The limitations of cryptographic agility in Bitcoin

The discussion revolves around the contemplation of future technological advancements, specifically the development and implications of quantum computing on Bitcoin and the broader tech and military industries. The conversation is framed by considering two potential outcomes: one where quantum computing never materializes (referred to metaphorically as a "unicorn"), and another where it does emerge with significant impact.

In the scenario where quantum computing remains an unachieved goal, the inclusion of Post-Quantum Cryptography (PQC) scripts and signatures in Bitcoin is debated as potentially unnecessary, thus adding bloat without real benefit. This perspective takes into account the additional computational overhead and cost introduced by Schnorr signatures, which would become slightly more expensive due to the requirement of script spend paths without the balancing advantage of a key spend path.

Conversely, the realization of quantum computing poses a grave threat to the security and functionality of Bitcoin. The potential for quantum computers to render existing cryptographic safeguards obsolete would necessitate a drastic overhaul of Bitcoin's security measures. This could lead to the first complete shutdown of the network to facilitate the transition of funds to new, quantum-resistant wallets. Such a migration would rely heavily on zero-knowledge proofs, significantly increasing both the cost and computational requirements for transactions and potentially exposing the network to denial-of-service vulnerabilities. Given the substantial resources required, this scenario suggests that only the wealthiest participants would be able to maintain their holdings, thereby undermining the utility and inclusiveness of the network.

The introduction of SLH-DSA, or similar quantum-resistant cryptographic methods, is proposed as a preemptive solution to allow for a smoother transition should quantum computing become a reality. Despite concerns over its relative bulkiness, SLH-DSA is presented as a less cumbersome option compared to the extensive demands of migrating to new PQC wallets post-quantum breakthrough. By adopting SLH-DSA or equivalent technologies now, users would have the flexibility to transfer their funds securely against quantum threats at a comparatively low cost per transaction, provided they choose to utilize this option before the advent of quantum computing. This approach underscores the importance of forward-looking adaptation in safeguarding digital assets amidst rapidly evolving technological landscapes.