Bankless - Ethereum’s Quantum Strategy with Justin Drake
Episode Date: March 23, 2026Quantum used to be crypto’s distant sci-fi problem. Justin Drake says it now has a clock. In this episode, we unpack what “Q-Day” actually means, why Justin thinks 2032 is the date the entire in...dustry should be planning around, and why Ethereum is targeting 2029 to get post-quantum ready. --- 📣SPOTIFY PREMIUM RSS FEED | USE CODE: SPOTIFY24 https://bankless.cc/spotify-premium --- BANKLESS SPONSOR TOOLS: 🔮POLYMARKET | #1 PREDICTION MARKET https://bankless.cc/polymarket-podcast 🪐GALAXY | INSTITUTIONAL DIGITAL FINANCE https://bankless.cc/galaxy-podcast 🏅BITGET TRADFI | TRADE GOLD WITH USDT https://bankless.cc/bitget 🎯THE DEFI REPORT | ONCHAIN INSIGHTS https://thedefireport.io/bankless 🐇MEGAETH | 1ST REAL-TIME BLOCKCHAIN https://bankless.cc/megaeth --- TIMESTAMPS 0:00 When is Q-Day? 5:35 The moment quantum becomes crypto-relevant 10:11 How many qubits does it take to break crypto? 16:22 What a real Bitcoin quantum attack would look like 20:19 How much Bitcoin is actually vulnerable? 26:26 Burn, freeze, or salvage? Bitcoin’s impossible choice 35:06 Proof of seed phrase and Bitcoin’s post-quantum bottleneck 41:02 Ethereum’s exposure: smaller, but not zero 45:43 Ethereum’s tougher roadmap: three layers, three upgrades 50:29 The execution-layer plan: replace ECDSA without killing throughput 57:56 Post-quantum, post-AI cryptography 1:03:36 BLS, KZG, LeanVM, and the rest of the stack 1:06:42 Is this bigger than the Merge? 1:17:21 If Bitcoin stumbles, does all crypto stumble too? 1:19:35 “Quantum is not a challenge—it’s an opportunity” 1:21:27 AI, quantum, crypto and the 2032 convergence 1:28:04 Harvest now, decrypt later 1:30:09 Defensive accelerationism and Ethereum’s role 1:39:10 Stoicism, P-doom, and why he keeps building --- RESOURCES Justin Drake https://x.com/drakefjustin/ Bitcoin Quantum Risk List https://www.projecteleven.com/bitcoin-risq-list Nic Carter Blog Posts https://murmurationstwo.substack.com/p/bitcoin-developers-are-sleepwalking https://murmurationstwo.substack.com/p/trillion-dollar-salvage https://murmurationstwo.substack.com/p/bitcoin-developers-are-mostly-not The Strawmap https://strawmap.org/ --- Not financial or tax advice. See our investment disclosures here: https://www.bankless.com/disclosures
Transcript
Discussion (0)
One interesting shift of mindset for me in the last few months is that I've stopped thinking about post-quantum as a hurdle that we have to overcome.
And I think of it more as an opportunity.
It's an opportunity for Ethereum to stand out as the very first global financial system that is post-quantam secure, not just relative to its competitors, you know, like Bitcoin and whatnot, but also relative to, you know, fiat and trotify.
And I think it would, you know, send a very strong message and kind of be a very natural security shutting point for the world to migrate over to Ethereum.
Bankless Nation, we are once again joined with Justin Drake.
We're going to talk about quantum computing as it relates to crypto, Bitcoin, and also Ethereum.
Justin, welcome back to the podcast.
Hi, guys. Thanks for having me again.
So quantum has become kind of a...
a big, looming threat to our industry.
We've always kind of known this.
We have known this.
We have known that this is a thing, that quantum is a thing.
It's been largely theoretical.
Over the last, I'll say, six months or so,
quantum has firmly moved from theoretical
to something materially impacting our industry.
Starting with, I'll say, just like Bitcoin price,
just because fund managers, even BlackRock,
has put out pieces about the threat of quantum
to the security and therefore the value of Bitcoin.
And so we have anecdotally seen people de-wading their portfolio of Bitcoin.
Perhaps that has also suppressing the price of all the other assets in the industry.
And not to just talk about price, but as we understand it, quantum really just impacts the way
blockchain's function.
So this seems to be a fundamental problem of our industry as a whole, a hurdle that our
industry has to get over that when crypto blockchain was created in the first place, we were not
we are not equipped to become post-quantum of an industry.
So maybe to start off that with context,
what is the timeline here that our industry needs to be aware of,
the hurdle that's coming that we need to get over?
When is that hurdle coming?
I've heard this become called Q-Day.
When is Q-Day?
How much time do we have to get over this quantum hurdle?
Yeah, so I just want to back up a little bit
and kind of emphasize what you said,
which is that in the last six to 12 months,
we've had major breakthroughs.
One of them is this notion of error correction.
So we're able to go from so-called physical qubits,
which are very noisy and error-prone,
to like these perfectly logical cubits.
Right now we can basically manufacture one logical qubit,
but it's still a very important zero-to-one moment,
and now it's about scaling it to multiple logical qubits.
Another big breakthrough is on the algorithmic side of things.
previously we thought it would take millions, actually tens of millions of physical cubits in
order to break our beloved cryptography.
But last year, there was a paper that made a 10x improvement, bringing it down to 1 million
physical qubits.
And this year, we have another 10x improvement, bringing it down to 100,000 cubits.
So the goalposts are coming closer and closer and closer.
And you have this double exponentials in some sense that will eventually cross.
And then another thing that has happened is on the investment side of things, a lot of quantum
startups have been raising billions of dollars.
So last year, I believe we're talking on the order $5 billion.
And this is unprecedented.
Previously, we were talking hundreds of millions of dollars.
And I think the culminations of all of these things has really energized the public and led to this narrative,
which has indeed potentially impacted the price of Bitcoin.
and ether. Now, projecting into the future, my personal Q-Day is in 2032. This is a little bit of
an optimistic take in the sense that it's possible they'll arrive a little bit later, but, you know,
we need to be prepared in some sense for the worst-case scenario. So I'd say there's at least a 1%
chance that Q-day is in 2032, more likely than not double-digit percentage that Q-day is in 2032.
various experts that are super knowledgeable in the field will tell you somewhere between
2031 and 2038 maybe and one of my friends who's in the industry Steve Briarly who's the
founder and CEO of one of the biggest quantum error correction companies in the world who happens
to be based in Cambridge where I am our children went to the same class he his personal
Q-day was 2032, but he's had this date for 15 years, and it's always stayed the same.
Wow. That's impressive continuity. And basically, you just need to extrapolate the exponentials,
and that's where you end up. And so what we're trying to do with Ethereum is, you know,
to make sure that we have everything wrapped up well before 2032. And, you know, my completion
date for Ephraim being fully post-quantum-secure is 2029. So a year ago, we had,
You on with Scott Ironson, who is kind of a godfather in this space of quantum as well.
And we asked some questions about kind of when Q-Day.
And is a good definition of Q-Day, Justin, that that's the day in which quantum computers can break our signature schemes, like ECDSA?
Is that what Q-Day actually means?
Yeah, exactly.
So we have this new term called Croc, cryptographically relevant quantum computer.
She squint a little bit.
The cure in the middle becomes an O and it's like a crocodile crock.
Yes, that is when, you know, for us, it becomes relevant.
It's possible that there will be other applications that make quantum computers useful for, you know, chemistry or physics.
But that will come, yeah, a bit later.
Okay, I recall him saying he was kind of hedging at that time.
This was a year ago.
This was, I think, in January 2025.
And he said, within 10 years, we should have useful fault-tolerant quantum computers,
but he was very careful to say
that doesn't mean that we would be breaking,
able to break ECDSA.
And generally he wouldn't commit to a date
because he said it was a staggeringly hard engineering problem.
I have noticed that his tone has changed a little bit
over the past year,
and indeed he's actually joined some organizations and foundations
to help cryptocurrencies navigate quantum.
It seems like maybe his thinking has changed on this.
Is this for the three-referringes?
reasons you emphasize. We've got breakthroughs and algorithms. We've got, you know, some fault
detection, I think you called this, which allows us to scale logical qubits, which I think that is,
that is the main thing that must be scaled in order to break ECDSA and then also all of the,
the billions in VC and funding that has poured into it. Has his opinion changed on this?
Yeah, I mean, I can't speak for him, but, you know, one thing that I guess we should notice
is that Scott is primarily a ferretian.
So for a very long time, he was working on the theory,
not so much on the day-to-day of quantum computers.
And I think that was partially the reason why he was so hedged.
I think what's happening more and more
is that there's real companies, real entrepreneurs,
building these things.
And he has an insider view,
and he's basically ingesting all this information.
One of the things that he said recently
is that the US government is starting to intervene
with the publication of ideas.
So we have companies and academics
that might come up with improvements,
further improvements to Shores algorithm
and those are not completely being disclosed
potentially for national security reasons.
What if you could trade gold,
4x, and global markets
with the same tools and speed
that you use for crypto.
That's exactly what BitGet TradFi unlocks.
After strong beta demand,
including over $100 million in single-day gold trading volume,
BitGet TradFi is now live for all users.
Inside of your existing BitGet account, you can trade 79 instruments across Forex,
precious metals, indices, and commodities all settled directly in USDT.
No platform switching and no fiat conversions.
This is BitGET's universal exchange vision in action.
Crypto and traditional finance side by side.
You get deep liquidity, low slippage, and leverage up to 500X, letting you apply crypto
strategies to macro markets.
New to Tradify?
Start with gold.
The gold USD pair is liquid.
macro-driven and a familiar natural bridge between crypto and traditional markets.
