[Veserv]

If you assume powerful quantum computers then Bitcoin is dead, that is a straightforward result.

The digital signatures that prevent others from spending your bitcoins are based on elliptic curve cryptography (ECC). The security of elliptic curve cryptography is based on the hardness of the discrete logarithm problem (DLP). A sufficiently powerful quantum computer can use a variant of Shor’s algorithm to solve the DLP in runtime polynomial in the key size (my research indicates O(n^3) in key size more or less), giving you the private key behind a bitcoin wallet in a very tractable amount of time.

Though everything else they are saying about backdoors or design issues are wild speculation, a powerful quantum computer absolutely would allow you to spend anybody’s, including Satoshi Nakamoto’s, bitcoins.

[greyface-]

Single-use P2PKH addresses are quantum safe, since the public key is not revealed publicly until spending, just its hash. QC breaks ECDSA but not SHA256.

[tromp]

Even those are at risk if the key can be cracked in a matter of minutes, since it takes 10 mins on average from publishing your spending transaction to it getting mined, and the attacker can doublespend it with a much larger fee.

[greyface-]

This is true. Leaving coins at rest is safe, but moving them before the threat is understood might be risky. Widespread opt-in RBF enforcement could mitigate the risk to some degree, if miners cooperate and shun full RBF after a quantum attack. In the worst case, one might need to submit their "exit" transactions directly to a non-evil miner in order to avoid revealing the pubkey before confirmation. Ideally, this will all be figured out ahead of time, and most non-"lost" coins will be moved over to post-quantum UTXOs before the risk is serious.

[Veserv]

Having just read up on it, sure. But that is a very restricted use case as you could only use your wallet for a single send transaction and that has already happened for the specific case of Satoshi's wallet.

I believe you could scaffold up a system even with a 1-send limit that transparently functions the same as what currently exists since you can issue transactions to multiple parties within a single send, but that largely kills Bitcoin as normally used. All but the most sophisticated users would be required to hand over control of their wallet to actually manage the massive proliferation of addresses needed to act as if you have more than a 1-send limit. But sure, you are technically correct that there exists a very narrow use case which you can probably hijack aggressively enough to salvage the system if you tried hard enough.

[greyface-]

You're right that Satoshi's coins are at risk (but because they're using the older P2PK, not due to key reuse), and I agree that this would lead to some amount of chaos and transformative disruption.

> users would be required to hand over control of their wallet to actually manage the massive proliferation of addresses needed

BIP32 solved this in 2012, and is used by basically all self-custodial wallets these days. https://github.com/bitcoin/bips/blob/master/bip-0032.mediawi...

[Veserv]

Ah, I did not previously know that there were a plural number of Satoshi wallets. I previously read that Hal Finney was the first recipient of a Bitcoin and which came from Satoshi Nakamoto and assumed that there was just a single Satoshi wallet which would mean there is key reuse.