Here’s why we shouldn’t burn quantum-vulnerable bitcoin
I’ll start by admitting I’m nowhere near as knowledgeable as Jameson Lopp when it comes to assessing the quantum threat to Bitcoin. That said, I wrote this to rebut his argument for burning quantum-vulnerable coins and explain why I believe it sets such a dangerous precedent for Bitcoin.
This is an op-ed from UTXO Management Venture Partner Guillaume Girard.
If you’re unfamiliar with the “Quantum Problem” and its implications for Bitcoin, I recommend reading Lopp’s article first: Against Quantum Recovery of Bitcoin. It provides essential context for what follows.
On the perennial problems of human intervention
The crux lies in this question from Lopp:
“I’ve started seeing more people weighing in on what is likely the most contentious aspect of how a quantum resistance upgrade should be handled in terms of migrating user funds. Should quantum-vulnerable funds be left open to be swept by anyone with a sufficiently powerful quantum computer, or should they be permanently locked?”
I’d argue that, generally, any large-scale human intervention in Bitcoin should be categorically rejected. Bitcoin was designed to avoid human “intervention” precisely because it inevitably leads to mistakes or corruption. One might claim intervention “for the right reasons” is justifiable, but that opens the door to endless subjective debates.
History is our teacher here: communists genuinely believed they were “doing the right thing” for society, yet their interventions consistently led to disaster because humans are less efficient than free markets at solving large-scale problems.
Lopp acknowledges this tension in his piece but pushes further with an intriguing point:
“I assume this is because not freezing user funds is one of Bitcoin’s inviolable properties. However, if quantum computing becomes a threat to Bitcoin’s elliptic curve cryptography, an inviolable property of Bitcoin will be violated one way or another.”
This is a fair point from first principles, but preemptively violating Bitcoin’s properties to prevent potential future violations feels wrong—like something out of Minority Report. Moreover, not all violations are equal. A quantum computing theft of bitcoin isn’t the same as a deliberate community decision to freeze funds when doing nothing remains an option. Setting aside the consequences of inaction for now, choosing to undermine Bitcoin’s ethos preemptively isn’t equivalent to the crime of quantum-enabled theft.
What constitutes “confiscation”?
Lopp argues that “confiscation” isn’t the right term for his proposal:
“I don’t think ‘confiscation’ is the most precise term to use, as the funds are not being seized and reassigned. Rather, what we’re really discussing would be better described as ‘burning’—placing the funds out of reach of everyone.”
I strongly disagree. Lest we stumble into a Ceci n’est pas une pipe-esque discourse, let’s call a pipe a pipe – this is 100% confiscation. Dressing it up as “burning” feels like semantic sleight-of-hand reminiscent of euphemisms like “re-educating valued workers” used to downplay political purges in Siberia. I’m not labeling Lopp a communist here; my point is that rephrasing doesn’t change reality. This is preventive confiscation of perfectly valid coins, vulnerable or not.
Given Lopp’s well-known Bitcoin stance, I don’t assume he’d support arbitrary coin seizures. But this proposal risks opening a dangerous door. Today, it’s quantum-vulnerable coins; tomorrow, it could be something else. Imagine: “Greetings from the Department of Bitcoin Wizardry. Your self-custodied bitcoins are vulnerable, so we recommend burning them to prevent potential losses.”
Moral and philosophical opposition to Lopp’s solution
Lopp neatly sums up what he calls the “Ethical Dilemma,” or which action causes the least harm to Bitcoin’s principles. He then weighs the pros and cons of allowing or preventing quantum adversaries from seizing funds. I have no critique here; his analysis is spot-on. (Again, read his article for the full picture.)
After laying out the trade-offs, Lopp explains how he’d burn quantum-vulnerable coins, concluding with:
“While the moral quandary of violating any of Bitcoin’s inviolable properties can make this a very complex issue to discuss, the game theory and incentives between burning vulnerable coins versus allowing them to be claimed by entities with quantum supremacy are a much simpler issue. I, for one, am not interested in rewarding quantum-capable entities by inflating the circulating money supply just because some people lost their keys long ago and some laggards are not upgrading their Bitcoin wallet’s security. We can hope that this scenario never comes to pass, but hope is not a strategy.”
I struggled with this conclusion. Lopp seems to meticulously present both pros and cons, yet he ends with what feels like disdain for “laggards” and those who’ve lost keys. Couldn’t one argue that people who’ve lost their keys might one day recover them via a quantum recovery service? Yes, the first movers in quantum tech would likely prioritize theft—I get that—but it’s not a guarantee. Confiscating those coins reduces their recovery odds to zero; doing nothing leaves a slim, conceptual chance.
Plus, who decides which quantum-vulnerable coins are “lost”? Ten years of on-chain inactivity? Nine? Five? An old address type? You see the slippery slope.
Lopp suggests a four-year migration window for “laggards” to switch to quantum-resistant addresses. But what about the risks of that migration? What if I, an imaginary foolish bitcoiner, prefer sticking with my old addresses over untested new ones? Forcing me to comply feels antithetical to Bitcoin’s ethos. “Bitcoin is for enemies” means it’s also for laggards. Everyone should have the freedom to choose. From my reading of Lopp’s piece, he opposes this liberty. This is what drove me to write this piece. I would agree that his solution is pragmatic, but I reject imposing it on everyone. Confiscation is unacceptable.
The consequences of allowing quantum-theft, and bearing the weight of this decision
To close, I’ll broaden the discussion to what I’d call “my ability to live with the consequences.”
By now, you’ve gathered I oppose coin confiscation, whatever the justification. But if I’m being honest, faced with thieves quantum-filching millions of bitcoin—potentially crashing bitcoin to zero or shattering confidence in the protocol—I’m not sure I’d stick to the moral high ground.
After all, there is a very real possibility that such an attack would mean the end of bitcoin in the minds of most people, effectively putting an end to the most significant monetary experiment in two millennia. Could I live with the knowledge that it could have been avoided, but we chose to do nothing for the sake of intellectual purity?
I do not have an answer for you. The only thing that I can tell you is that I started my teenage years as a fervent Libertarian, but as I became older, I’ve realized that real life is not always 100% compatible with libertarian ideas. Sometimes you just need to f*** things up and go against “the ideal” in favor of what is the best solution. The best way to describe myself now is something like this: Economically libertarian but socially conservative. Could I grow into a similar philosophical alignment with Bitcoin in the future? God only knows.
This is why I believe we must keep debating the quantum threat Lopp raises. For or against, it demands rigorous discussion—ideally by minds sharper than mine.
Exploring a third option
During my research for this piece, I’ve come across a few tidbits of information that I thought would be interesting to share with the most curious readers.
- Hunter Beast has already proposed a BIP to bring Post-Quantum Cryptography (PQC) to Bitcoin with a new address type. More information on BIP-360: Pay to Quantum Resistant Hash
- A third option not explored in this article could be the perfect solution to the dilemma outlined above, and it’s called Hourglass. Proposed by Hunter Beast as well, the proposal tries to be the “least damaging” option and is currently under review by developers:
“Hourglass mitigates the downsides of both “confiscatory” and “liquidation” approaches – by limiting the potential supply shock of a quantum event, without burning coins or flooding markets. Relative to other approaches, Hourglass is also the most incentive-compatible with miners. If P2PK spends are limited to 1 per block, it is possible we will see potential bidding wars for these transactions at the fee level – redistributing some of the funds accrued through quantum retrieval to miners in the form of high fees.”
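To make the rate limit in that quote concrete, here is an added sketch (not code from the Hourglass proposal or from any Bitcoin implementation) of a block-validity check and a fee-greedy block builder under a one-P2PK-spend-per-block rule. It assumes the limit counts spent P2PK outputs, ignores block size limits, and uses hypothetical transaction fields (`id`, `fee`, `spent_scripts`) with constructed sample data.

```python
# Added illustration; not code from the Hourglass proposal or Bitcoin Core.
OP_CHECKSIG = 0xAC
PUSH_FOR_LEN = {35: 0x21, 67: 0x41}  # script length -> pubkey push opcode

def is_p2pk(spk: bytes) -> bool:
    """True for '<33- or 65-byte pubkey> OP_CHECKSIG'."""
    push = PUSH_FOR_LEN.get(len(spk))
    return push is not None and spk[0] == push and spk[-1] == OP_CHECKSIG

def p2pk_spends(tx) -> int:
    return sum(is_p2pk(s) for s in tx["spent_scripts"])

def block_is_valid(txs, limit=1) -> bool:
    """Assumed rule: at most `limit` P2PK outputs spent per block."""
    return sum(p2pk_spends(tx) for tx in txs) <= limit

def build_block(mempool, limit=1):
    """Greedy by fee; skip txs that would exceed the P2PK limit."""
    block, used = [], 0
    for tx in sorted(mempool, key=lambda t: t["fee"], reverse=True):
        n = p2pk_spends(tx)
        if used + n <= limit:
            block.append(tx)
            used += n
    return block

def simulate(mempool, limit=1):
    """Return the tx ids confirmed in each successive block."""
    pending, blocks = list(mempool), []
    while pending:
        block = build_block(pending, limit)
        if not block:  # remaining txs can never satisfy the limit
            break
        blocks.append([tx["id"] for tx in block])
        pending = [tx for tx in pending if tx not in block]
    return blocks

# Constructed sample scripts and mempool (fees in satoshis).
P2PK_C = bytes([0x21, 0x02]) + bytes(32) + bytes([OP_CHECKSIG])
P2PK_U = bytes([0x41, 0x04]) + bytes(64) + bytes([OP_CHECKSIG])
P2WPKH = bytes([0x00, 0x14]) + bytes(20)
MEMPOOL = [
    {"id": "a", "fee": 50_000, "spent_scripts": [P2PK_C]},
    {"id": "b", "fee": 20_000, "spent_scripts": [P2PK_U]},
    {"id": "c", "fee": 90_000, "spent_scripts": [P2PK_C]},
    {"id": "d", "fee": 1_000, "spent_scripts": [P2WPKH]},
]

if __name__ == "__main__":
    print(simulate(MEMPOOL))
```

With three competing P2PK spends, the highest-fee one confirms first and the others wait one block each, which is the fee-level bidding the quote anticipates.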
All of that said, quantum-resistant signatures are not perfect and come with their own problems:
- Transaction size and fees: Quantum-resistant signatures are significantly larger than traditional signatures, increasing transaction size and transaction fees. Users and wallet developers should be aware of this and plan accordingly. For example, for CRYSTALS-Dilithium Level I, a single public key is 1,312 bytes, and a signature is 2,420 bytes, resulting in a substantial increase compared to ECDSA or Schnorr signatures.
- Performance Impact: Verifying quantum-resistant signatures will be computationally more intensive, and any attestation discount will also increase storage requirements. Node operators should consider the potential impact on resource usage in the long term. Developers may need to optimize signature verification implementations, especially by implementing caching for key generation.
Thank you for reading – Vires in Numeris.
GG