Try trading gold on BitGet now at bitget.com.
Click the link in the show notes.
For more information, this is not financial advice.
Galaxy operates where digital assets and next-generation infrastructure come together,
serving institutions end-to-end.
On the market side, Galaxy is a leading institutional platform,
providing access to spot, derivatives, structured products, defy-lending,
investment banking, and financing.
With more than 1,600 trading counterparties,
Galaxy helps institutions navigate every phase of the market cycle.
The platform also supports long-term allocators
through actively managed strategies
and institutional grade staking and blockchain infrastructure.
That scale is real.
Galaxy has over $12 billion in assets on the platform
and averaged a $1.8 billion loan book in late 2025,
reflecting deep trust across the ecosystem.
Beyond digital assets, Galaxy is also building infrastructure
for an AI-powered future.
Its Helios Data Center campus is purpose-built
for AI and high-performance computing,
with more than 1.6 gigawatts of approved power capacity,
making it one of the largest sites of its kind.
From global markets to AI-ready data centers,
Galaxy is serving the digital asset ecosystem end-to-end.
Explore Galaxy at galaxy.com slash bankless or click the link in the show notes.
Wow. Okay, so governments are getting involved in this, it sounds like.
So we're not actually sure all the work that's going on behind the scenes even.
We're aware of the commercially viable work at this point.
Okay, so on the logical qubit piece, you said we have like,
one logical qubit right now. There's physical qubits and logical qubits, and the thing to scale
is logical cubits if you, if, you know, in order to break ECDSA, how many logical cubits do we actually
need to break these algorithms? Because that's, that's a metric that I'm looking at. But is that even
the right number to look at? If we're at one, I've heard people talk about, well, you need a thousand or
maybe 1500, something like this. Is this a number we should be paying attention to? And what do you
think about this? Yeah, so there's like multiple relevant metrics. There's the total number of
physical qubits. There's the total number of logical qubits. And there's also the total number of
steps it takes to run the algorithm. And this has a real impact because it's going to determine if it
takes a minute to break a key, a day, a week, or a month, or year. And what are the scaleers for
each of those, physical, logical, and then time to, you know, the algorithm? Yeah. So roughly speaking,
the number of physical qubits
to get one logical qubit today
is a few hundred, call it a thousand.
And what should happen is that
the quality of the physical qubits,
the so-called fidelities, should increase.
And also we should come up with
better erasure coding codes
that will basically improve this ratio.
So it's possible that in the future
we'll only have 100 logical cubits
for every, 100 physical for every logical one
or maybe just 10.
So that's going to improve.
And then when you look at the algorithm to break the discrete log and the CDSA,
roughly speaking, it's a small multiple of the number of bits in the curve.
So we're working with this curve called SEC P-256K1.
The 256 stands for 256 bit.
So you take this number and then you multiply it by five or six or something.
And that will give you roughly the number of logical qubits that you need.
So let's call it 1,500.
100. And so, you know, because today we're at one logical qubit, in some sense, we're three orders
of magnitude away, like three, 10 xes in order to get there. But again, what will happen is that
we're going to have improvements at the error correction side of thing. So right now, the 1,000 to 1 will
become maybe 100 to 1 or 10 to 1. And also we're going to have improvements on the algorithmic
side of things that will reduce the number of physical cubits, say logical.
cubits. Now, on the run times, this is kind of interesting because there's two flavors of
quantum computers. There's the so-called fast clock and the slow clock. So the fast clock
operate really fast, kind of at the speed of light. So you have the so-called superconducting
quantum computers, and you have the photonic quantum computers. And you have photonic, as the
name suggests, it's using photons, light, which explains why it's like so fast. And then you have
the other flavor, which is the slow clock,
they call trapped ions and neutral atoms.
The names don't really matter,
but roughly speaking, they operate a thousand times slower.
And each architecture and so-called modality
has its own advantages and disadvantages.
And so it's quite possible that in the beginning
we might see a slow clock modality win out
in the sense that they will be the first one
to break a key, but it will take them a long time. It might take them a week or a month.
And so in some sense, Q-Day is not totally black and white. Like, there will be a little bit
of a period where it's kind of broken, but only for the very, very top high-value addresses.
Interesting. But Q-Day could also happen without, you know, behind the scenes, without us knowing,
you know, how far along we really are. Yes. And if indeed it is going to be a nation-state that has access,
to these quantum computers first, you know, unless, you know, crypto is, plays a major
systemic role in the world. More likely than not, they'll use their powers to attack things
in a stealthy way, for example, spy on their adversaries. So that plays in our favor. But if you're
dealing with a purely rational, you know, entity that's motivated by dollars, they might indeed,
you know, go for Bitcoin or Ethereum. Last question on QBITs. So,
Are quantum computing data centers being built out right now?
We have this massive data center build out for AI.
Is something similar starting to happen with quantum computers?
Yes.
So I was reading this press release, I believe, from Quantinium.
They're building kind of this photonics-based quantum computer.
And they're very, very stealthy.
They raise a lot of money, billions of dollars, partly from the Australian government,
if I understand correctly.
and they kind of want a one-shot quantum computer.
So a lot of what the other companies are doing
is that they're building like small proof of concepts
and then ramping up.
They want to build the whole thing from day one.
And so they're building this massive data center
and you can see pictures on the internet.
And I think this is because of the modality
where we're dealing with photonics,
which doesn't require like the really cold temperatures
that some other modality.
for example, superconducting requires.
And so you can take a much more traditional looking data center
and put your quantum computer there.
You just talked about how Q-Day isn't really black and white.
It's not a binary.
There's a bunch of different things about a blockchain
that are relevant to quantum.
Each one has a different level of quantum susceptibility.
But I want to take the position that actually Q-Day is an acute-specific event.
It's when the actual attack happens.
and as a result of the attack, something breaks.
And maybe that's different for different blockchains
because different blockchains risk profiles aren't uniform.
But we can talk about like the Q day for Bitcoin
under the assumption that Bitcoin doesn't do anything.
So if we assume that Bitcoin doesn't adapt,
it doesn't solve its quantum susceptibility,
then there is a specific day that will happen
where like Bitcoin is attacked.
What does that look like?
What would happen on that day?
Do we have an idea of the way that Bitcoin is the most susceptible first?
Like what's the lowest hanging fruit for a quantum computer to attack Bitcoin?
Basically, you need to look at the incentives to attack.
And the rational move for an attacker is basically to go fetch the largest addresses.
And actually, maybe even before that, to go fetch either addresses where there's like perfect privacy
or addresses where there's plausible deniability.
So let me go through these one by one.
So the very first target will probably Zcash,
because if you attack Zcash,
you can mint an arbitrary number of ZDC
and no one will know.
So QDA won't be made public.
Wait, just to be clear, Zcash is not post-Quantum secure right now?
Correct.
Even though it's using ZK, like snarks and all this?
Yeah, it's using snarks that are based on the curve
that are liable to be broken by...
Okay.
Okay.
And then, you know, one potential set of victims might be people who have died, for example,
and they've just lost their coins.
And so if someone steals that coins, no one's going to complain.
There's like some amount of plausible deniability.
But then eventually, you know, we get-
But we would notice that.
I mean, like if we started seeing coins from people who-
Yes and no, because we're already seeing it today.
Like, you know, every quarter or so there's like some zombie address that has a
for, you know, 13 years, they resurrect and no one knows the real reason.
It could...
Right.
It's like a 13-year-old Bitcoin wallet that hasn't had a transaction since they mined the 50
bitcoins forever ago, and it makes its first transaction in 13 years.
Whether that person is still alive and just waking up a dormant wallet or it's a quantum
computing...
Who to say?
Attack.
You don't...
externally, a naive viewer just looking at the Bitcoin.
blockchain. It was like, I don't know how to tell the difference. These look the same to me.
Exactly. Yes. And then, you know, you'd probably go and attack the biggest fish,
which might be some exchange that hasn't put in the correct infrastructure to protect themselves.
So it turns out there's a very easy mitigation to quantum computers, the very first ones, at least,
is to not reuse your addresses. Because when you reuse your address, you reuse the public key.
and that means that an attacker has the time to go crack the corresponding private key
and then steal your funds the second time you use the address.
And so really the best practice should be that if you're holding any funds in long term
called storage, it should be a clean address for which the corresponding public key has never
been revealed.
And just to make this crystal clear, what a quantum computer allows you to do is to go from
the public key back to the private key. So it really jeopardizes the foundations of our property rights.
So long dormant coins, no matter what blockchain, long dormant coins that have had their public key
exposed, which is not all dormant coins, but it is a large percentage of them are at risk.
These are the Satoshi coins. Satoshi coins and maybe a handful of others, but as I understand it,
Satoshi has his coins in a wallet that people know,
this is why we know they're called the Satoshi coins
because we know where they are,
to what percentage of Bitcoins are susceptible to this?
Yeah, so there's this webpage called the Risk Lisk,
is spelled with a Q instead of a C,
by this company called Project 11,
where they have this dashboard
that gives you a live view of vulnerable addresses.
And I believe it's on the order of 35%, you know,
35% of Bitcoins.
Yes.
So millions of Bitcoin, let's say six or seven million, something like that.
Yeah, that's hundreds of billions of dollars.
And you're right that it does include the one million, roughly one million BTC that Satoshi holds.
Now, one of the interesting features of Satoshi's BTC is that they're all of increments of 50 Bitcoin.
Because basically, that was the rewards that you would get.
And he would use a fresh address every time he mined.
That's how the default software was programmed back then.
And if it takes, let's say, a day or even, let's say, 10 minutes, you know, to hack one pub key,
you will see Satoshi's coins being drained at roughly the same rate that they were mined back then,
you know, once every 10 minutes or so.
