Board: Wallet software
Re: Should wallets warn if you re-use addresses due to quantum computers?
by d5000 on 20/07/2025, 15:07:55 UTC
> The way I see it is that if there is even a small possibility of reversing a public key to get the private key, and we still haven't migrated to a resistant protocol (a hard fork), then Bitcoin will have become obsolete!
> That means the warning you are talking about is either pointless (meaning it is impossible to reverse a pubkey and reusing your address doesn't put you at any risk) or it is not a warning (bitcoin is already over and you shouldn't even be using it anymore).
Sorry, I don't understand your logic here. Migrating vulnerable coins to fresh addresses is something everybody can do now. And then they are safe until quantum computers are so fast that they can compute a private key in less than an hour [1]. That will take several (probably dozens of) millions of qubits.

The threat that a quantum computer attacks coins with a published public key (due to address reuse, P2PK outputs etc.) is much less far away in the future, and could perhaps be carried out in the next decade. If this kind of attack can target 25% of all coins, then it's much more likely to be disruptive for the market than if it can only target Satoshi's coins and a few more lost coins. In addition, we would see epic blockchain congestion as everybody (among those who own vulnerable coins) tried to move their coins after the attack was discovered. This could be a dramatic blow for Bitcoin (even if it's unlikely to be its "death").

For me, the ideal migration path is: first nudge users even more not to reuse addresses, for example with warnings like the one proposed in this thread, to reduce the number of vulnerable coins, and then optionally implement post-quantum cryptography once it is mature enough and there is a clear candidate. In the mailing list discussion there were unfortunately some objections from cryptography experts against Falcon-512, which is the most convenient candidate as of now. They would prefer SPHINCS+, but that one has even (much!) larger signatures.

> Do you have any data sources for this? I'm interested to know specifics, like how many Bitcoin exactly are contained in the old outputs.
I took the number of 25% from this post in the thread about Jameson Lopp's draft BIP. I thought Lopp himself had given a number in his blog post, but there's only one part where he cites a social media post about 3.7 million lost BTC and a comment about vulnerable coins in the rich list. I have read about similar numbers in the past (around 5 million, if I remember correctly). If you google, you'll see the 25% in several articles. Google Gemini even talks about 32% (6.5 million).

The source for the 25% seems to be a Deloitte report from 2020, which also has a chart about the number of coins in specific outputs.

A substantial part of these vulnerable coins, according to Lopp's blog post, sits in exchange cold wallets, which are often multisig-secured and thus at least a little bit harder to crack. But I think exchanges and other big service providers (ETF custodians ...) would in any case be the first entities incentivized to abandon address reuse for good once the quantum threat becomes real.

[1] I think the real danger for this "short exposure" or "mempool" attack will start when QCs are fast enough to crack a key in 30 minutes or less. They could gamble on being lucky and attack keys hoping for a block that takes an hour, but they would waste a lot of resources because the probability of such a long block time is quite low. So I think, as superfast QCs will be expensive at that stage, attackers would not start with "mempool attacks" until the QCs are so fast that the effort will probably result in a success at least several times a day.
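The wallet-side check the thread is asking for, plus the block-interval arithmetic behind footnote [1], as an added worked example in Python. This is not code from d5000, the thread, or any wallet project: the transactions, txids and addresses are constructed placeholders, the script-type classification is a simplification (it tracks only whether a public key has appeared on chain), and the exponential model of block intervals with a 10-minute mean is a modelling assumption.

```python
"""Toy model of a wallet's 'public key already exposed' warning, and of how
often an attacker who needs N minutes per key gets a usable block window.
Added example with constructed data; not code from the thread."""
import math
from dataclasses import dataclass

# Script types whose public key sits in the *output* itself: exposed on chain
# the moment coins arrive (legacy P2PK, and Taproot's x-only output key).
KEY_IN_OUTPUT = {"p2pk", "p2tr"}
# Script types that commit to a hash; the key(s) appear only when the output
# is *spent* (P2PKH, P2WPKH; for P2SH/P2WSH multisig the redeem/witness
# script with all member keys is published on spend).
KEY_ON_SPEND = {"p2pkh", "p2wpkh", "p2sh", "p2wsh"}


@dataclass(frozen=True)
class TxOut:
    address: str
    script_type: str
    value_sat: int


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # (prev_txid, vout) pairs; empty for coinbase-like txs
    outputs: tuple  # TxOut in vout order


def scan(txs):
    """Replay txs in order. Returns (utxo, exposed): utxo maps (txid, vout)
    -> TxOut for unspent outputs; exposed is the set of addresses whose
    public key is now visible on chain."""
    utxo, exposed = {}, set()
    for tx in txs:
        for prev_txid, vout in tx.inputs:
            spent = utxo.pop((prev_txid, vout))  # KeyError: unknown/double spend
            if spent.script_type in KEY_ON_SPEND:
                exposed.add(spent.address)       # scriptSig/witness revealed key
        for vout, out in enumerate(tx.outputs):
            utxo[(tx.txid, vout)] = out
            if out.script_type in KEY_IN_OUTPUT:
                exposed.add(out.address)         # key is in the output itself
    return utxo, exposed


def vulnerable_balance(utxo, exposed):
    """Unspent sats per address whose key is already public: coins a
    key-recovering attacker could take without racing the mempool."""
    totals = {}
    for out in utxo.values():
        if out.address in exposed:
            totals[out.address] = totals.get(out.address, 0) + out.value_sat
    return totals


def reuse_warning(address, utxo, exposed):
    """Classify an address before paying to it or handing it out again:
    'exposed' - key on chain; any coins here are vulnerable already,
    'in-use'  - holds coins but key still hidden; receiving more is reuse,
                and the first spend will expose everything parked here,
    'fresh'   - never seen."""
    if address in exposed:
        return "exposed"
    if any(out.address == address for out in utxo.values()):
        return "in-use"
    return "fresh"


def long_block_probability(minutes, mean_minutes=10.0):
    """P(next block takes longer than `minutes`), assuming exponentially
    distributed intervals (memoryless Poisson mining)."""
    return math.exp(-minutes / mean_minutes)


def expected_windows_per_day(minutes, mean_minutes=10.0):
    """Expected blocks per day whose interval exceeds `minutes`: how often an
    attacker needing that long per key gets a window to race a spend."""
    return (24 * 60 / mean_minutes) * long_block_probability(minutes, mean_minutes)


# Constructed sample chain (placeholder txids and addresses, not real ones).
SAMPLE_TXS = (
    Tx("a1", (), (
        TxOut("1Reused", "p2pkh", 100_000),
        TxOut("04pubkeyP2PK", "p2pk", 5_000_000_000),  # early-style P2PK output
        TxOut("bc1pTaproot", "p2tr", 200_000),
    )),
    # Spends a1:0 (reveals 1Reused's key) and sends change back to 1Reused.
    Tx("b2", (("a1", 0),), (
        TxOut("1Fresh", "p2pkh", 60_000),
        TxOut("1Reused", "p2pkh", 30_000),
    )),
    Tx("c3", (), (TxOut("bc1qSafe", "p2wpkh", 40_000),)),
)

if __name__ == "__main__":
    utxo, exposed = scan(SAMPLE_TXS)
    print("exposed keys:", sorted(exposed))
    print("vulnerable balance (sat):", vulnerable_balance(utxo, exposed))
    for a in ("1Reused", "1Fresh", "1Never"):
        print(a, "->", reuse_warning(a, utxo, exposed))
    for m in (30, 60):
        print(f"P(block > {m} min) = {long_block_probability(m):.4f}, "
              f"~{expected_windows_per_day(m):.2f} such windows per day")
```

The change output in `b2` is the case the thread's warning is about: `1Reused` already had its key revealed when `a1:0` was spent, so the 30,000 sat sent back to it are vulnerable from the moment they land, while `1Fresh` is only flagged as in-use (reuse would be the mistake). The interval functions put numbers on the footnote: under the exponential model a block longer than 60 minutes occurs for roughly 0.25% of blocks (about one every three days), whereas a 30-minute window occurs for about 5% (around seven times a day), which is the "several times a day" regime the footnote describes.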