pqc_btc.md
# Silent transition to Post-Quantum Bitcoin outputs
_Disclaimer: The authors ([@phyro](https://x.com/phyrooo), [@adamedics](https://x.com/adamedics)) are not cryptographers nor are they up to date with the existing approaches and/or proposals._
## Motivation
Bitcoin might eventually need to upgrade to a post quantum secure signature scheme to defend against an adversary with a quantum computer. This document won't discuss which signature scheme to choose, but rather how to make the transition to it. It seems that we will inevitably need to create a new output type that holds funds in a quantum-secure key and make everyone transition to such output format. The question is how do we transition in a simple and safe way. The most obvious and perhaps essential (see [Deadline](#deadline) section below) approach is to define a threshold height D (deadline) in the future and require everyone to make an onchain transaction that replaces their old ECC output with a PQC one before height D gets mined. This sounds good, but it comes with its own tradeoffs. First, it requires the user to make an onchain transaction prior to D that transitions to a new output type. Requiring everyone to do an onchain transaction could lead to a natural (or malicious) congestion during the days close to D which would also increase transaction fees. High fees and limited space could make some users unable to transition to PQC outputs. And second, it requires the user to make a publicly visible transaction which proves the owner has access to their coins. This might not be an issue for most, but may be a problem for those that want to keep their coins dormant which can be a reasonable thing, especially if you go by the pseudonym of Satoshi. This document describes a possible way to transition to PQC that does not have the congestion issues and allows everyone to transition in a private way.
## Approach
This file has been truncated. show original