Bitcoin developers and researchers have proposed BIP-361, which suggests freezing early Bitcoin addresses considered to have quantum vulnerabilities—primarily P2PK addresses with publicly exposed public keys—to prevent future quantum computers from deriving private keys from public data and stealing funds.
That means 1.1M ($74B) of Satoshi’s coins will become obsolete.
We knew only a bank can freeze your account.
https://github.com/bitcoin/bips/blob/master/bip-0361.mediawiki
Regarding Quantum Safe Grin, ChatGPT just surfaced this paper to me:
https://arxiv.org/pdf/2603.28846 (April 2026)
The newer 2026 Google Quantum AI / Boneh et al. paper explicitly flags the Pedersen commitments and Bulletproofs used in Mimblewimble as vulnerable to quantum attacks, including an on-setup style risk from the fixed public generators used in Pedersen commitments. The paper says that for Mimblewimble-like systems, a CRQC could break the binding property of Pedersen commitments and enable undetected inflation, and that Bulletproof-style systems can lose soundness if the underlying commitment binding breaks.
The paper does call out Pedersen commitments and Mimblewimble directly.
Sorry for the LLM spam, but this is a good breakdown of what a Grin v2 would take. Could be flat wrong on some things but Idk it’s a starting point. If we could keep Grin with the same identity and features, but make it quantum proof, I would throw all the council money at that.
Clean, ready replacements
- Schnorr / AggSig → ML-DSA (transaction signatures)
- Ed25519 (Slatepack + payment proofs) → ML-DSA (authentication + proofs)
- X25519 / Slatepack encryption → ML-KEM (wallet-to-wallet encryption)

No clean replacement (requires redesign)
- Pedersen commitments → no drop-in → replace with lattice-based confidential transaction system (LACT+ / MatRiCT class)
- Bulletproofs → no drop-in → replace with lattice-based range/balance proofs
- Kernel excess commitments → no equivalent → replace with single PQ transaction proof object
- AggSig aggregation → no equivalent → replace with multiple ML-DSA signatures or proof-level aggregation
- Multisig / contract construction → no equivalent → rebuild on PQ signatures or PQ proofs

Format / plumbing updates
- Slatepack → Slatepack v2 (ML-KEM + ML-DSA payloads)
- Wallet keys → PQ key hierarchy (ML-DSA + ML-KEM)

Keep as-is
- UTXO model / cut-through / MMRs → unchanged
- Emission / economics → unchanged

Bottom line
- Signature + transport layer: simple swaps
- Confidential transaction core: full replacement, no standard exists
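The binding failure the paper summary above describes, as an added example that is not code from the thread, the paper, or Grin: a toy Pedersen commitment in a prime-order subgroup of Z_p^*, where the parameters P, Q, G, H are constructed stand-ins and the brute-force discrete log plays the role of a CRQC running Shor's algorithm once against the fixed generator pair. It shows why knowing log_G(H) lets a commitment to 5 units be reopened as 500 units while still verifying, i.e. inflation that the chain cannot detect.

```python
# Added example (not from the thread or the paper): a toy Pedersen commitment
# in a prime-order subgroup of Z_p^*, showing that binding rests entirely on
# the discrete log between the two fixed generators G and H. The toy group is
# far too small for real use; toy_dlog stands in for Shor's algorithm on a
# cryptographically relevant quantum computer (CRQC).

P = 2039            # safe prime, P = 2*Q + 1 (constructed toy parameters)
Q = 1019            # prime order of the subgroup of quadratic residues mod P
G = 4               # 2^2 mod P: a generator of the order-Q subgroup
H = pow(7, 2, P)    # "nothing-up-my-sleeve" second generator, also order Q

def commit(value: int, blinding: int) -> int:
    """Pedersen commitment C = G^value * H^blinding (v*G + r*H in EC notation)."""
    return (pow(G, value, P) * pow(H, blinding, P)) % P

def verify_opening(c: int, value: int, blinding: int) -> bool:
    """What a node checks when an output is opened: does (value, blinding) match C?"""
    return commit(value, blinding) == c

def toy_dlog(base: int, target: int) -> int:
    """Brute-force log_base(target) in the order-Q group. Stand-in for a CRQC;
    in the real group this step is infeasible classically, which is the
    assumption Pedersen binding depends on."""
    acc = 1
    for t in range(Q):
        if acc == target:
            return t
        acc = (acc * base) % P
    raise ValueError("no discrete log found")

def forge_opening(value: int, blinding: int, new_value: int, trapdoor: int):
    """Given t = log_G(H), reopen C to new_value. C = G^(value + t*blinding), so
    we need value + t*blinding == new_value + t*new_blinding (mod Q)."""
    inv_t = pow(trapdoor, -1, Q)
    new_blinding = (blinding + (value - new_value) * inv_t) % Q
    return new_value, new_blinding

def inflation_demo() -> dict:
    """Honest commitment to 5 units, then a forged opening to 500 units that
    verifies against the same C. Nothing on-chain distinguishes the two."""
    value, blinding = 5, 123
    c = commit(value, blinding)
    t = toy_dlog(G, H)   # the one-time computation the on-setup risk refers to
    new_value, new_blinding = forge_opening(value, blinding, 500, t)
    return {
        "honest_opens": verify_opening(c, value, blinding),
        "forged_opens": verify_opening(c, new_value, new_blinding),
        "values_differ": value != new_value,
    }
```

The takeaway for a Mimblewimble-style design is that the trapdoor is the relation between two public constants, so a single successful discrete-log computation compromises every commitment ever made with that generator pair, not just one key.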
My AI’s answer to that:
Without a proven solution for fault tolerance, any estimate for breaking Pedersen commitments is speculative.
- Current reality: We have no working, scalable fault-tolerant quantum computer—only theoretical frameworks (like surface codes) that require millions of physical qubits per logical qubit at today’s error rates (quantumcomputingreport.com).
- The gap: Even if we hit 30,000+ physical qubits by 2030, without fault tolerance, they can’t run Shor’s algorithm reliably—so Pedersen commitments remain secure.
- Conclusion: Estimates for breaking Pedersen commitments assume fault tolerance will be solved, which is unproven. Until that’s demonstrated, no timeline is grounded in reality—it’s all extrapolation based on unresolved challenges.
The risk is the “on-setup” attacks. Did you have your AI read this new paper specifically?
They only need to run the exploit one time and they get a permanent back door.
AI:
No. There is no real-world evidence of a successful quantum computing attack breaking crypto fundamental parameters (e.g., ECDSA, Pedersen commitments). All current threats are theoretical and require fault-tolerant, large-scale quantum computers that do not yet exist.
Note that I “educate” my AI carefully to avoid assumptions and the use of non-existing techniques. There is an abundance of “what if…” and “theoretical possibilities”, but without any real backing of technological feasibility. These papers easily lead AI astray, making wrong conclusions, since they do not by default separate fact from fiction.
“Yet” is the operative word here. Do you think they would announce to the world beforehand “hey, we’re gonna break your entire crypto currency with a permanent back door. We’ll give you a head start!”
No, they’ll likely just do it and let all non-quantum-proof currency collapse while the power consolidates to the quantum proof.
Even if we got a friendly notice, at that point it would be too late. We wouldn’t have the time to properly research and implement an upgrade. And no, switching to ElGamal commitments isn’t a solution. Even if it protected funds, the market would completely collapse in a fire sale.
Math isn’t fiction, though. That paper isn’t some Isaac Asimov story.
Also, just from a marketing standpoint, “grin isn’t hackable yet” is not compelling. However, imagine if research was done on how to keep the same feature set but be quantum proof. That’s actually a very compelling story. Half of the marketing for Monero is in the fact that they are actively thinking ahead.
To me that logic sounds like saying, start preparing for your next holiday to Proxima Centauri (the closest star apart from our sun). Because if we develop warp drive, you can be there in 3 days at Warp 9. Only problem, we do not have warp drive technology.
Now ask yourself, if we get a Quantum Apocalypse, what would get broken?
Well, bloody everything!
I would be more worried about someone breaking into nuclear launch sites at that point, since the cryptography that protects those facilities, the banking system, etc. would be broken: nothing would be safe. Why target Bitcoin’s billions while you can target central banks’ trillions?
…Now let’s get our feet back on the ground and talk about reality.
Ask your AI:
Did quantum computers compute 7!? Tell me yes or no.
Answer: No
That means that logical qubits still do not scale and we are still at the same point we were a year ago. And no, error correction does not solve the scalability of logical qubits.
Not really. It doesn’t benefit an attacker to destroy the world. It does benefit an attacker to hack or discredit rival monetary systems. (The attacker in this case would likely be a government)
Quantum computers may or may not exist in various states of function. Black budget programs have had all kind of advanced technology for a while.
My thinking is, if we can make something quantum proof today based on an understanding of mathematics, and we willfully do not, why? What is the point of stamping our foot and saying “it doesn’t exist! It won’t happen!” when we can just implement a future-proof system instead?
Grin is supposed to be for the decades and centuries ahead. That’s how it was envisioned. So why are we the only crypto project that is putting our heads in the sand? Like, we’re not even interested in post-quantum cryptography?
Of course we are interested, but no one has come forward with a proposal to research the topic and implement it.
For me it is more a fashion thing. Everyone is lately talking about Q-day, while the reality is that day is still very far from being upon us. It does not mean we/I are not interested, just that I think we should be realistic about it not being a very pressing or urgent issue. Getting node syncing stable, fixing database corruption issues, fixing those bugs in the contract branch, implementing multisig, getting MWixnet up and running. Those are all higher priority if you ask me.
