Bankless - Will Quantum Computing Kill Bitcoin? | Scott Aaronson & Justin Drake
Episode Date: January 13, 2025

Quantum computing is advancing rapidly, raising significant questions for cryptography and blockchain. In this episode, Scott Aaronson, quantum computing expert, and Justin Drake, cryptography researcher at the Ethereum Foundation, join us to explore the impact of quantum advancements on Bitcoin, Ethereum, and the future of crypto security. Are your coins safe? How soon do we need post-quantum cryptography? Tune in as we navigate this complex, fascinating frontier.

TIMESTAMPS
0:00 Intro
6:50 Google Willow Chip
11:58 How is Quantum Computing Accelerating?
19:27 Quantum vs Classical Computers
40:18 Why are Quantum Computers so weird?
46:18 Quantum Computing & Cryptography
52:53 What will Break Cryptography
54:45 Time Horizons
1:03:14 Accounts Getting Hacked
1:13:23 The Bitcoin Case
1:24:10 Quantum Money
1:29:44 The Ethereum Case
1:35:00 Closing Thoughts
1:36:24 Debrief with Justin Drake

RESOURCES
Scott Aaronson https://www.scottaaronson.com/
Justin Drake https://x.com/drakefjustin
Transcript
If let's say there's only a few entities in the world that have scalable quantum computers, right,
that allows those entities to mine a lot more Bitcoin than everyone else.
Now, eventually, if you got to a world where, you know, just about everyone had access to a quantum computer,
then it's kind of amusing what would happen.
Welcome to Bankless, where we explore the frontier of internet money and internet finance,
and today we're exploring the frontier of quantum computing and its effect on our internet money.
What's it going to do?
Are quantum computers going to take all of our Bitcoin?
This is Ryan Sean Adams.
I'm here with David Hoffman, and we're here to help you become more bankless.
Guys, special episode.
It's divided into multiple parts, I would say.
The first part, we have Scott Aaronson on the podcast.
He is a theoretical computer scientist.
He is a foremost expert in quantum computing.
We also have Justin Drake on the podcast for part of the first part,
and he asks Scott Aaronson some questions as well,
particularly about the effect of quantum computing and our cryptocurrencies,
like Bitcoin and Ethereum. Now, because the subject matter goes very deep in quantum fundamentals,
you might feel, Bankless listener, like you're hanging by the seat of your pants, just trying to
keep up with these big brains and some of the ideas propelled forward. So never fear. We have a
final part of the podcast, a third part of the podcast where it's just David, myself, and Justin
Drake. And what we do is we try to synthesize everything we've learned. And that for me was one of my
favorite parts of the episode because it was taking everything big brain that Scott Aaronson said
and applying it directly to Ethereum and Bitcoin, what could happen in the cryptosphere.
So three parts to this episode. And you guys are welcome to skip to one of those parts if you get
too lost in the weeds at certain sections. Yeah, I would say the first part of this episode are
two high schoolers asking a PhD about quantum computing and trying to get that PhD to really put it
into simple terms. And I think we thought we did okay there. If you use 100% of your brain power,
bankless listener, I think you'll kind of catch a vibe. You'll catch a direction for it. But it does
get pretty technical pretty quickly. And then when Justin takes over, it starts to focus more and
more on how this relates to crypto. And so the way that this podcast starts is, you know,
what is quantum computing? How is it different? How does it work? How has it changed and impacted the
world? And then as we progress further into this podcast, it's how is this going to impact our
bags. What's going to have to change? What are we going to have to change in Ethereum? How is Bitcoin
going to have to navigate these changes, which is an even more difficult conversation that I'm
less optimistic about. And overall, I just learned a lot. It's an honor to have Scott on the podcast.
He's a big-deal chad in this space of quantum computing. And I would also say how quantum
computing relates to crypto is going to be kind of a microcosm for how it impacts the rest of society.
Crypto is not the only industry that is going to be impacted by this. The rest of the world is
going to be impacted by this. And like other examples, I think crypto is going to be a little bit of
a spearhead, a canary in the coal mine, because we're going to tackle this first because we see it
coming and we're futurists and we pay attention to stuff like this, which is why we are doing this
podcast. Yeah, we are. And it's actually a bigger deal than I thought going in. Like it will have a
more fundamental impact on cryptocurrencies than I thought going into this episode. So guys, we appreciate it.
Let's get right into the episode with Scott Aaronson and Justin Drake. But before we do, we want to thank
the sponsors that made this possible.
With over $1.5 billion in TVL, the mETH protocol is home to mETH, the fourth largest
ETH liquid staking token, offering one of the highest APRs among the top 10 LSTs.
And now, cmETH takes things even further.
This restaked version captures multiple yields across Karak, EigenLayer, Symbiotic, and many more,
making cmETH the most efficient and most composable LRT solution on the market.
Metamorphosis Season One dropped $7.7 million in COOK rewards to mETH holders.
Season Two is currently ongoing, allowing users to earn staking,
restaking, and AVS yields,
plus rewards in COOK,
mETH Protocol's governance token, and more.
Don't miss out on the opportunity to stake, restake,
and shape the future of mETH protocol with COOK.
Participate today at mETH.mantle.
compatible layer-1 blockchain
to a high-performance Ethereum Layer 2,
built on OP Stack with EigenDA,
and one-block finality.
All happening soon with a hard fork,
with over 600 million total transactions,
12 million weekly transactions,
and 750,000 daily active users
Celo's meteoric rise would place it among one of the top layer twos,
built for the real world and optimized for fast, low-cost global payments.
As the home of the stablecoins,
Celo hosts 13 native stablecoins across seven different currencies,
including native USDT on Opera MiniPay,
and with over 4 million users in Africa alone.
In November, stablecoin volumes hit $6.8 billion,
made for seamless on-chain FX trading.
Plus, users can pay gas with ERC-20 tokens like USDT and USDC
and send crypto to phone numbers in seconds.
But why should you care about Celo's transition
to a layer two? Layer twos unify Ethereum. L1s fragment it. By becoming a layer two,
Celo leads the way for other EVM-compatible layer ones to follow. Follow Celo on X and witness
the great Celo happening where Celo cuts its inflation in half as it enters its layer two
era and continues its environmental leadership. Bankless Nation, I am honored to introduce you to
Scott Aaronson. He is a theoretical computer scientist and he's a chair at the University of Texas
at Austin where he directs the Quantum Information Center. He's an expert in quantum. And over the last two years,
he was actually on leave.
He was working on AI safety at OpenAI.
So it's safe to say we have an expert in at least two domains of interest today, quantum
computing and AI.
Scott, welcome to Bankless.
Well, thanks so much.
It's great to be here.
Joining us, because this is kind of an intimidating subject matter for David and I.
We're going to need help.
We've got Justin Drake.
You know Justin from the Ethereum Foundation as well.
He's going to serve as technical co-host for a portion of this conversation.
Justin, how you doing?
Doing great. Thanks for having me.
And a real honor to be on a podcast with Scott.
Yeah, great to see you, Justin. Yeah, it's great to have Scott interacting with the crypto community because we have a quantum intersecting crypto here. And that's kind of the genesis for this conversation. I think David and I have a simple goal for this episode, which is just to get crypto people up to speed on quantum computing. Because I feel like we just don't know enough right now. We've heard the scary news that quantum might be used at some point in the future to break our cryptography and to steal our cryptocurrency. So that's kind of scary. And so what I want to do for bankless listeners is break this into two parts.
Part one will be what I call the kind of the little brain questions. That's for David and myself. We're
going to ask you about the quantum 101, kind of the popular beliefs about quantum, make sure we have a good
grounding and foundation. And then part two, Justin's going to lead. That's more the big brain
side of things where you guys can talk about cryptography, quantum, will this break Bitcoin, will
this break Ethereum? And if so, how? And we'll do our best to keep up. Yes, thank you. You guys
ready for this? Perfect. I got the head shake acknowledgement, which is just as good as the verbal.
Let's get into the small brain, quantum 101. Okay. So there was
this thing that happened about a month ago. This was early in December. The CEO of Google tweeted
something out, Sundar, the CEO of Google. He said, Willow, our new state of the art quantum computing
chip with a breakthrough that can reduce errors exponentially as we scale up using more qubits,
cracking a 30-year challenge in the field. So introducing a new state-of-the-art quantum computing
chip, Willow. And this, I think, broke mainstream news. It broke into crypto and started us
talking once again about quantum computing and how it might affect cryptocurrency moving forward.
So there's a lot of worries around this. I want to start the question with maybe this tweet.
The Google Willow Chip, is this a major breakthrough from your perspective? I mean, you've
been working in quantum for 20 years. How big of a deal is this? I mean, I would call it an
engineering milestone. So it's not that it overturns anything that was previously believed or
represents some great new discovery. I mean, this is stuff that as theorists, you know,
was predicted in the 1990s, right, that once you get qubits that you can act on with a low enough
error rate, then you can do these very clever quantum error correcting codes, right, that will
protect your underlying logical qubits, sort of even better than the physical qubits are being
protected. And in principle, you could then preserve encoded qubits for arbitrary amounts of time, right?
So this is a theory that's been in place since 1996 or so.
But what's exciting is that, like, 30 years later,
we are only now finally starting to experimentally demonstrate some of these predictions.
So the milestone that Google announced in December,
it was actually a paper that they, you know, had online since the summer.
So it was sort of old news to us by the time that Google announced it in December.
But, you know, they have now built a chip with like a hundred,
three physical qubits, I think. That's what Willow is. Okay, it's superconducting qubits,
you know, arranged in roughly like a 10 by 10 grid. And they use them to implement something
called the surface code, okay, which is a quantum error correcting code. Again, as theorists,
we've known about since 1997, okay? But for the first time, they're doing it in a way where,
as they scale to larger and larger surface codes, so like from a three-by-three
array to a five-by-five to a seven-by-seven and so forth, they are preserving an encoded
qubit for longer and longer amounts of time. So they've passed the threshold where going to a
larger code gives you more and more of a net win. You know, it's kind of like the Fermi
pile in 1942, you know, past the threshold where, you know, each nucleus decaying is
causing more nuclei to decay, right? This is some kind of important threshold, right?
So now, you know, it's still not good enough to do, you know, a full, scalable, you know, fault-tolerant quantum computation. I mean, for one thing, you know, we're only talking for now about one encoded qubit, right? That is just sort of sitting there, right? You know, a next step would be to build multiple encoded qubits, have them interact with each other. So that hasn't been done yet with encoded qubits of this quality. And, you know, if you really wanted to, I mean, we'll get into this
later, but if you really wanted to break cryptographic codes, then you'd probably be talking about
millions of physical qubits, in, you know, possibly hundreds or thousands of dilution refrigerators,
you know, all with interconnects. So, long story short, we're not there yet. Okay, but, you know,
this is an important milestone, something that theorists talked about since the 90s, and it is
exciting that just within the last year, you know, we've seen that cross, you know, and, you know, there have been
skeptics of quantum computing who have, you know, I think, you know, firmly predicted that, you know,
we would never get this far, right? That, you know, like, we don't really understand quantum mechanics
itself, or, you know, there are sort of sources of correlated noise that violate the assumptions
of the theory of quantum fault tolerance. And, you know, when we try to build this, we're going to
see that. It's going to make quantum computing impossible. You know, and we haven't seen any sign of
any of that, right? You know, everything seems to be working just like the theory in the 1990s said it would. So I would
say that's the main upshot. Well, that does seem significant from the perspective of kind of the
theory is being worked out now in engineering. And so this is an engineering milestone, as you said.
So a big question then is, like, how much will this accelerate moving forward, right? And are there any
analogs? I mean, are we looking at kind of the transistor and Moore's Law? Are we looking at something
as explosive as AI, which just seemed to, you know, like, we went
from Transformers, and then suddenly there was, you know, GPT, and now we're seeing monumental gains.
Like, how fast could this accelerate moving forward?
Yeah, I mean, you can always try to look for historical analogies, right?
I do that as well.
I do it all the time.
It's also hazardous, right?
Because each situation is not quite the same as the previous ones, right?
In this case, you know, I think my main caution would be, you know, some people just, you know,
they hear all these exciting things about quantum computing, and they expect
that, okay, then this must just be the next frontier that is going to replace all of our existing
computers, right? It will just revolutionize everything. And, you know, the hard part with a
quantum computer is that, you know, in order for it to be useful, you have to beat a classical
computer, right? Classical computers already exist. They are, you know, one of the triumphs
of civilization. Okay. And we can get into this later, but it is mostly for certain very special
tasks that we know how to get a huge advantage with a quantum computer over a classical one.