So it will be a process that will be extended through time.
And one interesting consequence is that if you're a small fish and you have like significantly less
then 50 bitcoins worth in your address,
then you're fine.
You kind of shielded by Satoshi.
You'll see it coming.
Right.
Yes, exactly.
In the running away from zombies,
you just need to not be the slowest one.
And in this case,
we need to not have the largest wallets
that are quantum insecure
because they'll just go for the larger wallets.
Exactly.
So Q-Day happens in a Justin Drake scenario,
and maybe a Z-cash is the first
to have some form of,
of an attack. And then you might see some addresses on chain that aren't very noticeable because the
attacker won't want to draw their attention to it, some addresses on Bitcoin. But then the attacker
would kind of step things up and go for larger and larger treasure sources on Bitcoin.
Now, my understanding, we talked about this a little bit last year when he came on, we talked about
quantum. And then I've read some Nick Carter pieces currently, is that there is a portion of
Bitcoin supply that is kind of in the lost coin type of scenario, which is like either the individual
has passed away, lost their private keys, there's Satoshi themselves. And I think Nick
estimated this to be potentially up to the minimum threshold for that is like 1.7 million
Bitcoin. I know there are different estimates of this, which would be 8.6%
of the mind supply.
So this is less than the 35% that you were talking about.
Maybe 35% is susceptible to an attack.
You have to imagine people who are trying to stay one step ahead of the zombie attack,
they will, and they'll just move addresses to one that is not susceptible to this type
of attack.
But if the coins are lost, if there's no access to private keys, then of course you
can't move to an address that is less, that is not quantum attackable.
And so 1.7 million Bitcoin would be about 8.6% of supply.
And then the other estimates, you know, say that there could be as high as 15% of Bitcoin
that's susceptible to this type of thing.
What numbers have you seen and what percent of Bitcoin do you think is just like lost
and going to be susceptible to a post-Q-day attack?
Yeah.
So the rough number that I have in mind is in line with those that we share.
It's 2 million Bitcoin.
which let's say is 10%.
So we have the $1 million from Satoshi,
and then we have roughly another million that hasn't moved for a very long time.
Now, we need to discount some of that because, you know,
some zombie addresses that are legitimate, you know,
will revive over the coming years.
But we should also increase it because there might be some, like,
recently spent addresses that will be lost.
And so, you know, 5 to 15%, I think, is the correct range.
and I would bet around, you know, 10, 12% or so.
You know, it's very sizable.
It's definitely in the hundreds of billions of dollars.
And one could kind of think through the game theory here.
You know, option A is to try and burn the coins.
The advantage here is that you don't have the hundreds of billions of dollars of cell pressure.
So if you analyze this with a short-term lens, that's the rational move.
But then, you know, the whole story of Bitcoin is to be, you know, strong,
property rights. And so if you have a longer lens, then you should not want to burn the coins.
And it's very difficult to know which way the community will go. It's possible that ultimately
the decision will be made by large holders, for example, Michael Saylor and N strategy,
right? Because these large holders, they will receive a copy of both versions of the Bitcoin,
the one with the burn and the one without the burn, and they can choose to dump the one that they
don't like. And we know that Sailor is in favor of burning. And so he can single-handedly
potentially, quote, manipulate the market and get the outcome that he wants. Can we be clear on what
you mean when you say there's two options? Like two options for who? So we have a scenario where
post a Q-day, so if you believe in a Q-day, okay, and you clearly do that it's coming at some point in time,
we will have, say, 10% of all Bitcoin supply that can be attacked.
by whoever has the best quantum computer at that time.
And attack just means they can go and reach in and get the Bitcoin.
And that can happen in relatively short order over days and weeks and maybe months,
but they can pick these addresses off one by one.
And effectively that 10% can be taken by someone.
You're saying that the Bitcoin community has some options with what to do with that 10%
on, I guess, the social layer, on the hard fork layer, and those options are twofold.
Either they can burn or freeze the coins.
They can effectively say, no, Satoshi, this 10% Satoshi's amount and some others,
these are dead addresses, we know they're dead, we don't want them to be quantum
susceptible.
So we're just going to make a social decision in hard fork and just say, these coins shall
never be moved.
They're frozen.
We'll write it into the code, right?
So it's $21 million less the 10% that was, you know, like,
frozen this one time. That's one of their options. The other option is they just leave that 10%
to whoever can create the quantum computer to go claim them, almost like a salvaging a shipwreck
situation where you have a Spanish Armada fleet and they sink with all their gold and their
treasure and whoever has that builds the submarine to go to the bottom of the ocean, to get the
gold can go claim it. But those are forced options. No matter what happens, if QDA happens,
the Bitcoin community will have to choose one of those two options, either intervene, burn,
and freeze, or just leave it to whatever geopolitical commercial force has the ability to develop
quantum computers and go claim the prize. Is that what we're saying here? Yes, that's very well said.
but the one small correction is that this doesn't have to happen at Q-Day or after Q-Day.
It can happen prior to Q-Day.
At any point in time, the Bitcoin community or some subset of it can propose to make a fork.
And then at the fork block number, there would basically be two versions of Bitcoin the asset,
just like the Bitcoin Cash fork back then.
The Bitcoin Classic, if you will, Bitcoin Cash.
And ultimately, this is decided by the market.
So you'll have exchanges that will set up the $2.000.
two versions of the assets, and it's the market that decides which one is the true Bitcoin.
And it's possible just because of short-term liquidity dynamics that the version which
burns the coins, potentially ahead of Q-Day, is going to be the one that that wins.
Right. Okay. So I'm Michael Saylor. I own a large percentage of the Bitcoin supply,
like 2, 3%, especially the liquid supply. I get both copies of the,
the Bitcoin. So we're forking the Bitcoin blockchain, just like we did during the Bitcoin
fork wars between Bitcoin Cash and Bitcoin back in 2017. I'm Michael Saylor. I want to preserve
my value. So I sell all of the bitcoins that are quantum susceptible. And I keep all the
bitcoins that are on the version of Bitcoin that burned or locked all of the quantum
susceptible of bitcoins. And therefore, the price of the Bitcoin blockchain, the Bitcoin on
a Bitcoin blockchain that has quantum susceptibility,
the untouched blockchain, that one goes down.
And the price of the Bitcoin,
the version of Bitcoin that is having all the
quantum susceptible bitcoins burned,
stays high because no one's selling that one.
Michael Saylor's not selling, you know, BlackRock's not selling
or whoever, anyone who believes in this isn't selling.
And so what you're saying is simply the price of the quantum
solved Bitcoin will be higher and therefore that will,
by market forces,
become the canonical Bitcoin.
Yeah.
And Michael might even decide to buy, you know,
the burn version of the Bitcoin
using the proceeds of the vulnerable
and go from like 5% to 5 and a half or whatever.
Right.
Question though.
Doesn't this mean that there needs to be
some level of top-down coordination
on which wallets are frozen
and which wallets are not frozen?
And so isn't that also a choice
that needs to be made of like,
okay, clearly we can label Satoshi's coins.
We will definitely freeze those,
but then we have to freeze a few more,
and there are some wallets out there
that are, you know,
we can be meaningfully sure about.
It's like, it's okay to freeze those
because that person's dead.
But we actually don't know where to draw the line
on which wallets are valid to be frozen
and which wallets are actually owned by humans somewhere
that are just dormant.
Is there a clear line there?
How do we make that choice?
Well, there's a concept called the shelling point,
which is, you know, in the absence of a central coordinator,
how do you come to consensus?
And like, for Bitcoin, I guess the shining point might be, you know,
the block where a having might happen.
So you might pick the first having or the second having or the third having.
That seems like reasonably credibly neutral.
Any coin that hasn't moved since, let's say,
the second having is considered that.
So we just pick a date and we say,
hey, if you are leaving your wallet, your bitcoins in a quantum insecure wallet by this date,
we are going to burn your coins on this Bitcoin secondary blockchain that we're going to fork.
Yeah.
There's a relatively wide design space.
And some people have tried to be creative.
So for example, some people are trying to solve two problems in one go,
both the quantum one and the security budget problem,
where the proposal is let's take the two million coins.
And instead of burning them, we just add them to issuance,
that it kicks the can down the road for the security budget.
I bet that becomes even more ambitious in terms of Bitcoin coordination.
I don't know if you want to overload Bitcoin's coordination ability.
Yes.
If I were a betting man, I would just bet on very simple burn, let's say, after a second
happen.
This is so difficult, though, because to your point earlier, Justin, this does shatter
the incorruptible narrative, the property rights narrative.
So this is any decision on a freeze or burn somewhat shatters the pure nature of what Bitcoin is.
And I must wonder, so Nick Carter in his essays about this, goes through a different story where there's not a burn and freeze scenario.
Instead, it's the salvage scenario where you just leave the coins.
And in his scenario, he goes through, there's a private quantum lab that you cracks the ECDSA ahead of schedule.
They happen to be kind of U.S.-based.
The U.S. government quickly nationalizes them.
In secret, it goes and starts acquiring the Bitcoin.
They coordinate with Treasury.
They coordinate with the big ETF providers, Black Rocks, the Michael Sailors of the
world.
And at the end of this, the U.S. ends up with the 10% of Bitcoin supply in the Treasury.
And he goes through fictional price charts, of course,
when people realize the Bitcoin network is under quantum attack
and the supplies being taken by someone,
price spikes down by 73%.
But then when it's revealed that actually the U.S. government has it,
and they're using salvage laws, maritime salvage laws,
in order to legally confiscate this,
then the market rebounds and is very excited
because the U.S. has this Bitcoin Strategic Reserve Treasury.
