1. Allow anyone to steal vulnerable coins, benefitting those who reach quantum capability earliest.

"Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone."

Think of it as a theft from everyone

Not necessarily. Operating quantum computers costs a lot. For example no one will run computations if it costs 100M to break 50M worth UTXO. Of course with technological and algorithmic improvements the cost of breaking a key will go down.

But as costs go down each quantum-computer owner is faced with dillema, they:

1. either hack the UTXO ASAP pocketing the small difference between value-of-UTXO and cost-to-break-it
2. or wait for further advancement to increase margin profit

Due to game-theory we can expect quantum-computer-owners to go for option 1. They won't go for option 2, because they don't know if other players will also go for option 2. It introduces race-to-the-bottom dynamics between competing players in which cost-to-break-UTXO approaches value-of-the-UTXO.

Does it seem similar to something? Yeah, bitcoin mining in which average-cost-to-mine-one-bitcoin approaches value-of-one-bitcoin.

Quantum UTXO hacking can be framed as another parallel process of proof-of-work mining, but with the quantum-computers instead of SHA hashing chips. And as such I don't think it is something to deem negative.

incentivize migration

If the threat were real (super-positional whether it is or not), that is the incentive.

Forced movement is a non-starter, ones desire to quantum-proof their key does not impart a responsibility on anyone else.

No one can be forced to move their coins to quantum safe signature schemes.

On the flip side, no one can be forced to accept coins from quantum vulnerable signature schemes.

On the flip side, no one can be forced to accept coins from quantum vulnerable signature schemes.

If you receive abandoned coins that you suspect were stolen by QC, you can burn them. No one is forced to honor them.

You're not afraid people will be forced to accept coins, but that they will happily accept them. This undermines your previous argument.

This is not a technical BIP, it's a vanity one trying to impose a view on the market.

secure the value of the UTXO set

A functional QC would effectively be a winner-take-all coins, candidates in the running to have it already have access to a material number of coins (Google, Microsoft have countless passwords emails 2FA to custodial platforms and password managers containing seeds, backdoored OS's, softkeyboards... etc).

A QC could also sign for any software distribution as it could bitcoin keys, enabling untold new backdoors into systems. There's no change to Bitcoin that can protect Bitcoin from a QC threat (hoax) because Bitcoin is not the only link in the chain.

1. Allow anyone to steal vulnerable coins, benefitting those who reach quantum capability earliest.

"Quantum recovered coins only make everyone else's coins worth less. Think of it as a theft from everyone."

Think of it as a theft from everyone

Not necessarily. Operating quantum computers costs a lot. For example no one will run computations if it costs 100M to break 50M worth UTXO. Of course with technological and algorithmic improvements the cost of breaking a key will go down.

But as costs go down each quantum-computer owner is faced with dillema, they:

1. either hack the UTXO ASAP pocketing the small difference between value-of-UTXO and cost-to-break-it
2. or wait for further advancement to increase margin profit

Due to game-theory we can expect quantum-computer-owners to go for option 1. They won't go for option 2, because they don't know if other players will also go for option 2. It introduces race-to-the-bottom dynamics between competing players in which cost-to-break-UTXO approaches value-of-the-UTXO.

Does it seem similar to something? Yeah, bitcoin mining in which average-cost-to-mine-one-bitcoin approaches value-of-one-bitcoin.

Quantum UTXO hacking can be framed as another parallel process of proof-of-work mining, but with the quantum-computers instead of SHA hashing chips. And as such I don't think it is something to deem negative.

Quantum sweeping does not generate consensus, it only funds quantum. Quantum computing isn't bad in itself, it will advance material science far beyond what can be done with classical supercomputers. But it's a mess for everyone if it ends up crashing crypto in the process, so it's better to close as much of the surface of attack as possible to make sure we don't end up with wicked incentives.

On the flip side, no one can be forced to accept coins from quantum vulnerable signature schemes.

If you receive abandoned coins that you suspect were stolen by QC, you can burn them. No one is forced to honor them.

There is no way to know, those transactions are indistinguishable from legit ones, the attacker is literally signing with your private key.

You're not afraid people will be forced to accept coins, but that they will happily accept them. This undermines your previous argument.

This is not a technical BIP, it's a vanity one trying to impose a view on the market.

secure the value of the UTXO set

A functional QC would effectively be a winner-take-all coins, candidates in the running to have it already have access to a material number of coins (Google, Microsoft have countless passwords emails 2FA to custodial platforms and password managers containing seeds, backdoored OS's, softkeyboards... etc).

A functional CRQC will be expensive ($1B-$10B) and only break a finite number of keys per year, it's not infinitely powerful which means that their use will be driven by incentives. The Bitcoin community must decide if they want to be the exit liquidity of quantum computing companies. This BIP proposes a way to reduce the surface of attack as much as possible.

A QC could also sign for any software distribution as it could bitcoin keys, enabling untold new backdoors into systems. There's no change to Bitcoin that can protect Bitcoin from a QC threat (hoax) because Bitcoin is not the only link in the chain.