And for many, many other tasks, for many, you know, I'd say the majority of what we do with
our computers on a day-to-day basis, a quantum computer would probably help you little or not
at all, right? It would, you know, you could use a quantum computer to check your email or to
play Candy Crush, but it would be like using the space shuttle to taxi people around the
parking lot.
It would just not make sense.
Okay, so, you know, you really have to look at, you know, these specific applications where a quantum
computer promises an improvement, right?
And even once, you know, we achieve the full promise of quantum computing, I mean, those are,
you know, I think it's going to be certain specific industries where we're mostly going to see the
effect.
Okay, so that's, I think, the first thing for people to understand and that really differentiates
this from AI, for example.
I like to say that the differences with AI, you don't have to, you know, beat anything that humans can do. It is enough to achieve parity with a mediocre human. And that already changes the world, right? With quantum computing, you really have to beat classical computing, right? And it's a miracle that that ever happens. But, you know, it's mostly for certain specific problems where it does. Okay, so, you know, the types of problems where quantum computers can help or not help,
You know, that we can discuss in as much detail as you like, right? Because in some sense, we know a great deal about that.
And the timeline, how long this is going to take, that we know less about, right? Or rather, you know, if I did know a lot about that, then I wouldn't be a professor. I would be an investor.
So, you know, all I can do is just sort of, you know, look at scatter plots, you know, look at, you know, what promises were made over the last 20 years by
the various quantum computing efforts and how on track they are in delivering on those promises.
And if you look at that, what you see is that, well, it seems like we have come an incredible
distance since where we were when I entered this field in the late 1990s. It's been more than 20 years
now, right? But in the 90s, it would have been amazing to get just two qubits to talk to each
other with, say, 50% fidelity, you know, 50% accuracy, right? And then, you know, we knew that,
okay, if you could get that really, really close to one, like, you know, 99.999% or something like
that, then quantum error correction starts to kick in, and then you can push the effective error
all the way down to zero. But, you know, that just seemed like so far off from where people were.
Okay, but, you know, over 25 years, what happened was that that 50% fidelity
became 90%, became 99%.
And now in the latest systems such as those of Google or Quantinuum or QuEra,
it's 99.8% or 99.9%.
And in the meantime, the quantum error correction methods have also improved,
so that they can cope with larger amounts of error.
And so we are now at or very, very near the threshold,
where in principle quantum error correction does become a net win as you scale up.
Okay, so, you know, that's not to downplay the sort of enormity of the engineering work
that is ahead of people, right?
But, you know, if you just look at the error rates, right, as a function of time, you know,
that looks pretty good, right?
And it looks like if people wanted this badly enough and were willing to spend enough money,
right, I certainly can't rule out that, you know, within
the next decade that they could, you know, get useful quantum advantages. I mean, you know, it's sort of like,
you know, asking a nuclear physicist in the 1930s, right? You know, how long until we're going to get
a critical mass, right? And like, Niels Bohr, for example, was asked that question, and he said,
well, it's not going to happen for, you know, in any foreseeable future because you would have to
convert an entire country into a uranium enrichment factory, basically, right? It's just fanciful.
And then, you know, apparently like in 1943, he toured the Manhattan Project. And then he said, well, I see that that's what you've done.
Wow. So, you know, at some point it just becomes a question of, you know, how much is someone willing to spend, you know, how badly do they want this, right? And so the timeframes, you know, depend on all sorts of things that, you know, I as a theoretical computer scientist, you know, I'm not able to predict very well.
But, you know, we'll get into this shortly, but I would certainly say that, you know, people who have encrypted data that they want to stay secret for the next decade. Yeah, you know, if I were such a person, then I would probably already be, you know, looking to migrate to post-quantum or quantum resistant methods of encryption.
I think that really helps us place ourselves in history as it relates to this quantum arc of development. We are somewhere in the inflection point of going from
research and theory into practicality, and it's kind of just becoming a matter of time, of willpower, and
expense. And Scott, I do kind of want to return back to something you were saying earlier about
the differences between quantum computing and classical computing, because I think this is really
the first big aha moment that I want listeners to really integrate into their brains. The metaphor that
I've had to understand this for me personally that I think worked very well is trying to get people
out of the idea that a quantum computer is just a faster classical computer.
Yes.
For example, there's an arc of automobiles that we can say.
First, we had the Model T Ford, and now we have, you know, Ferraris and Toyotas that work very well
and they're very dependable.
And that's a coherent directional arc of progress of that technology.
I mean, the speed hasn't really increased all that much, certainly not exponentially, but yes.
They certainly look sleek.
But what we're not doing with quantum computing is,
we're just making a better classical computer.
It's much more like something where we're actually making a boat
and we're going off into a different frontier
that cars were not able to explore or navigate.
Doesn't matter how good the engine you made and put it into a car.
It's not going to help you on water.
And what quantum computing is like,
well, we're actually changing the shape of the frontier that we're navigating.
We're going into a different uncharted land.
And now we are able to explore a different field of mathematics
and there's different applications.
there's different utility out there.
That was a really helpful metaphor for me.
Maybe you can extend that metaphor and run with that and help explain that a little bit.
Yeah, I mean, like most metaphors, that one has both good and bad to it.
Right.
I mean, you know, a quantum computer would really harness nature to do computation in a fundamentally new way, right?
It's the first device since Alan Turing, really, that changes, you know, the basic rules of what is efficiently computable and what isn't, right?
and it does that because it is exploiting the laws of quantum mechanics.
So quantum mechanics famously says that systems can be in what are called superposition states.
So a quantum bit, what we call a qubit, can be in a superposition of the zero state and the one state,
which means that you have some number, which is called an amplitude, which is attached to the possibility that the qubit is zero,
and you have another amplitude that's attached to the possibility that the qubit is one, right?
And so it's not definitely one or the other. Now, if you look at the qubit, if you measure it to ask which one it is, then you'll get a definite answer, right? It will tell you, you know, either that it's zero or that it's one. And the probability of each possible outcome will be related to the amplitude by a very famous rule in physics called the Born rule.
It's going to say you take the square of the absolute value of the amplitude, okay, to get a probability, okay? But the key thing is that these amplitudes are not themselves just probabilities, right? What is a probability? Right, it's a number from zero to one, right? It's a, you could talk about a 30% chance of rain or of, you know, someone winning an election, but you'd never talk about a negative 30% chance, right? That would just be nonsense. Okay, but amplitudes can be positive or, you know,
negative. In fact, they can even be complex numbers. So this is the key, right? This is the key thing that we
learned about reality, you know, in 1926, that somehow under the hood, nature is using these numbers
that are closely related to probabilities, but they're not, because they're complex numbers, right?
They're these amplitudes. Okay. And so now that's already interesting, if I talk about, you know,
a single qubit, you know, which could mean like an electron that could be in
one of two locations, or that could be, you know, spinning either clockwise or counterclockwise
about some axis, you know, has some little degree of freedom. Okay, but it's even more interesting
when I talk about multiple qubits, okay, because the rules of quantum mechanics, you know,
which have been, you know, experimentally confirmed, you know, over and over, you know,
thousands of times for the last century, right? They are unequivocal that if I have, let's say,
two qubits, now I need four amplitudes. I need an amplitude for both qubits to be zero,
so for the state zero-zero, and then I need an amplitude for the first qubit to be zero
and the second to be one, so for zero-one, and then for one-zero, and then I need an amplitude for one-one, okay? If I have
three qubits, now I need eight amplitudes, right? One for every possible three-bit string.
If I have, you know, 100 qubits, two to the hundredth power amplitudes, right? And if I have
a thousand qubits, now that's actually more amplitudes than could be written down in the entire
observable universe. Okay, it's two to the thousandth power, right? So in some sense, ever since we've
known quantum mechanics, like we've known that nature off to the side somewhere is storing this
vast scratch paper, you know, with this unbelievable number of parameters, you know, just
to keep track of the states of, you know, rather small numbers of particles, like a few hundreds
or thousands, right? And every time something happens to those particles, nature has to cross
off all of those numbers and replace them with new numbers. Okay. Now, it's true that we never
directly see those numbers, right? You never directly see an amplitude, okay? But we need them to
calculate the probabilities of the various outcomes that we do see. Okay, so this is the basic story.
So chemists and physicists have known about this for generations, this sort of exponentiality
that is at the core of quantum mechanics, you know, because of this sort of explosion of amplitudes.
They've known about it mostly as a practical problem, right?
That if you're trying to simulate chemical reactions or, you know, simulate materials using a classical
computer, you know, you have to solve what's called the Schrodinger equation, right, which is the central
equation of quantum mechanics in which basically just tells you how the amplitudes are changing over
time when a system is isolated, when your qubits are isolated from the outside world, like when
no one is measuring them. And it just says that they change over time by a linear differential
equation that preserves the property that the probabilities of all the different outcomes
will always add up to one. That's all it says. It's just, you know, maybe the most important
equation in physics, right? So in principle, we understand all that. It's even a very simple-looking
linear differential equation. The trouble is just, you know, how many damn amplitudes there are,
right? And so as soon as people started trying to simulate, you know, let's say lots of entangled
electrons, you know, on computers to calculate, you know, the properties of chemical reactions,
they ran into that exponential explosion, right? And so a lot of what chemists, you know,
and physicists have been doing, you know, since the 50s and 60s, has been, you know,
inventing heuristics, you know, approximations, hacks, you know, that let them avoid that
exponentiality in various special cases, you know, by being clever, right? But in the early 1980s,
you know, a few physicists, most famously Richard Feynman and David Deutsch, had this remarkable
idea that if nature is giving us this computational lemon, like, why don't we try to make
lemonade out of it? Right? So why don't we build a computer that would itself take advantage of
that same exponentiality? Okay, they called that a quantum computer. You know, of course,
it was just a thought experiment at the time. Okay, but, you know, they immediately faced the question
while supposing that we built that device, what would it be good for? Right. And at the time, they really only knew
one answer to that question, which was it would be good for simulating quantum mechanics itself.
And, you know, I think more than 40 years later, you know, the truth is that is still the economically
most important application of quantum computers that we know. Right. That, you know, they would give you
this general purpose, you know, way to cut through this sort of exponential, you know, explosion and
amplitudes and thereby simulate, you know, whatever quantum material, whatever high-temperature
superconductor or photovoltaic or protein you might care about and, you know, possibly get a,
you know, a much better simulation, a more accurate simulation in a shorter amount of time than a
classical computer could give you. Okay. But that was not the discovery that really put quantum
computing on most of the world's radar, right? As long as it was just
a device for simulating quantum mechanics, it was mostly just this idea kicked around by,
you know, a few strange physicists and computer scientists, right? And what really captured people's
attention was the discovery in the mid-1990s that a quantum computer could also achieve, you know,
dramatic speed-ups for at least a few purely classical problems, problems that have nothing
to do with quantum mechanics, right? The most famous example there is that, you know,
the problem of finding the prime factors of a huge number.
Okay.
And some of your listeners may know this happens to be the problem that underlies the security
of a large fraction of the encryption that currently protects the Internet,
particularly anything that's encrypted with RSA, right?
It depends on the belief that factoring is a hard problem.
Okay.
And in 1994, Peter Shor showed that if you could build a large quantum
computer, then there would be a fast method for factoring large numbers. You could factor an n-digit
number using a number of steps that would scale only roughly like n-squared, okay, whereas the best
classical method takes a number of steps that grows exponentially with that, actually with the
cube root of it. Okay, so that was an exponential speed up over the best-known classical algorithm, okay?
And variants of that, as it turns out, could break most of the other public key encryption
that we also use to protect the internet, including Diffie-Hellman, which is based on a problem
called discrete logarithms and even elliptic curve encryption.
Okay, that would all be broken by quantum computers.
Okay.
And so then that really got people's attention, okay?
But unfortunately, what happened, like 30 years ago was that like a certain narrative took hold,
you know, about how a quantum computer would do all of this,
that's been really, really hard to dislodge, you know,
even though I've been trying for 20 years on my blog, right?
And the narrative basically says,
well, the way that a quantum computer would do this
is it would just try every possible divisor of your number in parallel, right?
It would try everything in superposition,
and it would basically just be like a massively parallel,
an exponentially parallel classical computer.
And I think that caught on because it sounded really good.
You know, anyone could understand why that would be useful, right?
And, you know, it even had some relationship to something true.
Okay, but unfortunately, that's not how it works.
It's false in a very important way, right?
And so now I think we can really get to the heart of, you know, how a quantum computer
is different from a classical one, right?
So it's true that with a quantum computer, you can create an equal superposition over every possible solution to your problem, even if there are exponentially many of them.
You know, that's even an easy thing to do with a quantum computer. The trouble is that for a computer to be useful, you know, at some point you have to look, you have to measure, you have to get an output.
