Avoiding An Unnecessary Quantum Freeze

Abstract: We present another mechanism for mitigating the impact of any quantum-related coin freeze. We explore a softfork that would only activate a full freeze if it is proven that a quantum computer capable of stealing bitcoins actually exists. This is achieved by creating a special canary fund of quantum vulnerable coins, where the fund address and public key were generated using a Nothing-Up-My-Sleeve Number system, proving that nobody knows the private key. Any spend from this address would immediately trigger a full quantum freeze. While this approach adds complexity and risk, given how controversial any coin freeze is, mitigating the impact of the freeze using this type of system may be worth considering.


Overview

We have published three pieces as part of a series on preparing Bitcoin for quantum computers.

  1. Quantum Safe Lamport Signatures

  2. Taproot Quantum Spend Paths

  3. Mitigating The Impact Of The Quantum Freeze

In this fourth piece, we follow on from our article “Mitigating The Impact Of The Quantum Freeze” by suggesting further mitigations. There is considerable uncertainty over when, and if, a relevant quantum computer may arrive. At the same time, any coin freeze softfork will require a long multi-year lead time, to give people time to prepare and to preserve Bitcoin’s censorship resistance as much as possible. These two competing constraints on the schedule could come into conflict, which could be a significant problem. Therefore, it may be appropriate to attempt to mitigate the extent of the freeze as much as possible, even at the cost of greater complexity. In this article, we argue that we should attempt to avoid a complete freeze altogether, unless it is proven that a quantum computer has actually arrived. This should be treated as an alternative or complement to the quantum safe recovery schemes discussed in our previous article.

BIP-361

Yesterday, BIP-361, entitled “Post Quantum Migration and Legacy Signature Sunset”, was merged into the Bitcoin BIP repository. The BIP suggests a softfork that first bans sending to quantum vulnerable addresses for a period of three years; then, in a second phase, quantum vulnerable spends themselves are banned (AKA a freeze), taking effect after another two years.

The BIP-361 proposal has proved controversial because of the freeze. Opponents of the freeze tend to argue that users are responsible for safeguarding their own funds, so a protocol freeze is not necessary, and that a freeze damages the core censorship resistance property that gives Bitcoin its value. After all, if users choose not to migrate to a quantum safe output, perhaps they want their funds to be used as a bounty system to further science and help develop quantum technology. In addition, some argue that there is insufficient evidence that relevant quantum computers will be developed.

The Canary Approach

Instead of a freeze softfork activating in five years, an alternative is that in five years we instead enter a canary watch state. If it is proven, onchain, that a relevant quantum computer exists, the canary activates and the freeze immediately takes effect. If the canary does not activate, the quantum vulnerable coins can still be spent as normal, or perhaps with the outputs of the spending transaction unspendable for a predetermined safety window, like the 100-block period during which coinbase outputs cannot be spent.

Nothing-Up-My-Sleeve Number (NUMS)

One could generate a quantum vulnerable Bitcoin address and publish a proof which demonstrates that the person who created the address does not know the private key, but that the address still represents a valid point on the elliptic curve, so any coins at this address could be spent in theory. The public key would also be published. The quantum migration softfork could mark this address as a special address, the canary address. If there is a valid spend from this address, then the softfork banning quantum vulnerable spends could immediately activate.
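As an added illustration of how such a proof works (this is example code written for this article, not code from BitMEX Research or any BIP), the script below derives a secp256k1 point by hashing a public seed and lifting the digest to an x-coordinate, the same hash-to-x construction BIP-341 uses for its unspendable internal key. The seed string and counter scheme are constructed for the example. Because the point comes from a hash output rather than from multiplying the generator by a chosen scalar, anyone claiming to know its private key would be claiming to solve a discrete logarithm; the verifier re-derives the point and also checks that the publisher used the smallest counter that lands on the curve, removing any freedom to grind candidates.

```python
import hashlib

# secp256k1 field prime and curve constant (y^2 = x^3 + 7 mod P); public constants.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
B = 7


def lift_x(x: int):
    """Return the point (x, y) with even y if x is a valid secp256k1 x-coordinate, else None."""
    if x >= P:
        return None
    c = (pow(x, 3, P) + B) % P
    y = pow(c, (P + 1) // 4, P)  # modular square root; valid because P % 4 == 3
    if (y * y) % P != c:
        return None  # x^3 + 7 is not a quadratic residue, so no point has this x
    if y % 2 == 1:
        y = P - y
    return (x, y)


def x_candidate(seed: bytes, counter: int) -> int:
    """Candidate x-coordinate: SHA-256(seed || counter) read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(seed + counter.to_bytes(4, "big")).digest(), "big")


def nums_point(seed: bytes):
    """Derive a NUMS point from a public seed; returns (point, counter).

    Roughly half of all x values lie on the curve, so the loop ends after a few tries.
    Nobody learns a private key here: the point was never computed as k*G for a known k.
    """
    counter = 0
    while True:
        pt = lift_x(x_candidate(seed, counter))
        if pt is not None:
            return pt, counter
        counter += 1


def compressed_pubkey(pt) -> bytes:
    """33-byte SEC1 compressed encoding, the form a wallet would hash into an address."""
    x, y = pt
    return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")


def verify_nums(seed: bytes, counter: int, pubkey_hex: str) -> bool:
    """Re-derive the point from the published (seed, counter) and check it matches.

    Also insists the counter is the smallest one that works, so the publisher could not
    have skipped valid candidates to pick a key with some property they preferred.
    """
    for earlier in range(counter):
        if lift_x(x_candidate(seed, earlier)) is not None:
            return False
    pt = lift_x(x_candidate(seed, counter))
    return pt is not None and compressed_pubkey(pt).hex() == pubkey_hex


if __name__ == "__main__":
    seed = b"bitcoin quantum canary v1"  # constructed example seed, not a real proposal value
    pt, ctr = nums_point(seed)
    key = compressed_pubkey(pt).hex()
    print(f"counter={ctr} pubkey={key}")
    print("verifies:", verify_nums(seed, ctr, key))
```

The published proof is just the seed string and the counter; any node operator can re-run the derivation and hash the resulting key into a P2PKH or P2WPKH address in the usual way. The one thing the construction cannot do is prove the seed itself was not chosen adversarially, which is why a recognisable, pre-committed seed (a well-known constant or document hash) is preferable to an opaque random string.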

The Canary Fund

In order to incentivise any entity with a powerful quantum computer to activate the canary, users could donate Bitcoin to the canary address, creating a quantum bounty. Investors in this fund need not give up their money forever: they could send the funds to a 1-of-2 multisignature output, where one public key is their own and the other is the one associated with the canary address. The investor can then withdraw their Bitcoin from the incentive fund whenever they like.

The size of the fund could be too small to incentivise the entity with a quantum computer to claim these funds and they could claim other funds instead. That is an inherent risk of this scheme. However, if the lab that develops the first quantum computer is a large regulated reputable entity, they may choose this approach, rather than the approach of stealing other people’s funds.

The Safety Window

Five years after activation, BIP-361 will “reject transactions that rely on ECDSA/Schnorr keys”. Instead of this rejection, these quantum vulnerable spends could still be allowed. They could be allowed in the same way coinbase outputs are allowed, with the outputs unspendable for 100 blocks. Instead of 100, another number could be chosen, for instance 50,000 blocks (around 1 year). If the canary activates within the safety window, the coins would be immediately frozen; if not, after the 50,000 block window expires, the coins could be treated as normal coins and become freely spendable.

Choosing how long this safety window should be will be difficult: should it be 0 blocks, 1 block, 100 blocks, 50,000 blocks, 200,000 blocks, or a dynamic number of blocks based on the amount of time that has elapsed since activation? These are hard choices, with real trade-offs, but it is also difficult to decide today to freeze all quantum vulnerable coins in five years’ time. This five year period is also arbitrary. This approach is a mitigation of the harshness of a freeze.

With a safety window of 50,000 blocks, in the event that one lab develops a quantum computer and decides to steal other coins, rather than activating the canary and taking the bounty, then there is the possibility that another competing lab develops a quantum computer within the safety window and activates the canary. The first lab to develop a quantum computer may be concerned that another lab could follow in their footsteps within the safety window and therefore take the canary fund, leaving the first lab with nothing.

Another issue with the safety window approach is that non-upgraded wallets could still be tricked into accepting the quasi-frozen funds. However, most venues dealing with a large number of coins may upgrade to handle this.
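To make the safety window rules concrete, here is a small consensus-rule model written for this article (not code from BitMEX Research or from BIP-361). It assumes a 50,000 block window, a hypothetical `is_canary` marker on the NUMS output, and the BIP-361 phase-1 rule from above that new outputs may not be quantum vulnerable; it also assumes, as a modelling choice, that the bounty payout from the canary spend is not itself quasi-frozen. The model covers the two cases the text describes: the window expiring quietly, and a second lab firing the canary while an earlier spend is still inside its window.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

SAFETY_WINDOW = 50_000  # blocks; the article's "around 1 year" example value


@dataclass
class Output:
    vulnerable: bool                  # spendable only with an ECDSA/Schnorr signature
    matures_at: Optional[int] = None  # set when created by a vulnerable spend; None = ordinary
    is_canary: bool = False           # hypothetical marker for the NUMS canary output


@dataclass
class Chain:
    height: int
    freeze_height: Optional[int] = None  # block at which the canary fired, if ever
    utxos: Dict[str, Output] = field(default_factory=dict)

    def check_spend(self, outpoint: str) -> Tuple[bool, str]:
        """Apply the canary-watch rules to a proposed spend of `outpoint`."""
        out = self.utxos[outpoint]
        if out.vulnerable and self.freeze_height is not None:
            return False, "frozen: quantum-vulnerable spends rejected after canary"
        if out.matures_at is not None:
            # Quasi-frozen output: permanently frozen if the canary fired before it
            # matured, otherwise merely immature until the window expires.
            if self.freeze_height is not None and self.freeze_height < out.matures_at:
                return False, "frozen: canary fired inside this output's safety window"
            if self.height < out.matures_at:
                return False, "immature: still inside the safety window"
        return True, "ok"

    def spend(self, outpoint: str, new_outpoint: str, new_vulnerable: bool = False) -> Tuple[bool, str]:
        """Consume `outpoint` and create `new_outpoint` at the current height."""
        ok, reason = self.check_spend(outpoint)
        if not ok:
            return False, reason
        if new_vulnerable:
            return False, "rejected: sending to quantum-vulnerable outputs is banned"
        out = self.utxos.pop(outpoint)
        if out.is_canary:
            # A valid spend of the canary is the on-chain proof: the freeze activates now.
            self.freeze_height = self.height
            matures = None  # model assumption: the bounty payout is not quasi-frozen
        else:
            matures = self.height + SAFETY_WINDOW if out.vulnerable else None
        self.utxos[new_outpoint] = Output(vulnerable=new_vulnerable, matures_at=matures)
        return True, "freeze activated" if out.is_canary else "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Walk through both scenarios and return each step's verdict (constructed data)."""
    results = {}
    c = Chain(height=1_000_000)
    c.utxos["alice"] = Output(vulnerable=True)
    c.utxos["bob"] = Output(vulnerable=True)
    c.utxos["canary"] = Output(vulnerable=True, is_canary=True)

    results["alice spends early"] = c.spend("alice", "alice2")
    results["alice2 next block"] = c.check_spend("alice2")
    c.height += SAFETY_WINDOW                      # window expires with no canary
    results["alice2 after window"] = c.check_spend("alice2")

    results["bob spends"] = c.spend("bob", "bob2")  # new window opens
    c.height += 10_000
    results["canary fires"] = c.spend("canary", "bounty")
    results["bob2 after canary"] = c.check_spend("bob2")     # caught inside its window
    results["alice2 after canary"] = c.check_spend("alice2") # already matured, unaffected
    return results


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:22s} -> {verdict}")
```

The key design point is that the "frozen inside window" test compares the freeze height against the output's maturity height, not the current height, so an output caught mid-window stays frozen forever rather than thawing once the window would have elapsed. A wallet that only tracks confirmations, not this maturity rule, is exactly the non-upgraded wallet the paragraph above warns about.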

Conclusion

This approach is more arbitrary and complex than a simple coin freeze. In the same way, the quantum safe recovery schemes mentioned in our previous article also add complexity compared to a simple freeze. However, in our view, given the significant cost and disruption a freeze could cause, it is probably worth considering and evaluating the potential mitigation options available, in order to minimise the probability that anyone loses their coins.

WRITTEN BY

BitMEX Research