A lot of links in the chain have started upgrading.
38% of HTTPS traffic is already using PQC encryption on CloudFlare:
https://radar.cloudflare.com/adoption-and-usage#post-quantum-encryption-adoption
Kyber has been supported by Chrome since 2023.
Software signing must still be upgraded on Github.
Banks are roadmapping their own upgrade: https://www.bis.org/publ/bppdf/bispap158.htm
Bitcoin is one of the easiest and most profitable target but one of the most difficult to upgrade because of its decentralized nature. While upgrading to stronger signatures, the community must decide what to do with the lost coins.

I read about your BIP on CoinDesk. It's mind-blowing and thank you for leading the way. Post-quantum migration should be pro-active rather than reactive.

Please keep the comments focused on technical review -- thank you.

This BIP is hostile for the Bitcoin community and the entire Bitcoin network because it is saying that you can't spend in the future non-quantum compatible funds.

Simultaneously, this BIP is hostile for quantum capable adversaries because it is saying that you can't steal bitcoin with your fancy computer.

I think @jlopp also need a disclamer, see: https://qb.tc/team

When I wrote my initial essay 4 months ago I was not collaborating with anyone. This BIP is a continuation of those same ideas I came up with independently.

This BIP is hostile for the Bitcoin community and the entire Bitcoin network because it is saying that you can't spend in the future non-quantum compatible funds.

I think @jlopp also need a disclamer, see: https://qb.tc/team

NOTE: As a miner starting in November of 2013 who has invested more into the ecosystem than most... When I invested in the QBTC team (Great team all Bitcoiners by the way) it was because we agreed with Lopp essay and we reached out to collaborate. Q-day is coming sir and Lopp proposal is the best I have seen and should be supported.

Openly saying that we can't spend in the future non-quantum compatible funds, is hostile for the Bitcoin community and the Bitcoin network!

If I have Bitcoin from 2011, I will not able to spend it in the future or receive Bitcoin to my address?

I've attempted to remove the ad hominem and replies to it. @1BitcoinBoWP1FZ4xwTNkq6XksKidmgYYw, there's no need to repeat the same argument.

Let's keep discussion here focused on technical review of the BIP itself.

@jonatack he proposed nothing technical in nature. He just want us to not able to spend our Bitcoins in the future. I find not a single technical proposal in this BIP draft.

@jonatack he proposed nothing technical in nature. He just want us to not able to spend our Bitcoins in the future.

False. In the event that quantum computers become a reasonable threat, I want people not to be able to spend their coins in a manner that is indistinguishable from quantum theft. As such, I want spending restricted so that it requires a quantum safe cryptographic proof accompanying it.

You don't have to restrict any spending! That is just absurd. You should instead just propose hybrid addresses that are quantum resistant and also backwards compatible with ECDSA.

I also don't understand what is this rush. You seem like someone who very much would like to enforce on us the "spending restriction".

Quantum computers would need ≥ 1 million physical qubits and this must be logical qubits (error-corrected). We are very-very far from any quantum computer that would pose a threat to Bitcoin.

Estimates suggest this kind of quantum computers would exist after the year of 2040. So don't need to rush and block transactions now just because you're afraid of imaginary quantum computers.

You don't have to restrict any spending! That is just absurd. You should instead just propose hybrid addresses that are quantum resistant and also backwards compatible with ECDSA.

This BIP has no intention of addressing the separate issue of what post quantum cryptographic scheme to implement.

I also don't understand what is this rush. You seem like someone who very much would like to enforce on us the "spending restriction".

This BIP has no intention of addressing the separate issue of when to implement a post quantum cryptographic scheme.

This BIP only addresses the migration and incentives issues that arrive AFTER those questions have been resolved.

In short, it sounds like you have not comprehended the actual timeline and preconditions of activating this BIP.

You're free to propose a BIP to compete with BIP-360 and then we'd evaluate how it would affect the need for this BIP.

I strongly consider it.

@jlopp
Here is our BIP titled: Quantum-Resistant Transition Framework for Bitcoin
https://github.com/bitcoin-foundation/bips/blob/master/bip-quantum-resistant-transition-framework-for-bitcoin.mediawiki

Will send it now to the mailing list before opening a new PR.

The assertion that '''quantum algorithms are rapidly improving''' is misleading. The specific algorithm that jeopardizes Bitcoin's cryptography, Shor's algorithm, has been a known entity since the 1990s and has not undergone fundamental change.

This BIP proposal strikes me as highly alarmist and unprofessional. Moreover, it appears to have bypassed the essential, consensus-driven process of the Bitcoin Development Mailing List, as I have not observed any discussion indicating this proposal was ready for a formal pull request.

Note: I am an author of a competing draft BIP presently under review on the mailing list.

The assertion that '''quantum algorithms are rapidly improving''' is misleading. The specific algorithm that jeopardizes Bitcoin's cryptography, Shor's algorithm, has been a known entity since the 1990s and has not undergone fundamental change.

The algorithm here is referring to underlying algorithms that make the QC hardware more effective and require fewer physical qubits for a factoring task.