So that's his other scenario and kind of you just leave the Bitcoin
and some nation-state, maybe the U.S. government actually cracks it and gets that.
Do you find a scenario like that plausible?
Because at least in that scenario, you're not breaking any property rights.
It certainly is incredible that this will have happened to a multi-trillion dollar network.
And there's such a prize bounty.
It's like just unprecedented.
But that could happen as well.
And maybe that's a better outcome for Bitcoin.
Yeah, so I have a couple thoughts.
The first one is that there is this rather sophisticated way of proving ownership of Bitcoin
without going through the private key.
And this is what's known as a proof of seed phrase.
So the way that you derive a Bitcoin address is in some set in three steps.
Step number one is that you generate your seed phrase.
Step number two, you do some manipulations on the seed phrase, including hashing,
and this is an important point, to derive.
your private key, and then from the private key, you derive the public key, you know,
which then is the address that goes on chain.
Now, the private key, unfortunately, is no longer something that can prove ownership,
but because of the hashing step, if you know your seed phrase, that is still a proof
of ownership.
And so one thing that could happen, and technically speaking is the soundest way forward, is
to freeze the Bitcoin, but to allow anyone to revive their Bitcoin with a proof of seed phrase.
Now, the proof of seed phrase, unfortunately, is quite complicated. It requires a snock, a zero-knowledge
proof. And so it would significantly potentially complicate a Bitcoin. But I guess we'll get back
to this later because my prediction is that Bitcoin is going to have snarks to solve the so-called
size problem of post-quantum signatures. So Bitcoin is very much known for not wanting to increase
its block size. Unfortunately, post-quantum signatures are roughly 10 times larger than ECDSA.
To give you the concrete numbers, ECDSA is 64 bytes. It's a minuscule signature. The smallest NIST-standardized
post-quantum signature is Falcon, which is 666 bytes, more than 10 times larger. And so if you were to naively
swap out ECDSA for something that is post-quantum secure without increasing the block size,
your throughput is going to go down roughly 10x.
So your TPS on Bitcoin will go from 3 to 0.3, which in my opinion is a non-starter.
And so what we're building for Ethereum is this fancy post-quantum signature aggregation
technology so that you don't put the raw signatures, even if they're large on chain.
You only put this aggregation proof.
And my bet is that Bitcoin is going to adopt the solution that Bitcoin will develop because there's just no other technically sound way forward.
I see. And that's why you're betting against the salvage type scenario because you think they'll go with this approach.
And if they go with this approach, then that gives them a way to more credibly, neutrally, like kind of like freeze the assets because they're not completely freezing it.
If you can prove ownership, then you can access the old legacy Bitcoin.
Yes. Now, unfortunately, you know, if your property rights maxi, this is not completely satisfactory.
No. And the reason is that there are some subset of the frozen addresses for which there is no known seed phrase.
So, for example, the seed phrase standard only came several years after Genesis. So all of the earlier, all the Satoshi addresses, for example, won't have a corresponding seed phrase.
And there's some like wallets, for example, MPC-based wallets where there is no corresponding seed phrase.
So it's not a perfect solution, but it gets you 80% of the way.
So messy.
This is so messy no matter how you cut it.
Yes.
Yes.
The other thing I wanted to highlight is that a lot of people think that when you steal
Bitcoin, the price of BTC, the asset will crash.
And then, you know, the asset that you've stolen will be worthless.
But there actually is a way to basically hedge the price of Bitcoin, which is very easy.
You just go short BTC.
So let's say you know for sure that you've cracked the private key of a wallet that holds,
let's say 100,000 BTC.
What you do is you short 100,000 BTC that locks in your profit of 100,000 BTC.
And then no matter what the price of Bitcoin does, it goes up or down,
you've locked in your profit, which could be, you know, tens of billions of dollars.
Now, I do want to flag that, Justin, you think in a particular way.
and the way that you think is why you are in Ethereum.
And if you were a Bitcoiner, you would think a different way.
The Bitcoiner way of thinking is very unique, very distinct,
like Ryan just alluded to a property rights maxi.
I think what Justin would do if he was in charge of Bitcoin
is very different than what the general aggregate of Bitcoiners would do
if they're in charge of Bitcoin.
And I don't really have like an actionable question here,
but I just do want to highlight that what Bitcoiners do is probably not what you're going to do.
Nick Carter's charge is that basically what many of the Bitcoin Core devs are doing
is kind of bearing their head in the sand and saying two days not real or it's not going to be real for like 20 to 30 years.
That's what he's saying they're doing.
Just to be clear, my prediction around the burn winning out is a prediction of what I think is most likely.
It's not what I would do.
If I would actually just not touch Bitcoin and embrace the property rights, you know, just because I have, you know, I don't have this short time preference.
And I think many Bitcoiners will agree with me.
But unfortunately, you know, Michael Saylor has just such a strong influence that, you know, in some sense, Bitcoin has been centralized at the social layer.
And that comes with great power and great responsibility.
I actually agree with you.
That's what I would do too.
I would let the treasure hunt happen.
I would let the salvage happen.
I would not touch anything.
That is the key thing that Bitcoin does and just let the chips fall where they may.
Let me ask you the same question, though.
So it's not just some portion of Bitcoin supply that is post-quantum insecure.
Also, Ethereum has this problem too, but with a different percent of supply.
can you map that same problem?
So we get to a post-Q-day scenario.
Oh, my God, somebody, let's say they didn't freeze and burn.
Somebody is grabbing, scooping up the Satoshi Bitcoin.
What is happening on Ethereum at this point in time?
What percent of supply would be susceptible?
Let's just say Ethereum didn't solve quantum yet.
So let's just say it's in its current place.
What percent of supply would be vulnerable to this type of an attack?
One advantage that Ethereum has is that there isn't the 5% of supply controlled by one person, Satoshi, which is kind of thought to be lost.
The other advantage in some sense is that Ephraim is less old and it had a price from day one.
So there was a reason to take care of your ether from the very beginning, whereas in the early days of Bitcoin, it was just monopoly money and people just.
didn't really have very good hygiene with their private keys.
And so it's much more likely that, you know, the 1.7 that Nicotta was talking about, you know,
are actually, you know, truly, truly lost.
Now, when I was with the ultrasound project, one of the things that we were trying to do
is calculate the amount of known loss coins so that we could add it to the dashboard in addition
to the burn.
And it was just such a negligible amount
that we didn't even bother doing it.
There were like some...
But you have like the parody hack,
isn't that a large portion?
Yes, very good point.
So that was like the number one item in the list.
But it so happens that this is a brick small contract,
which is not vulnerable to quantum computers.
So the...
It's actually just stuck.
It's not about not having the private keys.
It's just literally stuck.
It's bricked, yes, exactly.
And then, you know, there's like a few case studies of a few people.
If you really go digging in the Reddit discussions and whatnot, you'll find stuff.
But in the grand scheme of things, it's, you know, some total less than 0.1%.
So that is the known lost supply.
But, you know, realistically, there will be some coins which, you know, will be revealed to be lost closer to Qday.
and that if I were to make a guess, you know, that is in the small single digit,
call it, I don't know, two, three, four, five percent maybe.
So you think maybe at max two, three, four, five percent of Ethereum supply is kind of
both lost and in quantum crackable addresses?
Exactly, yes.
I mean, if I were to make a concrete prediction, I'd say, you know, 2%,
which is roughly on order of magnitude less than Bitcoin.
and, you know, this quantitative difference actually has a qualitative consequences,
which is that in the case of Ethereum, I would strongly advocate for not doing anything
and really honoring property rights because at the end of the day, whatever, 2% is not a big deal.
And the case of Bitcoin, 15% is a massive deal.
So Ethereum will have to make this same choice, right?
Yes.
Rather to, you know, so let's say it's something like 3%, whether to do the freeze and burn
or just let that be a treasure hunt.
And your hope is that we just go with the treasure hunt option,
which means some sort of quantum attacker
will be able to scoop up that 1 to 3% of ether.
And if you zoom out and you look at the big picture,
we're basically moving towards ether being much better money than BTC.
It will be non-interventionist, respectful of property rights.
It will be quantum secure.
and it will not have the security budget issue
that is going to plague Bitcoin in a couple halvings.
And so I think this is a big opportunity for the asset.
Okay, so we have just talked about kind of the soft social issue
that quantum computing brings up.
There's a lot of technical challenges
that we also have to face in order to make
kind of the rest of the chain post-quantum secure.
I want to bring out this tweet that I saw from Haseeb Qureshi, friend of the show.
He said this, and he was quote tweeting a Vitalik post on Ethereum's quantum roadmap.
And you said this, Ethereum has a tougher roadmap to become post-quantum than Bitcoin.
Actually, a lot of dependencies before you can tackle EOAs and private keys due to post-Quantum proof sizes.
So his take is actually the challenges and the roadmap ahead for Ethereum.
Ethereum are much tougher than Bitcoin.
What do you think about that?
So there's two problems that need to be solved.
There's the technical one and the social one.
If you look at the technical one, you know, Haseeb is correct, that there's basically three
problems that Iffirm has to solve, each are the different layers of Ethereum.
So there's the consensus layer where we have this cryptography called BLS.
There's the data layer where we have KZG, and then we have the execution layer where we have
ECDSA.
and each three of these pieces of cryptography are vulnerable.
And that is a superset of what you have in Bitcoin
where you only have the ECDSA problem.
So in some sense, we have like three times more things
that we need to upgrade.
But when you zoom out, I would argue that the bigger issue,
maybe 80% of it, is social.
You know, we've already touched on whether to burn or not to burn.
But there's something even more fundamental,
which is do we accept that this is even a problem?
And in Bitcoin land, you have this immunoscience,
which basically just rejects any kind of, you know, narrative,
which could potentially be bad for the price.
