I see that you like my idea. 
Well, it's a good idea if implemented safely, but I won't let you take all the credit, since I've discussed such a thing in the past:I could provide a zero knowledge proof that I am in possession of the extended private key or the seed phrase which was used to derive that private key.
Thanks for the link. I hadn’t seen that.
Why do you focus on the extended private key or seed phrase? If a ZK system were implemented that ran Bitcoin consensus rules (including Bitcoin script, and everything else) inside a proving circuit, then people could simply publish proofs that they had validated their own transactions spending the coins. The transaction inputs and outputs would not be hidden, so there is no need to worry about double-spends (the reason for Zcash’s nullifier system). IMO, it would be a terrific engineering effort to get this working right; and computational costs may be not insignificant. But in theory, it can surely be done; and in practice, an emergency would probably justify the costs.
(Bonus, another thing I have been wanting to investigate and post about: Perhaps the engineering effort could also be repurposed to make a succinct version of Bitcoin, for light clients to attain full-node security simply by validating a proof that someone else had validated the entire blockchain up to the current tip. I do not know if this is feasible in practice. Mina had to invent their own cryptographic primitives, for efficiency reasons.)
On a wider scale, although it would be great to have such a thing implemented, and it would be a prerequisite to me being comfortable with some coins being "locked" by consensus, it would only serve to make a small difference in the event that quantum computers can break the ECDLP. Assuming that the majority of addresses which are being actively reused would migrate to quantum-proof addresses, and that the 1.73 million BTC in P2PK addresses will be stolen regardless, then this system would only serve to protect coins in non-reused non-P2PK addresses which are inaccessible to the owner. We cannot place an accurate figure on this group, but I believe it to be significantly smaller than all the estimates bandied about by people who simply assume that any coin which hasn't moved in >5 years (for example) has been lost, since (for example) such a category includes the majority of my coins, which are absolutely not lost.
It's certainly worth doing for the individuals it would protect, but it will make little difference I think to the overall impact on bitcoin.
It's certainly worth doing for the individuals it would protect, but it will make little difference I think to the overall impact on bitcoin.
One of the great things about Bitcoin is that people are never under time pressure to move their coins. You can go into a coma or get shipwrecked on an island, and reclaim your bitcoins when you are available to claim them.
Anyone who deals with altcoins eventually has the experience, “You must upgrade/do this claim procedure/exchange old tokens for new tokens” with a deadline to avoid losing your money. Not so much in the more credible altcoins, but it is disturbingly common in others. It is horrible, and it is all the more reason to appreciate Bitcoin.
With the type of system that I describe, most people who follow best practices for avoiding address reuse could upgrade and move coins at their leisure. If you so choose, you could leave your >5-year-old coins untouched for another 30 years—then publish a proof to spend them.
But what about all those other UTXOs (lost reused P2PKH/P2WPKH, lost P2TR, lost reused P2SH/P2WSH multisig)? I think that is the main dilemma here. I would quote Pieter Wuille here: "If a QC can ever spend lost ECC-locked coins, I believe it's game over for Bitcoin. How can an asset maintain value if an attacker has the ability to flood the market with the significant portion of the entire supply?".
I don't like the idea of some coins being locked by consensus, however, Pieter has a point that the economical impact of flooding the market with all these coins could be unsurvivable.
I don't like the idea of some coins being locked by consensus, however, Pieter has a point that the economical impact of flooding the market with all these coins could be unsurvivable.
That could surely cause an extreme bear market. How much worse of a bear market could be caused by calling into question Bitcoin’s fundamental trustworthiness?
A major part of Bitcoin’s fundamental value is that you can trust that nobody will ever change the rules to seize your coins or divert their value. (This sometimes happens in alts—e.g., Juno, or Terra.) And as o_e_l_e_o has noted, there is no way to know if a coin has been lost. “Lost coins” statistics are guesses, and probably bad ones.