Unchained - Why Bitcoin Developers Are Not Incentivized to Talk About the Quantum Threat
Episode Date: February 12, 2026
Are bitcoiners underestimating the quantum threat to Bitcoin? That's the question Castle Island Ventures Partner Nic Carter has posed with some recent posts gauging the views of several leading Bitcoin developers on quantum computing. To help answer the question, Unchained reached out to Ethereum Foundation Researcher Justin Drake and Michigan University Professor Chris Peikert. In this episode, Justin and Chris, who is one of the foremost experts on lattice cryptography, break down the quantum computing threat to crypto and the potential timelines. Justin theorizes that Bitcoin developers may not be incentivized to talk about the quantum computing risk while still saying that a number of smart people are already taking it seriously and that may be enough. Conversely, Chris highlights the constraints that come with uncertainty around risks and timelines. Listen to find out what they conclude. Plus, could AI do crypto in before quantum computers?
Guests:
Justin Drake, Researcher at the Ethereum Foundation
Chris Peikert, Professor, Computer Science and Engineering, University of Michigan
Links:
Ethereum and Optimism Lay the Groundwork for a Post-Quantum Future
Q-Day Is Imminent. Can Bitcoin Survive the Quantum Threat?
Solana Deploys Post-Quantum Signatures on Testnet
Cracking Bitcoin Encryption Is Getting Much Easier, Google Says
Transcript
We face of this very uncertain timeline of when and if quantum computers will emerge to the point where they can break our crypto is a very interesting kind of at an intellectual level, right?
How do you apportion your resources? How do you measure the risk? How do you predict, well, we've got a long migration ahead of us. When do we start?
If you have the fast flavor, so for example,
you have Google working on the superconducting stuff.
The estimate for the time it takes to crack a key is on the order of minutes,
like roughly 10 minutes.
And so what you could imagine is that Satoshi's coins would actually be stolen
at the same rate at which they were mined in the early days.
Hi, everyone.
Welcome to Unchained.
Your no-hype resource for all things crypto.
I'm your host, Laura Shin.
Thanks for joining this live stream.
Before we get started, a quick reminder, nothing you hear on Unchained is investment advice.
This show is for informational and entertainment purposes only, and my guest and I may hold assets discussed
in the show. For more disclosures, visit UnchainedCrypto.com.
Quick note before we get into today's episode.
Bits and Bips now has its dedicated feeds.
We're spinning off from the Unchained feed and moving to a new podcast and YouTube channel.
So if you want to keep up with our weekly live streams and macro-meets-crypto breakdowns,
make sure to subscribe to Bits and Bips directly.
We won't publish there until March, but subscribe today so you can be ready for launch.
Be sure to subscribe to the new feeds at UnchainedCrypto.com slash Bits and Bips.
Did you know that Figure is giving away $25,000 in USDC?
They're a decentralized digital asset platform for earning, borrowing, and lending.
Download the Figure Markets app using our link,
FigureMarkets.com slash Unchained DP,
deposit into their democratized prime pools and earn about 9% APY paid hourly while you enter.
Every dollar you keep in for 25 consecutive days counts as an entry.
Again, the link is figuremarkets.co slash unchained DP for full details.
If crypto taxes feel overwhelming, you are not alone.
That's why Crypto Tax Girl, a team that's been helping crypto investors since 2017,
is offering $100 off on one-on-one crypto tax help.
To get $100 off your crypto tax services,
go to Cryptotaxgirl.com slash unchained.
Again, that's Cryptotaxgirl.com slash unchained.
Today's topic is the quantum threat to crypto.
Welcome, Justin and Chris.
Hi, Laura. Thanks for having us.
Great to be with you, Laura and Justin.
So, everyone, I know we're a bit late to this topic in the sense that others have been talking about this for a while. But we're also
quite early because the threat to crypto that quantum poses is, you know, going to happen at some
indeterminate point in the future. However, this threat is already influencing investment and it is
the kind of threat that will take a lot of coordination and planning to overcome, which is why we are
discussing it now. So let's just start by laying the groundwork. Justin, why don't you start by explaining
what quantum computing is and what threat it poses to crypto.
Sure.
So quantum computing is a form of computing that leverages microscopic physics, if you will,
that is hidden to the day-to-day world that we live in, but is very much present.
And using this hidden structure, you can run computation theoretically faster for certain
classes of algorithms, including algorithms that break the cryptography that we have right now
in terms of elliptic curves. And the major threat for crypto is that it breaks the current
cryptography that we have. So for Ethereum specifically, there's three pieces of cryptography
that are vulnerable. The first one for user transactions is called ECDSA. The second one is at
the consensus layer, we have something called BLS signatures.
And then finally, at the data layer for the blobs, we have something called KZG.