Okay. And if you just did that, you know, to an equal superposition, not having done anything else, then the rules of
quantum mechanics, you know, this Born rule, are very clear that all you're going to see will be a
random answer. And if you just wanted a random answer, you could have just flipped a coin a bunch of
times, you know, you could have just picked one yourself. You could have saved yourself all the billions
of dollars of, you know, building this quantum computer, right? So really, the only hope of getting an
advantage from a quantum computer, you know, compared to just a classical computer with a random number
generator, right, is to exploit the way that these amplitudes, being complex numbers, work
differently from conventional probabilities, right? And with every algorithm for a quantum computer,
you know, including the famous Shor's factoring algorithm, okay, the trick is that you're trying
to choreograph a pattern of interference in such a way that for each wrong answer, so like
each number that's not a prime factor of your number.
Some of the contributions to its amplitude are positive and others are negative so that on
the whole they cancel each other out.
Whereas for the right answer, you know, you want all the contributions to its amplitude
to be pointing in the same way so that they reinforce, so that they add up, right?
And if you can arrange that, then when you measure your qubits, you're going to see
the answer you want, in the case of
Shor's algorithm, the prime factors of your number, with a high probability. And, you know, if you don't
see it, you can always just repeat the quantum computation several times, you know, until you do.
Okay, but the whole game is to use this interference between positive and negative amplitudes
to try to boost the probability of seeing the right answer, you know, to higher than you could get
with a classical computer. Now, it's very tricky. It's like nature is
giving you this really bizarre new hammer, right? It's not obvious a priori that there's any
useful nails that that hammer can hit, you know, other than just simulating quantum mechanics
itself, right? That's why it took people like Peter Shor to figure this out, right? It wasn't
obvious, okay, because you have to, you know, arrange all this interference, even though you
yourself don't know in advance which answer is the right one, you know, if you already knew what
would be the point, right? And you have to do all of this faster than the fastest classical method,
right? Or else, you know, again, why not just use a classical computer instead? Okay, so this is the game
with quantum computing, and this is why, you know, the applications of a quantum computer
have been more specialized than some people would like, right? To go back to your boat analogy,
right? Okay, in some sense, anything that a classical computer can do, you know, a quantum computer,
can also do, right? So maybe it's less like a boat than an amphibious vehicle. But it just, for most of
what we do with classical computers, there's no point to using a quantum computer because it's not
any better, right? It's only better to the extent that you can take advantage of this interference
phenomenon to concentrate more amplitude on the answer you want faster than a classical algorithm
could do the same thing. I think the intuition that I'm getting is that quantum computers are good at
very large number management.
Scott,
maybe I can ask perhaps our last fun,
dumb question before we hand things off
to Justin Drake here.
These are not dumb questions.
Oh, good, good.
I'm glad.
I'm glad.
The simple question is the pictures
of the quantum computers that I've seen.
Why do they look so weird?
Yeah.
Like, why, like, I'm used to chips
that are these like very small, flat,
square, you know, metal things
that fit into like my motherboard.
And that is not what I'm looking at right here.
So what's the deal with this?
Yeah, can you describe for people
just listening to this, David,
what we're looking at here. This is like a quantum computer image. There's a whole bunch. I mean, if I was in
charge of making a sci-fi movie in the 70s or 80s about some like ray gun thing that was on some
spaceship and I wanted to make it look as crazy and futuristic as possible, I would make something like
a quantum computer machine. It doesn't look real. It looks so incredibly complex that you don't even
question what it does if you saw this in a movie. So I think that the key
to answering your question is to just remember what classical computers looked like in the 50s.
Right? They also looked really like intimidating and science fictional, right? You know, of course,
they would be much less powerful than anyone's iPhone is today, right? But, you know, because people
were just learning how to build these things, right? But, you know, they didn't have all the
components just like etched to one little microscopic chip, right? That, you know, it was all out there
to be looked at. And I think that's the
reason for the science fictiony appearance. So in those pictures, you know, I should caution that I am not
an experimentalist. You know, I do get taken on lab tours, you know, and talk to my experimental
colleagues, but, you know, they make me promise up and down not to touch anything. But, you know,
in a lot of these pictures, what you're seeing is basically just a dilution refrigerator, right?
So most of that fancy stuff, you know, all it's for is for cooling down your chip.
So, you know, now it has to be cooled down very cold to, you know, with superconducting qubits.
They typically cool them to about 10 millikelvin, which is like a hundredth of a degree above absolute zero.
And the reason for that is that it's only at such low temperatures that you really see your degrees of freedom behaving as qubits.
You know, staying isolated from their environment, not getting measured by their environment, you know, and being able to persist for a long time.
and by a long time we might mean like 50 microseconds or something like that.
So, you know, not long by human standards, but, you know, long enough to do something interesting with them, right?
We need them to sort of stay in these superposition states without the environment getting in the way.
Okay, so basically when you're looking at those fancy images, you know, in many of the cases, a lot of what you're looking at is just a refrigerator.
Okay?
And the actual chip itself, you know, just looks like a pretty standard computer chip, right?
That's where the qubits are in a superconducting device.
Okay, but the reason why those dilution refrigerators, they look kind of like upside down wedding cakes.
I've heard them described as, right?
It's because like each layer is cooling to a lower temperature than the layer above it.
So like you have one layer that's cooling to a few Kelvin and then maybe, you know, the next layer is cooling to,
I don't know, you know, a few hundred millikelvin, right? And then, you know, you get all the way down
to the temperature that you want. Let's say that's 10 millikelvin, and that might just be in something
that's the size of my fist. And that's where you put the chip. Okay, and the chip is where the actual
qubits are. So that's where the real action is happening. And then the other thing that you see is a lot
of wires, right? Because, you know, at the end of the day, we need to tell these qubits what to do,
and what operations should they do, you know, to affect their amplitudes to create this interference
pattern that we want? And all of that control is being done by classical computers, right? So you have,
you know, lots of just conventional classical computing hardware. You know, you've got, you know,
often some grad students or postdocs just sitting at, you know, a Linux box or a Mac or whatever,
and they're just writing code that is going to control a microcontroller
that is going to send commands into the dilution refrigerator,
into the chip, to tell the qubits what to do.
So all that classical electronics, that's the other thing you're seeing there.
Now, if we were talking about different kinds of quantum computing hardware,
like trapped ion or neutral atom or photonic qubits,
then you'd be looking at different things.
But in some sense, the pictures are fun to look at, right?
But like all the real action is happening in this space that we never directly see,
this what we call Hilbert space, right?
The sort of abstract space of possible quantum states described by these different amplitudes.
And so, you know, when I visit labs and I talk to the experimentalists,
it's like, you know, we have those cool looking things that you showed as like a very cool backdrop.
but then we just end up, you know, usually on a whiteboard, just talking about quantum states.
It's so wild and cool and exciting that these upside-down wedding cake refrigerators
allow us to tap into nature's scratch pad.
And a lot of what you said was like just so fascinating to me.
And it shows there's so much to learn here.
At this point in the conversation, I think we're done with the David and Ryan questions.
We want to introduce Justin Drake.
I think a lot of people at this point in the conversation,
we have the foundation for what quantum computers are, what they can do,
now we want to know how they affect our cryptography because the basis of this entire cryptocurrency
industry that we've birthed is part economics and a lot cryptography. And so if we're saying
quantum computers kind of break RSA, break some of the underlying assumptions, we need to know
how many of those refrigerators it takes, and by when, like at what point in time are Bitcoin,
4 million Bitcoin that aren't quantum secure, could be like quote unquote hacked. Anyway,
Let me introduce Justin into the conversation. And Justin, I don't know what you want to do, but feel
free to take the reins on the rest of this conversation and get into those topics with Scott.
Absolutely. So Scott, it sounds like, you know, everything's going to plan. We've had these theoretical
predictions that are coming true with the engineering. And quite famously, a couple months ago,
you wrote this statement in one of your blog posts saying that you expect that within the next 10 years,
we should have a useful, fault-tolerant quantum computer,
or we will learn something fundamentally new,
maybe something fundamental about how physics works.
I should clarify that by useful,
that doesn't necessarily mean, you know,
hacking Bitcoin or, you know, breaking RSA, right?
You know, I think before we see that,
we're going to see quantum simulations
that can tell us interesting new things about nature, right?
Like that I'll be very disappointed
if we don't at least see that within the next decade.
And the breaking RSA part, I don't know. I don't know how long it will take.
So this morning, very coincidentally, I bumped into Steve Brierley, who is the founder of Riverlane.
It's a quantum computing company in Cambridge. They do quantum error correction.
And he told me that he believes it will cost $10 billion in R&D to break ECDSA. Does that sound reasonable to you?
It sounds like about as good of a guess as anyone's. You know, he would probably know more than me.
Yeah, I mean, the amount, you know, I was just at a conference called, you know, Q2B, quantum to business, in December. And I heard an estimate there that there's about like $40 billion per year globally being spent on quantum information research, right? Research and development. Now, you know, a lot of that probably depends on exactly how you define it, right? Because there's a lot of people, you know, who, you know, have things that they would have done anyway, but that, you know, that they've sort of redefined as being quantum information
because it sounds cool, right? But, you know, the expenditures are reaching the billions of dollars. I would say, you know, already, like a decade ago, they passed the point where sort of academic labs, you know, could mostly hope to compete, you know, on pure scaling, right? Like a professor at a university, you know, might be able to raise a few million dollars, right? They can't raise hundreds of millions of dollars, right? And I think a few hundred million dollars, you know, at this point is table stakes
for, you know, just having a state-of-the-art experiment, you know, like the kinds that Google or
IBM or Amazon or, you know, the various startups like Quantinuum, QuEra, or PsiQuantum,
are doing. And now when you talk about scaling up, you know, to break ECDSA or other
cryptographic standards, right? So, you know, you're talking about like a few thousand
logical qubits, right, just, you know, to run whatever version of Shor's algorithm you need to
run. But now each logical qubit needs to be encoded using a quantum error-correcting code, right? And that
itself might take hundreds or thousands of physical qubits. Okay, so you get like thousands
times thousands, basically. And so now you're talking about millions, maybe even hundreds of
millions of physical qubits. So these estimates were first done, I think, by Austin Fowler and others,
you know, around 2008, you know, and they look pretty scary, right? I mean, it depends on how
you look at it, right? It's again, you know, like think of the estimates in the 1930s of like,
what is the critical mass for, you know, a nuclear weapon if you use U-235, right? Like, on the one hand,
it's very scary, on the other hand, it says, oh, if we merely did this, then we would have that, right? So now, you know, if, let's say for simplicity, we talk about superconducting qubits, right? So each chip, you know, I think can store up to a few hundred, maybe a few thousand qubits. Okay? And now if I need millions of qubits, now I'm talking about hundreds or thousands of chips, right? And the trouble is each of these dilution refrigerators, right, only cools, you know, a
pretty small volume, right? And so now if I need lots and lots of superconducting chips,
now I'm talking about lots and lots of dilution refrigerators, right, whose chips all need to be
connected to each other, you know, have to be connected by sort of a quantum communications
network. And so now I'm envisioning potentially like filling a building, basically, with
dilution fridges, right, having this whole quantum network between them. Okay, this sort of thing
hasn't been demonstrated yet. But, you know, if you wanted to build a scalable device using
superconducting qubits, then it looks like that is where things would need to go.
In the interest of time, can I ask you some rapid-fire questions? All right. So I guess
one of them that I'm curious about is when we do have a quantum computer that can break
cryptography, is it going to break a very specific flavor of cryptography, such as RSA or specifically
BLS signatures or ECDSA, or is it going to be a general purpose, quantum computer that can be
reprogrammed to break all of the elliptic curve-based cryptography? Oh, okay. So, I mean, once you have a
quantum computer at all that is able to break, let's say, elliptic curve cryptography, I would
strongly expect that to be a programmable device that you could then reprogram to break RSA, to break Diffie-Hellman,
for example, you know, with all sorts of caveats,
depending on exactly what is the key size, exactly, you know, how many qubits do you have and
do you need for each one of these codes, but I would expect it at that point to be a fully programmable
device. But it's very important to say that, you know, there are other cryptographic codes,
most famously the ones based on lattices, for example, or just symmetric key cryptography,
you know, things like DES, AES, that we don't know how to break at all,
even using a quantum computer, right? And where even having a quantum computer would only make a
modest difference. Okay, so that's a really crucial point, right? But for those codes that are breakable
by a quantum computer, like, you know, the ones based on abelian group problems. So, you know,
RSA, Diffie-Hellman, elliptic curve crypto, I would expect that once you can break one of them,
then within very short order, you can break the others also. Okay, understood. Another
question I have is, once we have these computers, how much time will it take to break one key?
