[EthanHeilman]

> fork the chain at a snapshot before the attack, patch the protocol, and call that Bitcoin?

It won't work. The only way to authenticate who ones what coins is with signatures. If the signature algorithm is broken, you can't tell who the original owner is to move the coins to a safe signature algorithm.

You need to more to safer signature algorithm before the break, after the break it is game over.

> It’s worth remembering that Ethereum forked for much less

Ethereum could simply return the coins to the original owners. If the signature scheme is insecure, returning the coins just means the attacker can steal them again.

[glerk]

> The only way to authenticate who owns what coins is with signatures

Maybe the only fully cryptographic absolutely zero-trust way? In practice there are very few bitcoin outputs that aren't linked to an offline identity and most users could easily produce a proof of ownership.

Of course, this is not ideal and everyone would prefer not to go down that route. But even if we prepare in time and Bitcoin provides a quantum-secure address scheme before "Q-day", what happens to all the wallets that didn't upgrade? Is it open season on them? Satoshi's wallet alone could crash Bitcoin's value as a currency if dumped on the open market. I think even with the upgrade plan in place, a hard-fork + recovery will be on the menu, with various degrees of community support.

[EthanHeilman]

> In practice there are very few bitcoin outputs that aren't linked to an offline identity and most users could easily produce a proof of ownership.

Any who is going to in charge of reading that proof of identity and moving the coins? A trusted centralized party? The point of Bitcoin is to avoid exactly that sort of trust relationship, otherwise use the banking system.

> Satoshi's wallet alone could crash Bitcoin's value as a currency if dumped on the open market.

No one knows, but the incentives are aligned with a softfork to burn Satoshi's coins.

[glerk]

> Any who is going to in charge of reading that proof of identity and moving the coins? A trusted centralized party?

Basically you'd have to relax the trust/decentralization guarantees, but you don't have to relax them all the way. Most likely a consortium of trusted actors (Blockstream, major miners, major exchanges, bitcoin-adjacent companies,...). Or something like a consensus mechanism with aligned incentives a la Kleros. I think "we" could come up with "something", even if it is not perfect, because the value of Bitcoin is ultimately in the community of people who use Bitcoin, not just the protocol.

"Hard-fork" might not be the right way to see this. It's more like starting a completely new protocol where people who held Bitcoin at a certain snapshot can redeem a one-time airdrop equivalent to the value they held, provided they can prove ownership. As that protocol's value overtakes the value of the original Bitcoin chain (which will eventually be completely dead), we can all agree to call it Bitcoin.

[realharo]

>The point of Bitcoin is to avoid exactly that sort of trust relationship, otherwise use the banking system.

Most participants don't care about this. For almost everyone, the point of Bitcoin is to go up. As long as they can find enough buyers that also believe it will go up, the rest is optional. Especially if it's temporary, for a one-time migration.

[realharo]

In practice, what you really need is consensus. As long as enough of the important participants agree, that's how it will be.

And since there are millions of identical copies of the entire pre-attack ledger out there, this should not be that difficult.

Potential future buyers might reevaluate whether this whole thing has any monetary value, but that's a separate concern. Bitcoin's market value was never about the technical details.

[rcbdev]

I'm not sure you fully grasped what was said in the parent comment. It literally does not matter anymore if we can all agree on the previous blocks, it would be impossible to identify who owns which wallet anymore. The seed phrase would be useless.

[realharo]

Ah, then yeah, in that case, it'd be basically over.

Maybe large exchanges would try to step in to make a fresh chain based on their combined account data, and just drop the people relying on self-custody. But I doubt the market would go for it - the uncertainty would crash it hard enough that it would never recover.

[throw0101d]

> It won't work. The only way to authenticate who ones what coins is with signatures. If the signature algorithm is broken, you can't tell who the original owner is to move the coins to a safe signature algorithm.

If you publish/take a snapshot of the ledger at (say) 23:59 UTC everyday, and publish it with a SHA2/3 hash, people will know what the state of ownership was at that time. Then if a break occurs at any later point you cannot trust any transaction afterwards, but some portion of folks can attest to their ownership.

There will be some portion of folks that did some legitimate transactions that could come into question, but at least it's not necessarily everyone.

[EthanHeilman]

> but some portion of folks can attest to their ownership.

How? Alice pay's Bob 1 BTC at random address 0x1234. Someone shows up and says, I own that address and here is signature proving it. But the signature scheme is broken so anyone can do that. So you ask for documentation they own that address, well they have screencap of a message asking for payment from Alice. Is that real? Maybe you find the email of that user and ask them, but they could be lying. Now if you paid from coinbase, coinbase could vouch for you.

So you need some sort of court that sits in judgement over who owns what. That is going to be very expensive. While you are doing this, no one can move funds. What is the most likely outcome of such a system, well there is not CEO of Bitcoin, so you would probably end up with multiple courts producing conflicting rulings that no one would respect.

The whole notion of ownership courts is anathema to Bitcoin's philosophy and would completely undermine the social trust that makes Bitcoin valuable. If we are going to save Bitcoin from a CRQC we must act before a CRQC recovers everyone's private key.

There are three workable schemes:

* For public keys that in hashed addresses such as P2PKH (Pay-to-Public-Key-Hash) et al., if the public key is not known, then you could produce a ZKP that you know the public key (proof of pre-image). The main problem with this approach is that it only protects hashed addresses where the public key has not been leaked or exposed on-chain. It doesn't have enough coverage.

* You can do commit-reveal schemes, this makes miners far more trusted and again only helps with hashed addresses that haven't exposed the public key.

* You can do ZKP proof of HD Seeds, from most modern wallets have HD seeds. AFAICT You'd have to use STARKs but STARKs for HD seeds are too big for on-chain proofs. Not all HD seeds are protected and not all addresses have HD seeds. Just today Laolu published this demo for doing this, the proofs at 1.7 mbs https://groups.google.com/g/bitcoindev/c/Q06piCEJhkI

[littlecranky67]

You have to consider the network-level forwarding, not only the crypto. The noderunners could role out a new version that uses whatever heuristics to identify transactions that are likely from an attacker. If transaction aren't forwarded, they don't end up in the mempool and thus not in the blockchain. And yes, then the attacker might try to manipulate those heuristics and filter etc. It would become a cat-and-mouse game, but as long as the "good guys" act faster than the attack adapts, there is a good chance a big number of coins can be secured. It is not an all-or-nothing game.

[nehan]

The point is you can't distinguish transactions that are from an "attacker" when the underlying signature scheme is broken. The Bitcoin P2P network has some metrics to disconnect from nodes that might be trying to DoS you, but if a transaction has enough fees, is spending unspent coins, and has a valid signature, it's valid.

[littlecranky67]

I did say heuristics, not valid/invalid. You can do all sorts of analytics upon receiving a transaction, and then decide to forward or drop the transaction based on that heuristics. Valid/Invalid could become the minimum requirement for a transaction to be forwarded.

[nehan]

I can't think of heuristics available on the Bitcoin P2P network that would be helpful for this, but I'm curious if you have any in mind.