Matt Corallo
3d2e51508699f98f0f2bdbe7a45b673c687fe6420f466dc296d90b908d51d594
10th known contributor to Bitcoin Core. Now Full-Time Open-Source Bitcoin+Lightning Projects at Spiral (Part of Block).
Replying to Matt Corallo

Two points. First of all, I’m somewhat confident we’ll learn that a CRQC is imminent with some time left prior to theft being actually possible, see nostr:nevent1qqs8cxj6ukqvh65l3ypqervzdly3fqpru34jv0avlve30u6lttpxe4cpzamhxue69uhkummnw3ezuendwsh8w6t69e3xj7spzamhxue69uhhyetvv9ujucm4wfex2mn59en8j6gpr3mhxue69uhkummnw3ezumt4w35ku7thv9kxcet59e3k7mgprpmhxue69uhhyetvv9ujuumwdae8gtnnda3kjctvg034fh

Secondly, I would be surprised, though it’s certainly possible, if a QC is only able to steal coins after a year of constant compute. While they won’t be instant, maintaining coherence for long is one of the key challenges, so compute being longer than minutes to break a key (with some probability, maybe it takes some number of tries, though) seems somewhat unlikely.

Finally, it’s worth pointing out that one of the best ways we have to ensure people retain access to their bitcoin (allowing proof-of-seedphrase to allow for spends) *requires* that we freeze vulnerable spend paths before they can be otherwise stolen. So I think that should weigh pretty heavily in favor of freezing.

Of course, however, we cannot decide this for any future community and I think we agree it’s *highly* dependent on the particulars of what public information is available and what the timelines look like. The best we can do is speculate on likely scenarios and then decide what we think should happen in them.

Sadly, the freeze-vs-not decision is important today, because it impacts what choices we have available to begin preparing - if freezing is highly likely, we can “hide” QC safety in taproot leaves today without impacting wallets. If it’s not, it has to be a separate address type which has *huge* deployment timeline challenges (there’s *still* exchanges that can’t send to taproot addresses, for example…)

Err, guess that was more than two points.

Certainly possible, yes. I’d be fairly surprised, though. Yes, if a CRQC becomes realistic there may be an incentive to hide it so that you can complete it and go steal a bunch of bitcoin, but generally conspiracies don’t really scale - it seems to me it would be incredibly unlikely that a large team of expert scientists (not to mention investors and executives and support staff) would be able to keep quiet that they’re within shooting distance of a CRQC. More generally, while it’s possible that this happens via some huge breakthrough, that isn’t what we’ve seen so far with QCs - they’ve been very slow deliberate progress iterating in small public steps. A startup making good progress for 5 years then suddenly going dark without shutting down may well also be an indication of something.

Ultimately this gets into the “it’s hard to speculate what a future community might do” because there is so much detail to any potential scenario that would go into such a decision. In my (fairly strong) opinion, the community is likely to have enough information to be relatively confident that a CRQC is highly likely at least 1-5 years prior to it existing (where the range is mostly uncertainty about the rate, not uncertainty about the state of things), but it certainly could happen that I’m wrong. Ultimately we can’t decide for the future community, but we do need to at least somewhat predict what they’re going to do because it’s important to understand it to help us decide what to do today to prepare.

This all somewhat ignores the possibility that a government gets a CRQC first. I’m admittedly not incredibly concerned about that, both because so far it appears the most advancements have been in private companies willing to throw money at this, but even if that changes, a government leaking that they have a CRQC by stealing Bitcoin doesn’t seem super likely to me either.

Yea, though minor nit: HD doesn’t necessarily mean seedphrase, though I think basically the only modern wallet this applies to is Bitcoin Core.

You have two choices - let a CRQC company steal their coins or freeze them and let those with a seedphrase (which is most modern wallets!) get their money back. It seems really dumb to cut off our nose to spite our face here.