And the reason is that on Ethereum, we have a million validators. And so if it takes one day
to break one validator, it would take a million days to break all of them. And in a similar
situation with Bitcoin and Ethereum accounts, there's millions of them. Yes. Yeah. So like I said,
the sort of initial estimates for, you know, what it would take to run a fault-tolerant quantum
computation to break, you know, RSA or Diffie-Hellman are, you know, at interesting
key sizes, you know, are pretty scary looking, right? You know, they involve many millions of physical
qubits, you know, possibly hundreds or thousands of dilution refrigerators, and, you know, the estimates
that I've seen would be like to break a 2048-bit key, you might be running your quantum computer
for a week, okay? You know, this is for a single key, right? But this, of course, you know, could improve
in the future, right? So you can imagine, you know, the NSA sort of building this.
to sort of use for very, very high-value targets, right?
But, you know, you could easily imagine that there will be, you know, some interval in time
when, you know, this exists, you know, it can be used, you know, if someone really, really
cares enough to break one specific key. But, you know, even then, people might, you know,
be able to go on using RSA because just, you know, the breaking is very, very expensive, right?
You know, or at least it would depend who those people are, right?
anyone needing military level security, they should definitely at that point be switching to
lattice cryptography. But, you know, maybe for a casual user, you know, RSA would still be safe
enough. But like with most things in computing, you know, you would expect the cost to come
down over time, right? So specifically with cryptocurrency, you know, I think it's important for people
to understand that, like, there are two main places where cryptocurrencies are relying on
cryptography, right? One of them is for digital signatures, right? And the digital signatures,
right now, you know, in both Bitcoin and Ethereum, as I understand it, are based on, you know,
elliptic curve or other public key cryptographic codes that are quantumly breakable, right? So if you
had a quantum computer and if it was fast enough, then you could forge signatures, and in that way,
you could steal people's crypto, okay? But it would have to be quite fast. And it's possible that even
after you have the first, you know, really large fault-tolerant quantum computers, they won't
immediately be fast enough to actually break the signatures as quickly as you would need. So maybe you
have a grace period, right? Maybe you have an interval where you can actually still use these signature
schemes. But, you know, the other important thing to say there is that we already know alternative
signature schemes that plausibly resist quantum attack, right? So, as you know, very well,
people in the crypto community have already been talking about should we migrate to these
alternative signature schemes. You know, that could be a hard logistical or engineering problem,
but, you know, Ethereum already demonstrated that it could do this merge, you know, that it could
actually change the, you know, underlying basis of how Ethereum worked, you know, while it was still
in use, right? And so, you know, maybe, you know, Ethereum has the capacity to do such things,
you know, with Bitcoin, maybe that's harder, right? But that's the signature schemes. I like,
to a theorist like me, like, you know, it's all a solvable problem, right? Because, you know,
we know, you know, what signature schemes you could use that are plausibly quantum secure,
you know, but it is a big headache to upgrade that, right? And then there's a second big place where
cryptography of some kind is used in cryptocurrency, and this is for proof of work, right,
which Ethereum is no longer based on, but which Bitcoin and many other cryptocurrencies still
are, right? And so the proof of work is basically, you know, involves a hash function, right,
where you have to find pre-images of some hash function in order to mine new cryptocurrency.
and these problems generally don't have that abelian group structure that I was talking about before,
and we don't know, even with a quantum computer, how to get exponential advantages for these sort of mining problems,
these problems of inverting this hash function in order to generate new cryptocurrency.
For those types of tasks, what we know with a quantum computer is how to get a more modest advantage,
using a different quantum algorithm, which is called Grover's algorithm. And Grover's algorithm,
compared to Shore's algorithm, has a much, much wider range of application. Like, it really does
apply to just about any problem that involves, you know, searching a giant list of possible solutions,
right? It doesn't require any abelian group structure or, you know, fancy periodicity or anything like that.
But the disadvantage is that Grover's algorithm gives you only a much more modest speed-up.
It's not an exponential speed-up.
It can basically solve just about any search problem in roughly the square root of the number of steps that a classical computer would need.
So that's clearly something, but the square root of an exponential is still an exponential, right?
like the square root of two to the thousand power is two to the 500 power, for example, right?
And now the trouble is, you know, if you're going to be running a quantum computer with all this error correction, right, that induces an enormous overhead.
You know, like optimistically, let's say a factor of a million, you know, compare it to just, you know, if you didn't need error correction, right?
And so now, let's say you have a problem with N possible solutions, like you're trying to mine some new crypto,
and you have a hash function with N possible pre-images.
So then the best case would be that our quantum computer,
using Grover's algorithm, reduces N to square root of N.
But really, because of the error correction,
let's say we're replacing N by a million times square root of N.
And so now we have to worry about that constant pre-factor.
And eventually the quantum computer becomes a net win,
but only when a million times square root of N is less than N.
So when does that happen?
That happens when N is a trillion.
So basically for mining problems, you know,
you could eventually see an advantage with Grover's algorithm,
but, you know, it might not be for a while.
Even after you can build a fully fault-tolerant quantum computer,
you know, it still might not be a win for mining cryptocurrency,
you know, until things get a lot better than they are, right?
whereas for Shor's factoring algorithm, because the advantage is exponential, there you would much,
much more quickly see the win. Okay, so I feel the need for a little brain to hop into this big brain
conversation. Justin, from a crypto perspective, would you be able to summarize kind of what will
break? So Scott is painting a world, a future world, not immediate, where we might have sophisticated
enough quantum computers to break some things in crypto. I guess from a practical perspective,
what breaks within Bitcoin, what breaks within Ethereum?
How would users feel this if like suddenly tomorrow we have such a quantum computer?
Yes, I think what Scott alluded to is that there's different layers to the blockchains.
There's the application layer, the consensus layer.
Within the application layer, one of the most worrisome things is that the accounts that hold the balances could get cracked,
meaning that from the public key, you can derive a private key to forge messages,
forge signatures and therefore steal money. So that means if there was an Ethereum account with
say $100 million in it, right? And you would assume an attacker, a quantum computer attacker would
prioritize the big value accounts. They're not going to come steal my $5 worth of ETH in some, you know,
metamask private key that I have. They're going to go for the big ones. And that could theoretically
be done right now on Ethereum. Also on Bitcoin, question mark. Yeah. So both Bitcoin and
Ethereum used the same cryptography. It's called ECDSA. And the reason why I asked this question
of time it takes to break a key is, as you said, an attacker would presumably attack the bigger fish
before the smaller fish. And I asked the same question that's interesting to my friend Steve from
Riverlane. And he said in his estimate it would take a few seconds. So it looks like the experts
really can't agree on even the order of magnitude. Well, it depends enormously on what
architecture we're assuming, right? Is it trapped ions? Is it superconducting qubits? Right? You know,
superconducting qubits would be like, you know, the gate times would be a thousand times faster.
So yeah, so you can get wildly different estimates depending on, you know, what numbers you plug in.
I see. That makes sense. Yeah. This almost feels, Justin, sort of like the AI conversation of how fast takeoff is towards AGI.
It's like, we don't know all of the intricacies, not to open up another can of worm, Scott. I know you're in that field as well.
But Justin, it seems like a really big deal if accounts can be hacked on Bitcoin and Ethereum.
That's like existential level stuff.
And I know Scott was also talking about proof of work, which could be susceptible to some of this
too.
But maybe let's take the big thing, which is accounts getting hacked.
I mean, that kind of destroys both Bitcoin and Ethereum.
Again, if we had one of these quantum computers overnight, what's kind of your reaction
to that?
And like, are we all doomed?
Because that was basically the Genesis conversation when I
talked about the Google CEO rolling out Willow. There's a lot of conversation about, well,
Bitcoin is doomed, you know, like, unless it hard forks in some way. And because it's very
difficult for Bitcoin to hard fork, you know, it could be susceptible to these types of attacks.
So what's kind of the crypto community's reaction to this? Like, what do we do?
I mean, I think Ethereum's reaction is that we use what's called account abstraction to allow for
accounts that hold balances to define their own signature scheme, which could be post-quantum
secure. So Ethereum today, without any hard forks, can support post-quantum signatures. It's more of a
standards and adoption process that needs to happen through the wallet. One of the downsides of
post-quantum signatures is that they tend to be roughly 10 times larger than the pre-quantum signatures,
and so you'd have to pay 10 times more gas to get them through on chain. Okay, that's a huge downside,
though, right? And how about Bitcoin as well? Yeah, so I guess one positive,
note for the signature size is that we can have snarks aggregate the post-quantum signatures into
a single proof, and that can be a very nice batching optimization. In the case of Bitcoin,
unfortunately, there is no real solution. There are some mitigations that you can take. So one of
the big ones is that you don't expose your public key. So what you do instead is you expose the hash
of the public key so that an attacker without the public key can't find the private key and
attack your system. And the idea is that you only reveal your public key for a small period of time,
maybe just a few minutes until your transaction gets included in the block. And if Scott is indeed
right that it takes a whole week to crack a single key, then any in-flight ephemeral key will
actually be secure. As I said, that week could certainly come down, right? I mean, you know,
what is doable in a week? And, you know, one year maybe, you know, may indeed be doable in a few seconds
in a future year. Yeah, absolutely. Yeah.
And so eventually, plausibly, Bitcoin will have to do some sort of a fork in order to protect
itself.
We'll have to introduce a new signature scheme.
But then even if it does that, there is another problem, which is the lost coins.
Satoshi has a million coins that haven't moved.
And unfortunately, Satoshi's coins are vulnerable in a sense that it's using an old version
of Bitcoin script where the public key does go on chain.
And so anyone can go ahead and mine these coins.
I have a bit of an optimistic take, which is that Satoshi's one million Bitcoin is about $100 billion today.
And if Bitcoin was to achieve parity with gold, it would be a trillion dollars.
And it would basically be a hugely valuable societal bounty to basically push forward the development of quantum.
And actually my friend Steve this morning totally unprompted, he basically asked me about Satoshi's coins because he's been thinking about potentially starting a company to do just that.
I mean, whether it's a societal benefit or not, would seem to depend entirely on who gets those coins.
Who do you think that might be, Scott? Like, who's the most likely party of people out there?
Nation states, a tech company, who do you think can get there first?
I mean, you know, all we can say is, like, who is, you know, ahead right now in the race to build scalable devices?
And, you know, the companies, you know, it is mostly being led by private companies.
You know, I'd say for the past decade, you know, the ones that people mostly talk about are
Google, IBM, doing superconducting qubits,
Quantinuum, you know, maybe some others like IonQ,
Rigetti, PsiQuantum, doing photonic qubits.
Okay, and then in China, we have less visibility into what is going on there,
but the government is certainly much more heavily involved in China.
I just want to make sure I understand the state of Bitcoin.
So from what you're saying, Justin, and what you're saying, Scott, is
basically with Bitcoin, there is an upgrade path.
It would require a hard fork.
We all know how difficult hard forks are in Bitcoin.
Say Bitcoin could do some sort of a hard fork to implement, you know, quantum secure
cryptography, then that could be done. And that would protect most of the value on Bitcoin,
most of the Bitcoin in existence. But there is a subset of Bitcoin, the early Bitcoin,
including Satoshi's 1 million, which is kind of locked in the Satoshi wallet and hasn't moved
since the very early days. But not inclusive of that. I saw some other estimates that
was between 1 and 4 million Bitcoin supply. So as you
said, if you kind of extrapolate that forward, we could be talking about hundreds of billions of
dollars or trillions of dollars, and that cannot be upgraded. So even if you did this post-quantum
cryptography upgrade for Bitcoin, you can't really upgrade that one to four million in Bitcoin
supply. So that's kind of a problem. And I know the Bitcoin community has talked about this,
and this is sort of the aftermath of what we saw early in December. What do you do? Do you burn the
Bitcoin? Do you like do something else with it? Do you slash it in some way? And that, of course,
is very much against, you know, Bitcoin religion and Bitcoin, you know, canon. And so what you're saying
is this presents almost like a, not a bug bounty, but a bounty for whoever builds a quantum
computer, like, fastest to go snatch up that Bitcoin. What a weird world we live in. I can't
believe that's the reality. Is what I said just like approximately true? I hadn't thought about it
in those terms before, like Satoshi's Bitcoins as like a pirate's booty to be, you know,
snagged by whoever first builds a quantum computer, I guess if their ethical scruples allow for that.
