glerk 15 hours ago

One thing that is not addressed: say this quantum attack happens tomorrow and everyone agrees it was an attack, what would prevent the community (miners, node operators, and users) from hard forking the chain at a snapshot before the attack, patching the protocol, and calling that Bitcoin? There would be loss of value of course, but it is not unrecoverable.

It’s worth remembering that Ethereum forked for much less (not even a bug in the protocol, but a bug in a private application running on the protocol) and nobody seems too upset about it a decade later.

  • Retr0id 15 hours ago

    A hard fork implies a difference in consensus rules, and what do you propose that difference be?

    Existing wallets need to actively commit to some PQ signature mechanism, prior to Q-day.

    • glerk 15 hours ago

      Even if Q-day means there is a way to deterministically retrieve any private key from a public key (is that what it means? or is the blast radius of q-day contained? This is a bit above my level of cryptography), I’m sure we could come up with something to minimize the damage. In the worst case, it might involve a claim process with an authority or consensus mechanism to prove who the rightful owner of the funds is and revert the unauthorized transactions on the new chain.

      Yes, this is not ideal! But if the wallet conversion requires active participation, preemptive measures are also not ideal.

      • Retr0id 14 hours ago

        > Q-day means there is a way to deterministically retrieve any private key from a public key

        That's exactly what it means. (Note also that under ECDSA you can retrieve a public key from a valid signature).

        How do you prove anything, after the key material is compromised?

      • glerk 14 hours ago

        > How do you prove anything, after the key material is compromised?

        It’s a blockchain, so the simplest would be chain of custody until the chain points undeniably at you. This is not a pure cryptographic device, some social intervention might be needed here.

  • wmf 15 hours ago

    In theory nothing prevents that but it would be so contentious that the backlash (e.g. 90% drawdown) may be even worse than just letting the hacks stand.

    • glerk 14 hours ago

      Letting the hack stand means the chain comes to a halt and all value is destroyed? Even if you’re a staunch bitcoin purist, I don’t think that’s the path you want to go on.

      • wmf 14 hours ago

        The chain wouldn't halt because mining won't be affected by quantum. If you see hacks happening you could race to move your coins into a PQ wallet before the hackers do. I'm assuming that PQ software will be available before the hacks. I agree that this is a very bad scenario.

    • pants2 14 hours ago

      The Bitcoin “value overflow incident” on August 15, 2010 is probably the closest thing and that didn't affect the price much (though one BTC was around 8c at the time)

      • weakened_malloc 10 hours ago

        This time you'll have hundreds of billions of BTC that will be hacked by someone who will probably instantly unload it. In that scenario it's hard to see the price of it not dropping >90%, so you'd have to think people would prefer a roll back.

That said, I don't know how you could even do a roll back; you're not rolling back to a 'safe' state, since the keys aren't safe at that point.

        • pants2 10 hours ago

          Very good point on the roll-back.

          However in terms of the hack, Bitcoin is slow - most exchanges require a few confirmations so it's 30+ minutes to land a deposit in Coinbase/Binance at minimum, and a transfer that huge would instantly set off alarms. Seems unlikely that they would be able to unload that much.

          • wmf 8 hours ago

            Coinbase would definitely go into buy-only mode during a major crash but that just means people would scream while they watch futures/perps go to zero.

            "If you're first out the door, that's not called panicking."

  • tuckwat 14 hours ago

    BTC thrives on hype and hope that others will buy in. A successful quantum attack would obliterate the value and future value.

  • block_dagger 14 hours ago

    I'd argue there may be an increase in value over time if the community handles the fork well.

    • avazhi 9 hours ago

      And you’d get laughed at for that argument.

  • EthanHeilman 14 hours ago

    > fork the chain at a snapshot before the attack, patch the protocol, and call that Bitcoin?

It won't work. The only way to authenticate who owns what coins is with signatures. If the signature algorithm is broken, you can't tell who the original owner is to move the coins to a safe signature algorithm.

You need to move to a safer signature algorithm before the break; after the break it is game over.

    > It’s worth remembering that Ethereum forked for much less

    Ethereum could simply return the coins to the original owners. If the signature scheme is insecure, returning the coins just means the attacker can steal them again.

    • glerk 12 hours ago

      > The only way to authenticate who owns what coins is with signatures

      Maybe the only fully cryptographic absolutely zero-trust way? In practice there are very few bitcoin outputs that aren't linked to an offline identity and most users could easily produce a proof of ownership.

      Of course, this is not ideal and everyone would prefer not to go down that route. But even if we prepare in time and Bitcoin provides a quantum-secure address scheme before "Q-day", what happens to all the wallets that didn't upgrade? Is it open season on them? Satoshi's wallet alone could crash Bitcoin's value as a currency if dumped on the open market. I think even with the upgrade plan in place, a hard-fork + recovery will be on the menu, with various degrees of community support.

      • EthanHeilman 10 hours ago

        > In practice there are very few bitcoin outputs that aren't linked to an offline identity and most users could easily produce a proof of ownership.

And who is going to be in charge of reading that proof of identity and moving the coins? A trusted centralized party? The point of Bitcoin is to avoid exactly that sort of trust relationship, otherwise use the banking system.

        > Satoshi's wallet alone could crash Bitcoin's value as a currency if dumped on the open market.

        No one knows, but the incentives are aligned with a softfork to burn Satoshi's coins.

        • glerk 8 hours ago

> And who is going to be in charge of reading that proof of identity and moving the coins? A trusted centralized party?

          Basically you'd have to relax the trust/decentralization guarantees, but you don't have to relax them all the way. Most likely a consortium of trusted actors (Blockstream, major miners, major exchanges, bitcoin-adjacent companies,...). Or something like a consensus mechanism with aligned incentives a la Kleros. I think "we" could come up with "something", even if it is not perfect, because the value of Bitcoin is ultimately in the community of people who use Bitcoin, not just the protocol.

          "Hard-fork" might not be the right way to see this. It's more like starting a completely new protocol where people who held Bitcoin at a certain snapshot can redeem a one-time airdrop equivalent to the value they held, provided they can prove ownership. As that protocol's value overtakes the value of the original Bitcoin chain (which will eventually be completely dead), we can all agree to call it Bitcoin.

        • realharo 4 hours ago

> The point of Bitcoin is to avoid exactly that sort of trust relationship, otherwise use the banking system.

          Most participants don't care about this. For almost everyone, the point of Bitcoin is to go up. As long as they can find enough buyers that also believe it will go up, the rest is optional. Especially if it's temporary, for a one-time migration.

    • realharo 4 hours ago

      In practice, what you really need is consensus. As long as enough of the important participants agree, that's how it will be.

      And since there are millions of identical copies of the entire pre-attack ledger out there, this should not be that difficult.

      Potential future buyers might reevaluate whether this whole thing has any monetary value, but that's a separate concern. Bitcoin's market value was never about the technical details.

      • rcbdev 4 hours ago

        I'm not sure you fully grasped what was said in the parent comment. It literally does not matter anymore if we can all agree on the previous blocks, it would be impossible to identify who owns which wallet anymore. The seed phrase would be useless.

        • realharo 4 hours ago

          Ah, then yeah, in that case, it'd be basically over.

          Maybe large exchanges would try to step in to make a fresh chain based on their combined account data, and just drop the people relying on self-custody. But I doubt the market would go for it - the uncertainty would crash it hard enough that it would never recover.

    • littlecranky67 2 hours ago

You have to consider the network-level forwarding, not only the crypto. The node runners could roll out a new version that uses whatever heuristics to identify transactions that are likely from an attacker. If transactions aren't forwarded, they don't end up in the mempool and thus not in the blockchain. And yes, then the attacker might try to manipulate those heuristics and filters etc. It would become a cat-and-mouse game, but as long as the "good guys" act faster than the attack adapts, there is a good chance a big number of coins can be secured. It is not an all-or-nothing game.

      • nehan 1 hour ago

        The point is you can't distinguish transactions that are from an "attacker" when the underlying signature scheme is broken. The Bitcoin P2P network has some metrics to disconnect from nodes that might be trying to DoS you, but if a transaction has enough fees, is spending unspent coins, and has a valid signature, it's valid.

    • throw0101d 48 minutes ago

> It won't work. The only way to authenticate who owns what coins is with signatures. If the signature algorithm is broken, you can't tell who the original owner is to move the coins to a safe signature algorithm.

If you publish/take a snapshot of the ledger at (say) 23:59 UTC every day, and publish it with a SHA2/3 hash, people will know what the state of ownership was at that time. Then if a break occurs at any later point you cannot trust any transaction afterwards, but some portion of folks can attest to their ownership.

      There will be some portion of folks that did some legitimate transactions that could come into question, but at least it's not necessarily everyone.

  • ciupicri 2 hours ago

    In my humble opinion (because I'm not a "crypto investor"), Ethereum lost all credibility with that fork. You can't trust a system/currency that changes the rules like that.

mmastrac 15 hours ago

The most likely quantum attack on Bitcoin will be a catastrophic transfer of large wallets to burn addresses along with a massive short position. No need to worry about washing stolen coins when you can just enjoy your "well timed" legal short position's windfall.

  • Jerrrrrrrry 15 hours ago

    Interesting, considering the extra liability / (stability) volatility that bitcoin options provide when making ROI and hashrate calculations, this can be a triple threat.

Like publicly destroying ivory/poppy stockpiles while simultaneously holding puts/futures on correlating pharmaceutical financial instruments.

  • nehan 15 hours ago

    two things:

1) Short markets in Bitcoin don't have unlimited depth, and the centralized ones are KYC'd so there's some risk there

    2) What if it doesn't tank the price? One thing people have suggested is just burning all the vulnerable coins[1]; it reduces supply so maybe the price will... go up? The point is there's uncertainty.

    [1] https://x.com/lostbutlucky/status/2040878873731080681

    • dodobirdlord 10 hours ago

      What risk are you envisioning in #1?

      • nehan 1 hour ago

        Sorry I wasn't clear there. Because most of the short-depth is controlled by centralized exchanges, there's a risk you won't be able to actualize your short (withdraw, either in crypto or to a bank account), even if it's successful -- they could just block you from withdrawing and/or report you for fraud.

    • tshaddox 8 hours ago

      I’m pretty sure the hope isn’t that burning some coins tanks the price. The point is that publicly demonstrating that you can crack wallet keys is what tanks the price.

    • hananova 4 hours ago

      I don't see how 1 is any issue at all. Using a computer to make the intended bitcoin calculations much faster than anyone else possibly can is entirely within the rules of how bitcoin works.

      It will also tank the price because by doing it, you have demonstrated you have complete control of bitcoin transfers, you can transfer bitcoins from anywhere to anywhere else at any time, and that there is no way to flag it as illegitimate because mathematically you're just providing the correct numbers.

  • le-mark 13 hours ago

    This would be the case if many people get the quantum “crack” at the same time. Since it would enable a pre-image attack, one actor could selectively mine blocks for a considerable time until others catch up. This could be going on now.

    • dboreham 11 hours ago

      Probably not since quantum computers don't exist.

    • PowerElectronix 5 hours ago

Yeah, a way better strategy than showing the world bitcoin is bust while holding it short would be to just mine blocks here and there, to steal from inactive wallets, etc.

      I'd drain as much wealth from the network without being detected instead of going guns blazing.

  • CyberDildonics 13 hours ago

    Washing coins is not too difficult, you could split up values into lots of addresses and use them to buy other coins on other chains.

  • shagie 12 hours ago

    Would going for the bitcoin puzzle wallets be a better demonstration of "it's broken" without needing to do anything fancy?

    https://btcpuzzle.info/

    If all of them went to "solved" at once or in short order I believe that would cause sufficient panic without worry of stealing or burning.

  • dodobirdlord 9 hours ago

    Does anyone happen to know if it is settled law in the United States that transferring bitcoins using a cracked key is a criminal act? It’s not immediately obvious to me that it would be covered by the CFAA.

    • tshaddox 8 hours ago

      I would be surprised if the U.S. legal system requires itself to list every possible mechanism by which someone might steal money.

      • Terr_ 8 hours ago

        "Darn it, he's right, there's nothing in the rules here saying a dog can't play basketball or fetch money out of a bank vault..."

      • hananova 3 hours ago

        Bitcoins aren't money.

    • PowerElectronix 5 hours ago

It's easy to argue that anyone can operate any wallet without restrictions by just pulling the right key to it.

      Every participant knows and accepts it the moment they pull a random key and start operating the corresponding wallet.

EthanHeilman 16 hours ago

"A CRQC is an existential threat to Bitcoin (you might believe this is very low-likelihood). Your measurement of this threat should literally be:

(A) How likely you think it is a CRQC appears by a given time, multiplied by (B) How likely it is you think Bitcoin will not successfully upgrade by that time."

It would be interesting to survey people about their answers.

My off the cuff answer is:

2030: A=0.05, B=0.01

2035: A=0.50, B=0.001

2045: A=~1.0, B=~0.0

I reserve the right to change my mind on these answers at any point. This is not a serious prediction.

  • sayYayToLife 16 hours ago

Karl Popper calls this a psychological probability (% chance I go to the gym today). This is different from objective probability (% chance a die lands on 5).

    • EthanHeilman 16 hours ago

In this case, it seems like we are rolling dice but no one is quite sure if the dice are fair, how many sides they have and what numbers are written on the dice.

The only thing I am confident in is that the bigger the fire, the faster the work. I want the Bitcoin community to start the work as early as possible so that it doesn't have to rush, because rushing increases the chance of mistakes.

      Start early, don't rush.

  • hackernudes 16 hours ago

    CRQC = cryptographically relevant quantum computer

  • flatline 15 hours ago

    I'm skeptical that B is fully possible. You can create a PQ fork of bitcoin but you cannot automatically bring vulnerable wallets along - and there are a lot of vulnerable wallets, especially from the early days. There's a catastrophe ahead for bitcoin with an apparent probability of 1.0. That's hard to account for in this scheme.

    • sankao 8 hours ago

I would argue that the hackers will do the job of transferring funds from insecure wallets to secure ones very efficiently.

      • netheril96 7 hours ago

        It would still tank the price. Right now many Bitcoins are lost because no one holds the keys any more. When they can hack it, suddenly the sell pressure significantly goes up.

    • mono442 3 hours ago

      a hard fork could burn bitcoins which are vulnerable

  • tomtomtom777 14 hours ago

    2045 A=~1.0 seems way off. CRQC is still a theoretical construct with hurdles to overcome. Yes, there is a significant risk that it will exist somewhere in the next decades, but there is also still a significant chance that it will be shown to be practically impossible.

    • EthanHeilman 13 hours ago

That is not what I am hearing from people working on CRQC. A prediction of a CRQC with 10% by 2030 was made by one of the top experts in this field. 2045 used to be the pessimistic outlook by experts, with a bunch of experts predicting earlier. Recent work has shown that a CRQC is actually 20 times easier to build than previously thought, accelerating all timelines.

      We are seeing significant progress in two different types of quantum computers, neutral atom and superconducting qubit.

No one really knows when it will happen, but the view that it is practically impossible is held only by a small number of experts. What we have seen in 2026 has significantly shifted expectations.

      • hatthew 12 hours ago

        "Accelerated timeline" and "impossible" are not mutually exclusive. We may just reach the point where we conclude it's impossible sooner.

        Not commenting on specific numbers/estimates.

  • littlecranky67 2 hours ago

You should also consider that a CRQC needs not only to exist, but to be used in a certain way. I can hardly see that the first thing Google or IBM would do upon their breakthrough is stealing bitcoins. There is a reputation to have. And it is also unlikely some hacker can build a superior quantum computer in their backyard before some trillion dollar companies with a research budget can.

TrackerFF 2 hours ago

In practice, wouldn't it only be the dead wallets that would be affected? Granted, it is not a small number - IIRC, around 20% of all mined bitcoin are stored on these so-called dead wallets. With current prices that's a quarter trillion dollars' worth of BTC.

schoen 15 hours ago

As was alluded to in the comments, my colleagues at Blockstream Research are doing some work on this with mechanisms called SHRINCS and SHRIMPS.

Of course, inventing and demonstrating a quantum-resistant signature mechanism isn't the same thing as deploying it in consensus or upgrading everyone's UTXOs to it, and it's fair to say that there are many steps in between!

burnerRhodov2 9 hours ago

This is one of the laziest writings I've ever heard... CRQC is not non-zero across all timelines, it is inevitable. With the inevitability, the satoshi wallets can never be secured.

  • mono442 3 hours ago

    tbh I've heard the same about the nuclear fusion for many years now

memnips 15 hours ago

Somewhat ironic question, but as ETFs holdings of BTC continue to grow, is there a possibility that the custodians of those ETFs start to have a backup plan for ETF holders or create an alliance to push a fork forward? The management fee those companies generate is non-trivial, so they're incentivized to stay ahead of this.

Now, of course, the irony here would be traditional finance infrastructure winning out over decentralized, which could definitely deal a psychological blow to BTC's perceived value... but it's something I've been thinking about lately as this existential threat rises on the horizon.

  • pants2 15 hours ago

    Microstrategy is already pushing/funding quantum resilience for Bitcoin, so yes!

  • wmf 14 hours ago

    Yes, if you read the fine print on the ETFs they tell you what they will do in case of a fork. Usually their custodian picks the "winning" chain at their discretion. There's a similar (although reversed) situation with stablecoins.

  • dodobirdlord 9 hours ago

    In the absolute disaster scenario where the ecosystem is taken by surprise by an adversary with a CRQC, regulated custodians could form a consortium to reconstitute a new quantum-resistant version of bitcoin, pooling their ownership ledgers from before the disaster to reinitialize the blockchain and consigning to oblivion all coins not held in custody.

    • avazhi 9 hours ago

      Which would ofc be hilarious given BTC’s raison d’être.

j2kun 14 hours ago

> I personally care more about using Bitcoin than its price

I suspect that the author is in a pretty drastic minority here.

  • kreetx 3 hours ago

    Yup. I quite literally don't know anyone who is using Bitcoin directly to pay for everyday expenses, nor even for larger purchases. It always includes using an off-ramp and going through fiat.

fluxusars 14 hours ago

The thing that supposedly sets Bitcoin apart from other cryptocurrencies is that it's deflationary and 'immutable', in that Satoshi is gone forever and any deviation of Bitcoin from his golden idea will result in undermining its essence. If Bitcoin can get quantum-attacked then, from a technical point of view, nothing will be lost. The Bitcoin core devs can issue a word-of-god statement stating that they'll roll back the chain to before the attack, and all is well. Then they'll change the cryptography. But at that point, is it still Bitcoin? Because you've undermined the immutability. If the core devs can just say "this core property of Bitcoin is now something completely different", who's to say that they won't change their minds about the deflationary nature in the future? All credibility will be lost. Now, if you accept that, is perhaps all credibility lost already? ...

  • schlauerfox 14 hours ago

This was already pretty well hashed out (heh) during the 'core'/'cash' issue when there was an attempt to fork in an expanded block size. Both chains still exist. Bitcoin operation is entirely up to the miners to determine the heaviest chain, and that's like two entities (the number of entities required is called the Nakamoto coefficient). It's not magic, but there is a huge cult built up around it by scammers, rubes, opportunists and speculators.

    • wmf 14 hours ago

      Miners enforce the consensus rules but they can't change them. If miners try to change the rules, exchanges have no obligation to follow.

  • tomtomtom777 14 hours ago

    > The Bitcoin core devs can issue a word-of-god statement stating that they'll roll back the chain to before the attack, and all is well. Then they'll change the cryptography.

    That doesn't work, because once the signature scheme has been broken, nobody can prove that their coins are theirs. No roll back or word-of-god would help.

The only way to make bitcoin quantum-safe is to introduce a quantum safe signature scheme, to encourage everyone to move their coins, and to somehow accept that those who don't are no longer in control of their coins.

  • hparadiz 14 hours ago

    No because you are not changing the ledger. You are changing the authentication mechanism for transactions. It's like adding a new supported password hash.

    • dodobirdlord 9 hours ago

      If you don’t also drop wallets with compromised signatures at some point after introducing secure signatures (effectively editing the ledger) they will be up for grabs.

      Absent a functional ledger rewrite I expect there would be some window where miners with access to CRQCs switch their focus over to exclusively mining blocks of transactions transferring coins from insecure wallets to secure wallets under their own control. Is there actually interest in living in the world where the first person with both a CRQC and a mining farm gets to claim all of the stranded bitcoins for themselves?

  • block_dagger 14 hours ago

    Bitcoin core devs do not make decisions for the distributed network. Yes they have outsized power but with the whole BIP110 thing going on now and Bitcoin Knots gaining adoption, I'm more confident now that sudden changes from the core devs will not be blindly accepted by all. That aside, it will be necessary to hard fork the chain from a point before a quantum attack, but there will be several proposals and the community will vote with their nodes.

  • Ferret7446 14 hours ago

    For better or worse, Bitcoin is a true democracy. If all/most users decide to switch to a new quantum safe algorithm, then it is so.

    • ProllyInfamous 12 hours ago

See (for example) the August 2017 "hard fork" — when "bitcoin" split into bitcoin and bitcoin_cash (by node consensus for new maximum blocksize).

    • kibwen 12 hours ago

      Protip for readers: when people on HN say "democracy", what they mean is "plutocracy".

  • aeternum 14 hours ago

    Bitcoin has had significant protocol upgrades before, including the highly divisive segwit. IMO immutability is a non-issue, there's plenty of evidence that Satoshi generally agreed that consensus via the longest chain (most PoW) wins.

Thus, upgrading the protocol/code to change the encryption to something quantum-resistant should be no more controversial a change than segwit. The community has already answered the "is it still Bitcoin" question. Yes it is; protocol and code are free to change given longest-chain consensus.

    The problem will be what to do with legacy addresses. Never before have issued coins been forcibly deleted by a BIP. It could turn out that legacy addresses (including Satoshi's) that fail to have their coins moved after a deadline must be considered compromised and burned/destroyed. That has no precedent with bitcoin, although it does with ETH.

    Anyone know if there's a way out that doesn't require this? Obviously there's no way to ensure all legacy address coins are moved by the deadline.

    • weakened_malloc 10 hours ago

      > Anyone know if there's a way out that doesn't require this?

Honestly, I see this as a way for the powers that be to force explicit KYC. You want those coins? You prove they're yours, you stick your name on that wallet and all the liability that comes along with it. Otherwise the government (some government) holds onto them until you can definitively prove they're yours. I don't think this scenario is likely, but I can see it being something that is proposed or tried.

    • aeternum 10 hours ago

      I looked into it and the currently leading proposal: Hourglass v2 is pretty clever. Once 'Hourglass' is enabled, the rate at which legacy (P2PK) coins can be spent is (proposed to be) capped at 1btc / block. Thus they will not be burned, but the rate at which they can be stolen/compromised will be limited such that the economic impact is at most about 1/3 the block reward.

This gives holders of those old addresses the maximum amount of time to move their coins to more modern addresses and still the ability to move some coins after the deadline. If legacy keys are compromised in bulk, i.e. access to sufficiently powerful quantum computing is rapid and widespread, then there will be high competition via the existing txn fee bidding process for that 1btc/block slot. Thus most of the value will be captured by the txn fee and go to the miners, effectively boosting the mining reward by ~1/3.

      • dodobirdlord 9 hours ago

        Doesn’t this effectively still destroy all legacy wallets? Once the throttling limit goes into effect, it will be impossible for holders of legacy wallets to transfer their bitcoin without paying ~1 bitcoin per bitcoin they want to move. Doesn’t this amount to the same thing as abolishing all legacy wallets plus increasing the mining reward with extra steps?

        • aeternum 7 hours ago

          Not necessarily, we could reach a point where theoretically it is possible to crack elliptic curve but still prohibitively expensive except for nation states. At that point or near that point, miners would likely agree to engage the throttle.

          Presumably the vast majority who had their key would move the coins before the throttling takes effect so in the event of a 'slow takeoff' quantum scenario where quantum computing is expensive or nation states don't want to divulge the capability there could be no demand for the 1btc slot. If a lucky individual forgot about their coins (likely an early 50btc block), it only takes them ~8hrs to transfer at the normal txn fee.

          Only those with access to legacy coins can compete for that slot.

The main advantage is it delays the transfer to the mining reward to the last possible moment, i.e. the trigger for the transfer to the mining reward likely only happens if there is sufficient contention for that 1btc slot because legacy wallets are getting cracked.
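The rate-limit mechanism as described in this subthread (a 1 BTC/block cap on legacy P2PK spends, a fee auction for that slot, and the ~8 hour figure for a forgotten 50 BTC coinbase), as an added toy simulation. This is constructed example code, not the Hourglass proposal's own specification or code; the cap, the 10-minute block interval, the 3.125 BTC subsidy, and all fee values and spender names are assumptions chosen to contrast the two cases discussed above (an uncontended slow takeoff versus contended bulk compromise).

```python
"""Toy model of a per-block throttle on legacy (P2PK) spends.

Constructed example, not the real proposal. Assumptions:
  * at most CAP_BTC of legacy value may leave P2PK outputs per block,
  * the slot is filled by a plain fee auction (highest bid first),
  * blocks arrive every BLOCK_MINUTES on average,
  * a holder whose balance exceeds the cap moves it in cap-sized chunks.
"""
from dataclasses import dataclass
import math

CAP_BTC = 1.0            # legacy value allowed per block (figure from the thread)
BLOCK_MINUTES = 10.0     # assumed average block interval
SUBSIDY_BTC = 3.125      # block subsidy after the 2024 halving
NORMAL_FEE_BTC = 0.0001  # constructed "normal", uncontended fee per spend


def blocks_to_move(amount_btc, cap_btc=CAP_BTC):
    """Blocks needed to drain amount_btc when only cap_btc may move per block."""
    return math.ceil(amount_btc / cap_btc)


def hours_to_move(amount_btc, cap_btc=CAP_BTC):
    """Wall-clock time for the same drain, at the assumed block interval."""
    return blocks_to_move(amount_btc, cap_btc) * BLOCK_MINUTES / 60.0


def cap_as_fraction_of_subsidy(cap_btc=CAP_BTC, subsidy_btc=SUBSIDY_BTC):
    """Upper bound on per-block economic impact relative to the subsidy."""
    return cap_btc / subsidy_btc


@dataclass
class Spender:
    """Hypothetical party holding legacy coins and bidding for the slot."""
    name: str
    balance_btc: float        # legacy value still sitting in P2PK outputs
    fee_bid_btc: float        # fee offered per block for a share of the slot
    moved_btc: float = 0.0
    fees_paid_btc: float = 0.0


def run_block(spenders, cap_btc=CAP_BTC):
    """Fill one block's legacy slot, highest bidder first; return fees collected."""
    room = cap_btc
    fees = 0.0
    for s in sorted(spenders, key=lambda s: s.fee_bid_btc, reverse=True):
        if room <= 0 or s.balance_btc <= 0:
            continue
        chunk = min(s.balance_btc, room)
        s.balance_btc -= chunk
        s.moved_btc += chunk
        s.fees_paid_btc += s.fee_bid_btc
        fees += s.fee_bid_btc
        room -= chunk
    return fees


def simulate(spenders, blocks):
    """Run a fixed number of blocks; return total fees captured by miners."""
    return sum(run_block(spenders) for _ in range(blocks))


def slow_takeoff(balance_btc=50.0):
    """One forgotten early coinbase, nobody else bidding: moves at the normal fee.

    Returns (blocks used, hours elapsed, total fees paid).
    """
    owner = Spender("forgotten-coinbase", balance_btc, NORMAL_FEE_BTC)
    blocks = 0
    total_fees = 0.0
    while owner.balance_btc > 0:
        total_fees += run_block([owner])
        blocks += 1
    return blocks, blocks * BLOCK_MINUTES / 60.0, total_fees


def fast_takeoff(contenders=5, balance_each=10.0, fee_bid=0.9, blocks=50):
    """Many parties able to spend legacy coins compete for the same slot.

    Returns (legacy BTC moved, fees paid to miners, miners' share of moved value).
    """
    group = [Spender(f"contender-{i}", balance_each, fee_bid) for i in range(contenders)]
    fees = simulate(group, blocks)
    moved = sum(s.moved_btc for s in group)
    return moved, fees, (fees / moved if moved else 0.0)


if __name__ == "__main__":
    print("50 BTC uncontended:", slow_takeoff())
    print("5 x 10 BTC contended:", fast_takeoff())
    print("cap / subsidy:", cap_as_fraction_of_subsidy())
```

The uncontended case reproduces the ~8 hour figure from the thread; the contended case shows the fee auction handing roughly 90% of the moved value to miners, which is the outcome the "1 bitcoin per bitcoin" objection above is describing.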

  • cs702 13 hours ago

    The core developers need buy-in from nodes controlling > 50% of the computing power in the network to make any fundamental change to the network.

jaspanglia 15 hours ago

I think we still have a 3-4 year escape window before the necessary qubit range for breaking the encryption is reached. But China is unstoppable and advancing rapidly, so the crypto community needs to upgrade to Post-Quantum Cryptography before the threshold breaks.

netheril96 7 hours ago

ETH is not afraid of doing hard forks, so I'm expecting that they will lead in adopting post quantum cryptography. And then BTC ecosystem participants can learn from ETH.

  • dnautics 7 hours ago

even if btc does a hard fork, you'll need to "reshim" the encryption on each wallet. and you can only do (n) tx per block. and only 1 block per unit time. this limits the speed of bitcoin moving to PQC, it must take at least ~3 years iirc

arijun 13 hours ago

I assume that the solution to this would be a modification of the cryptographic basis of Bitcoin. Is there any way at all to do that without leaving behind people who aren't available at the time of transfer? Like if Satoshi was in a coma and not dead, is there any way at all to harden Bitcoin against attacks that would leave his wallet accessible to him?

tw600040 10 hours ago

Naive question maybe. But if quantum can break bitcoin, won't it also be able to break other encryptions that literally everyone else uses as well? So it's not that bitcoin is particularly vulnerable right now any more than banks and Gmails?

  • weakened_malloc 10 hours ago

Yes and no. I'm no expert, but there are two things that don't make it nearly as dangerous as it is for BTC.

    The first is the fact that many things are centralized. Things like Signal already have quantum-resistant encryption, and if they don't, they're able to implement it relatively quickly because it's centralized. BTC is not centralized and needs to jump through a bunch of hoops to get anything done.

    The second is that because those things are centralized or close to, you can roll back changes with ease. For instance, if you hack a bank and steal a bunch of money from an account you're far more likely to be able to freeze those funds and get other banks to help stop everything before they're gone forever. You can't do that with BTC.

  • nickvec 9 hours ago

    From the article:

    Q: A CRQC also breaks banking, military communications, and most of the internet today! If one appears, isn’t Bitcoin the least of our problems?

    A: True! Banking software, military communications, and the internet also need to be upgraded. I have high confidence they will be, successfully (I’d put my B_{HTTPS} at close to 1). Unfortunately, I have less confidence that Bitcoin will upgrade successfully since upgrading a decentralized system of honey-badger-like participants is much more challenging and people like the questioner seem to think this is a valid argument that we shouldn’t even worry about it? If you disagree and think there will be a CRQC and the rest of the internet won’t upgrade successfully, maybe you should consider shorting the stock market and buying gold. But not Bitcoin, because if we do nothing that won’t work anymore. Not investment advice.

xoa 15 hours ago

>Q: Stealing is illegal, so why would anyone use a CRQC to steal Bitcoin?

I've had this thought for a while actually: how would reproducing some random number be legally "stealing" under any legal system in the world? Putting aside that cryptocurrencies have always been about "code decides" etc., that they're outside of the legal system entirely, I'm struggling to see where there's any actual property interest here. Randomly generated numbers are not protected by IP in any way. There's no computer fraud act angle or the like here; nobody would be having so much as the slightest interaction with anyone else's private system. They'd merely be taking publicly available unprotected numbers and doing some math on them with their own quantum computer. Somebody else who has something related to those numbers is never deprived of them or interacted with in the slightest. There is nothing resembling "hacking", no flaws in the software exploited, all just math there from the start.

I can understand how suddenly a lot of proponents might wish to cling to and push the idea that it's "illegal" or "stealing", but there doesn't appear to be any meat on dem bones. Maybe they hope to generate support to get laws passed banning it, though it's hard to see that working out either. As a practical matter, it seems like they're just going to have to agree on a transition to a new version using PQE algorithms and try to convert over before it's too late?

  • QuantumNomad_ 15 hours ago

    Cryptocurrency gains are taxable in many (most?) countries. Clearly the governments see cryptocurrency as something more than just random numbers without meaning.

    Likewise, when government agencies shut down dark net markets (DNMs), they will seize the cryptocurrency funds that the DNM had (from market fees etc., or even funds that belonged to customers and were in escrow etc. by the DNM) if they can (i.e. if they get access to the private keys of DNM owned wallets either by technical means or by convincing the operators of the DNM to hand over the keys). Again because the governments view cryptocurrencies as something more than just random numbers without meaning.

    Speaking of seized funds. Let’s say that a government agency had seized a significant amount of bitcoin from a DNM and was transferring those funds to wallets under government agency control. Along comes some guy with a quantum computer and takes those funds for himself. Is the government agency just going to throw its hands in the air and say “oh well, he guessed the random number, nothing more we can do!” No, I think not.

    • xoa 11 hours ago

      >Cryptocurrency gains are taxable in many (most?) countries.

      So?

      >Clearly the governments see cryptocurrency as something more than just random numbers without meaning.

      Not really? It's the realized gains that get taxed. That's a completely generic feature of the tax system, the government doesn't give a shit (and shouldn't) what people decide has value in any given transaction. The only thing they care about is whether or not there was actual cash equivalent value exchange happening. Barter is always a potentially taxable event. The government makes no judgement on whether you do it with pretty river rocks or random numbers, they can assess the value of the exchange as if it was done with cash and tax that result.

      Re: Seizure of everything related to an illegal operation: sure, they will take everything they can find regardless. They'd take a computer with a ~/.ssh full of random keys too. The data they seize might also have pirated movies/games/music. Some of the things might have "value" but that doesn't make them currency.

      None of this implies the result you clearly wish it did.

      >Is the government agency just going to throw its hands in the air and say “oh well, he guessed the random number, nothing more we can do!” No, I think not.

      You "think not"? Why not? What laws do you think are being violated? There are lots of cases where the government will seize something that might at the time of the seizure be worth $X, and then legitimate activity happens elsewhere such that now it's worth $0.5X or whatever, and that's perfectly fine. The question hinges on whether the activities of other independent people/entities unrelated to the criminal entity that got seized are legitimate or not. It's not a matter of vibes. Like, imagine the government seizes a winning lotto ticket. And then before they can do anything with it, somebody else, unconnected, goes into a convenience store and legitimately buys a ticket, guessing the number too. The value of what the government seized has just dropped. Would I expect the government to throw its hands in the air and say “oh well, he guessed the random number, nothing more we can do!”

      Well, yes? That is indeed my expectation, within the rules of the game in question. If the lotto says "if you fail to claim your winning ticket within 1 week before someone else guesses it as well then too bad" or "well then you both split it 50/50" or whatever, yeah I'd expect the government to be held to the exact same standard as anyone else.

      • QuantumNomad_ 6 hours ago

        > You "think not"? Why not? What laws do you think are being violated?

        Actually we have real world examples of this very sort of thing: someone stealing cryptocurrency from a government agency seizure using the publicly knowable private keys for a wallet. No quantum computer was even involved, just plain old human error.

        In South Korea this year, a government agency released pictures of a physical seizure that included a written-down mnemonic seed phrase.

        The funds were then stolen, using that seed phrase.

        And then:

        > A Korean National Police Agency official said at a press briefing on the 3rd that "the first thief submitted a confession to the Cybercrime Reporting System on the 28th of last month, so on the 1st we arrested the person based on that and are tracking the secondary thief."

        https://biz.chosun.com/en/en-society/2026/03/03/2HRCGVESIZBT...

        So there you have it. The government in South Korea considered this a theft. An arrest was made. Investigations were made.

        It is so very obvious that this is what would happen when you steal cryptocurrency from the government. Even when the government agency itself was the one to accidentally publish the private keys so that they became public knowledge.

      • QuantumNomad_ 6 hours ago

        > It's the realized gains that get taxed. That's a completely generic feature of the tax system, the government doesn't give a shit (and shouldn't) what people decide has value in any given transaction

        If I buy a vintage computer second hand for $1500 and then manage to sell it to someone else for $2000, I don’t owe taxes on that.

        But if I buy $1500 worth of bitcoin and then sell those bitcoins for $2000, I owe taxes on that.

        So yes, the government does “give a shit” what people decide has value in any given transaction.

        • xoa 2 hours ago

          >If I buy a vintage computer second hand for $1500 and then manage to sell it to someone else for $2000, I don’t owe taxes on that.

          Uh, in the United States? Yeah, you absolutely do [0, 1]:

          >"If you make a profit through these activities, it’s considered taxable income. You can use the Form 1099-K, along with other records, to determine how much tax you owe."

          >"Remember that all income, no matter the amount, is taxable unless the law says otherwise – even if you don’t get a Form 1099-K."

          >"If you made a profit or gain on the sale of a personal item, your profit is taxable. The profit is the difference between the amount you received for selling the item and the amount you originally paid for the item."

          You may wish to review your understanding and confidence in your understanding of tax law.

          ----

          0: https://www.irs.gov/newsroom/are-you-making-extra-cash-selli...

          1: https://www.irs.gov/businesses/what-to-do-with-form-1099-k

  • schoen 15 hours ago

    Isn't your bank balance in a bank database also "just a number"? That number still exists if it goes up or down.

    I understand that the bank's ownership of its computer means that hacking into it could be seen as (for example) a trespass. However, what if you somehow persuaded a bank employee to change someone's balance? The bank employee has some kind of authority to do this and the result is once again "just a number".

    OK, what if you display some fraudulent information somewhere that leads a bank employee to decide to update a balance?

    I don't want to entirely dismiss your intuition because after all there is lots of interest in not relying on legal systems to adjudicate issues related to cryptocurrency transactions. However, changing numbers and causing people or devices to change numbers is not inherently categorically exempt from being considered fraudulent. For that matter, computer fraud laws are often explicitly written to apply to unauthorized alteration of data, not just to unauthorized access to a specific device.

    You might try to defend this by saying

    * the ownership of cryptocurrency assets is defined as the ability to transfer them, and should not be further or separately interpreted apart from that ability, or

    * deceiving a protocol is less obviously wrongful (or at least harder to define) than deceiving a person, or

    * computer crime should require undermining someone's intent about the use of devices or data and that intent should be clearly manifested and meaningful, which it arguably isn't in a cryptocurrency system, or

    * offline institutions create some kind of intelligible notion of ownership that's related to the non-digital world and this kind of ownership is what laws about theft or fraud aim to protect rather than any other kind of ownership without that non-digital nexus. (although this doesn't seem to be empirically true as ownership of, for example, domain names has been recognized as a form of property by courts since at least Kremen v. Cohen in 2003, even though it is just a matter of a database entry and has no offline existence)

    These are interesting conceptual possibilities, but not necessarily persuasive for courts, law enforcement, or cryptocurrency end users.

    • xoa 11 hours ago

      >Isn't your bank balance in a bank database also "just a number"?

      Absolutely not, but also "yes, which means no". In the first case, a bank balance isn't "just" a number, it's a massively regulated and legally backed number with many layers of interlocking entities, both private and multiple layers of government, in charge of maintenance, auditing, insuring, and enforcing. There is no equivalency to cryptocurrency there, as has been regularly touted.

      To the second, it could certainly be argued that a bank balance is indeed "just a number" and that's the point, what gives the number its value is all the infrastructure around it not anything intrinsic to the number itself. If someone finds out my bank balance in Account ABC is $42076 that might have privacy implications sure, but knowing that number gives you access to absolutely nothing of meaning. That's a completely different situation to one where independently finding a given number, which note you need not even have any idea who it belongs to, suddenly equates to ability to make use of that number in real world relevant ways by social consensus.

      We're talking more the equivalent of Adam guessing a winning lottery ticket, and then hanging onto it hoping the value will go up and he can trade on the ticket or do other things with it while not actually cashing it in because it's so unlikely somebody else will guess the ticket. Maybe because the lotto ticket winners are published on a public ledger, and Adam doesn't want the notoriety, or at least not just yet. Then Bob does independently guess it, immediately turns it in, and now Adam's lotto ticket is worthless. Bob didn't steal anything from Adam. Whether what Bob did is ok or not depends on the rules of the game.

      >I understand that the bank's ownership of its computer means that hacking into it could be seen as (for example) a trespass

      Holy shit are you for real? COULD be seen? Yes hacking into a bank would absolutely mean felony prosecution on multiple counts if you were caught.

      >However, what if you somehow persuaded a bank employee to change someone's balance?

      They would be committing multiple felonies and you would be committing criminal conspiracy, inducement and so on depending on jurisdiction, and probably wire fraud and a bunch of other stuff if you do it remotely that are sorta gimmes for prosecutors.

      >The bank employee has some kind of authority to do this and the result is once again "just a number".

      The bank employee does not have legal authority to do this. Any technical authority they have is only within the auspices of the law, internal compliance controls and practices and on and on.

      Anyway without going through your whole post you're doing a whole lot of false equivalency. Breaking into and modifying somebody else's systems is no small point, it's explicitly illegal under the CFA in the US and similar in the rest of the developed world. There's no such thing as legally "copying" money from an end owner perspective, even if internally to the global financial systems when it comes to fiat currencies from the Treasury & Fed or other national equivalents to banks and other governments and so on it gets more complicated. It's all meant to effectively be a digital version of actual old fashioned hard currency. Hence the entire core concept of theft: it applies to zero sum games, where one person getting more cash means another person now has less.

      I'd welcome any actual specific laws on the books about cryptocurrency that contemplate what would happen if someone simply guesses a private key with no interaction with anyone else and then uses it on the network. But without that it's hard to see any existing precedent. On the contrary, cryptocurrency people have repeatedly pushed, and built into the core foundations, the notion of code being law: that possession of a private key is all that's needed and the rest is up to the network, and you're supposed to be in charge of that (or someone else is on your behalf, and that relationship can be subject to contracts).

      • schoen 8 hours ago

        > Holy shit are you for real? COULD be seen? Yes hacking into a bank would absolutely mean felony prosecution on multiple counts if you were caught.

        I meant to refer specifically to the trespass theory (advocated about 25-30 years ago by some companies as a way to enforce terms of service) as a reason one might attempt to distinguish "changing a number on company X's computer" from "changing a number in a distributed database". That is, there might be legal theories that are more protective of individual companies' computers just because the physical computers belong to the companies as opposed to information-in-general.

        https://en.wikipedia.org/wiki/Trespass_to_chattels#Early_app...

        However, other forms of computer crime law can protect information-in-general, regardless of where it's stored or by whom.

        My point was that existing laws have been happy to punish changing numbers on computers based on the meanings that those numbers have to people, what people act as though those numbers represent. I believe some of these laws are drafted broadly enough that they already treat stealing cryptocurrency as illegal. Even if legislators didn't consciously regulate it this way, courts may conclude that concepts of fraud, property, conversion, etc., already apply to cryptocurrency systems, even if there isn't an obvious technical difference between a transfer intentionally authorized by a human owner and a transfer authorized as a result of fraud, hacking, bugs, etc.

        I understand that in, say, Bitcoin, "ownership" of assets stored in a UTXO is implemented only as the ability to cause a transaction that consumes that UTXO, and that this ability doesn't refer to a person's name or identity, or to good or evil, or to the reason that someone caused such a transaction, or to how someone came to possess the necessary information to create it. The blockchain consensus is updated based on whether the transaction followed certain deterministic rules, and concepts like "the owner" do not in fact appear directly anywhere in those rules. However, this doesn't stop a court from saying that some such transactions represent fraud or conversion or something while others don't, even though the transactions in question were equally valid according to the blockchain consensus.

        I understand that there's uncertainty and debate in the cryptocurrency world about how we should want legal systems to regulate or not regulate cryptocurrency, remedy or not remedy otherwise-wrongful actions committed via cryptocurrency systems, and enforce or not enforce agreements implemented in or through cryptocurrencies. I also think you're right to point out that there's an issue about whether the content or behavior of the code is, or is meant to be, the "entire agreement" among parties using it, or whether it just somehow reflects other kinds of relationships that are also partly enforced by legal systems.

        I currently work on smart contracts for a living. I find the question of how legal systems should view them fascinating, and I don't have a clearly articulated position on it.

        Edit: I'd again like to point to Kremen v. Cohen as an analogy. In that case there was a privately (sort of) created database of domain name registrations. There weren't specific laws or regulations created to describe how the courts should view domain name ownership. The defendant in that case fraudulently caused a domain name to be transferred from the plaintiff to the defendant. The courts agreed that the domain name was "property" and that the defendant could be sued for this, again even though there was no specific legislation regulating the domain name industry. Now, many people are unhappy about various ways that the legal systems of various countries try to control and regulate domain name ownership and transfer. I know people who've worked on naming systems that are explicitly meant to be harder for governments to regulate.

        Still, when courts looked at the original DNS decades ago, none of these forms of queasiness about the government's role stopped the courts from concluding that domain names were property based on their characteristics and use, and that people could be sued for fraudulently taking domain names away from other people.

        It seems like you might be perceiving a kind of hypocrisy in the notion of people wanting to deliberately create things that are harder to regulate, and then still sometimes involving the courts in disputes over them.

  • jfengel 15 hours ago

    I can't imagine that getting laws passed is going to help. The government can't just order a bank to restore funds, the way they can with regular currency. They could try forcing the culprit to return them, but it seems unlikely for the culprit to be in your jurisdiction.

    I suppose we could pass laws to prevent them from ever spending the money in a country that they can control. Even then, they'd have to find ways around the funds being "laundered" through mixers.

    • wmf 15 hours ago

      You might be surprised how many crypto hackers have been arrested and convicted. Usually they want to spend the money in civilization.

  • captn3m0 15 hours ago

    https://en.wikipedia.org/wiki/Illegal_number has lots of examples. The color of your bits matters.

    The best bet would be to factor satoshi's keys, and then publish them on something like OEIS for some novel-math reason, and let someone else steal them for you.

  • AlienRobot 11 hours ago

    Judge: so he had a number in his online account and you changed the number without his authorization? Straight to jail.

    That is how.

    Law isn't code.

hgujral 12 hours ago

The world digital economy is worth more than 20T and we're concerned about an asset <2T!? If quantum breaks the highest form of encryption we have today, we have bigger problems at hand.

  • Retr0id 11 hours ago

    Quantum computing does not break all cryptography.

  • dodobirdlord 9 hours ago

    The signature scheme used by bitcoin is far from the best encryption we have today, and more resistant to being updated than most more important things. So it’s an interesting novelty.

janalsncm 13 hours ago

It probably isn’t helpful that Bitcoin can only handle 7 TPS, so there is a scenario where even if you wanted to get out of BTC you couldn’t.

thyrsus 12 hours ago

Are there currently circulating cryptocurrencies that use quantum resistant cryptography?

tromp 16 hours ago

Good article with some questionable remarks like

> Q: Stealing is illegal, so why would anyone use a CRQC to steal Bitcoin?

> A: If you truly believe this, you really should value Bitcoin at 0 – it has many unnecessary components with a lot of overhead, like proof-of-work and digital signatures.

Proof of work is still necessary for two reasons:

1) to fairly distribute all coins (it's not sufficient though, e.g. Bitcoin's halvings still concentrate wealth on early miners/adopters)

2) to provide objective proof for the true transaction history, anchored in energy expenditure.

A related article on Bitcoin Core resistance to upgrading: https://murmurationstwo.substack.com/p/bitcoin-developers-ar...

  • lxgr 16 hours ago

    I guess the argument goes more like: If nobody were to attempt to steal anything, you don’t need security for your ledger anyway.

  • EthanHeilman 16 hours ago

    > 2) to provide objective proof for the true transaction history, anchored in energy expenditure.

    Why do you need this if you are willing to trust other people not to steal coins or lie?

    > 1) to fairly distribute all coins

    Same question as above. If you don't care about perfidy, simply use the honor system for coin distribution.

    If you do care about perfidy, then you should probably care about people breaking the law to steal your coins.

EGreg 14 hours ago

Apparently the Bitcoin foundation is already working on SHRINCS and SHRIMPS. But whether they will forcibly revoke the keys of Satoshi and all the early Bitcoin whales or not is another question!