And the common thread for all these three layers is elliptic curve cryptography, which
would get broken by computers.
And Chris, how would you describe quantum computing and the threat that it poses to crypto?
Yeah, I think Justin said it perfectly.
You know, this is a technology that is still in somewhat early and even speculative stages,
but there's been a lot of progress in building these quantum computers
by efforts that have invested billions of dollars
toward engineering these devices.
And at a theoretical level and also at an engineering level,
we know and have known for several decades now
that quantum computers, if they are built at large enough scale,
can and would break all of the cryptography
that we've been using heavily on the internet and in blockchain applications and all around the world for several decades now.
And so I know timelines can be difficult to project, but I was curious when you both personally thought that quantum computing would pose a threat to crypto, you know, how many years from now?
And either of you can answer.
Sure.
Well, I started kind of going all in on quantum resistant cryptography research
about 21 years ago. So at the time, I thought, you know, this is going to matter. This is going to be important someday. You know, in those 21 years, we still haven't seen a quantum computer, but the level of effort and investment that's gone in has really skyrocketed in recent years. And so most people who are experts in this domain, I'm not sure I consider myself one of them in terms of actually building quantum computers,
but most people who are experts in this domain do believe that we will have them at some point in time.
And those timelines range from, well, how likely do you think a quantum computer is to emerge within a certain amount of time?
So I think most people believe that, you know, in the next three to five years, very unlikely.
But perhaps at the 10 year, 15 years out from now, it starts to become more of a significant probability,
and then predicting the future, even 20 years out, is a fool's game.
I don't think anybody can do that.
Justin, what do you think of the timeline?
Yeah, so at the Ethereum Foundation, we've been thinking about this since 2018.
We actually gave a large grant, several millions of dollars, to StarkWare back then to start building this technology.
And with all of the progress that we've seen recently, both on the quantum computing side
of things, but also on the algorithmic side of things, my personal date is now 2032.
And I've partially stolen this from a friend in Cambridge who happens to be the founder and
CEO of Riverlane, one of the top error correction companies in the world.
And we both have sons who are in the same class, which is how I met him.
And he's been in the space for 15 years.
And his date 15 years ago was 2032.
And so I'm feeling pretty good about it.
And going back to what Chris said,
very few people believe that we're going to have
so-called cryptographically relevant quantum computers
by the end of this decade.
So we're talking 2030s.
But I think there's a reasonable chance, for example,
that in 2013, maybe a 1% chance, 2% chance,
maybe more that we'll have a quantum relevant computer.
And then it really increases steeply,
the probability of having a cryptographically
relevant quantum computer.
And one of the things that I can share is that there's been this really big improvement
on the algorithmic side of things.
So if you rewind the clock two, three years ago, the best known algorithm for breaking
Ethereum cryptography required about 10 million physical qubits.
And then about a year ago, so last year in 2025, we had a paper bringing that down
to one million qubits,
and in 2026 we're going to have another paper that brings it down even further.
And so I wouldn't be surprised if the end game is much closer to 100,000 qubits.
And so we have these two curves.
Eventually, we'll cross.
And because of the time it takes to migrate to new cryptography,
we have to be thinking about this several years in advance.
And if indeed I'm right that 2032 is the date,
then today is when we really need to get started.
And explain what a qubit is.
So a qubit is the fundamental quantum building block,
which is the equivalent of the bit.
So a bit can take two values.
A qubit can be in a superposition of states
and it can also be entangled with other qubits.
This is what gives it its power.
And when we talk about qubits,
there's two flavors.
there's the logically perfect qubit, which we call a logical qubit.
And this is what the theoretical quantum algorithm designers will be using.
And then you have what's called the physical qubit, which is the physical instantiation
using atoms or photons or whatever it is.
And because of the noise involved, you have to do so-called error correction.
You have to take a collection of physical qubits in order to form one perfect, logical one.
And this ratio between physical and logical is very important, and it might be on the order of a thousand or 100 or maybe 10,000.
This is very much in the engineering stage.
But one thing that we should expect in addition to the algorithms improving is that the error correction will improve so that the ratio will improve.
And of course, we should see more and more physical qubits in the same way that we have
Moore's law that increases the number of bits and transistors that we have on a single chip.
Okay.
So as you said in the beginning, the threat that quantum computing poses to crypto is kind of
limited to a certain area.
Just to explain what that means in practical terms, like what are the actual dangers
that everyday users would perceive,
that businesses would perceive,
what are the things that could happen
if the crypto industry
and all these different chains
don't come up with ways
to protect themselves
against the quantum threat in advance.
Long story short,
with a cryptographically relevant quantum computer,
you can take a public key
and re-derive,
re-compute the private key from that.
