It seems really dumb to preemptively freeze coins that aren't stolen, that we don't even know can be stolen. There are vulnerable keys on bitcoin all the time. If anyone has problems with confiscating >1000 sat UTXOs with some proposal like the cat (which I agree is way too far, btw), then I can't see how freezing coins - not because QC is here - but because enough people are afraid that it's imminent, is anything other than going ahead and essentially causing the very harm that others would be vulnerable to (losing their coins) before the quantum attacker does it.
Discussion
That's supposed to be *less than* 1000 sats but I'm typing with one hand holding a baby
Isn't it all coins? Active, passive, lost or whatever among the 21 million coins?
I actually don't understand the problem.
Stealing is not OK, but if they are lost it should be OK to look for them, in my opinion.
This doesn't have anything to do with the 21 million limit. I only bring it up in the context that the notion of not freezing other people's bitcoin is
… is at the same level of importance as the 21 million limit when it comes to Bitcoin's fundamental principles
(my kids are making it hard to type and I dropped my phone, which sent the half-typed message 🤦🏻‍♂️)
>has unfuckable property
We should fuck the property
Makes sense
It sounds like you're assuming I'm advocating for freezing at any point soon or prior to it being incredibly obvious that a CRQC is a short-term reality and largely unavoidable. I'm not.
Lopp's proposal is the only one I know of on this topic that's sort of concrete in when it's saying to freeze coins, and every suggestion I have heard is prior to QC being able to do so (as the theft of Satoshi's coins would be the obvious and huge first loss to the problem). But even in that context I still land on the "we don't freeze coins" conclusion because who knows how many people might still be able to move coins and want to come back before any QC decides to go after their UTXOs, etc. I don't think it is reasonable to assume any QC, even after decades, once able to break one key with a ton of energy or work, would be able to quickly or in a matter of moments just break signatures wantonly. Which leaves a massive gap between the "they spent 5 years breaking Satoshi's coins" and "everyone else is immediately vulnerable" landscapes.
In other, other words, I still think it is very likely that almost everyone save for the highest and most obvious balances would potentially still have years to move their own coins *after* Satoshi's were already broken.
Two points. First of all, I'm somewhat confident we'll learn that a CRQC is imminent with some time left prior to theft being actually possible, see nostr:nevent1qqs8cxj6ukqvh65l3ypqervzdly3fqpru34jv0avlve30u6lttpxe4cpzamhxue69uhkummnw3ezuendwsh8w6t69e3xj7spzamhxue69uhhyetvv9ujucm4wfex2mn59en8j6gpr3mhxue69uhkummnw3ezumt4w35ku7thv9kxcet59e3k7mgprpmhxue69uhhyetvv9ujuumwdae8gtnnda3kjctvg034fh
Secondly, I would be surprised, though it's certainly possible, if a QC is only able to steal coins after a year of constant compute. While they won't be instant, maintaining coherence for long is one of the key challenges, so compute being longer than minutes to break a key (with some probability, maybe it takes some number of tries, though) seems somewhat unlikely.
Finally, it's worth pointing out that one of the best ways we have to ensure people retain access to their bitcoin (allowing proof-of-seedphrase to allow for spends) *requires* that we freeze vulnerable spend paths before they can be otherwise stolen. So I think that should weigh pretty heavily in favor of freezing.
Of course, however, we cannot decide this for any future community and I think we agree it's *highly* dependent on the particulars of what public information is available and what the timelines look like. The best we can do is speculate on likely scenarios and then decide what we think should happen in them.
Sadly, the freeze-vs-not decision is important today, because it impacts what choices we have available to begin preparing - if freezing is highly likely, we can "hide" QC safety in taproot leaves today without impacting wallets. If it's not, it has to be a separate address type which has *huge* deployment timeline challenges (there's *still* exchanges that can't send to taproot addresses, for example…)
Err, guess that was more than two points.