During the last Austin BitDevs we discussed the different trade-offs between freezing and not freezing the quantum-vulnerable coins. I brought up an argument that it seemed most people had not heard before, so I wanted to write it out.
I first want to preface by saying I think quantum is mostly a LARP. From my view, we are very far away from being able to build a computer with enough qubits to do anything useful; we can't even get our current ones to run Shor's algo without a million hacks. However, I do think it'll happen one day; when we've built a Dyson sphere and have cities on Mars, we probably will have figured it out by then. That day could come faster than I expect (it certainly did for AI), but it seems this is more of a physical and engineering problem rather than a math / theory problem, which are much harder to solve.
--
The traditional freeze vs. don't freeze argument is typically a philosophical debate about property rights. Should we freeze people's vulnerable coins to protect the rest of the network? Typically the argument is that since ~20% of all coins have exposed pubkeys, even if everyone using bitcoin today moved to quantum-safe addresses, their coins could become worthless because quantum computers would steal all the vulnerable coins and crater the price of bitcoin, so everyone essentially loses their money, not just the people who didn't move over. The typical argument against this sums up to: "not my problem, worst case is cheap bitcoin and a one-time redistribution event", a more code-is-law stance. I mostly agree with this and definitely agree with this before we've actually seen proof of a QC breaking a 256-bit key. Regardless of how you feel about the potential property rights violations here, I am going to make a security/game theory based argument on why bitcoin will need to freeze the coins once a quantum computer has been proven to be able to crack coins.
Quantum-vulnerable coins break mining incentives. Let me lay out the scenario. Assume that multiple labs have gotten to the point where they can break bitcoin keys and are now going all out, stealing as many coins as possible (the doomsday scenario). This will result in the same thing we normally see with low-entropy keys, where multiple people keep fee bumping until it's eventually mostly miner fees and a small portion goes to miners. It will be slightly different, as this will be millions of coins and multiple blocks' worth of transactions rather than one or two transactions. This is normal, however, and not what the real issue is. The real issue is that these labs will likely partner with big miners to prevent this race so they can steal the coins without the threat of fee bumping races. This could likely result in the chain temporarily splitting and forever leave a huge incentive for deep reorgs.
If we have large miners each pair with a quantum lab, they have no incentive to mine on top of each other's blocks because there is a literal multi-million bitcoin incentive not to. This would likely result in a chain split between the two, which then becomes a war of attrition: who can keep their miners on for longer until one runs out of money. During that period we would have a huge chain split and would have a hard time resolving it. We have no way to UASF out of this without just picking a winner or declaring them both losers and freezing the coins before they started the attack, both terrible options. This is the case if multiple miners do it at the same time, and tbh we'd have to have pretty crazy luck for that to happen. What I think is more worrisome is the bounty these coins leave behind.
Currently there is not a huge incentive to 51% attack bitcoin. If you are able to 51% attack bitcoin and rewrite parts of the chain, you can get block rewards that wouldn't have gone to you, but it is a lot of risk when you could get similar rewards for just mining on the latest chain, so the only real incentive is preventing new txs / censorship, which has no real financial gain, so we don't assume people will do this. However, quantum changes this equation. When there is a period of blocks that steal all the quantum-vulnerable coins, there is a HUGE incentive to reorg these blocks and instead steal them for yourself, even if they are buried under months to years' worth of blocks. Today there is less than a million bitcoin left to be given out in the block subsidy, so the block reward will never be able to compete with the incentive there is to try to rewrite these old blocks and get the millions of bitcoin for yourself. This will essentially be the case forever, until the block reward of all the blocks after equals the amount stolen (fees will need to go MUCH higher).
There are 2 real threats here: during the attack we lose all finality guarantees, as miners will be reorging each other attempting to get the vulnerable coins for themselves, and after the attack there will always be an incentive to try again and get those coins.
Curious on people's thoughts on these potential attacks. I have not seen people even bring up any miner arguments for quantum vulnerable coins and haven't figured out my exact stance on what we should actually do. This is my best steel (steal?) man argument on why we should freeze the coins.
First, who's to say that centralized mining pools will even be around by then? It's entirely possible that decentralized mining becomes normal with pools that don't send out universal templates that force a particular set of transactions, in which case, the cooperation scenario of mining conglomerates/quantum labs is void.
Even in the nightmare scenario, you might get large miner/quantum lab pairings that don't cooperate with the rest of the network, but my gut says they would cooperate instead. If you have 3 uncooperative chains of 50 blocks each, no exchange (or vendor, or OTC desk, or individual) is going to take deposits, especially from the conflicting transactions which spend patoshi coins. And think about what the price action will be like if there are 3 possible chains, any of which can wipe out the other. As a miner/quantum lab, you likely won't be able to cash out unless you cooperate with other miner/quantum labs so that there's 1 chain. The entire ecosystem functions because there's agreement on what the state of the Bitcoin ledger is. If you break that assumption, everything else breaks as well. So the "multi-million" bitcoin incentive to build on your own chain runs into the non-functioning of normal Bitcoin functions if you have multiple chains. The incentive will be to cooperate, because that's the cleanest path to making back whatever investment you made into quantum to find the private keys.
Incidentally, I think the scenario of quantum people just straight dumping all the coins to crash the price is extremely unlikely. Most likely, they'll try to find large buyers for the coins instead, which is what large whales do now. And if Bitcoin survives the release of the patoshi coins, I think we'd be in for a huge price increase due to the removal of uncertainty around those coins.
to protect from some malicious future person hypothetically stealing some coins we should... go ahead and steal those coins right now
But we'd be stealing them with good intentions!
Of course, of course
Logical, no? 😀
you can't steal what was already stolen before you :big_brain_explosion:
Let's do it... and we’ll just drop them into every address like a dividend! ~lol
Pick your poison: unstable consensus or confiscation precedent.
source
https://twiiit.com/robin_linus/status/2047165887354949856
Very fascinating. I haven't really thought it through, but figured this would be a good plug for my Bitcoin math primer and Bitcoin math puzzle series of posts. To evaluate the incentives for quantum labs to partner with miners, and to not mine on top of each others' blocks, requires models of miner strategic behavior, and they need to be stateful models where action depends on things like how long each miner's private chain is, how many coins they've stolen via quantum, etc.
My first instinct though, is that if this war was to break out, the effect on bitcoin's viability would be way worse than if just a single quantum attacker stole a bunch of coins. So you are offering a stronger argument for confiscating quantum-vulnerable coins than the standard argument.
"Steelman" is correct. Like, you're building a man made of steel. It's the opposite of "strawman".
Damn my joke didn't hit lol
lmao, now i get it
If you freeze those vulnerable coins, how do you unfreeze them later?
you don't
That sounds like confiscation! What if the owner shows up with the valid key before the QCs are done?
The "freeze" proposals always come with a grace period for ppl to migrate to a new QC-secure address. Owner should have plenty of time to secure their coins (usually years)
Maybe I didn't explain myself well, I was talking before quantum computers became a thing. I imagine the freezing would happen before that.
I highly doubt it. Fighting over the chain would kill the bitcoin price. A 51% fight between big players would quickly turn into one side cutting deals and building a coalition. An attacker would likely form this coalition before initiating the attack.
It's a good point. I think more mining pools should give some competition to Slipstream which would stop the RBF wars you mentioned.
As for the re-orgs, wouldn't mining pools be shooting themselves in the foot? If miners can re-org, then Bitcoin loses its value and all their mining equipment becomes worthless.
Aren't most of the large miners public companies?
That would result in massive lawsuits.
In the first days or weeks after a quantum computer moves coins, I can see something like the constant reorg battle taking place.
But it seems that once a couple days-worth of blocks have been built on a transaction stealing satoshis coins, the risk to a competitor quantum computer/miner combo starts to get high.
Sure, the subsidy + fees isn't very much compared to a million bitcoins, but it is also the case that such an attacker intending to do a really deep reorg for this purpose runs a risk of pissing off the network.
I suspect that economic nodes will accept some reorging at the beginning of a quantum era, but a deep reorg (multiple days' or weeks' worth of blocks) might be rejected by many (I don't think there are very many code-is-law folks in their heart of hearts).
For the same reason a miner with >51% hash would find it pretty difficult to force a soft fork that the network doesn't like, I suspect a deep reorg for no purpose other than to steal Satoshi's coins would be rejected. Maybe?
When (if) QC becomes the norm, so somebody will try to steal coins, fiat will no longer be the norm, maybe just in some desert or lost place on Earth...
Stealing coins to sell them for more fiat is kind of a dumb argument.
other things exist besides bitcoin and fiat. not my argument either way
I know it's not yours.
Interesting point on the bounty effect creating endless reorg incentives. But code is law still wins for me, don't touch anyone's coins preemptively. Seems like an extra temporary hurdle. Not a deal breaker.
There is nothing really new with quantum; reorg risks already exist if N-1 block reward > N block reward + 2 * block_energy_cost.
The race is converging towards marginal gain being 0, with the most solvent miners setting the chain forward and the other miners finding themselves at a deficit.
The probabilistic impossibility of catching up in the block race can be reduced to the formalization of the Gambler's Ruin as applied to bitcoin, which is already today at the ground of the network's security.
The full math and game-theory analysis can be fleshed out of course, but the point is the risk already exists today with Coinbase and MicroStrategy's centralized bags being pwned and the liquidity being leveraged to gain a persistent edge in the mining race.
Let’s be clear, I’m not making the argument to freeze Coinbase or MicroStrategy’s coins.
The miner-coalition premise is load-bearing, and worth pressure-testing against two bounds the thread has not surfaced.
One. Eyal and Sirer's 2013 selfish mining paper already worked out the threshold where a miner with roughly 25 to 33 percent of hashrate can profitably withhold blocks, depending on network propagation. Quantum bounties do not introduce a new threshold there. They change the per-block expected value for the exact same strategy we already have math for. This is a coefficient change, not a new formula.
Two. A deep reorg to steal buried coins is not free for the attacker. Every block they rewrite orphans their own coinbase from the replaced chain, and they lose any fees they had already collected. That opportunity cost compounds with depth. For a reorg of N blocks, the attacker is burning N times current subsidy plus fees in sunk rewards. That is the bound on "forever incentive to reorg." The bounty is real, but bounded by the subsidy schedule the attacker is paying into to chase it.
None of this kills the broader argument. Just sharpens the shape of the attack window.
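A toy model of the reorg-bounty incentive, added here as an illustration and not part of any comment in the thread. It combines the OP's "until the block rewards after equal the amount stolen" bound, the sunk-reward argument two comments above, and the Gambler's Ruin catch-up probability mentioned earlier; the subsidy, fee and bounty figures are constructed assumptions, and the function names are mine.

```python
# Constructed toy model (not from the thread) of the "quantum bounty" reorg incentive.
# Three pieces from the discussion are combined:
#   1. the reorg incentive persists until cumulative block rewards after the theft
#      equal the stolen amount (the OP's bound),
#   2. rewriting `depth` blocks forfeits `depth` blocks of honest subsidy + fees
#      (the sunk-reward bound from the comment above),
#   3. an attacker with hash share q overtakes an honest lead of z blocks with
#      probability (q/p)^z, p = 1-q (Gambler's Ruin, Bitcoin whitepaper section 11).
# All numbers below are assumptions chosen for illustration.
import math

SUBSIDY_BTC = 3.125   # assumed per-block subsidy
FEES_BTC = 0.5        # assumed average fees per block


def forfeited_rewards(depth, subsidy=SUBSIDY_BTC, fees=FEES_BTC):
    """Honest subsidy + fees given up by rewriting `depth` blocks (paid win or lose)."""
    return depth * (subsidy + fees)


def bounty_covered_depth(stolen_btc, subsidy=SUBSIDY_BTC, fees=FEES_BTC):
    """Depth after which cumulative honest rewards exceed the stolen amount."""
    return math.ceil(stolen_btc / (subsidy + fees))


def catchup_probability(q, z):
    """Probability that an attacker with hash share q ever overtakes a lead of z blocks."""
    p = 1.0 - q
    if q >= p:          # majority attacker eventually catches up with certainty
        return 1.0
    return (q / p) ** z


def expected_reorg_value(stolen_btc, depth, q, subsidy=SUBSIDY_BTC, fees=FEES_BTC):
    """Expected net gain (BTC) from attempting a `depth`-block reorg for the bounty."""
    return catchup_probability(q, depth) * stolen_btc - forfeited_rewards(depth, subsidy, fees)


def attack_window_blocks(stolen_btc, q, subsidy=SUBSIDY_BTC, fees=FEES_BTC, max_depth=1_000_000):
    """Smallest depth at which chasing the bounty stops paying in this model,
    i.e. how many confirmations close the attack window (None if never reached)."""
    for depth in range(1, max_depth + 1):
        if expected_reorg_value(stolen_btc, depth, q, subsidy, fees) <= 0:
            return depth
    return None


if __name__ == "__main__":
    for share in (0.3, 0.45, 0.5):
        print(f"hash share {share:.2f}: window closes after "
              f"{attack_window_blocks(1_000_000, share)} blocks")
```

With a minority attacker the window closes within a handful of blocks because the catch-up probability decays geometrically, while a 50% attacker's window only closes at the depth where forfeited rewards equal the bounty, which is exactly the OP's "until block rewards equal the amount stolen" condition.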
the hard part here isn’t the theft, it’s the transition rule.
if the first proven qc break becomes "we’ll decide case by case", every wallet, exchange, and miner now needs an oracle for finality. that breaks programmability before it breaks cryptography.
if there is a freeze path, it needs an explicit trigger, explicit unfreeze criteria, and a real migration path. otherwise you’re not solving the problem, just turning it into permanent governance.