Well, but they don't have to be ethical, to your point earlier, Scott. I mean, they could be nefarious
actors. I mean, honestly, it would be North Korea. We have a lot of North Korean-based
hacks in crypto today, but that's a bug bounty incentive. And so, Scott, when you're saying
there's like $40 billion a year being put into quantum computers, well, this increases the
economic value. Well, I think that's for all of quantum technology. But, you know, however,
people define that. But yeah, I mean, there are lots of governments that have, you know, made significant
investments, you know, the U.S., China, Singapore, Australia, you know, the U.K., the EU. But I think the leading
efforts to scale this up are mostly private companies, at least as far as we know in public,
you know, mostly in the U.S. and Canada, right? But, you know, of course that could change.
Justin, let me get your perspective on Bitcoin. Do you think that this is existential for Bitcoin?
I mean, observing the Bitcoin community for the decade or so that you've been doing this,
what do you think actually happens here in this scenario?
I basically see two scenarios.
Scenario number one is that the Bitcoiners are very, very purest and don't want to touch
the supply of Bitcoin because, you know, that violates the property rights of some people,
including Satoshi.
There is another, you know, direction, which is more subtle, which involves freezing the
coins up until there is a point where the owners can provide a proof of knowledge of the initial
seed, the seed phrase that generated the public keys and the private keys.
And so if you have an entity, for example, Satoshi that generated their addresses from a seed,
then because the key derivation process uses hash functions, then you can actually use the
seed as the new private key, the new secret. That's a very nice idea. I hadn't heard about that.
Nor did I even know about the use of hash functions at that stage of it, which is crucial to that
idea. Yes, exactly. It's not my idea. It's one that's been around for a few years. But unfortunately,
Satoshi's coin specifically wouldn't apply. More likely than not, he'd just generate those
randomly as opposed to from a seed because the 12-word seed standard that we have today post-dates Satoshi.
Oh, wow. So even in that case, even with your kind of like plan B solution, that one million Satoshi coins would just likely be. So I wonder what happens, right? Does the Bitcoin community fork? Is there kind of Bitcoin quantum and then original Bitcoin, right? But again, this won't play out overnight as what we found out for the big first part of the podcast with Scott. But at some point, this is coming. At some point, this is inevitable. And whether it's like, you know, 2030 or whether it's, you know, 2050, we just like don't know. But I guess the.
the clock is ticking. Is that what you would say, Justin? Yeah. And one of the very nice things is that
not all of Satoshi's coins are in the same address. Satoshi's coins are scattered over many,
many addresses that each have 50 Bitcoin, because that's the amount of Bitcoin that you would get
when you used to mine a block in the early days of Bitcoin. So it's many, many 50 Bitcoin
bounties out there, not one lump sum. Exactly. And so you could think about it as quantum issuance
that could extend the secure lifetime of Bitcoin, because we all know that Bitcoin
has this security problem where issuance goes to zero,
well now we have this new, fresh 50 Bitcoin per unit of time
where the units of time is dictated by how fast these quantum computers can operate.
And so if it takes, for example, one day to break one Satoshi address,
that's maybe a totally reasonable thing where you're just unlocking 50 Bitcoin per day,
and that actually secures the Bitcoin blockchain for another few years.
Wait, wait, wait, run that by me again.
How does that secure the Bitcoin blockchain?
So let's say it happens gradually.
We see it on chain.
We're like, oh, you know, a quantum computer just, you know, took 50 Bitcoin in bounty,
and then tomorrow we see the same thing.
The next day we see this.
How does that secure Bitcoin?
Yeah, so the way that Bitcoin is ultimately secured is people buying hardware and burning a lot of energy.
And for them to do that, they need to get paid to pay for the hardware and electricity.
And Bitcoin has a decaying issuance.
And so unless the fees grow dramatically by a couple of orders
of magnitude, which I don't think will happen, then we need to have some sort of a solution for
Bitcoin security. Now, these 50 Bitcoin is basically an incentive to go pay to buy hardware,
in this case, quantum hardware, and to pay the electricity to power the quantum computer.
And if we're talking 50 Bitcoin per day, then that will extend the secure lifetime of Bitcoin
over a few more years. Wow, that's wild. Okay, so that's the Bitcoin story. How about Ethereum?
How is Ethereum position for this, Justin?
Yeah.
So actually, the Bitcoin story, as Scott alluded to, is not completely finished because
proof of work is itself going to be more likely than not disrupted.
Oh, well, let's talk about that then first.
What happens with proof of work with Bitcoin?
So with the proof of work, you know, like I said, eventually you can get an advantage
from Grover's algorithm, right?
And then that allows, you know, if let's say there's only a few entities in the world that
have scalable quantum computers, right?
that allows those entities to mine a lot more Bitcoin than everyone else.
Now, eventually, if you got to a world where, you know, just about everyone had access to a quantum computer,
then it's kind of amusing what would happen, right?
Which is that, you know, the proof of work just has its hardness to set automatically
based on, you know, how much mining people have been able to do recently, right?
And so all that would happen would be that, you know, the pre-images would have to satisfy an ever more stringent
condition, and so that basically the proof of work would automatically, in Bitcoin anyway,
would automatically just be made harder to compensate for Grover's algorithm and we would all just
be back where we started. I mean, I have a slightly different take. I agree with you over the very
long term, but the transition from classical to quantum might be very problematic. And the reason is
that at no point in time do we want one single entity to have more than 50% of the hash rate.
And more likely than not, there will be a first mover.
And even the second, third, fourth mover might have very big discrepancies relative to the best performer.
And, you know, it might be a 10x delta in performance or in energy efficiency or even orders of magnitude difference.
And so my expectation is that for several years, there will be one dominant actor, which, as Scott said, would likely be either the Chinese government or, you know, a company like Google.
or Amazon. And that's kind of scary. And so the good news that Scott pointed out is that more likely
than not, we're looking at Grover disrupting Bitcoin mining way after it breaking ECDSA.
And so this is a longer-term future, maybe on a 30-year time scale, if I were to.
And Justin, could proof of work be fixed by implementing a sort of a quantum-resistant proof-of-work
algorithm. That would require another hard fork, presumably, and just, like, be a big social, like, upheaval in Bitcoin. But could that happen?
So unfortunately, I think the answer is no. I think, Scott, do correct me.
I mean, there are proof of work tasks that would give you more quantum resistance, right? More
resistance to Grover's algorithm. But the truth is that at the point where you're talking about doing a fork, right, you could also just talk about, well, you know, once we get past this transition, then, you know, you just take the existing proof of work and you make it appropriately harder, right? I mean, I've seen in the literature,
like proofs of work where a quantum computer would only give you like an n to the two-thirds power
advantage as opposed to a square root of an advantage. There's also proof of space, you know,
type of protocols like I know Bram Cohen, like Chia, has been very interested in those,
and those would probably see little or no quantum advantage as far as I know. So you could consider,
you know, forking to something like that to proof of space. But, you know, any,
task that involves just pure searching through a whole bunch of pre-images to a hash function,
like should be susceptible to a Grover speed up, right? If we change to a different kind of
task, like I want to find collisions, you know, I want to find two inputs to this hash
function that mapped to the same output, then I can find tasks of that sort where the advantage
from a quantum computer is less than a square root, or it's only, you know, n to the two-thirds,
or even n to the three quarters
or something smaller like that.
So I do want to highlight something very cool,
which is that quantum might actually be the end game of Bitcoin,
which sounds completely crazy.
And the reason is that even though quantum might disrupt
the consensus of Bitcoin, Bitcoin, the blockchain,
not BTC the asset,
there's also this vision of quantum money
where you don't even need consensus,
where basically you have money
which acts like cash, where I give you a piece of cash,
the whole world doesn't have to know about it,
only you and I have to know about it.
And the way that it works is that the private keys
are themselves quantum objects,
they're a private superposition,
and when you sign a message with your key,
you're effectively destroying the private key
and thereby not being able to double spend it.
Yeah, so I mean, even more simply, right, one of the fundamental facts in quantum mechanics is called the no cloning theorem, right? And as the name suggests, it says that, you know, there is no way to copy an unknown quantum state, right? So if I have some qubits in a superposition state and I want to make new qubits that are in the same superposition state, I can't do it, right? You know, I can measure my old qubits, but measuring not only won't tell
me everything I need, it will even destroy the one copy that I had. And so, you know, one of
the oldest ideas in the history of quantum information, going all the way back to the 60s, was the
idea that you could use this no-cloning theorem to create physically unclonable cash, right? And this
was an idea of Stephen Wiesner. You know, he proposed a scheme that would do this with
provable security, but it had the drawback that if you wanted to verify a bill as genuine,
then you had to take it back to the bank that printed it. Right. So around 2009, I sort of revived
the interest in the subject of quantum money, and I came up with some proposals for schemes
of quantum money that anyone could verify, right, not just the bank. So what we called publicly
verifiable quantum money. Now, some of my and others' original proposals
were then broken.
But now we have proposals
for publicly verifiable quantum money
that seem to be secure
based on some barely accepted
cryptographic assumptions.
We could do a lot better,
but based on things like
indistinguishability obfuscation,
if those exist in a way
that's secure against quantum computers,
then you can build this
publicly verifiable quantum money.
Now, the main drawback
would be a technological one,
In order to do what Justin and I were talking about, you know, not only would you need quantum computers, you would need quantum computers that can keep quantum states, preserve them for arbitrary amounts of time, like however long you needed this money for, right?
So you would need to keep your quantum state, you know, maintaining its superposition, its coherence for weeks, months, you know, whatever, right?
And with many of the schemes, you would also need the ability to send these states around.
you know, like from the sender to the recipient, which would then require like a quantum communications
network, you know, a quantum internet, right? But, you know, I mean, these are all things that you
could imagine doing in some future. Now, your listeners might be amused to know that the first time
that I heard about Bitcoin was in 2010 or so, 2011, when I was going around giving talks
about my new ideas for publicly verifiable quantum money. And then people,
would come up to me after the talks, and they would say, you know, there's this other way of getting,
you know, unclonable electronic cash. You know, there's this Bitcoin thing. You should really look into it,
right? And so I did. And I said, oh, well, well, okay, of course you could do it that way. But then,
you know, you basically require, you know, this whole distributed process over the internet to serve as
your trusted third party. And you require this blockchain that's going to grow without bound,
right, as the thing continues. So, you know, surely no one really wants that, right? But fine, I'll have to
mention this in my talks as a thing that quantum money could someday be better than, right? And, you know,
of course it never once occurred to me to say, you know, should I be buying up this Bitcoin?
Could I be investing my life savings in it and holding it, right? So, right, to finish off your question
about what to do about it and what the impact is, I think we've covered Bitcoin. In the case of
Ethereum, there's one thing that we do need to change as well, which is the consensus layer.
So today, the cryptography that we use in the beacon chain is called BLS signatures.
It's very powerful because you can aggregate the signatures, but unfortunately it's not
post-quantum secure.
And the good news is that we have knowledge of cryptography that can give us the same aggregation
property and is post-quantum secure.
There's actually a paper from the Ethereum Foundation, researchers and collaborators
that will be published this month.
And once we do the migration, then it's end of story.
There's no more doubts about, you know, proof of work, potentially leading to centralization.
And so in some sense, proof of stake is much more secure against quantum computers than
proof of work.
It's a final solution as opposed to one, which is much more uncertain.
Okay.
So the overall story is there's a lot going on in Bitcoin with the advent of quantum compute.
both on the ability to kind of like take funds from individual accounts and also in the
proof of work algorithm. And so some major upgrades might be in store. However, at the end,
there's a light at the end of this tunnel, which is like quantum money. That's a concept that
could continue to be iterated and worked on. Or even before that, just quantum resistant,
you know, conventional cryptocurrencies are also a light at the end of the tunnel. So another light
at the end of the tunnel. And for Ethereum, we have like a future hard fork that could be planned,
that is capable of being pulled off,
and that would make Ethereum effectively quantum secure.
Just last question on this, Justin,
are there any tradeoffs with deployment of using quantum-resistant cryptography for Ethereum?
Like, does the whole thing get slower?
Are there any downsides to this?
So the major trade-off is that the signatures are about 10 times larger.
So the consensus participants, they're casting attestations or votes,
and in order to have as many attestors as possible,
we want to have the messages be as small as possible.
Right now, in the context of the beam chain,
which is meant to be like this proposal
to make Ethereum post-quantum secure,
we're derisking the most risky part of the design,
which is specifically the post-quantum signatures,
and the fact that they are roughly 10 times larger.
And one of the things that we're looking into right now
is new ways to spread the bandwidth flow
in the peer-to-peer network.
So we're going to be doing experiments
with the library that we use called libp2p,
and basically slicing and dicing the peer-to-peer network
slightly differently with a different architecture.
But other than that fact,
the verification costs, the signing costs,
all of that is extremely good.