And you have, you know, people like adding back that are saying,
you know, quantum computers are at least decades away from today.
And so, you know, step zero is to have some sort of acceptance
that there is a problem.
And it's possible that Bitcoin will be slightly too late
and that would have much bigger consequences than on the technology side of things.
So you think generally Bitcoin will have a harder problem because of their social layer
is just not acknowledging this reality and is less willing to engage with new developments on chain?
Yeah, let me say this.
I'm willing to bet a large amount that all three layers of Ethereum will be upgraded prior to the single layer of that.
Right, right.
So we have three times larger of a problem, but it is on the Ethereum side of things, just an engineering problem at the end of the day.
And not only that, it is an engineering problem that Ethereum is taking head on.
So while the Bitcoin engineering problem is a smaller engineering problem, it is a social,
problem, a coordination problem, which is fundamentally
harder to get over.
Yes, exactly. And
even on the technical side of things,
you know, this is a problem
that we've been working on for, you know,
almost a decade now. So
if you rewind the clock back
to 2018, we gave a $5 million
grant to stockware
to study these hash-based post-quantum
snarks and to lay the foundations
with, you know, snock-friendly
hash functions. This is where the
Poseidon hash function came,
came out from.
And if you look in more recent past,
in 2024, there was the lean consensus chain
that was announced formerly known as the beam chain.
We've had, for example, the post-quantam workshops in Cambridge last year.
We now have a dedicated post-quantam team with Tomah and Emil.
And we have this straw map which really details
some of the key milestones to making these upgrades.
Can we talk about each of those problems one by one?
And I know, Justin, you can get into extreme detail with respect to the cryptography.
We'll want to try to keep this at the level that David and I can understand, which is much more simple, let's say, Justin.
But we do understand kind of the different layers, of course, of the Ethereum stack.
And maybe we can start with the execution layer, because that's been the main thing we've talked about, ECDSA.
This is the signature scheme behind both Bitcoin addresses and Ethereum addresses.
That's the thing that would be cracked in a post-quantum world where somebody could go and take the actual assets.
So what's the upgrade path to ECDSA?
That is a long-standing cryptography tool.
And do we have something that can replace it?
What's the process for that?
Yeah.
So first of all, let me just highlight that this is a very big task fundamentally where changing the pillars of blockchains, the base cryptography and swapping it out with something new with completely different properties.
Now, if you were kind of a layperson, your answer might be, it's simple.
We have a standard body called NIST, the National Institute of Standards and Technology.
They've basically come up with this post-quantum signature competition, and they've selected a few, namely Falcon, the lithium, and Sphinx Plus.
And so we just need to pick one or several of these options.
The problem is that NIST has not designed for the blockchain use case.
They've designed for a use case where you have individual signatures for individual messages that are used on the internet.
in the context of blockchains, you have batches of transactions.
For example, for Bitcoin, you have thousands of transactions per block.
And again, we have the size problem with the post-quantum signatures that at least 10 times larger,
if not 100 times larger.
And so, in my opinion, it's a total non-starter to consider these individual signatures
that were just naively packing and concatenating in the blocks.
The only solution that I see is called signature aggregation, where you take multiple signatures
and then you squish them into one multi-signature, if you will, and then verifying this master
multi-signature is the same as verifying all of the individual constituents.
Now, when you do your homework, you know, looking at the design space for aggregatable post-quantum
signatures, there's just not that many options.
essentially one option that is viable, in my opinion, at least with the technology that we have today,
which is to make use of snocks, specifically post-quantum snocks.
And there's not that many post-quantum snogs that we know about.
It's basically one major family, which is the hash-based snocks.
So the basic idea is that you take individual post-quantum signatures,
and then you prove knowledge of all of these signatures to end up with a final snok
proof. Now, if you're going to go with the hash-based snarks, you might as well also go with
the hash-based leaf signatures, the unaggregated raw signatures. And the reason is that this gives
you simplicity and security benefits. It is the most minimal security assumptions that you can have
where you're just assuming that your hash function is secure. And in the world of blockchains,
hash functions are some costs. We have them everywhere, you know, for building blocks and
Merkel trees and state trees and blockchains where the chaining is done with with
hash is.
And so, you know, the Affirm Foundation has put in a lot of effort to start with hash-based
signatures and make sure to make them as snock-friendly as possible so that the cost of aggregation
is as low as possible.
And, you know, I'm pleased to report that the performance of,
of this approach is actually good enough for all of the blockchains.
So, you know, whatever the throughput of your chain is, you can have an aggregator on
reasonable hardware, for example, on a laptop CPU that can just be aggregating all these
transactions and producing a final proof that gets accompanied with the block.
And one of the ironic things about this approach is that it's actually a scalability increase
relative to what we have today.
And the reason is that
you don't have the fixed cost
of 64 bytes per transactions.
The transactions have like zero byte of signature data
and then you have this one master signature
which gets amortized away
across all of the transactions in the block.
Okay, so this is a upgrade
for many of the other smart contract blockchains
downstream of Ethereum,
especially the ones that optimize for speed,
like slot comes to mind.
Not just smart contract, right?
Bitcoin as well, ECDSA.
Yeah, right, right, right.
So like, but the idea here, what I thought going into this episode, that chains like Solana
would be encumbered by having to do beefier signatures, just in the same way Bitcoin
TPS slows down to 0.3 transactions per second.
Solana would similarly also slow down because transactions just would be beefier in a post-quantum
world.
But what you're saying is with this technology, that it won't be true.
it actually will allow chains to broadly get faster and solve that problem.
Yeah, exactly.
And just like Satoshi with ECDSA set a de facto standard for the whole industry,
and we basically copied even the curve, the K-1 curve,
which is very unusual to pick with Satoshi.
No one knows why he picked that curve, but that became the de facto standard.
I think there's an opportunity for Ethereum to be a first mover and set the de facto standard.
And the strategy that we're taking is actually to collaborate with the Bitcoiners.
So in the Bitcoin land, there's a couple individuals, Mikhail Kudinov and Nick Jonas.
They're both part of Blockstream.
And they're both hash-based signature experts.
And we're basically working with them to make sure that whatever we develop in Ethereum land is also applicable to Bitcoin.
And if Bitcoin and Ethereum uses that standard, then the whole industry presumably will also
use this time. Some exciting news. We are launching a new podcast to help people figure out the
crypto cycle, how to navigate it. The best crypto cycle investor I know, his name is Michael Nato.
He runs the Defi report. This is the guy that sent me a sell alert before the 1010 price drop
happened. His cycle analysis has been absolutely on point. I've been following him for years.
And this year, we started recording weekly podcast episodes. Each one, we get into his portfolio,
what he's holding, the market structure, entry targets, fair market value of Bitcoin and Ether,
and where we are in the cycle, there's new episodes that are released every Wednesday. They're 30 minutes. They're short. They're punchy. I think this crypto cycle is harder to navigate than most. So let's do it together. Go subscribe to this podcast. Search the Defi Report. Wherever you get your podcast, YouTube, Apple, Spotify, or find a link in the show notes. There's a new episode waiting for you now. That's fantastic. So we have a way to solve the execution layer, post-quantum upgrade without a performance hit. Let me ask you another question, though. How about security?
So these are, this is newer cryptography versus ECDSA, which has been around forever, has Lindy, it's been proven.
Should we be worried in implementing new cryptography that there's some kind of hidden bug zero day, something out there that, you know, could completely destroy what we've built?
So I have a few thoughts here.
You know, we take security extremely, extremely seriously.
And overall, what I expect will happen is that the.
solution that we deploy is going to be orders of magnitude more secure than what we have today
with ECDSA.
Now, let me try and explain this.
So ECDSA is based on elliptic curves, which are, you know, these fancy structured mathematical
objects.
And it is possible that some clever mathematician comes up with an algorithm to break the
discrete log using some very fancy mathematical trick that humanity.
was not aware of.
And this is the kind of thing
that has happened in the past.
We have better and better algorithms
for factoring, for example,
and for the discrete log.
And one possibility
with the advent of AI
is that we just have mathematicians
that are 100 times smarter
than human mathematicians
that discover this hidden structure,
niptic curves,
and can break up to cryptography.
And so the cryptography that we're building
is not only post-quantum,
it's also post-AI.
and going back to one,
the other thing that I said is that it only relies on hash functions.
So if you take basically any signature scheme,
it will rely on two things.
One, the hash function,
and then two, an optional additional hardness assumption,
which might be the discrete log,
or in the case of lattice-based signatures,
like these structured lattices.
But in the case of hash-based signatures,
there isn't this additional hardness assumption.
It's just hash functions.
So if your hash function is secure, then you're good.
And so in that sense, I expect to be an improvement versus the status quo.
Now, there's two caveats that I want to highlight.
caveat number one is that we're dealing with more complex objects.
And the solution that we have here is what we call deep end to end for more verification.
So we have our cryptographic object and we want to basically prove mathematically
that it is sound, that it is impossible to forge a signature.
And not only do we want to do this for the mathematics,
but we also want to do this for the code.
And had you asked me, you know, two, three years ago,
is there something that, you know, that would be doable?
I would have said yes, but it was, you know,
extremely laborious, extremely expensive.
But what we're seeing with the advent of AI
is that this very laborious and expensive work
can be done 100 times faster and 100 times.
cheaper. We're starting to see, you know, bleeding-edge world-class mathematics. For example, a recent
result that won the Fields Medal, which is the equivalent of a noble price for mathematics,
that result has been formally verified by an AI in five days. They produce half a million lines
of code proving mathematically that, you know, like machine-checkable proof that this is indeed a valid
in the process, finding all sorts of typos in the proof of the human written paper.
