[fluxusars]

The thing that supposedly sets Bitcoin apart from other cryptocurrencies is that it's deflationary and 'immutable', in that Satoshi is gone forever and any deviation of Bitcoin from his golden idea will result in undermining its essence. If Bitcoin can get quantum-attacked then, from a technical point of view, nothing will be lost. The Bitcoin core devs can issue a word-of-god statement stating that they'll roll back the chain to before the attack, and all is well. Then they'll change the cryptography. But at that point, is it still Bitcoin? Because you've undermined the immutability. If the core devs can just say "this core property of Bitcoin is now something completely different", who's to say that they won't change their minds about the deflationary nature in the future? All credibility will be lost. Now, if you accept that, is perhaps all credibility lost already? ...

[tomtomtom777]

> The Bitcoin core devs can issue a word-of-god statement stating that they'll roll back the chain to before the attack, and all is well. Then they'll change the cryptography.

That doesn't work, because once the signature scheme has been broken, nobody can prove that their coins are theirs. No roll back or word-of-god would help.

The only way to make bitcoin quantum-safe, is to introduce a quantum safe signature scheme, to encourage everyone to move their coins and to somehow accept that those who don't are not longer in control of their coins.

[aeternum]

Bitcoin has had significant protocol upgrades before, including the highly divisive segwit. IMO immutability is a non-issue, there's plenty of evidence that Satoshi generally agreed that consensus via the longest chain (most PoW) wins.

Thus, upgrading the protocol/code to change the encryption to something quantum-resistant should be no more controversial a change than segwit. The community has already answered the "is it still Bitcoin". Yes it is, protocol and code is free to change given longest-chain consensus.

The problem will be what to do with legacy addresses. Never before have issued coins been forcibly deleted by a BIP. It could turn out that legacy addresses (including Satoshi's) that fail to have their coins moved after a deadline must be considered compromised and burned/destroyed. That has no precedent with bitcoin, although it does with ETH.

Anyone know if there's a way out that doesn't require this? Obviously there's no way to ensure all legacy address coins are moved by the deadline.

[aeternum]

I looked into it and the currently leading proposal: Hourglass v2 is pretty clever. Once 'Hourglass' is enabled, the rate at which legacy (P2PK) coins can be spent is (proposed to be) capped at 1btc / block. Thus they will not be burned, but the rate at which they can be stolen/compromised will be limited such that the economic impact is at most about 1/3 the block reward.

This gives holders of those old addresses the maximum amount of time to move their coins to more modern addresses and still the ability to move some coins after the deadline. If legacy keys are compromised in bulk, IE access to sufficiently powerful quantum computing is rapid and widespread, then there will be high competition via the existing txn fee bidding process for that 1btc/block slot. Thus most of the value of the will be captured by the txn fee and go to the miners, effectively boosting the mining reward by ~1/3.

[dodobirdlord]

Doesn’t this effectively still destroy all legacy wallets? Once the throttling limit goes into effect, it will be impossible for holders of legacy wallets to transfer their bitcoin without paying ~1 bitcoin per bitcoin they want to move. Doesn’t this amount to the same thing as abolishing all legacy wallets plus increasing the mining reward with extra steps?

[aeternum]

Not necessarily, we could reach a point where theoretically it is possible to crack elliptic curve but still prohibitively expensive except for nation states. At that point or near that point, miners would likely agree to engage the throttle.

Presumably the vast majority who had their key would move the coins before the throttling takes effect so in the event of a 'slow takeoff' quantum scenario where quantum computing is expensive or nation states don't want to divulge the capability there could be no demand for the 1btc slot. If a lucky individual forgot about their coins (likely an early 50btc block), it only takes them ~8hrs to transfer at the normal txn fee.

Only those with access to legacy coins can compete for that slot.

The main advantage is it delays the transfer to the mining reward to the last possible moment, IE the trigger for the transfer to the mining reward likely only happens if there is sufficient contention for that 1btc slot because legacy wallets are getting cracked.

[weakened_malloc]

> Anyone know if there's a way out that doesn't require this?

Honestly, I see this as a way for the powers that be to force explicit KYC. You want those coins? You prove they're yours, you stick your name on that wallet and all the liability that comes along with it. Otherwise the government (some government) holds onto them until you can definitively prove they're yours. I dont think this scenario is likely, but I can see it being something that is proposed or tried.

[block_dagger]

Bitcoin core devs do not make decisions for the distributed network. Yes they have outsized power but with the whole BIP110 thing going on now and Bitcoin Knots gaining adoption, I'm more confident now that sudden changes from the core devs will not be blindly accepted by all. That aside, it will be necessary to hard fork the chain from a point before a quantum attack, but there will be several proposals and the community will vote with their nodes.

[hparadiz]

No because you are not changing the ledger. You are changing the authentication mechanism for transactions. It's like adding a new supported password hash.

[dodobirdlord]

If you don’t also drop wallets with compromised signatures at some point after introducing secure signatures (effectively editing the ledger) they will be up for grabs.

Absent a functional ledger rewrite I expect there would be some window where miners with access to CRQCs switch their focus over to exclusively mining blocks of transactions transferring coins from insecure wallets to secure wallets under their own control. Is there actually interest in living in the world where the first person with both a CRQC and a mining farm gets to claim all of the stranded bitcoins for themselves?

[cs702]

The core developers need buy-in from nodes controlling > 50% of the computing power in the network to make any fundamental change to the network.

[schlauerfox]

This was already pretty well hashed out (heh) during the 'core'/'cash' issue when there was an attempt to fork in an expanded the block size. Both chains still exist. Bitcoin operation is entirely up to the miners to determine the heaviest chain, and that's like two entities (the number of entities required is called the Nakamoto coefficient). It's not magic, but there is a huge cult built up around it by scammers, rubes, opportunists and speculators.

[wmf]

Miners enforce the consensus rules but they can't change them. If miners try to change the rules, exchanges have no obligation to follow.

[Ferret7446]

For better or worse, Bitcoin is a true democracy. If all/most users decide to switch to a new quantum safe algorithm, then it is so.

[kibwen]

Protip for readers: when people on HN say "democracy", what they mean is "plutocracy".

[ProllyInfamous]

See (for example) the August 2017 "hard fork" — when "bitcoin" split into bitcoin and bitcoin_cash (by node concensus for new maximum blocksize).