Damus
matt
> First, stop assuming they're Satoshi's. We don't know that.

Fair, thanks for highlighting it. Doesn’t particularly matter to this discussion though.

> Second, when/if they are spent, we won't know how the private key was known to the spender. Quantum's existence won't change that epistemic limitation.

Sure, but the decision a future Bitcoin community will make won’t come after early coins start moving, it would come before then. In a world where it is clear to everyone that a CRQC is *going* to become reality in 2-5 years the Bitcoin community has two choices:
* disable now-clearly-insecure spend paths, allowing those with keys derived from a seedphrase to retain their coins but burning any coins that are not and have not migrated to some post-QC output type
* allow all coins using now-clearly-insecure spend paths to be stolen, absolutely trashing Bitcoin’s reputation as a secure system.

I find it *incredibly* unlikely that the market decides to value fork b over fork a.

> Third, there is no "we" to make such a choice.

There will be a fork because *someone* will build it and the market will decide which is more valuable. That’s ultimately always how Bitcoin decides.

> No group of people have the right to confiscate coins, no matter how rational the reason.

In this scenario the coins will be confiscated or burned no matter if a fork happens or not. That’s the important part here. Burning >>> theft, imo.

> And to *anyone* (not Matt specifically) who is worried about the market effect of huge selling, consider the market effect of the precedent of freezing coins at the protocol layer. Everything is a one-time exception until it isn't.

Worth raising again here that no coins derived from a seedphrase would be burned. So strictly speaking no one knows whether any given coin is burned or not. Also possible to do something like allow coins to pre-commit on chain to a new private key via blinded signature that can be revealed later - that way you could spend your coins post-CRQC without doing so pre-fork.

> Notice that that last point is not wrong because "if QC then all btc is worthless"; we are discussing the scenario of there being a migration path but old plain pubkey holders don't use it

Imo the reputational damage of “lol, Google stole 2M bitcoin and is selling it, what a dumb fucking coin” is way worse than you’re making it out. But, again, it’s highly dependent on exactly the state of QC and how public it is at the time. This isn’t something you or I can really decide and ultimately it’s up to the market at the time to pick what it wants bitcoin to be.