The limitations of cryptographic agility in Bitcoin

In a recent discussion on the Bitcoin Development Mailing List, Pieter highlighted several key points regarding the security and future of Bitcoin. He emphasized that his intention is not to propose freezing coins within the Bitcoin network. Instead, he pointed out that the perception of vulnerability among a substantial amount of Bitcoin could lead to a decrease in its value. This could happen through various scenarios, such as the emergence of a more economically relevant chain following a fork or a mass migration of coins to Post-Quantum Cryptography (PQC) addresses due to fear of quantum computing risks.

Pieter underscored the importance of designing Bitcoin with the future in mind, where no significant amount of coins are perceived as vulnerable. However, he also acknowledged that simply providing users the option to migrate to schemes with different security assumptions does not eliminate the original security assumption from the system. As long as a considerable number of coins remain secured by the secp256k1 algorithm, the entire Bitcoin network and its users, including those who have migrated, continue to rely on its security.

Furthermore, Pieter discussed the need for Bitcoin to maintain its value through differentiation from competing monetary systems, highlighting fixed inflation schedules and inviolable property rights as critical components. He suggested that avoiding market fear that could erase the value of coins, even if they are not moved, is also crucial.

Addressing the potential impact of quantum computing, Pieter imagined a scenario where a significant majority of Bitcoin in known-public-key addresses suddenly move to a PQC address, possibly due to a Cryptographically Relevant Quantum Computer (CRQC). Such an event, followed by a public claim of CRQC possession, could devastate Bitcoin's market value and relevance.

Lastly, Pieter reflected on the ecosystem's response to systemic risks posed by large coin holdings on exchanges. He criticized the community’s complacency towards these risks and compared it to potential vulnerabilities from quantum computing threats. He argued that solutions like combining FancySig with BIP340 outputs to address security concerns come at a significant cost, yet they don't fully mitigate the underlying issue that Bitcoin's security is heavily reliant on the secp256k1 algorithm as long as a substantial number of coins are protected by it. This dependency remains a pivotal concern for the future of Bitcoin's security and integrity.