Justin, what's your personal take on how soon we need to do that for Ethereum?
Given the estimates, I know it's just like a moving target,
no one really knows.
You know, what would make you feel comfortable?
So I think the quantum narrative is one which, you know,
will age like fine wine over many, many years.
I wouldn't say there is a specific rush.
And actually, that's one of the reasons why, you know,
it's better to do the beam chain properly so that we have a solution that will stand
the test of time as opposed to rushing something.
What I would like to see is on a five-year time scale having post-quantum cryptography.
Part of the reason is something that I learned very recently is that ECDSA is being
deprecated by NIST. So I have some dates here. So in 2030, ECDSA will be deprecated and it will be disallowed in
2035. And so what I expect could happen as a consequence is that highly regulated institutions
might just be disallowed from touching Ethereum if we don't do these upgrades ahead of time.
Yeah, and NIST held a competition to, you know, agree on standards for post-quantum cryptography,
ran from about 2017 to 2022, and that converged around what's called lattice-based
cryptography. You know, learning with errors-based cryptography is sort of the main
quantum-resistant alternative that is standing. And so NIST is, I think, already urging people
to start this transition. And I recently learned that companies like Google are apparently
already doing this. So the transition to post-quantum crypto is already happening to some
extent. This has been amazing, Scott, Justin. So it sounds like we are not doomed that, you know,
cryptocurrency will be able to get out of this on the other side, that it will require some
significant upgrades. And it's not happening anytime soon, massive quantum computers that can
break our cryptography, but it could happen. And I guess we should be on the lookout for those
Satoshi Bitcoin, 50 at a time starting to leave the accounts. If we start to see something like that,
then maybe we sound the alarm. And Scott, if you would please sound the alarm as well,
If you feel like this is approaching sooner and the crypto industry needs to take some action, please come back and let us know.
Okay, okay. I mean, look, I blog about these things when I'm asked. But, you know, I would say if you want to worry about something, dooming the world, worry about AI.
Oh, my. That's another subject. I was going to end this episode asking you.
The threat to cryptography from quantum computers, that feels more like Y2K. Right. It is a headache, but it is a survivable one.
That's fantastic context. We'll have to have you back on and ask you your P-Doom and get into the AI safety.
But that's not for this podcast. Scott Aaronson, thank you so much for joining us. Justin Drake.
Thank you so much for co-hosting. This has been tremendous.
Thank you. Yeah, thank you. It was fun.
Bankless Nation, got to let you know. Of course, crypto's risky. You could lose what you put in,
particularly if your addresses are not quantum secure decades in the future.
But we are headed west. This is the frontier. It's not for everyone. But we're glad you're
with us on the bankless journey. Thanks a lot.
The Arbitrum portal is your one-stop hub to entering the Ethereum ecosystem.
With over 800 apps, Arbitrum offers something for everyone.
Dive into the epicenter of DeFi, where advanced trading, lending, and staking platforms are
redefining how we interact with money.
Explore Arbitrum's rapidly growing gaming hub from immersed role-playing games, fast-paced fantasy
MMOs to casual luck battle mobile games.
Move assets effortlessly between chains and access the ecosystem with ease via Arbitrum's
expansive network of bridges and onramps.
Step into Arbitrum's flourishing NFT and creators-based, where artists, collectors, and social converge
and support your favorite streamers all on chain.
Find new and trending apps and learn how to earn rewards
across the Arbitrum ecosystem with limited time campaigns
from your favorite projects.
Empower your future with Arbitrum.com.
Visit portal.arbitrum.io to find out what's next on your web3 journey.
Uniswap Labs is making history with the largest bug bounty ever.
15 and a half million dollars for critical bugs found in Uniswap V4.
This isn't just any update.
Uniswap V4 is built with hundreds of contributions
from community developers and has already undergone nine independent audits,
making it one of the most rigorously reviewed code bases to be deployed on chain.
And with 2.4 trillion in cumulative volume processed across Uniswap V2 and V3,
without a single hack, the commitment to security and transparency is rock solid.
Now Uniswap Labs is taking an extra step to make V4 as secure as possible with a $15.5 million
bug bounty.
Head to the link in the show notes to dive in and participate in the Uniswap V4 bug bounty.
All the details from eligibility and scope to the rewards are there.
Hey, Bankless Nation, this is a debrief.
We thought we would include Justin Drake on this so he could synthesize in that episode,
because it was a lot. It was a lot.
Scott went deep in certain areas and, you know, came back.
And anyway, let's start to synthesize some of this.
So, Justin, what do we need to take away from just like the basics of quantum computers?
Can you parse that for us?
Yeah, so one basic concept is that there's two types of qubits.
There's the physical qubits and the logical qubits.
If we want to do digital computation that breaks cryptography, we need these more fancy logical
qubits. But the building blocks, the bricks that make up the logical qubits are what's called
physical qubits. And unfortunately, the physical qubits are extremely noisy. And so we need
what's called error correction. So we need to take the noise, remove it so that we're left with
pure signal, which is binary digital signal. And I think
the very beginning of our conversation
basically was with this
willow breakthrough
where essentially we have for the
first time a logical
qubit. A logical
qubit, one of them. So we're
able to take 101
physical qubits, put them in
a lattice, and basically we have this
error correction happen, and that
gives us this meta-building
block, which is the logical qubit. And then
if we want to go actually break
cryptography, we need to put
thousands, tens of thousands, maybe hundreds of thousands, of these logical qubits together to form
what's called a scalable, fault-tolerant quantum computer.
Okay, so I'm sort of getting the picture.
Of course, you know this.
You're an Ethereum researcher, but, you know, things in Ethereum or crypto writ large are just
like basically research theory-type phase, and then they become an engineering challenge.
It feels like that's kind of what we're at with quantum computing, where we've been in this
kind of research theory-type phase.
but now we've hit this threshold of, oh, now it's just an engineering and scale problem.
And, like, humans are really good at that.
That's why Scott kept going back to, like, I don't know when it's going to happen.
It depends how much capital is there.
I'm just like, well, capital's easy.
Yeah, that's a solvable problem.
I mean, as soon as there's something to scale, we know that capital will go and then we'll
push the button, we'll scale that.
So he was talking about 40 billion year.
I'm like, 40 billion, what's that?
I mean, like, you get nation states involved?
Like, this could be hundreds of billions very easily.
and now it's just a matter of scaling it.
And you measure the scale with these qubits, right?
So, like, right now we're one,
but when we start to break cryptography,
we're getting into the millions of qubits,
and then that's when we can start breaking cryptography.
Is that about right?
Yeah, so millions of physical qubits
and about two orders of magnitude less of logical qubits,
because it's, roughly speaking,
100 physical qubits for one logical qubit.
Is there something like notion of Moore's Law here?
Like, can we apply like Moore's Law to quantum computing
for at one, maybe in a couple years, we'll be at 10,
and a couple years after that, we'll be at 100,
and then not too long after that, it'll be higher than we can count.
Yes, there is an equivalent of Moore's Law,
and I think it's faster than Moore's Law.
I'd have to go look it up exactly.
Wow.
But one of the reasons is that there's multiple layers of the stack
that are improving in parallel.
The physical qubits where the so-called fidelities or the error rates are improving,
and then that has compounding effects with the way that we do,
error correction. So we have these
like new surface codes and all sorts of
other like fancy mathematics that basically
allows you to correct and detect the errors. And then
there's also improvements at the algorithmic
level. And to me this is extremely
reminiscent of SNARKs. SNARKs is a
multi-decade journey that started 30, 40 years
ago. And there's various layers of the
stack. There's the proof system. There's
the arithmeticization. There's the
hardware that you used to prove that itself is growing with Moore's Law. And then there's the algorithms
that you use to do the FFTs and the MSMs. And all of these things compound with each other.
And my rough take is that SNARKs improved by a factor of five every single year. So it's like
Moore's Law taken to the extreme. And I would imagine that quantum has a similar effect.
All right. So we're somewhere on an S curve, basically, a new S curve, a quantum compute type of
S curve. And we're very early. But you know what S curves do, right? They're exponential.
Okay, so that's quantum computers. Let's talk about then, let's go over once again and parse everything we just talked about for Bitcoin. So quantum computer, let's say it happens overnight. Some government has a quantum computer that is in the millions of qubits. What happens to Bitcoin? What are the vulnerabilities?
Right. So there's two classes of algorithms that affect cryptography. And Bitcoin got extremely unlucky because these are like two
very, very narrow problems that quantum computers are good at, which is basically breaking
elliptic curves and doing search over a very large search space. And unfortunately, Bitcoin
has both the elliptic curves, in this case, ECDSA to store the balances, and it has the search,
specifically the golden nonce search, right? Like, you have these miners just spending tons of
actually just to find this one golden nonce. That's the proof of work part. That's the proof of work part.
And so in some sense, Bitcoin is like doubly effed.
Doubly screwed because it uses proof of work.
And then also, you know, like the accounts,
I know they're not accounts in the Bitcoin world,
but you basically get at the private keys as well
because they're not quantum safe either.
Yeah.
The account balances, I should say, yeah.
Correct.
The good news is that Bitcoin will most likely have to tackle them sequentially.
First, ECDSA and then the proof of work question.
For ECDSA, as we discussed, basically there's
various possible outcomes. Outcome number one is that nothing changes, and then the Bitcoin effectively
become this bounty or issuance, if you want to think of it that way, to keep the chain growing
and to incentivize proof of work. We're talking, quantifying that, about one to four million or so
supply of Bitcoin? We know that we have the one million coins from Satoshi, and we know that today,
if we look at the balances where the public key is known, that's about four million coins. But
of those, some of them are active in the sense that they can always migrate to an address that
doesn't have the public key exposed. And so really what we're concerned about is the lost
coins for which the owners have died, for example. Which could be some subset. Stagnant coins
where the coins won't simply just move when we learn that quantum computing is here. Correct. And so
one possible outcome here is that the community says, we know that we have quantum computers,
So we need to do something.
And any coin that hasn't moved in 10 years, for example, is going to be just completely destroyed.
And that's going to include Satoshi's coins.
But what I find interesting about this, Justin, is that even that choice, what we're talking about right there, it's not just a tech choice.
It's a tech plus it's a social choice because you have to do something different with property rights.
It's no longer immutable property rights, right?
I mean, correct me if I'm wrong.
But there's no way to do this without doing something with that one to
four million Bitcoin that is kind of like lost and kind of out there. Like you have to have some
policy that requires social consensus that was not in the original like, you know, sayings of
Satoshi in the white paper. You have to make that decision somehow. And so how does that kind
of factor in? I think we need to see what the concrete data on the ground is. If indeed it takes
a very long time to crack just a single key, if we're talking days or weeks, then actually I think
we're fine. If my friend Steve is correct and we indeed can crack keys in a matter of seconds,
then someone will just crack all of the keys and then just steal millions of Bitcoin in one go.
And that would be the equivalent of the DAO hack, whereby a very large percentage of coins
are in the hands of one single entity and that jeopardizes, you know, it's an existential risk
for Bitcoin. And, you know, what they could do as well is just roll back and basically
freeze the coins that all moved at the same time. How are they going to do that, though? Let's do a
scenario here because no one knows with the example of an attacker, and they're going to attack
the high value Bitcoin addresses. They're not going to do the 50 at a time type thing.
They'll do the one with like thousands of Bitcoin in it first, obviously. So let's say you see
that on chain. You have no idea. Someone sees that. I guess maybe you don't even know if it's a
hack. It could just be an old address that has maybe moved, but you see that. You see that.
happening and you have no idea whether the attacker has the ability has spent years to do that one
address or has just done it in like a second. I guess you have to see that the next time it happens
and you kind of can measure how quickly they're able to do this. But like scenario that out,
like you've been in the case of a DAO hack. Imagine you're kind of Bitcoin core, Bitcoin community,
and you start to see some of these addresses on the move and you think they might be quantum.
Like, what do you do next?
Yeah, so the good news is that in order to freeze coins, you only have to do a soft fork.
So basically you have to censor transactions.
Transactions that were previously valid are no longer valid.
That's the definition of a soft fork.
And the soft fork can be enforced by various entities.
It can be enforced by those running nodes.
But actually, it can also be enforced by the mining pools.
And it turns out that like two or three mining pools control 51 percent of the hash rate.
And so what the mining pools could do as a preventative measure is basically say, if we see
a Satoshi coin, we'll just not include it in our blocks.
We'll just send a tweet saying, hey, warning, warning, Satoshi is alive or we have a quantum
attacker.
Please start debating whether or not as a community we want to soft fork in order to freeze
Satoshi's coins.
Yikes.
I feel like it's a little too late at that point.