So normally, you're meant to keep your seed phrase secret and your private keys safe and you only expose the public key.
But if we have a cryptographically relevant computer, it's basically game over.
It's systemically bad for the whole industry where the notion of property rights starts to crumble.
Yeah, I would add that cryptocurrency is built on the foundation of secure cryptography.
And there's all kinds of cryptographic primitives and tools by various names, digital signatures and hash functions and encryption and all these different kinds of tools and primitives that we use so that we can build a secure cryptocurrency.
And when that foundation crumbles and becomes completely insecure, well, everything built atop of it also collapses.
So it is, as Justin said, a completely systemic risk, as well as a particular risk to specific protocols that are out there, whether they be Ethereum or Bitcoin or any of the many other kinds of blockchains that are out there.
And so essentially, like, it's something like whoever creates the first quantum computer could steal as many coins as they want from pretty much any chain.
Is that sort of the doomsday scenario?
That's a fair description of what would happen, right?
If you can take any public key off of the blockchain, you could empty its account, right?
And just forge a transaction that transfers all the assets from this account to the account of your choice.
Those are some of the very simple to imagine consequences of having a cryptographically relevant quantum
computer. There are other sort of more subtle or nuanced situations like one could potentially
use a quantum computer to break consensus or cause some kind of fork in certain types of
blockchains that are protected by digital signatures that are vulnerable to quantum computers.
So Justin also mentioned this at the beginning. The actual consensus layer of many
blockchains is protected by cryptography that would be broken by quantum computers.
So whether an attacker would actually want to do this and destroy the entire consensus
of the network or not is an open question, but it's at least something that in principle
could be done.
And so that would be a systemic destruction of maybe all the value in that blockchain.
I do want to kind of share some of the nitty-gritty details of quantum computers.
So there's several so-called modalities, which are different flavors of quantum computing.
There's, for example, trapped ion and neutral atoms.
And those involve, like, moving particles around, and they tend to be relatively slow in terms of their clock cycles.
And so if you were to run the algorithm to break our cryptography known as Grover's algorithm,
it might actually take several hours or several days.
And so if you only have a limited number of quantum computers at the very beginning,
then you should only expect a small number of keys to break if these are the modalities that are going to win.
There's other modalities, for example, superconducting and photonics that are much faster because there's no moving parts.
And here you could expect a key to break in a matter of minutes.
But again, if there's a limited number of sufficiently powerful quantum computers, most addresses will actually be safe.
because, for example, Satoshi has a very large number of addresses,
each with 50 Bitcoin in the early days of mining Bitcoin.
And so one very easy mitigation, actually, is to just make sure that in your wallet,
you have less than 50 Bitcoin's worth of value,
because then the attacker will target Satoshi's coins first,
and we'll have a bunch of lead time
seeing Satoshi's coins being drained before everyone else's.
Well, okay.
Yeah, I mean, the one thing, of course, is if Satoshi's coins get drained,
then that would cause like a systemic panic.
And so the price of Bitcoin might go south.
But let's say that now it was 2032.
We would wake up one morning and, like, find
that all of Binance's wallets got drained, even like cold storage,
same with Coinbase.
Is that kind of how to think about it?
So a lot of the large exchanges for their cold wallet
actually implement a very easy mitigation,
or at least they should implement a very easy mitigation,
which is to not reveal the public key.
So on most blockchains like Bitcoin and Ethereum,
you have the address, which is the hash of the public key,
and then you have the public key
which needs to be revealed the very first time
you spend from that address.
But if you have a cold storage address for which you've never made any spends,
then the public key has not been revealed,
and that's actually secure against quantum computers.
So the very easy mitigation is to make sure that you're hiding your public key
behind the hash, which is your address.
Now, there is a company called Project 11 that has this
tracker website that will tell you what percentage of keys are protected behind the hash and
those that are not. And I believe we're talking roughly 30%. Don't quote me on this. Just check the
website. And some of the top addresses are indeed exchanges. So if you are a security officer at one of
these exchanges or you're part of management, do consider this very simple mitigation
of putting all your cold storage in an address that has never made a single spend.
Okay. Okay. Yeah, I guess. From what I understand, you know, the way these exchanges work,
they have cold storage. They'll have like a lukewarm storage, right? For what it's called.
And then the hot wallet. So presumably there are times when certain cold storage wallets might need to transact with the
lukewarm wallets or whatever they're called, but yeah, it's probably pretty infrequent. Okay, so
now let's talk about something that Chris kind of alluded to. He said, you know, if whoever
develops the first computer wants to go after these coins. I'm so curious, there must be a race to
develop this type of computer first. So who are sort of the different players, and are any of them
ones that, yeah, might be motivated to attack crypto?
Sure.
Well, we know of many of the public players, at least.
