users that may give merit for technical posts.

> Well, in theory, we could have a gentleman's agreement and deal with this without fees reaching $100 again, especially since the migration itself won't be that much bigger in size with standard inputs, so we could prepare for this:
> - exchanges consolidating their inputs prior to the deployment, so they don't need to immediately use the funds in QC-resistant addresses
> - users pausing their spending habits for a while
> - people with addresses not under imminent threat, with no spent inputs in their address, not rushing to be the first ones to move
> - and so on

While your examples are good, this only helps if the size is only somewhat larger. If you have keys that are 5 or 10 times larger, it does not solve the issue at all. Still, why would anyone care about any of this? It could only become an issue if there is a very time sensitive urgency of migration, in all other cases it does not matter at all. Here is an example with random numbers to illustrate a point: Let's say that we get quantum resistant addresses in 2027, and the first working quantum computer in 2030. There will be a full 3 years worth of time to migrate to this new scheme, there is no urgency and there is no rush. There may be a very big and long queue of migration, but simply wait your turn and it will pass.

Any kind of panicking and rushing will lead to errors, overpaying and unnecessary drama and chaos. Also remember, the size of outputs is not the same as the size of inputs so the real issue of capacity does not start during the migration -- it starts after the migration, once users are using these addresses. Creating outputs that are quantum-resistant is much cheaper than spending them in many post-quantum schemes. So you have the transient time of migration, and later you could have a severely reduced TPS depending on the exact scheme that is adopted.

> But of course, since well, block size is a no-go anyhow and will never be, the most important thing will be to have this available way before any sign of an actual threat!

This is not true and should not be true. As technology radically improves and develops, reducing transaction capacity is just moronic regardless of what virtuous reason you want to do it for, and a reduction in capacity is basically going to happen with any scheme that is adopted.
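
Added example, not part of any post in this thread: a rough block-space model for the capacity points raised above (migration time, larger keys and signatures, cheap outputs versus expensive spends). The witness placement of post-quantum data, the 43-byte output and the sample UTXO count are assumptions made here; the ML-DSA-44 and SLH-DSA-128s sizes are the FIPS 204 and FIPS 205 figures.

```python
# Added illustration (not from the thread): block space used by a one-input,
# one-output transaction under different signature schemes.
from math import ceil

MAX_BLOCK_WEIGHT = 4_000_000  # consensus limit in weight units (BIP 141)
BLOCKS_PER_DAY = 144          # 10-minute target spacing
TX_OVERHEAD_WU = 42           # version, counts, locktime (x4) + segwit marker/flag
OUTPUT_WU = 43 * 4            # ASSUMPTION: PQ output is a 32-byte commitment, like P2TR

# (signature bytes, public key bytes) revealed in the witness when spending.
SCHEMES = {
    "ecdsa-p2wpkh": (72, 33),    # today's native SegWit spend
    "ml-dsa-44": (2420, 1312),   # FIPS 204 parameter set
    "slh-dsa-128s": (7856, 32),  # FIPS 205 parameter set
}

def _compact_size(n):
    """Length of Bitcoin's CompactSize prefix for an n-byte item (n <= 0xffff)."""
    return 1 if n < 253 else 3

def input_weight(scheme):
    """Weight units for one input. ASSUMPTION: PQ data sits in the witness at 1 WU/byte."""
    sig, pub = SCHEMES[scheme]
    witness = 1 + sum(_compact_size(n) + n for n in (sig, pub))
    return 41 * 4 + witness  # outpoint + empty scriptSig + sequence count 4 WU/byte

def txs_per_block(spend_scheme):
    """1-in/1-out transactions that fit in a block (coinbase ignored)."""
    return MAX_BLOCK_WEIGHT // (TX_OVERHEAD_WU + input_weight(spend_scheme) + OUTPUT_WU)

def days_to_clear(n_utxos, spend_scheme):
    """Days of full blocks needed to spend n_utxos, one input per transaction."""
    return ceil(n_utxos / txs_per_block(spend_scheme)) / BLOCKS_PER_DAY

if __name__ == "__main__":
    SAMPLE_UTXOS = 50_000_000  # constructed figure, not a measurement
    for name in SCHEMES:
        print(f"{name:14} input={input_weight(name):5} WU  "
              f"tx/block={txs_per_block(name):5}  "
              f"days={days_to_clear(SAMPLE_UTXOS, name):8.1f}")
```

The `ecdsa-p2wpkh` row models the migration itself (old inputs spent into new outputs); the other rows model spending from post-quantum addresses afterwards, where the input, not the output, carries the large key and signature.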