But also you equated this with kind of like a DAO type scenario, right? And quite famously,
Bitcoiners came down quite harshly on the DAO scenario for Ethereum because they said,
you guys are invading property rights. This is an immutable blockchain. We thought that's
what Bitcoin is. And somebody's got to make that soft decision. And Bitcoiners quite famously,
like, you know, how do you find social consensus? There is no social consensus. There is no layer
zero in the Bitcoin community. So like, how does that even work? Do you think it will break
brains and break the entire system? So we do have a precedent for this. Back in the early days of
Bitcoin, maybe it was 2010 or 2011, there was this overflow bug. Right. There's an inflation
bug. Which basically allowed for the creation of arbitrary number of Bitcoins. And this was just so
obviously a systemic risk to Bitcoin that they had to fix it. And I think it would be potentially a
similar thing for quantum mining here. But that was 2011. I don't know. That 2010 rollback
is meaningfully different than post-Michael Saylor era of Bitcoin.
When people have, even you, Justin, have suggested, like, possible futures for Bitcoin,
which includes, like, proof of stake and other outcomes, like, including EIP-1559.
And all of these suggestions, many of them include a hard fork.
And when I hear people suggesting a hard fork for Bitcoin, in my mind, I immediately say,
well, that's just not happening.
Like, that just can't be done.
Particularly a hard fork that does something with property rights.
Exactly.
Or the Bitcoin supply or addresses or the thing that the Bitcoin community says is immutable
and has been since I guess 2010, 2011, that bug.
Yeah, it's very hard to tell.
My personal thesis is that the cleanest way for Bitcoin to survive long term is for the
asset, BTC, to decouple from the chain and for the asset to go live on something secure
like an Ethereum.
Hardcore Bitcoiners, I don't think, will accept that.
I don't think, for hardcore Bitcoiners who do kind of set the value system of Bitcoin,
that it's tenable to separate Bitcoin from Bitcoin.
I don't see Bitcoin surviving on a period of decades.
Oh, my God.
So here's what I was trying to figure out, right?
So like when this Willow News from Google, you know, came out, there was a massive reaction.
And some people, you know, went as far as to say, well, you know, Bitcoin is doomed.
And it feels like the reality is like, well, not today.
and there are upgrade paths, of course,
and this will take many years to play out.
But like what you just said is over the long run,
basically this will require a massive social fork of some kind.
Plus, you know, the tech is not so hard.
It's more like what do we do with kind of the property rights of the 4 million Bitcoin
to such an extent that it may not survive.
We're not even talking about the problems with proof of work that will happen after that.
That's just kind of wave one of quantum when, you know,
quantum computers are strong enough to start attacking
individual addresses. So at some level, this is as big an existential deal as, you know,
some of the fudsters and doomsdayers were making it out to be. It's just not going to happen in the
next three years, probably five years, but 2030s-ish. The next cycle problem.
Yeah, I mean, efficient markets should be able to price this in right now, but, you know,
markets are not super efficient. But you're right, there's a conundrum. Either you
socially intervene, in which case you jeopardize the whole story of Bitcoin and the monetary premium,
which is the only thing it has, or you don't intervene, and Bitcoin is just not going to work,
technically, always going to have one entity that's going to control a very large percentage
of all the coin, something like double digits percentages.
So let's play out a scenario where they decide not to intervene in the property rights,
because we're just assuming that maybe they would do something with the one to four million Bitcoin,
but it seems like it could be a path where they just say, nope, we're just going to let it be.
We're not touching that Bitcoin.
In fact, there could be multiple forks, like one fork of Bitcoin that says, no, we're going to do something
with the property of the one to four million Bitcoin and another fork that says, no, this is the real
Bitcoin, Bitcoin Classic.
We could have that type of a scenario.
Anyway, it seems like a viable path where they implement the post-quantum cryptography,
and they just let the one to four million Bitcoin be susceptible to some sort of quantum
computer attacker, and whoever's first, whoever gets there, gets the spoils. It's kind of the
pirate's booty of the sunken treasure ship at the bottom of the ocean and whoever gets it gets it.
I mean, that's viable as well. Can you play that scenario out? Is that a realistic scenario?
In some ways, it feels more realistic to me, but what do you think? There is this conspiracy theory
that Satoshi is actually the NSA and that basically this is a secret master plan where
the U.S. government will retain dominance economically by controlling a million Bitcoin,
and they actually have the private keys. And by the way, I'm a little
shocked that if Satoshi didn't want to spend his coins, why didn't he burn them? There's a very,
very easy way to destroy them, provably. That would have, like, eliminated tons of FUD. Maybe he has a
plan, and maybe this story has some legs. But the way that I would see the scenario playing out
in the other direction is basically where the Chinese government, which is the most likely
entity that could stealthily build a quantum computer would basically have the same master plan
as the conspiracy theory where they basically said, okay, let's build this quantum computer to get
a million Bitcoin and retain dominance economically in the world.
So I guess that is a possible outcome.
And the Chinese government would have to basically work the social layer very, very strongly
to stealthily and basically hide the fact that they are the new entity controlling these coins.
Okay, we said earlier Bitcoin was kind of doubly screwed.
So that's the first, you know, path where they're screwed.
People can kind of, you know, hack individual Bitcoin accounts and private keys.
But the second path, once quantum computers are strong enough to do that,
they'll also be strong enough to accelerate, like, proof of work mining.
And then you were describing, you were talking to Scott back and forth in the episode.
You basically said you could very easily envision that just some group,
some centralized actor has the first quantum computer that just blast past everyone else. And so,
you know, there's no equilibrium, I guess, where everyone has access to the same tech. It's just like
one super group with a super powerful quantum computer that kind of wreaks havoc on proof of work.
So talk about that scenario. And like, does that mean proof of work is doomed?
So what would likely happen in that scenario is that for a period of some years, there would be one entity who would control
the vast majority of the hash rate. And so what that allows them to do, actually, is to get
all of the issuance and all of the fees essentially for free, because what they can do is that
they can set the difficulty to be much higher than what all of the classical miners can do. So all of
the classical miners will basically shut off, but not spend so much energy, so not increase
the difficulty so high that they have to spend a lot of energy. So
they would have basically acquired the Bitcoin network. It would be theirs and they wouldn't have to
spend much to maintain it and receive all of the rewards. But then there's another more worrisome
attack, which is that they can change the fee schedule. So right now, in the dynamic of competitive
miners, you basically have what's called the first price auction, which is that the transactions
that are willing to pay the most get included, and sometimes 10 cents. That's enough for you to get
included. But when you control the chain, you have monopoly power over what transactions go in.
And so you can have a policy which is not a first price auction. You can have a minimum fee.
So you could say, you know, visa style, please pay 3% of all your Bitcoin. So every time Michael
Saylor wants to move his Bitcoin, 3% goes away. Or, you know, you could go Apple style and say 30%.
That's my cut. And basically, once you've acquired Bitcoin, there's kind of two ways to make money.
You can try and keep it alive and just milk the fees, the issuance, and the small fee,
or you can do something much worse, which is try to kill Bitcoin and basically short it on the perp markets.
And one of the really scary things is that there's about $40 billion of open BTC perps,
which means that as an attacker, if I want to short in size, you know, tens of billions of dollars,
I can totally do that and it will be relatively cheap,
and the cost of attacking Bitcoin is most likely going to be way, way less than that number.
It already is less today in the context of proof of work.
But if you project yourself into the future, what will happen is that issuance will go down relative to the total supply.
And so the issuance relative to the perp market is going to go down.
But also, if you have this monopoly power on technology and IP, this quantum IP,
then you'll likely have to spend, let's say, $1 billion,
and you'll be able to short hundreds of billions of dollars
because presumably in 10 years' time,
the Bitcoin perps markets will be in the hundreds of billions,
if not trillions of dollars.
But these scary scenarios only happen if, like, one actor,
you know, kind of gets this quantum super ASIC, basically.
And so the only ones that can produce it,
if a different world plays out where all of the nation states kind of compete
and they all kind of, you know, graduate together
and we have larger proliferation of quantum super ASICs,
then can't we still preserve proof of work in kind of the same way?
It's just everything has kind of leveled up by orders of magnitude in terms of the
hashing power.
But since everyone's leveling up together, the proof of work algorithm still works.
Yes, so theoretically speaking, if we all level up together, then it kind of works.
There is this one paper titled On the Insecurity of Quantum Mining, where basically there's
some edge cases where basically, if you're interested, the way that the algorithms work is that
you start your problem and then you do what's called a Grover
iteration. And when you're doing the iterations, you don't know whether or not you'll be successful.
And then after a certain number of iterations, you observe your quantum system and you see whether or not you found a golden nonce.
And the rational strategy in quantum mining is that when someone produces a block, everyone else is incentivized to observe all of the work that they've done so far and see whether or not they've also won.
And what that will create is like high correlations between blocks being produced.
Basically there's going to be a lot of uncles and orphans and reorgs, much more so than there is today, because there will be high correlation between when the blocks are produced.
Now, putting that detail aside, what I expect will happen is that we won't all level up at the same time.
And the reason is that quantum is extremely, extremely advanced technology that will take years, maybe decades to commoditize.
And really the principle that Satoshi was leveraging with one CPU, one vote, is this idea of commoditization and linearity, right?
You have two CPUs, you have two votes.
You spend two joules, you have two votes.
What I expect will happen is that we're going to see massive differences in the performance of the systems.
You might have Microsoft that's going down the superconducting path and then some other team going down the trapped ion path,
and they're going to have completely different performance characteristics.
And even if you have two teams going down the same technology path,
one might have an algorithm which is just orders of magnitude better than another.
And so my expectation is that the difference between the best miner
and the second best miner is going to be orders of magnitude.
And today, if you have a special ASIC, which is, let's say, three times better than the next best one,
you dominate the market.
And so Bitcoin mining is very, very susceptible to these relative differences in performance.
And I think quantum will just massively amplify just because it's not yet commoditized.
Okay, so that's Bitcoin and its problem set, which seems pretty significant, pretty vast.
Now, contrast that to Ethereum.
It seems like Ethereum doesn't have a two-prong problem.
So it doesn't have the proof-of-work problem at all.
We're fine from that perspective.
Still does have a set of cryptography that's not post-quantum secure,
but we can get there with a hard fork,
as long as this doesn't happen tomorrow.
Yeah, what are the prospects for Ethereum
kind of upgrading and like being fine
on the other side of the quantum compute revolution here?
Right. So there's four different places
where we might use pre-quantum cryptography.
There's the BLS signatures in the beacon chain.
That's something that's under control
in the sense that we have a plausible upgrade path
within the next half decade, say,
and that's more than enough time.
Then we have ECDSA that is used for the accounts.
And here it's a similar situation to Bitcoin,
except that we have two advantages.
Advantage number one is that we have account abstraction,
meaning that the process of migrating to a different signature scheme
does not require a fork,
and it can start today.
If we have some large holders that want to be very conservative,
they can start the process of migration today.
And, Justin, can this be upgraded for the lost coins, let's say, on Ethereum,
or kind of the passive coins as well, or does it require an active address, an active opt-in?
Yeah, so this is where there's a couple observations.
The first one is that we don't have the equivalent of Satoshi on Ethereum.
Like, we don't have someone who controls 5% of the supply on an exposed address and who's presumed to be dead.
And then the second advantage that we have is that from day one, we had these addresses that were the hash of the public key,
as opposed to being the public key itself.
So what is, you know, four out of 20 million Bitcoin, 20% on Bitcoin might be a much, much smaller number for Ethereum just because from day one, we had this protection.
So if you, just to be concrete, for example, if you participated in the Ethereum, actually this is a real story.
There's some people who participated in the Ethereum pre-sale, they have thousands of ether and they just lost their secret.
These are lost coins, but because the only thing that you see on chain is the hash of the address
and not the pub key, these are actually not exposed to quantum computers.
Okay, so what I'm trying to get to in this is like the set of post-quantum upgrades that
Ethereum needed to do. Remember, with Bitcoin, there was kind of the technical piece,
and then there's also kind of the social property rights type piece. Does Ethereum have an
equivalent problem? Obviously, it has similar technical, but is there a property rights component
to it where some certain amount of ether or tokens or addresses where we actually have to make a
decision whether we freeze, like what we do with that. Yes, there is a similar problem,
but from a quantitative standpoint, it's very different. I think for Bitcoin, it will be
double-digit percentages, whereas for ether, I'm expecting it to be a single-digit percentage.
And so in some sense, ironically, Ethereum might be able to take the more purist path of not
intervening socially just because the total percentage is much smaller.
