BitMex Research is out with part 4 of their ongoing series on quantum computing and Bitcoin. In this installment, they take an interesting look at BIP 361 (#1471384) and in particular at the concept of a "freeze" of quantum-vulnerable coins (a concept which is not very popular among Bitcoiners).
BitMex Research discusses the idea of making such a freeze dependent on funds in a canary address being moved.
Instead of a freeze softfork activating in five years, an alternative is that in five years we instead enter a canary watch state. If it is proven, onchain, that a relevant quantum computer exists, the canary activates and the freeze therefore immediately activates. If the canary does not activate, the quantum vulnerable coins can still be spent as normal, or perhaps with the outputs in the next transaction unspendable for a predetermined safety window, like the 100 block period that coinbase outputs cannot be spent for.
This canary address would be a specially crafted address that relies on a smaller prime number (I think) which would be more vulnerable to Shor's algorithm (the use of which quantum computers make particularly efficient) while not necessarily being more vulnerable to traditional brute-forcing.
In order to incentivise any entity with a powerful quantum computer to activate the canary, users could donate Bitcoin to the canary address, to create a quantum bounty. Investors in this fund need not give up their money forever, they could send the funds to a 1 of 2 multisignature output, where one public key is their own and one public key is the one associated with the canary address. The investor can then withdraw their Bitcoin from the incentive fund whenever they like.
Of course, a big problem here is that an attacker who develops a cryptographically relevant quantum computer may choose not to attack the canary address, waiting instead to attack more valuable addresses. However, as BitMex points out, if the canary address is sufficiently easier to crack and has at least a meaningful balance of bitcoin, it is possible that a state actor or other regulated entity with such a quantum computer might choose the white hat path rather than a full attack.
BitMex concludes with a discussion of the length of a "safety window." In BIP 361, a five year window is proposed, after which quantum vulnerable coins would not be spendable (except via a zkProof method yet to be determined). BitMex suggests an alternative approach that treats quantum vulnerable coins like coinbase transactions: not spendable for a certain number of blocks.
Five years after activation, BIP-361 will “reject transactions that rely on ECDSA/Schnorr keys”. Instead of this rejection, these quantum vulnerable spends could still be allowed. They could be allowed in the same way coinbase outputs are allowed, with the outputs unspendable for 100 blocks. Instead of 100, another number could be chosen, for instance 50,000 blocks (around 1 year). If the canary activates within the safety window, then the coins would be immediately frozen; if not, after the 50,000 block window expires, the coins could be considered as normal coins and become freely spendable.
Choosing how long this safety window should be will be difficult: should it be 0 blocks, 1 block, 100 blocks, 50,000 blocks, 200,000 blocks, or a dynamic number of blocks based on the amount of time that has elapsed since activation? These are hard choices, with real trade-offs, but it's also difficult to decide today to freeze all quantum vulnerable coins in five years' time. This five year period is also arbitrary. This approach is a mitigation of the harshness of a freeze.
I'm not so sure the quantum canary path is a good idea. I doubt that an entity who develops a quantum computer that can crack Bitcoin public keys will settle for a canary address -- even if it had hundreds of Bitcoin in it. Seems like a government would sweep that tech up pretty quickly. If such a plan were to work, it would have to be very thoughtful about the amount of bitcoin in the address and the ease with which the address could be cracked.
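The canary-watch rule quoted above, written out as a small added model (not code from BitMex, BIP 361 or the original post): a quantum-vulnerable spend is still allowed during the watch state, the outputs it creates must wait out a coinbase-style window, and a canary tripping inside that window freezes them. Heights and the window length are constructed toy values, and `Rules`, `Output`, `phase_at`, `spend_allowed` and `spend_to` are names of this model, not of any implementation.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Phase(Enum):
    NORMAL = 1        # before the watch state: quantum-vulnerable (QV) spends unrestricted
    CANARY_WATCH = 2  # QV spends allowed, but the outputs they create must mature first
    FROZEN = 3        # canary funds proven moved on-chain: QV spends are rejected

@dataclass(frozen=True)
class Output:
    height: int                  # block height at which the output was created
    quantum_vulnerable: bool     # spendable only with an ECDSA/Schnorr key
    from_qv_spend: bool = False  # created by spending a QV output during the watch state

@dataclass(frozen=True)
class Rules:
    # Constructed parameters for the model; BIP 361 / BitMex figures differ.
    watch_start: int                     # height at which the canary watch state begins
    window: int                          # coinbase-style maturity window, in blocks
    canary_height: Optional[int] = None  # height at which the canary was proven cracked

def phase_at(rules: Rules, height: int) -> Phase:
    if rules.canary_height is not None and height >= rules.canary_height:
        return Phase.FROZEN
    return Phase.CANARY_WATCH if height >= rules.watch_start else Phase.NORMAL

def spend_allowed(rules: Rules, out: Output, height: int) -> bool:
    """True if `out` may be spent in a block at `height` under the modelled rule."""
    ph = phase_at(rules, height)
    if ph is Phase.NORMAL:
        return True
    if ph is Phase.FROZEN and out.quantum_vulnerable:
        return False  # ECDSA/Schnorr spends rejected once the canary has tripped
    if out.from_qv_spend:
        matured_at = out.height + rules.window
        if ph is Phase.FROZEN and rules.canary_height < matured_at:
            return False  # canary tripped inside the safety window: coins stay frozen
        return height >= matured_at  # window expired: treated as a normal coin
    return True

def spend_to(rules: Rules, parent: Output, height: int, quantum_vulnerable: bool) -> Output:
    """Output created by spending `parent` at `height`; rejects spends the rule forbids."""
    if not spend_allowed(rules, parent, height):
        raise ValueError(f"spend of output from height {parent.height} rejected at {height}")
    tainted = parent.quantum_vulnerable and phase_at(rules, height) is Phase.CANARY_WATCH
    return Output(height, quantum_vulnerable, from_qv_spend=tainted)
```

With `Rules(watch_start=100, window=5)`, a QV coin spent at height 100 yields an output that cannot move at 103 but can at 105, unless a canary tripped at 104, in which case it stays frozen.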
appending "derangement syndrome" to so many things is getting cliche, but there's really no better way to describe the stupidity that comes with certain subjects
this may be peak quantum derangement syndrome
derangement syndrome derangement syndrome
the canary is dumb but you really think quantum concerns are completely overblown?
just because there is a lot of bullshit doesn't mean it's all bullshit. caltech report seemed to be from reputable scientists. scott aaronson taking it more seriously lately.
i'm concerned
1000%
There's no such thing as a quantum computer, and never will be... not at least until a time machine is invented first. Same principles.
Any claims/prototypes of quantum computers are experiments that are based on extrapolation of cherry-picking and couched as physics experiments
Fear is sown based on math, which is real, but few understand that math is meaningless if you can't stop time while doing the calculations.
The Gutmann papers articulate plainly how every claim to a quantum computer is bunk.