Szabi ⚡

THIS IS BIG. A Bitcoin developer has built a working prototype that protects your wallet from quantum computers. Even if Bitcoin is forced to shut down part of its own security system to protect itself. To understand why this matters you need to understand the problem first. Every Bitcoin wallet is secured by a cryptographic signature scheme built on elliptic curve mathematics. The security assumption behind this system is that deriving a private key from a publicly visible public key requires computational work that classical computers cannot perform within any practical timeframe. Quantum computers running Shor's algorithm can break that assumption. Google researchers published findings last week showing a quantum computer could compromise Bitcoin's core cryptography in as little as nine minutes, using significantly fewer physical qubits than prior estimates required. The threat is not immediate but the timeline is compressing faster than most researchers projected. Now here is where it gets complicated. Bitcoin's Taproot upgrade, activated in 2021, improved transaction efficiency and privacy across the network. But by design it permanently exposes the public key of every Taproot wallet on the blockchain. Because that public key is permanently recorded and publicly visible, a sufficiently powerful quantum computer could use it to derive the corresponding private key and drain the wallet at any point in the future. Approximately 6.9 million Bitcoin across Taproot and older P2PK address formats are already in this exposed state. The developer community has a contingency plan for this scenario. If quantum computers advance to the point where this becomes an active threat, Bitcoin could activate an emergency soft fork that disables the key path spend in Taproot, which is the specific spending mechanism a quantum attacker would exploit. This closes the vulnerability before it can be exploited. But this emergency response introduces a serious secondary problem that nobody had resolved until now. The vast majority of modern Bitcoin wallets, particularly single signature Taproot wallets, rely entirely on that key path spend mechanism and have no alternative spending path configured. If Bitcoin disables that mechanism network wide, those wallets have no remaining method to authorize transactions. The funds inside them become permanently inaccessible, not stolen, but completely unspendable even by their rightful owners. The same upgrade designed to protect users could permanently strand their funds. This is the problem that Olaoluwa Osuntokun, chief technology officer of Lightning Labs, just solved with a working prototype posted to the Bitcoin developer mailing list yesterday. His solution uses a zk-STARK proof, which stands for zero knowledge scalable transparent argument of knowledge. In practical terms this means the following. Every Bitcoin wallet is ultimately derived from a master seed, typically the 12 or 24 word recovery phrase generated when the wallet is first created. All keys in the wallet are mathematically derived from that seed following a deterministic standard called BIP-32. Osuntokun built a system that generates a cryptographic proof demonstrating that a specific public key was derived from a specific master seed via the standard BIP-32 derivation path, without revealing the seed itself or any intermediate private key material. The Bitcoin network can verify the proof and authorize the wallet owner to move their funds, bypassing the disabled signature mechanism entirely. The prototype generates a valid proof in 50 seconds on a standard MacBook using Metal GPU acceleration, consumes approximately 12 gigabytes of RAM during proof generation, and produces a final proof of 1.7 megabytes. Osuntokun acknowledged the codebase is largely unoptimized and that a production implementation built specifically for this statement would run significantly faster and produce smaller proofs. He also noted that multiple proofs could be aggregated into a single compact proof to reduce on-chain verification overhead. Cryptographically relevant quantum computers capable of executing this attack do not exist today. What has changed is that Google's latest research has materially lowered the estimated resource requirements for such an attack, and the practical timeline is now closer than the field previously assumed. What is also new is that the developer community now has a working prototype of one of the critical tools needed to execute an emergency quantum defense without permanently locking legitimate holders out of their own funds. A problem that has existed in theoretical discussions for years has now produced a concrete technical implementation.

I’m tired of repeatedly describing this attack, so I’ll write it out once more and reference this post. A CSAM Flood Attack is when a well-funded enemy (e.g. central banking cartel) “floods” the network with a brutal, relentless, never-ending stream of “spam” with the intent of rebranding bitcoin from money to CP db. This coincides with a ruthless PR campaign and political platform. Because Trump has politicized bitcoin, haters of all kinds will gladly hop onboard, making 2028 an attractive time to launch. An attack using OP_RETURN (no discount) to embed one 100kb image per block at 10 sats/vb every 10 minutes for one year currently costs about $60 million, a pittance. In fact, the attacker will profit, using foreknowledge of the timing to speculate on derivatives. We will find ourselves in the untenable position of defending a chain we inexplicably allowed to become saturated in child rape pics. Bitcoin will be tarnished, rightfully so at this point, and beyond redemption in the minds of many. Goodbye normie savers, sound money lovers, ETF buyers and treasury bros. Goodbye price. Goodbye monetary revolution, freedom from fiat slavery. All because we were too stubborn or too stupid to take simple actions to mitigate our greatest and most obvious threat.

Don't let the bad actors trick you into thinking Bitcoin Core 30 allows you to re-enable the datacarrier limit: 1) Along with unlimiting the default, they also broke it further. datacarriersize=83 now (as of Core 30) allows for 83 outputs totalling 830 bytes of spam, instead of just 92 bytes of spam (9 bytes of which couldn't be arbitrary) as in Core 29 and earlier. 2) datacarriersize is marked as deprecated, and explicitly planned to be removed in a future release (likely silently, since "it's already deprecated"). 3) Core never fixed the Inscription exploits (CVE-2023-50428 and CVE-2024-34149) which allow spammers to bypass the datacarriersize limit. The only way forward now is a mass migration to Knots. Not the way I wanted things to go, but Core has given us no other choice. Once this is resolved, we should avoid putting all our eggs in one basket, and encourage the creation and use of multiple clients.

You missed your chance to save in bitcoin and retire after 1-2 years. You missed your chance to save in bitcoin and retire after 2-4 years. You missed your chance to save in bitcoin and retire after 4-8 years. And now you’re missing your chance to save in bitcoin and retire in 8-16 years. The longer you wait to start saving in bitcoin, the longer it takes to have enough to retire.