So that's the kind of due diligence that we want to have in order to avoid the bugs.
Now, there is another thing that I want to highlight, which is the hash function itself.
So historically, blockchains have been built on either Chateau in the case of Bitcoin or
a hash function called Ketchak in the case of Ethereum.
And the proposal that we have for post-quantam Ethereum is to introduce another hash function
called Pesadon, which in some sense is a different type of hash function because it's snark-friendly.
Now, by the time we launch Pesedon, it should be pretty safe in the sense that it will have
been analyzed for a whole 10 years.
it will have been securing many billions of dollars
through the L2s
and it will have gone through
cryptanalysis by all of the top
experts in the field
and also recently we just announced
a one million dollar prize
to try and break
Poseidon. But it is
indeed possible that
that Poseidon which is a new thing
would break.
Now, the way
unfortunately that you design hash
functions is that you can't just
prove that they're secure. The best that you can do is, you know, the lack of an attack that
proves that they are insecure. And so there's basically this baking time. And the order of magnitude
that I have in mind is eight years. Why eight years? Because when Satoshi picked Shattu Ketchak,
it was eight years old. When Vatac picked Ketchak, it was eight years old, coincidentally. And so,
you know, I would want Pesadon to be at least eight years old, which it will be when we do deploy it
on Fier.
Okay, so that's the execution layer.
Quickly, could you talk about the data layer?
KZG needs to be upgraded to something post-quantum
and the consensus layer where we have BLS signatures.
Is that sort of similar in terms of the level of effort
to the execution layer in replacing ECDSA?
So let me start with the consensus layer
because it's a simpler answer.
At first approximation is basically a copy paste.
So we have a similar concept,
We have actors making signatures, and there's a lot of signatures,
and they take up a lot of space, and we want to compress them.
The issue of the consensus layer is that we have way more signatures than at the execution layer.
People don't realize this, but we have a million validators.
So that's a million signatures per epoch, which is 32,000 signatures per slot,
which is thousands of signatures per second.
You know, it's like, it's more than Solana, you know, in terms of
vote transactions.
In order to unlock a certain performance optimization,
which is only available at the consensus layer,
we have this notion of a stateful signature,
which basically says that the messages that you sign
have a counter that increases every time you sign.
And doesn't that remind you of something?
The slot number.
So in Ethereum, at the consensus layer,
you will only ever sign a single message per slot.
If you sign two messages per slot, you'll get slash, so you'll probably never do that.
And we use this constraint to basically have signatures that are 10 times more efficient to aggregate.
But this is the main difference, you know, the stateless, so-called stateless hash functions at the execution layer
versus the state-fall signatures where you have this slot number that increments.
And the aggregation technology, we have a name for it.
It's called Lean VM, which is a minimal,
ZKVM for hash-based cryptography.
Basically, what LeanVM would be doing is proving that this is a correct, you know,
Merkel route.
And the main thing that we're not completely sure yet is Web or not, this approach can unlock,
you know, what I call it the Terra gas frontier.
So, you know, we have this very ambitious one gigagas per second at the R1, 10,000 TPS.
But in some sense, even more ambitious, one terra gas, 10 million transactions.
per second at the L2 using the data availability.
And we're talking about one gigabyte per second of data availability.
And so the question is, can the ZKVM be performant enough to crunch through one
gigabytes of data per second?
And, you know, this is still yet to be determined based on future optimizations.
Okay.
But what we do know for sure is that if we will have the DA to have the one gigagas per second
for the L1, plus, you know,
a handful of other altos. So I think now listeners might be thinking at this point of the conversation,
okay, it sounds like the Ethereum community has a plan to upgrade to post-quantum. They're acknowledging
that quantum computers will exist and there is a Q-day and they have a plan. Now they're wondering
about timeline and level of effort. So I took Vitalik's post-quantam roadmap tweet and I threw it into
Claude and I was like, hey, Claude, what's the level of effort here? What are we talking about? How
difficult really is this. And Cloud responded, like, think of this as like a nine out of ten.
Okay, this is one, the most significant upgrade, maybe one of, or the most significant upgrade
that Ethereum will ever do. It compared it actually to the merge, where we sort of had to,
we had a plane and mid-flight, we had to swap out the proof of work engine for proof of stake.
Well, now we're swapping out all of the, many of the core cryptography of Ethereum. And that feels like
a pretty large level of effort.
So can you, I guess, scope this for us?
First of all, are we going to be ready for this by 2032?
And also, like, how difficult is this as you're getting into it?
Does it seem possible for us?
Does it seem daunting to you?
Yeah, so I have two parts to the answer here.
The first part is actually it's even more ambitious than the way you framed it.
And the reason is that the,
the change to the cryptography is so invasive that it's essentially almost a rewrite of the consensus
layer, at least. And so if we're going to rewrite the consensus layer, we might as well, like,
properly rewrite it and like put all of the goodies and clean up all of the technical debt.
And does that remind you of anything? That's the Lean Consensus Project, where we're basically
bundling together multiple rewrites, including the single start finality with the upgrade to post-quantum.
So yes, it is a very ambitious project.
In some sense, we're starting from a clean slate and building something amazingly beautiful and simple and efficient and, you know, provably secure and all of the good things.
The good news is that in many ways, starting from scratch is simpler because, you know, you're, you don't have all of this technical debt.
and we can rewrite the spec to be as minimal and simple as possible.
And this is where the terminology lean comes from.
We want to have maximum simplicity,
where we want to have the whole state transition function
basically be a thousand lines of Python code
that some sort of smarts high school that can just read.
And right now we have test nets,
sorry, deaf nets for lean consensus.
And the specs are so easy to ingest that we've seen,
about 10 teams
all implement them,
join, start joining
the deaf nets
and do so without even contacting
the Fium Foundation.
So the barrier to entry
is relatively low
and we're in this crazy world
where AI development
means that you can basically
just to a large extent
vibe code your client.
And then I think there's a big reason
why we have so many clients.
And oftentimes we're talking about either single person teams or like small like two person
or three person teams.
And I think this is going to have, you know, interesting consequences in terms of like
sustainability, you know, paying for all of these client teams as well as, you know, around
governance of, you know, how do we make upgrades to Ethereum?
Like on this, on this latter topic, the way that we do governance today, roughly
speaking is that we have five consensus layer clients and they all need to implement the upgrade,
so some sort of EIP, in order to move forward. And if we want in the future, when we have,
you know, let's say 10 or 15 clients, we can just require the top 80% or the fastest 80%
in order to move forward. And that's more of a Darwinian competition that allows us to
move fast, much, much faster without having to wait for the, the slowest clients.
So will we be ready by 2032?
At what point we'll be ready?
So the whole straw map, you know, has everything laid out up to 2029, which is basically the exact same roadmap that I gave at my DevCon talk where I introduced the beam chain.
And back then people were just-
Hated?
Yes.
It was my most hated slide TM, you know, because it stretched over, you know, four and a half years or whatever.
And, you know, I historically, I've been like bad with timelines.
It's just been way too optimistic.
But, you know, as I age and I mature and I have white hair, I've been becoming better
at timelines.
And I think it was a realistic slash conservative timeline that got people upset.
But, you know, that's just the way it is.
But what was starting?
Also, just for adding on the context, the reason why people got upset was this was in peak
Solana momentum versus a perceived last.
of technical momentum on the Ethereum roadmap.
So it was also the timing of the context.
It wasn't just that you were giving a roadmap
that was like four years long.
I think that was also two years ago as well.
And so we're also decently all the ready,
like decently far into that roadmap,
but there's also the context in the moment as well.
So I don't want to discount that for the listeners
who don't have that context.
Exactly.
Yeah.
So we're a year and a half away.
And back then it was four and a half years ago away.
So now we're roughly three years away.
And I'm relatively confident that, you know, we can meet this 2029 milestone.
And I think there's even an opportunity, you know, if we want to move like faster, thanks to your AI.
So by 2029, all of this would be implemented if it meets the roadmap, everything we just talked about.
You promise?
Everything.
Another question, as I was thinking about this, and this is sort of from old software,
engineering veterans that have told me in the past, they say things like, you know what,
rewrites never work. And they have reasons for this that I'm not a software engineer, so I can't
recite. But it's basically like the rewrite is kind of a trap because it's a myth, because like there's
this panace of getting rid of all the technical debt. But like what ends up happening is you just
kind of do staple on to the existing code base. And it becomes so much more thorny to,
to start something from scratch.
In this case, Justin, you're saying, like,
hey, a rewrite is going to be a fresh start.
It's going to work.
What gives you that confidence?
And why is there something in the back of my head
of some ancient software developer telling me
that rewrites never work?
Why does that not apply here?
One piece of good news is that in some sense,
we have already done this type of large rewrite,
as you alluded to, with the merge.
Like, we completely changed the consensus foundations of Ethereum
from proof of work to proof of stake.
So that's, in some sense, it's an existence proof that it can be done.
And, you know, Ethereum is no stranger to ambitious projects.
You know, we've had other, like, very ambitious things like bank shodding and data value sampling that is kind of on a similar scale.
Another piece of good news is that we have no choice.
Like, we have to, you know, change the cryptography.
It is a very strong forcing function.
And that alone, you know, I would.
argue is a 80% rewrite anyway. So that makes the coordination and coming to consensus
much simpler. And then the other thing else, go ahead. I guess we should emphasize.
It's not just Ethereum has no choice. No one in crypto has an alternative to this. Everyone in
crypto has to do a rewrite. With Bitcoin, it's just ECDSA, but that in itself is enough.