Shor's algorithm requires a certain number of logical qubits to perform a task in a period of time. The hardware provides a certain number of physical qubits, so the question then becomes how many physical qubits are needed to make a logical qubit and thus how many physical qubits are needed to run Shor's algorithm attack on a particular key size. We are seeing rapid progress in the quantum algorithms that reduce the number of physical qubits needed for a logical qubit and thus accelerate Shor's Algorithm.

In the specific of this work How to factor 2048 bit RSA integers with less than a million noisy qubits (may, 2025) which states:

"In Gidney+Ekerå 2019, I copublished an estimate stating that 2048 bit RSA integers could be factored in eight
hours by a quantum computer with 20 million noisy qubits. In this paper, I substantially reduce the number of qubits required. I estimate that a 2048 bit RSA integer could be factored in less than a week by a quantum computer with less than a million noisy qubits."

That's a 20x improvement. Now as far as I can tell, this specific paper uses a technique that only applies to RSA and doesn't improve on factoring attacks against the elliptic curve cryptography used by Bitcoin. That said, the very fact that we are seeing this sort of rapid improvements in quantum factoring is worrying.

Moreover, it appears to have bypassed the essential, consensus-driven process of the Bitcoin Development Mailing List, as I have not observed any discussion indicating this proposal was ready for a formal pull request.

It seems to me that there are some misconceptions about the BIPs process and the purpose of the BIPs repository. BIPs start as personal recommendations by the authors to the community. The BIPs repository is a central publication medium for collating these author documents in one highly visible location. Generally, it’s preferable if ideas are met with interest and encouragement before they are elaborated into fleshed out submissions, and there are editorial standards to help keep the repository’s content relevant. Other than that, publication basically only hinges on the submission being on-topic and sufficiently mature. As proposals get adopted by the community, the community takes on more ownership of proposals, but especially in the Draft stage and even up to the Proposed stage, BIPs should not be construed as endorsed whatsoever by anyone except the authors and other explicit proponents.

For this particular proposal, the mailing list thread presenting the idea for this BIP collected 22 emails and a number of replies indicated interest or support for the idea which absolutely should encourage the would-be BIP author to submit their document to this repository.

Let’s refer to this as BIP 361. Please:

• Update the BIP header in the preamble
• Update the Assigned header in the preamble to 2026-02-11
• Add an entry for your BIP in the README.mediawiki file
• Rename your document’s file to bip-0361.mediawiki

Alright, there are still several things I've been wanting to add, just hasn't been a high priority since this is a far-future plan. Will aim to get some updates pushed in the next week.

Made the requested changes though I'm not clear on how to resolve the current failing diff check.

Given that proposals can be further developed in Draft stage and this is predominantly a proposed outline how to further react to the quantum thread, would you perceive your document to be ready for publication?

Yes, I think it's pretty well baked for now. The 2 outstanding issues are going to need a lot of time for R & D.

1. A quantum resistant scheme that gains consensus.
2. A quantum resistant zero knowledge proof scheme for recovering funds that don't migrate before the ECC deprecation deadline.

This is the BITCOIN IMPLEMENTATION PROPOSAL repository not some personal blog for essay and media attention grabbing that in essence completely nonsense masquerading as a solution.

@SHAKE256: The Bitcoin Improvement Proposals repository is a publication medium to put proposals forth to the Bitcoin community. This document is a recommendation by Lopp et al to the community. My assessment is that this document is nearing sufficient maturity to be published in Draft status to the repository. Neither number assignment nor publication should be construed as endorsement by the BIP Editors. Publication does not convey anything about the community sentiment or likelihood of ecosystem adoption either. It simply means that it’s on-topic; and its publication serves to facilitate community consideration.

It’s not clear to me what conflict of interest you perceive. I’m not, nor have I ever been, paid by Jameson, I do not financially benefit from adoption of this proposal. I do not have any stake in any pro- or anti-quantum computing ventures. In fact, I don’t think that the quantum threat is going to substantiate at all in the next few decades. However, it still seems pertinent that these ideas be discussed as others obviously are already concerned about quantum threats.

If you have any arguments why you think this is not on-topic or not ready, or would like to raise specific issues concerning the content of the proposal that have been insufficiently addressed, those might be relevant regarding its readiness for publication—just thinking that it shouldn’t be adopted is not.

Your style reminds me of two other accounts that posted here before: https://github.com/1BitcoinBoWP1FZ4xwTNkq6XksKidmgYYw and https://github.com/21btc12VnSa25vj8pWh2wvBScs16Hx. Would you happen to be the same person?

@SHAKE256 I understand some of your points, e.g., that this in some ways seems more a blog post than a technical BIP (and the "fail to upgrade and you will certainly lose access to your funds" aspect seems potentially controversial). However, please keep your comments focused here on technical review. I've "hidden" some of them, but they are still viewable. It isn't helpful to repeat them. Rather, it would add more value to omit further personal and/or blanket criticism in favor of specific comments to improve here.

Isn't this "BIP" depends on another one? This should not be allowed to be merged until the other is properly adopted.

I think that aspect could be clearer in this draft (at least, to me), but apart from clarity I believe it's not a blocker in terms of BIPs process as specified in BIP 3.