The current QC research world is quite open, and I see little reason to think that that will change any time soon. It’s possible it does, of course, but the companies and scientists working to build them want credit, to attract investment, to attract customers (once they have something useful), etc.

No one is advocating freezing QC-vulnerable spend paths any time soon. And if no CRQC ever appears, then no such freezing should ever occur! The question is only what to do if a CRQC is clearly going to exist within a relatively short time period - do you freeze and let people with seed phrases get their money, or do you let the CRQC operator steal it all?

You’re assuming I’m advocating for doing this now or any time soon, which I very much am not. The only time where it makes sense to consider freezing QC-vulnerable coins is when it’s very obvious that a CRQC is on the immediate horizon and they’re going to be stolen if nothing is done.

Yes, we strongly agree that options for QC-secure Bitcoin storage should be provided *long* before that time comes, and without that any discussion of freezing also makes no sense.

I agree it’s not a technical problem, but of course technical details impact the available options and should be considered.

Yes, we agree that “preemptively stealing coins because they may theoretically get stolen in the future” is a terrible idea. Considering such a change at any time prior to when it’s clear that a CRQC is on the immediate horizon and clearly going to happen would be absolutely insane.

But once you do reach that point, some vulnerable coins are not going to be claimable by their owners no matter what you do. I prefer to allow some of the owners to get their funds back by freezing and enabling claims via a ZK proof of seedphrase over letting some QC startup steal all the coins. Seems kinda obvious that the community would prefer that to me, but I guess maybe not.

You can either freeze vulnerable spend paths and let a majority of owners reclaim their coins (via seedphrase) or you can let some QC startup steal a ton of lost coins and dump them on the market, impacting everyone. This is a really obvious choice…

You didn’t meaningfully engage with any of my arguments, which is a bit sad, but you know that isn’t going to happen. Any QC startup that gets that far is going to have investors that want to be paid back. They’ll sell about as quickly as they can.

Except it’s not quite! If you freeze vulnerable spend paths then you can allow coins which were stored in wallets with seed phrases to be recovered. You cannot otherwise.

You’re confusing a core principle of bitcoin for the way the core principle was written down. It’s (obviously) a core principle of Bitcoin that coins never be frozen or stolen by any action aside from a mistake by their owners. However, that’s not the question we face if a CRQC becomes reality. The coins *will* be stolen or frozen, there is no other option [1]. In the face of that, you either pick that they be stolen by some QC startup, or you pick that they be frozen by fork. Also…

[1] There is actually one other option. If the keys for the coins were created with a seedphrase-based wallet, we can allow them to be recovered by their owners, but *only* if we freeze vulnerable spend modes!

I believe you missed that disallowing “Quantum Recovery” is required in order to allow a majority of coins to be recovered by their rightful owners! We can allow people to spend funds if they can prove that they were built using a seedphrase and they know the seedphrase, but this only works if vulnerable spend paths are prevented!

Because the supply of Bitcoin available on markets suddenly 10xing impacts everyone.

*proof of* ownership. But the practical concept of “ownership” isn’t about proof but rightful access.

It’s *way* more than 5%! A CRQC operated by a private entity will almost certainly not be interested in stealing 5% of the supply and sitting on it, they’ll likely want to sell a decent chunk of their stolen coins to pay back investors for the immense R&D cost they spent. The total quantity of coins available on markets is not anywhere close to 20M, it’s a tiny fraction. Having something even like 1-2% of total Bitcoin supply flood the market at once is going to have a very large impact on price.

As for your claim that this is somehow changing a fundamental property of Bitcoin, I think you’re losing the Bitcoin philosophy for the way it happened to be written down. Yes, it’s critical for Bitcoin to have a hard line in the sand against coin theft. But you don’t get to pick here - the coins are going to be stolen or frozen no matter what you do. Getting myopic about *who* is doing it isn’t a part of Bitcoin’s value proposition, you’re just reading too much into the way the rules happened to be written down, not the reason for them.