Yes. So it's possible that IFRM has to do more rewrite than other chains. And this has to do with the number of validators. So if you only have, let's say, 100 validators, then you know, you can just absorb the cost of the 10x largest signatures at the consensus layer. It's not too much of a big deal. So for most of the proof of stake chains, actually you don't need the sophistication that we have. But for if, for example,
The theorem, we're hoping to have tens of thousands of validators voting every single
slots, which is, again, like thousands of seconds, transactions, signatures per second.
And we have to be very creative.
Where I would agree with you is that there has to be a very big change for all
blockchains at the execution layer.
But the good news for the other chains is that the Ethereum is doing all the hopework.
Like, we're building Lean VM.
We're going to formally verify the whole thing and you can just copy paste it.
And it's largely an easy job to integrate it.
Nick Carter tweeted out,
one of the dumbest fallacies is people thinking their coin is going to win
if only Bitcoin dies,
like the ZCast people fighting Bitcoin over quantum.
It's precisely the opposite.
If Bitcoin dies,
no one will ever trust internet money again.
All coins ride on Bitcoin's coattails.
What's your reaction to this sentiment?
Yeah, I disagree with Nick Carter.
And Nick has always been like very upset.
when I tweet about the security budget.
You know, he thinks that it's, you know,
it's destructive of the whole industry
to be talking about this.
And, you know, even though the fundamentals,
you know, align with, you know,
what I say in my tweet,
like we should be treading more cautiously.
And ironically, like, he's doing the same thing with Quantum
that I'm doing with the security budget,
which is kind of to try and force the discussion
and force change.
I mean, what about the larger take, though, Justin, that let's say we get to 2032,
Ethereum is quantum secure, Bitcoin isn't.
Bitcoin gets attacked in some of the ways we've described,
or there's this treasure hunt going on, and there's this market uncertainty as to the outcome.
I think what Nick is saying is like, don't cheer for that,
because that's going to be bad for every chain in crypto.
And he's further saying, so goes Bitcoin, so goes everybody else.
If you want a meme of store of value internet money, Bitcoin has to lead that charge.
There's like no such thing as a flipping type scenario of like Ethereum community being able to say,
hey, look, you know, our chain is post-quantum secure and we don't have the problems that Bitcoin does.
He's saying that this will take the entire crypto space down, at least from an internet money store value perspective.
Yeah, I mean, I disagree.
And you can just, you know, look at historical analysis where you have, you know, seashells that were super
superseded by salt or something, and then they were superseded by silver and then gold.
And then, you know, we even have, you know, Bitcoin, you know, superseding gold potentially.
And just because gold fails doesn't mean that the next thing also has to fail.
And I'd say, you know, that Ephiram is the very natural successor to Bitcoin as internet money.
And just because Bitcoin fails doesn't mean that Ethereum has to fail.
I agree with him that, you know, there might be some short-term pain.
but we're also talking about long-term gain.
So what do we get at the end of this?
So 2030, Ethereum is post-quantum secure.
Because Justin promised.
Let's, you know, what does Ethereum become?
Is it sort of the only one in its class,
or do you expect all other blockchains
to kind of follow in its footsteps
and to also achieve post-quantum security?
Like, at that point in time,
like, what is Ethereum up to?
I know there's a broader roadmap here,
but it does seem like a feather in the cap of being post-quantum secure to the extent that
quantum is on the horizon in the 2030s.
But can you describe the system that we have in 2030 if all of this comes to pass?
Yeah, so one interesting shift of mindset for me in the last few months is that I've stopped
thinking about post-quantum as a hurdle that we have to overcome.
And I think of it more as an opportunity, right?
It's an opportunity for Ethereum to stand out as the very very,
first global financial system that is post-quantum secure, not just relative to its competitors,
you know, like Bitcoin and whatnot, but also relative to, you know, Fiat and TratFi.
And I think it would, you know, send a very strong message and kind of be a very natural security
shutting point for the world to migrate over, over to Ethereum. And not only is it an opportunity
for Ephem
to distinguish itself
relative to its peers,
but it's also an opportunity
for Ephem to become
the best version of itself.
And this goes back to the idea
of the move to post-quantum
essentially being a rewrite
and that being a massive opportunity
to start with a clean slate
and wipe out technical debt.
One interesting data point here
is that the OG beacon chain
launched in 2020
and the design of it
was frozen one year before in 2019.
So when, if and when we ship, hopefully when we ship, you know, lean consensus,
you know, the lean beacon chain in 2029, we're going to be upgrading something that is 10 years old.
And, you know, as you know, in crypto, 10 years is an eternity.
We've learned so much that the lean beacon chain is going to be very, very different from the OG beacon.
And you can think of it as kind of being proof of stake 2.0.
We are in a very interesting time with respect to computing, Justin, there seem to be these three kind of computing platforms and paradigms that are really at the frontier shaking things up in ways that will interact with each other and the ways that will change the course of human history.
One is AI, of course, and everyone is aware of what's going on there.
And where does that lead?
And then we also have quantum, which is maybe where AI was.
in the 2010s, you know, maybe we're in 2018 quantum, something like that as compared to
AI. So we have quantum and what's that going to shake up? And then we also have crypto and
cryptography as best exemplified by I think blockchains like Ethereum and Bitcoin. So it almost
seems like we're entering kind of a singularity of these three things where like, you know,
AI is speeding up quantum and cryptography and then, you know,
cryptography is going to be useful as kind of a counterbalist for some of the centralization
vectors of AI. What do you think of all of this mess? I mean, you're a cryptographer,
and you're certainly involved in at least one of these frontiers. What's going to happen next?
It's very hard to predict. But as you said, there's this very strange coincidence where
2032 seems to be the year where computing in general reaches the singularity. People have been
talking about AI singularity potentially even even before 2032 right there's like AI
2027 which is a very very famous write-up I'm I don't think you know we'll have super
insurgents in 2027 but I think it's likely that we'll have it by by 2032 we're
already starting to see just yesterday you know Kapafi one of the AI OGs starting to have
AI is recursively improved themselves autonomously which is
It's like extremely scary, and this is basically the thing that should start the exponential,
at least many people believe, should start the exponential towards superintelligence.
We have 2032 as, you know, potentially that being Q-Day when we have these crocs,
these cryptographically relevant quantum computer.
And we also have 2032 where, you know, Bitcoin will have what I believe, it's final having.
And I believe, you know, it's, it's, you know, you could call it B day, right?
The, the, the, the, the, the, the, the, the, there's some sort of a reckoning that that's going to happen because the issuance will be way too low to secure it.
And in, in two years time, we're going to have one having.
And then in six years time in 2022, we're going to have this, this other having.
And, you know, the whole, the security story for Bitcoin over the last, you know, 50, you know,
16 years has been that transaction fees are going to replace issuance.
I invite you to look at the data.
It's just not happening.
Transaction fees today are 0.6% of issuance.
So forget about transaction fees.
We're going to have basically an exponential decay of Bitcoin security.
And today, Bitcoin is secured, roughly speaking, by 10 gigawatts.
And here's an absolutely crazy mind-blowing statistic.
Every single day, China deploys one gigawatt.
Every single day China deploys one gigawatts, you know, mostly of solar.
And so 10 days' worth of deployment in China is sufficient to 51% attack Bitcoin.
In terms of energy cost, which is the thing that shields Bitcoin,
China is producing as much energy as it takes to produce to secure Bitcoin every 10 days.
So in terms of the power draw, so Bitcoin is drawing 10 gigawatts.
And, you know, gigawatts is, let's say, you know, a nuclear plant.
So it's 10 nuclear plants.
And China is deploying the equivalent of a nuclear plant every single day.
And, you know, that is the, you know, one of the main bottlenecks to making an attack.
the other bottleneck is to have the rigs, the hardware.
And here we're talking about a million rigs, just a million machines,
and it will cost you about $10 billion to pull off the attack,
which in the grand scheme of things is absolute peanuts,
both relative to the market cap of Bitcoin, but also for an attacker like a nation state.
When you talk this way about Bitcoin, Justin, it almost makes me think
that you no longer think Bitcoin should be sort of the vanguard.
of this crypto movement.
You know, it's almost the framing of this is almost like Bitcoin has some flaws
from a security budget perspective, from a quantum perspective, and Ethereum is going to be here
to kind of lead crypto after, you know, if Bitcoin can't get past some of these flaws.
Is that what you believe?
So I remain optimistic on quantum.
I still think that, you know, ultimately it's rooted in a technical challenge that that can be
overcome. The bigger issue I see is the security budget, because here we're getting at the
core essence, the DNA of what it means to be Bitcoin, which is to have this $21 million
cap and to be secured by proof of work. And I just don't see how you can combine proof of work
and $21 million cap. You have to just lose one. So there is a possibility, for example, that
BTCD assets were to decouple with Bitcoin the chain and it could go live
on the more secure chain for free.
And, you know, the obvious choice here is, you know,
to live as an ERC20 token, for example, on Ethereum.
But just saying these words, you know, is...
Bitcoiners don't think like that.
No, they don't.
But, you know, if I were to say different words like,
oh, yeah, we're just going to remove the 21 million limit
because we realize that the security budget is sufficient.
Bitcoiners also don't think like that.
And so they're heading very fast towards a wall.
And 2032 is the record.
think they. What about quantum as it relates to the rest of society? Because this is not just a
crypto problem. Blockchains are uniquely susceptible to quantum computers, but there are other
components about society that is also susceptible to quantum computers. So like, you know,
regular encryption, for example. To what degree does a post-quantum Ethereum, like the 20, 29, 2032
to Ethereum represent just a tool for society
to solve stuff, fix stuff, prevent stuff
in a post-quantum, post-AI world.
So there's basically two flavors of cryptography,
if you will.
There's real-time cryptography, where you're just
signing messages in real time.
And there's no material impact on the actions
that you made in the past.
