
Ethan discusses algorithm agility for Bitcoin. It is motivated by long-term security, considering that cryptographic algorithms weaken over time. Ethan proposes a redundant signature scheme allowing coins to be spent with multiple algorithms. Using the tap leaf tree, users can spend coins with Schnorr or another algorithm. If Schnorr is broken, coins can be moved using the alternative algorithm. He recommends at least two signature algorithms, with one being a highly secure backup. A practical example involves Schnorr and a hash-based scheme like Sphinx or Shrinks. Mike adds that P2MR allows leaves requiring multiple algorithms for added security. Peter's post, "Limitations of Cryptographic Agility in Bitcoin," aligns with Ethan's goals of algorithm agility.

From Bitcoin Optech
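The spend-path design in the summary above, and the "collective security assumption" point raised later in the thread, can be made concrete with a small model. The following is an added example, not code from Ethan, Optech or any Bitcoin project: it commits to a tree of leaves with taproot-style tagged hashes (the tag strings and leaf encoding are constructed for this example, not real tapscript), where each leaf is the set of signature algorithms that must all verify for that path. Actual signature verification is abstracted to "which algorithms the spender satisfied", and the names `schnorr` and `hash_based` are placeholder labels. The analysis helpers then show the difference between an OR tree (one leaf per algorithm: an attacker who breaks any single algorithm can spend) and a single AND leaf (the attacker must break every algorithm in it).

```python
import hashlib


def tagged_hash(tag: str, data: bytes) -> bytes:
    """BIP340-style tagged hash: SHA256(SHA256(tag) || SHA256(tag) || data)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()


def leaf_hash(leaf: frozenset) -> bytes:
    """Commit to one leaf. A leaf is modelled as the set of algorithms that
    must ALL verify for this spend path (constructed encoding, not tapscript)."""
    return tagged_hash("ExampleLeaf", "+".join(sorted(leaf)).encode())


def branch_hash(a: bytes, b: bytes) -> bytes:
    """Inner node; children are sorted so proofs need no left/right flag."""
    lo, hi = sorted((a, b))
    return tagged_hash("ExampleBranch", lo + hi)


def _next_level(level: list[bytes]) -> list[bytes]:
    pairs = [level[i:i + 2] for i in range(0, len(level), 2)]
    return [branch_hash(*p) if len(p) == 2 else p[0] for p in pairs]


def merkle_root(leaves: list[frozenset]) -> bytes:
    """Root commitment the coin is locked to."""
    level = [leaf_hash(l) for l in leaves]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(leaves: list[frozenset], index: int) -> list[bytes]:
    """Sibling hashes from the chosen leaf up to the root."""
    level = [leaf_hash(l) for l in leaves]
    proof = []
    while len(level) > 1:
        sib = index ^ 1
        if sib < len(level):          # an unpaired node is promoted unchanged
            proof.append(level[sib])
        level = _next_level(level)
        index //= 2
    return proof


def verify_spend(root: bytes, leaf: frozenset, proof: list[bytes],
                 satisfied: set) -> bool:
    """Valid iff the revealed leaf is committed to by `root` and every
    algorithm the leaf requires was satisfied. `satisfied` stands in for
    the set of signature checks that actually passed (assumption)."""
    if not leaf <= satisfied:
        return False
    h = leaf_hash(leaf)
    for sib in proof:
        h = branch_hash(h, sib)
    return h == root


def attacker_can_spend(leaves: list[frozenset], broken: set) -> bool:
    """True if someone who can forge every algorithm in `broken` (and
    nothing else) can satisfy at least one leaf on their own."""
    return any(leaf <= broken for leaf in leaves)


def minimal_break_sets(leaves: list[frozenset]) -> set[frozenset]:
    """Minimal sets of algorithms whose compromise lets an attacker spend.
    This is the security assumption the tree actually relies on."""
    candidates = set(leaves)
    return {s for s in candidates if not any(o < s for o in candidates)}


# Constructed trees: one leaf per algorithm (OR) versus one leaf needing both.
OR_TREE = [frozenset({"schnorr"}), frozenset({"hash_based"})]
AND_TREE = [frozenset({"schnorr", "hash_based"})]

if __name__ == "__main__":
    root = merkle_root(OR_TREE)
    proof = merkle_proof(OR_TREE, 1)
    print("backup path spend:", verify_spend(root, OR_TREE[1], proof, {"hash_based"}))
    print("OR tree, schnorr broken:", attacker_can_spend(OR_TREE, {"schnorr"}))
    print("AND leaf, schnorr broken:", attacker_can_spend(AND_TREE, {"schnorr"}))
    print("OR tree relies on:", [sorted(s) for s in minimal_break_sets(OR_TREE)])
```

Running it shows the trade-off the thread circles around: the OR tree lets the owner move coins through the backup leaf if Schnorr fails, but `minimal_break_sets` reports that breaking either algorithm alone is enough for theft, so its security is the conjunction of both assumptions; the AND leaf needs both forged before the coin can be taken.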

This sounds like a really cool idea.

Limitations of Cryptographic Agility in Bitcoin

There are great arguments on that thread - not everyone agrees with sipa there, but there were some good challenges and follow-up responses clarifying things too.


I tried to write a summary of the thread a little while ago (#1451973). I found waxwing's comments very insightful.


Missed that! Thank you.


I missed it as well

This brings us to the question then how at all Bitcoin users can migrate to new cryptography, because we cannot assume that secp256k1 will last forever. And I think the answer is essentially that it requires the entire ecosystem to change their assumptions. This does not mean that adding a new opt-in cryptographic primitive is infeasible or a bad idea; it just means that adding FancySig as an option is changing the collective security assumption from "secp256k1 is secure" to "secp256k1 AND FancySig are secure" once FancySig gets adopted at scale, and the discussion about adding new primitives should be treated with the gravity that entails. And it means that disabling secp256k1 EC operations (or near-everyone migrating to FancySig, but I think that is unlikely) is the only way to change the collective security assumption from "secp256k1 AND FancySig are secure" to "FancySig is secure"

Merch calls this the trust me bro algo haha. But wow Peter is a fantastic writer!