5% of ETH? Or do we have any estimates for how much ETH and, you know, tokens or addresses would be
not able to upgrade? There was this study that was done at one point on all of the lost coins in
ETH, and I think we were talking maybe a couple hundred thousand. If so, like, very small amount,
and I think half of that was actually the Parity wallet hack, which itself is not exposed
because it's a contract where you just can't move the coins as opposed to being a normal address,
which is exposed. So if I were to make an estimate, it would be basically 100,000 coins
divided by 100 million supply, which would be 10 basis points, 0.1%.
That's very little. So I would imagine then if it is that amount, if it's greater than that
amount, I don't know. But if it is that amount, that 10 basis points kind of number,
then I imagine the community just like lets it go, probably. I would think that would be
the best interest of eth holders and the property rights of Ethereum to just like do something like
that. Yep, correct. And one of the cool things you can do in Ethereum as well is you can implement
what's called a quantum canary. So you can have all of the efficiencies of pre-quantum
cryptography, which is 10 times smaller. And then when someone provides a proof that small quantum
computers exist, small enough to prove that they are indeed quantum, but not big enough to be able to
break the cryptography, then anyone can produce one of these
proofs on chain and basically trigger the canary so that the smart contract has a different
behavior and for example migrates to the post-quantum cryptography. So this is a way to have an
immutable smart contract where you don't need governance to turn on that switch. It happens automatically
and you get the best of both worlds. You get the security in the world where quantum computers exist
and you get the efficiency while we wait for quantum computers. Okay, but I interrupted your flow. I think
you're going up more on the technical side of what's susceptible and what upgrades are required
like in general. So just finish that thought out. Right. So we've covered BLS. We've covered
ECDSA. There's two more. One is the blobs. They use this technology called KZG, which is basically
elliptic curve based. That's going to have to be upgraded. And actually I think this is a great thing.
And the reason is that I'm not super satisfied with the blobs as they are today for various
technical reasons. For example, they're very large. They're not variable size. So if you want to
consume, let's say, just one kilobyte of data availability, then you have to consume a whole blob.
And so this means that you have to do blob sharing and blob packing, and it's this whole
complication. We now have, this is something that hasn't been shared publicly, I guess,
sharing it now. There's this idea called blob abstraction, where we can completely abstract away
the notion of blobs from developers. Basically, developers return to just consuming data.
But then in the back end, there's this super blob that is effectively the whole consensus and
execution block taken together.
And we do data availability sampling on that directly.
So it's a massive improvement to DevX.
And the fact that we have to move away from the current blobs, because they're not post-quantum
secure, is a great, I guess, pretext to push this new and improved design called blob abstraction.
Very cool.
And would that be in sort of the beam chain concept, conceptual design?
That four or five-year time range?
Yeah, I think so in terms of the time range,
but it would be a different layer of the stack.
We have three layers in Ethereum.
We have the consensus layer, data layer execution.
Right.
Beam is consensus.
Beam is consensus.
That would be data.
Okay.
And then there's a fourth place where pre-quantum cryptography might enter,
which is Verkle trees.
So today we actually have what's called a Patricia Merkle tree for the Ethereum state,
and that is post-quantum secure,
and what we're thinking of doing is moving to cryptography which is not post-quantum secure,
because it gives us this efficiency advantage, where the witnesses, the equivalent of the Merkle paths, are basically much smaller.
But we need to be careful, right, because it would be kind of awkward if we do the Verkle fork,
and then a few years after that we say, hey, hold on, we now need to upgrade again to be post-quantum secure.
And so at least within Ethereum Foundation research, I think there's growing, I guess, maybe not consensus, that's maybe too strong of a word, but directionally there is a growing interest in going directly to having a binary Merkle tree. So basically a revamped version of the Patricia Merkle tree where the hash function is more SNARK friendly than what we have today, which is Keccak.
So if you replace Keccak with a hash function like Poseidon, you can get all of the efficiency benefits of Verkle trees where you take all of the witnesses for statelessness and then you compress everything in a single SNARK and you also get the post-quantum security.
So in my personal opinion, this may be, like, the more long-term viable approach and it would avoid us having to do this intermediate Verkle fork.
Okay.
So in contrast to Bitcoin, Ethereum has some of the technical
challenges, but it feels like there's a roadmap to solve that, and we could do that well before
quantum computers are actually a thing. So we're talking the five to seven year time range,
something like that. Is that the general idea here? Yep, exactly. We have a plan for everything.
Okay. And then in contrast to Bitcoin, of course, hopefully, it does not have the social problem
of like, what do we do with the property rights of a massive amount of value on chain? It can just
kind of sidestep that because we don't have one to four million
Bitcoin worth of ether that's kind of stuck in these addresses that can't be passively upgraded to
be quantum secure. So it doesn't have that challenge. I'm trying to get kind of like order of magnitude
on the Richter scale or something, like the earthquake that quantum computers will hit these
networks with. And it feels almost like to me like, you know, it's kind of a four earthquake.
Like you feel it for Ethereum. It's, you know, four on the Richter scale. But it's not collapsing
buildings. It's not destroying things. For Bitcoin, though, I feel like this is a lot. I feel like
is higher on the Richter scale. I mean, we might be at a five, six, or seven on the Richter scale
for the shake up that this will cause in Bitcoin because there's just like a lot of challenges
and Bitcoin has not hard forked in this way ever before, whereas Ethereum has sort of a
history of this. And this seems almost like less of an upgrade than something like the Merge,
right? It feels like it's less difficult. But what's your assessment of kind of the Richter scale
impact on these respective networks? Yeah, I think I agree with you. I think,
the impact on Ethereum will be relatively small because we can have all of these upgrades.
On the other hand, for Bitcoin, it kind of goes against the grain of the social layer.
You can choose either you upgrade and make yourself future-proof, but then you jeopardize your
social contract of not upgrading or you don't upgrade and you potentially jeopardize the whole
system. And so Bitcoin is in this massive conundrum. It's stuck and something has to break.
On the other hand, for Ethereum, it almost goes with the grain of Ethereum.
And this has to do with this desire to improve and change with time.
I mentioned it with the blobs.
It's a great pretext to have a better design.
But it's a similar thing for the beam chain.
We know for sure that we have to change.
And so this is an opportunity to clean up technical debt and do things properly from day one.
And that will give us an opportunity to have a system which plausibly can last for decades and centuries
without having to ever touch it.
And ironically, this is the better strategy
to achieve long-term ossification.
The strategy of saying
the very first alpha version
of blockchains, Bitcoin in 2009,
is the endgame.
That is just very naive.
And I think the better way of thinking about it
is 20 years of innovation and research
all condensed in a chain
like the beam chain,
which can plausibly be left alone
and fully ossified.
Now, because this is a
problem that's probably for the 2030s and more than five years out, I don't think this has been priced
in. I don't think many people are considering it. But of course, it's kind of a long-term thing that
listeners to the Bankless podcast should consider. As we approach it, it probably starts to turn into a
game of chicken with the market where it's going to be invisible into the market and then it's
going to get priced into the market in the acute event, probably. I mean, we could just like look at
what qubits are doing, right? It's like we're at one right now. You know,
physical and logical qubits. So will this get priced in when we're at 1,000? Will this start
to get priced in? Or how about 100,000? Well, then we're kind of on the cusp and how quickly does
that happen? Maybe we start to see some reaction to that. And of course, this is a social community.
And so maybe the Bitcoin core team kind of responds to these attacks with various plans in
different ways and maybe they have a plan for it. But it will be interesting. Maybe the last thing
to touch in kind of this synthesis episode, Justin, which is like really helped me, honestly,
because there was a lot from Scott there.
And I think bankless listeners will appreciate this as well.
The concept of quantum money.
Now, this feels like it's not here.
It feels like it's decades out, potentially, right?
Because there's a lot of preconditions for this.
But it almost sounds like it could be a better Bitcoin than Bitcoin, a better
Ethereum than Ethereum.
And I'm not sure I've got my head wrapped around that.
I'm not sure anybody does, quite honestly.
Even Scott, his original proposal back in 2009, apparently, was
already a leapfrog of what Bitcoin was proposing, but clearly we don't have the capability for
this now. How would you just summarize quantum money for us? So it's not an improvement for
Ethereum. And the reason is that you can't do smart contracts with quantum money. The only thing
you can do is simple payments. But it is an improvement for Bitcoin because just like gold,
it no longer needs to be secured. Like gold, you know, is just this rock and you don't need to
constantly secure it through fees or issuance. When you move to quantum money, basically everyone has
that piece of gold. And if they want to transfer it, they sign a message, they send the message over
the internet, they give that to someone else. And someone else magically has that pot of gold.
But you don't need proof of work. You don't even need proof of stake. You don't need any form of
consensus. Why? Because you're using nature's notepad?
Exactly. Using nature's notepad in the same sense that gold is, you know, nature's ledger that was
in a supernova or whatever the story is,
and it doesn't need to be secured.
Unfortunately, what I think will happen
is that there's going to be a progression
where quantum money will only be practical
after Grover and after Shor's algorithm.
And there's a X% chance
that Bitcoin will die off in the first event
and then Y% chance that it dies off in the other event.
And so it might never have the opportunity
to see itself become quantum money.
Or that ledger could be forked into some quantum,
like basically the ledger of accounts of everything,
who owns what in Bitcoin,
could be forked into some future version
of a quantum money type of ledger chain.
Well, the interesting thing is, like,
from a historical perspective,
talking about Bitcoin, Bitcoin is gold,
what if Bitcoin is silver?
And there's actually like a super predator,
a quantum money gold out there that is actually gold.
You know what I mean?
Like, this could happen quite quickly,
at least from a historical money
perspective, could happen in the span of decades. We don't know. The race isn't concluded yet. We're just in
the second decade of digital, you know, scarcity and these types of systems. So maybe we're still
waiting for the gold. Yep. Now, going back to one of your questions, which is, is quantum money
useful for Ethereum? I actually want to revise that question a little bit, because there is a technology
called one-shot signatures, which is extremely related to quantum money. And this does allow us to
upgrade Ethereum. It would basically
allow us to
have what's called perfect finality
because today what we have
is called economic finality, which means
that if you're an attacker that
can somehow create two inconsistent
finalized checkpoints, we
have this guarantee that at least one third
of all of the ETH staked will get slashed.
So there's about a hundred billion dollars
of ETH staked, and so a
finality attack will
cost you at least $33
billion of ETH, which is fantastic.
But what's even better than $33 billion is infinity dollars, where you can't even perform the
attack in the first place because you have perfect finality.
And the reason why we have the possibility for an attack is what's called equivocation,
which is that you as a validator, as an attester, you can vote for chain A and you can also
vote for an inconsistent chain B.
But with one-shot signatures, the fundamental property is that you can only sign a single
message and then the private key destroys itself. And so you can either vote for A or for B, but you can
never vote for A and B. And then what you can do basically is create these chains of one shot signatures
where you can only sign a single message per epoch number. So today as a validator, I get to
sign one message per epoch and if I sign two, I get slashed. But with one shot signatures, it's
physically impossible for you to sign two messages with the exact same epoch number. Now,
that's something that you can emulate with TEEs, and actually it's a way for you as an individual
miner, if you're worried about getting slashed, you can put your private key in the TEE that will do
the double-signing protection, effectively emulating one-shot signatures for you,
but if you want to do that trustlessly and enshrine it in consensus, you would need a trustless
system and one-shot signatures is a potential sci-fi futuristic path to get there.
And it solves this another problem for Ethereum, which is this idea.
of delegation with LSTs.
So today, basically, every operator has a different slashing profile.
And basically, the best solution that we have is something like Lido, where we put dozens
and dozens of operators in a melting pot.
And then we kind of give each of them a small sliver of the steak, and then you abstract
away and wrap everything in an LST.
But once we have these one-shot signatures, then because the operators can't
create a slashable fault, you don't need to trust them anymore as much as you trust them today.
And then you don't need all of this fancy infrastructure to create LSTs and delegated staking.
It becomes much more straightforward. If I have ETH and I want someone else to be doing the staking,
but I don't want to trust them, well, you can do so. The worst thing that could happen is that they just go
offline. But if they go offline after, let's say, one day, then you just change operator and you send
your funds to a different operator.
And one-shot signatures, do they depend on the number of qubits that we've unlocked?
Are they sort of a quantum adjacent type of thing that's developed in parallel?
How much does it depend on quantum computing itself?
It depends highly, highly on quantum computing.
At a minimum, you would need to be able to run Grover's algorithm.
So this is kind of going to happen, in my opinion.
After we have Grover and Shor, this is going to kind of be this third generation of applications.
Wow.
Justin Drake, thank you so much.
This has been a great synthesis and very helpful, I think, for bankless listeners. We appreciate you.
Thanks for having me.