And I think here, upgrading to post-content cryptography
should be relatively straightforward for most of the internet.
There are some exceptions, for example,
if you have satellites that have already been deployed
and you literally can't upgrade them,
then they will be producing signatures that can be forged.
But that's more of the exception.
Then there is another problem, which has to deal with encryption.
If there's material that has been encrypted today,
and you're not using post-content secure encryption today,
that means that this data can be decrypted in the future.
And there's this whole class of attack called, you know, harvest now and decrypt later.
I think it's realistic that we're going to have mass decryptions in society.
So we might have, you know, like lots of signal messages from several years ago or maybe lots of, you know, telegram messages or whatever.
I don't want to pick on one specific platform or maybe like troves of Gmail.
messages or all being decrypted simultaneously. And I think that could have a very significant impact
on society. Justin, when we were talking about these three compute technologies, it does feel
like the one that sticks out is AI. And you were talking about 2032 being sort of maybe an
AGI type moment. One just general question I have is, as you are a human, an extremely talented
cryptographer, extremely intelligent, particularly within your domain, but you are not an AGI.
You are not artificial general intelligence. And the concern is, as we enter into that computing
singularity, that all bets are off when it comes to AGI? Like all of the well-laid plans we make
in 2026 to have our blockchains be quantum resistant.
What if AGI just figures out how to crack our quantum-resistant cryptography in some other way?
Like, as a cryptographer, are you worried about the unknown unknowns of artificial general intelligence
and the things that it could crack?
Like, what if we're prepared for this quantum world, post-quantum world, but we're not prepared
for a post-AGI world?
Yeah, so on the cryptography, I'm like fairly, you know,
confident about about the soundness.
And the reason is that you can prove mathematically that your cryptography is correct.
So cryptography is a subbranch of mathematics.
And there is this one exception where you have like these hard problems.
And what you try and do generally speaking is that you calibrate, you parametize these
hard problems so that if someone were to computationally break the hard problem,
it would use more energy than there is in the solar system
or something ridiculous like this.
And going back to the cryptographic foundations
that we're suggesting for post-quantam Ethereum,
which is hashes,
it doesn't get any stronger than that.
This is, in some sense,
the weakest cryptography that you've got to hope to have.
And this is one of the reasons why I'm cautious about putting the foundations
of the incidence of value on top of so-called lattices.
So NIST has, there's like two major flavors of post-quantum signatures.
There's the hash-based stuff and the lattice-based stuff.
And the lattice-based stuff to me is very reminiscent of the elliptic curves.
You know, these are highly structured objects.
You know, lattice suggests that you have these, you know, grid, if you will, of points.
And it's very, it's plausible, at least, that,
you know, some AGI or even stronger, some ASI artificial superintelligence, you know,
something that is thousands of times smarter than the combination of all humanity could crack.
But, you know, the hash functions, there's like reasons to believe that it's, that it's, it's strong.
You know, even though I'm not too worried about a better cryptography, I am worried about something like much deeper, if you will, if you, if you, if you, if you, if you zoom out.
I'm more and more worried about just existential risk for humanity.
And I think more and more people are starting to understand what Eliza was trying to say on bankless not too long ago.
I think it's plausible that if humanity were to survive, that if film plays a key role in that happening.
The metaphor that I have right now is that humanity is driving in a car at 100 miles an hour.
and there's like all sorts of incentives.
There's this moloch trap where, you know, the big nation states,
the TSM, NVIDIA, you know, Open AI,
they're all pressing on the gas.
And the car has no brakes.
It has no seatbelt.
It has no airbag.
And while today, you know, we can steer relatively comfortably at 100 miles an hour,
next year we're going to be at 200 miles an hour
and then the year after that, 300 miles an hour
and eventually we're just going to be driving
irresponsibly fast that we're going to crash into a tree
or into a wall or we're going to drive off a cliff
and I think for me working on the firm
has taken a whole new meaning in the last few months
to a large extent I was ignoring AI
partly because I was just so obsessed with blockchain stuff
but also partly because it was
a toy, you know, just not long ago. But what's happening is that through my work, especially
with formal verification and development and coding, I'm just seeing how powerful this stuff is.
And in the last few weeks and months, I've just been obsessed by AI, just learning as much
as I can watching many, many videos. And I'm by no means an expert. And maybe this is just some sort
of a phase that people go through when they open Pandora's box.
But for me, working on Ethereum is now all about defensive accelerationism.
And I don't see other parts of society that are working on the braking system.
It's just all gas.
And the good news, I guess, is that Ethereum has a lot of the thinking and a lot of the tools
that potentially could provide some of the solutions.
So, you know, by day one, we assume adversariality.
By day one, we're making use of technology like cryptography that empowers the weak
and make sure that, you know, even the strong, the arbitrary strong cannot break certain things.
You know, we're trying to be this source of truth, if you will.
We're trying to be decentralized and and try and give people sovereignty.
And like all of these words, you know, they're at least in the right direction.
And I think it's possible that in the coming months and years,
we will have some sort of an awakening where society goes, oh, shit.
And it might become a moral imperative to start working on defensive accelerationism.
And we might have some of the smartest minds in the world just naturally come to Ethereum as a potential solution,
as part of a suite of solution, is that we need to tackle this.
I love that you're thinking about that, and it does sound like your work on Ethereum gives you meaning.
I have another question on that.
So being obviously a huge fan of Ethereum, David and myself, one of the worries I actually have if kind of the AI destiny comes true is like at some level, yes, it's a defensive accelerationist technology.
It's decentralized.
It's kind of permissionless.
It's pushing power to the small rather than the large.
At another level, though, it is digital, and we have created a property rights system.
And it does seem to be the case that some sort of AGI or ASI could leverage our immutable,
can't turn it off, world computer for things that humanity actually doesn't want.
Are you worried at any level about that being an outcome that it just uses Ethereum for
say, hey, humanity, thanks for the property rights system.
We'll take it from here.
And you've now actually accelerated a technology that you is counter humanity.
I think this is a very fair point.
And, you know, ultimately, Ethereum is a tool which could be used, you know, by both the humans and NDAIs.
Now, maybe this is scope.
But the one way to think about it is that if you remove Ethereum,
that doesn't seem to be like many other alternative products
that people are building in the defensive accelerationalist space.
It's pretty much all accelerationsists.
And so, yes, maybe Ethereum will accelerate some things,
but in some sense is one of the only hopes that we have
for defensive acceleration.
And so as such, I think it's still rational to be trying to ship the straw map
by 2029 and doing my best to make sure that Ethereum will be ready for an age of artificial
superintelligence.
Just last question as we draw this to a close, Justin, this has been absolutely fantastic.
Thank you.
Maybe this is kind of a personal question as you've had an AI awakening over the last few
months.
I now notice you're qualifying the Ethereum with like if humanity survives.
So Ethereum plays a key rule, if humanity survives.
those words are hard to say for me.
It's hard to actually get that out of my mouth
because that is a caveat that I've not had to think about
or deal with.
Like the real possibility that the technology accelerationism
means humanity doesn't survive.
How do you deal with that personally?
I'm relatively zen about it.
I've reached a point where, you know,
I'm happy to die.
you know, I've lived a very happy life.
They're dis shocked.
That was not the answer I was expecting.
I think you just need to keep hope.
You know, you just need to put it aside, you know, the so-called P-Doom.
Like, what is the probability of doom?
Like my P-Dium now is, you know, relatively high.
I think it's more than 50%.
But I don't want to say this.
out loud, you know, I don't want to...
You don't want to live in that pessimism.
Yeah, exactly.
I don't want to discourage myself and make my life miserable.
And maybe more importantly, I don't want to discourage other people, you know, and
have them lose hope.
And so I think we should just be, you know, doing our best with what we have.
The future is highly, highly, highly unpredictable.
And so even though, like, my pedium kind of went way up in the last few weeks and
months, this is a, you know, strong opinion weekly held. And I want very smart people to come
forward and tell me why I should, I should not be so scared and much be, you know, more optimistic
and more hopeful. And, you know, just as I said, I've only been thinking about this for like
literally weeks and months. I'm just scratching the surface. The big wake-up call for me was
opus 4.5, where Emil told me, from, you know, from this point,
going onwards, AI is actually helping me becoming more productive. Before that, it was kind of
net slowing me down. And then what we've seen in the last few weeks is more and more
impressive results. So, for example, about a month ago, one of the key lemurs in the hash-based
snarks, it's called the Polyshocks Spillman lemma, that was proven, formally verified, in eight
hours and it cost $200, something that would have cost, you know, a hundred times more.
if a human were to do it,
and would have taken 100 times more time
if a human were to do it.
And then I also mentioned the Fields Medal result,
which only took five days to generate a 500 line proof.
And, you know, you can just, it's kind of obvious, right?
Like, we're going to have all the known mathematical theorems
just be either, you know, checked and verified by the AIs
with all of the typos corrected.
And for some small subset of, of, quote, theorems,
we're actually going to have, you know, a demonstration
that these are actually incorrect
and that might be counter examples.
And, you know, it already seems like programming
is largely solved.
And then we're going to solve, you know,
scientific progress and all sorts of other things.
You know, really things get philosophical extremely quickly.
And, you know, maybe that's for,
another episode. Yeah, I do think that is for another episode, Justin. It's a fantastic answer,
though. I appreciate your insight into approaching this with some level of stoicism and then agency,
which is working on things that are meaningful to you. And we hope, if humanity survives,
to do many more of these podcasts with you in the future. It's always a treat to have you.
Justin Drake, thank you so much. Thank you. Got to let you know. Of course, crypto is risky. So is the
real world. You could lose what you.
put in but we are headed west this is the frontier it's not for everyone but we're glad you're
with us on the bankless journey thanks a lot