No, you’re confusing the tech details for the reality. If someone steals a private key a court would force them to return the funds, because *obviously* it’s not theirs.

The solution to that concern is lead time :). Provide a way to embed a QC-safe pubkey in outputs today, give wallets plenty of time to adopt it, then there will have been years and years of lead time :)

In the face of a CRQC you cannot. That’s the point. You can in the narrow exception case of having created the key using a seedphrase-based derivation.

Does it? First of all you didn’t engage with the argument in the post at all, so I’d encourage you to do so. But to your point, I disagree. You could also see this as preventing these coins from being stolen. In fact, in order to enable people to claim funds that were stored insecurely but using a seedphrase-based derivation you *have* to freeze insecure spend paths. Given that is the vast majority of wallets today, I find it hard to believe the tradeoff of screwing most bitcoiners is worth it.

It’s stealing if it’s not yours lol. “Theft” isn’t a technical term, it’s a moral one.

While we cannot make this decision on behalf of a theoretical future Bitcoin community, I think burning vulnerable bitcoin is inevitable.

First of all, I think it’s the right decision. In a world where a CRQC (cryptographically relevant quantum computer) is on the short-term horizon, these coins will not remain with their original owners. No amount of hopium will solve that. Instead your options are only (a) freeze or (b) let some CRQC owner eventually steal them. I definitely prefer (a).

Luckily, it doesn’t have to be a lot of coins - any addresses which were created from a standard seed phrase + HD derivation can be recovered with a QC-safe ZK proof. It’s only the very very old coins (or more esoteric wallets) that would be frozen.

Finally, it’s worth pointing out that I think this is inevitable. In a theoretical future where a CRQC is on the horizon, both forks will exist. The market will ultimately decide which bitcoin they value more - one with an extra million coins of supply as the CRQC owners steal lost coins or the one without. I cannot imagine the market preferring the former.

nostr:note1yu8qh0l4cq9gg9fpk4jclp6q0mepuyacq8ha5ljnx76ang52t9pq2npf36

lol you forgot about the democratic elected officials who were assassinated like a month ago? Grow up and fix your filter bubble, you’re part of the problem.

(It appears the restaurant has decided to block everything categorized as “cryptomining”, which IME includes anything cryptocurrency related at all. If it were actually mining-related that would make sense - don’t want people mining in your restaurant lol, but TALOS Intelligence are incompetent race-to-the-bottom morons)

Ugh, it somehow deleted itself a few months ago I think and I haven’t bothered to fix it. I didn’t remove it 🤦‍♂️

The situation in the US is bad, but it’s not *that* bad.

First of all, writing a wallet where you neither make money nor host any services (i.e. a pure OS software wallet) has much more powerful defenses that didn’t come up in the TC case.

Second, and importantly, this judge didn’t give any material thought to the actual question that mattered here, and will be the focus of the appeal, so it’s far from settled, see https://www.coincenter.org/analysis-the-disappointing-denial-of-tornado-devs-motion-to-dismiss/

Third, never underestimate the value of prosecutorial discretion. Building a wallet that is privacy-focused and where you have private messages between founders talking about Bad People using your product and you do absolutely nothing despite operating the frontend entirely centralized isn’t a good look and prosecutors decide charges based on looks. Obviously I’m not gonna personally run to take the risk operating an LSP in the US under this argument, but let’s not overstate what the actual risk is here.

Finally, let’s get the law changed! The CLARITY Act already passed the House with section 109 protecting developers from these kinds of charges and draft language from the Senate has even stronger protections! The Senate is in recess, so now’s a great time to go to a town hall and harass your senators!

…or at least make a phone call. Look up the numbers at saveourwallets.org

nostr:note1d0gy5wmh0l6thphrqc22xfn4yjd54l00wpaptw8qtrfugk6pmf7qnwudwa

I really love when people obsessed with censoring the blockchain get mad about getting banned for brigading and trying to prevent others from doing their work.