So Google has a serious high dollar investment in building various types of quantum computers,
engineering them.
And as Justin mentioned before about error correction, just last year,
Google had a major breakthrough in the quality of error correction
that it was able to attain.
That's one of the most important ingredients
in ultimately building a large-scale quantum computer.
You also have IBM
and a large number of,
moderate number of startups of various names
that are all trying different engineering approaches.
And then you have the not-so public players.
We know that governments around the world
of various large countries
are very interested in this kind of technology.
They don't report out their progress to a large degree.
And so we don't really know where they lie and whether the private sector that's making
public announcements is ahead of them or catching up, it's very hard to say.
But, you know, naturally the U.S. government, the Chinese government, all kinds of rich countries
are almost certainly investing a lot of effort into building quantum computers.
Yeah.
And in the public quantum computing industry, there's a bunch of companies that have gone public,
and there's been a little bit of speculation around those.
So some names that Chris didn't mention, there's like Cy Quantum and Quantum and Continium and Rigetti.
Now, one, I was talking to the Google team recently, and one thing they mentioned is that in China,
instead of having many different commercial companies working on this,
it's mostly centralized at the government level and they're extremely quiet.
So I would say those are the two primary poles,
the public companies and the Microsoft, the IBMs and the Googles,
versus a government like China.
Yeah, I feel like, I mean, this is sort of something that's been said a lot,
in crypto, but, you know, a government like China is probably one of the few players that would be
very motivated to try to attack blockchains in this way. So, yeah, I could see that being a threat.
Okay. Well, I'm so curious, and I know you guys are kind of affiliated with certain chains,
but you probably have made an assessment of which chains are maybe more vulnerable than others
and which ones are least vulnerable. So I'm just curious to hear the lay of
the land, like what your opinion is on if there are any particular coins that you think probably
are better positioned and which ones need to, you know, up their game.
So when migrating to post-quantum cryptography, there's really two challenges. One is a technical
one and the other one is a social one. In my opinion, the major technical challenge is what's
known as the size problem for post-quantum cryptography. We're dealing with signatures that
are at least 10 times larger than ECDSA.
So ECDSA has 64-byte signatures,
and the smallest NIST standardized scheme is called Falcon-512,
and it has signature sizes of 66 bytes.
And then there's all sorts of other schemes that have even larger signatures.
And so if you maintain the
block size, which for pretty much any blockchain is like the scarcest resource that you have,
your throughput, and you increase your size of your transactions by a factor of 10, then your TPS,
your throughput is going to go down by a factor of 10.
So imagine Bitcoin going from 3 TPS to 0.3 TPS, or Ethereum going from 25 to 2.5 or Solana going
from 1,000 to 200.
it. In my personal opinion, this is just a non-starter, just from a commercial standpoint. It would
just be way too disruptive. And so what the Ethereum Foundation has been investing in to solve
this technical size problem is what's known as signature aggregation. So the idea is to take
multiple, all of the signatures corresponding to all of the transactions in the block and to
snarkify them into a single proof that would get published alongside
the block. And this is something that we've been working on for a while now. We have something
called Lean VM, and we have the variants of the NIST standardized signatures that are much more
friendly to this aggregation. Now, putting aside the technical problem, which is real,
for some other blockchains, there's an even more real problem, which is the social one.
First of all, they need to recognize that indeed there is a problem. And then
even once they've recognized, they need to put in place all of the coordination infrastructure.
And the topic blockchain that I have in mind here is Bitcoin.
You have leaders like Adam Back that are in complete denial that quantum computers could be coming in the early 2030s.
He's talking about at minimum decades until cryptographically relevant quantum computers come.
And Nic Carter wrote this report recently where he went through
the whole list of Bitcoin high priests.
And of the 10 that he identified, only one of them, Jonas Nick, was worried about quantum
computers and the nine others didn't seem too worried.
And Bitcoin is a chain that only makes upgrades extremely infrequently.
In the last 10 years, it's only made two upgrades.
And it's plausible that it would take them at least five years
to upgrade to post quantum cryptography
and that quantum computers could come within that time frame.
Now, one of the things that I'm hoping will happen, ironically,
is that there's a collaboration between Ethereum and Bitcoin.
Because what happened in 2009 when Satoshi launched Bitcoin
is that he created a de facto
standard for signatures. So he went with ECDSA, he picked a specific curve,
sec 256, secp256k1. And then most of the chains just copied this. And this was
really good because it meant that you had the same key derivation standards across all of
the chains. You have the same wallet infrastructure, the same hardware wallets. You had the same
MPC protocols, etc., etc. And it would be pretty catastrophic, in my opinion,
if every chain were to come up with its own solution.
And so the strategy that we're taking at the Ethereum Foundation
is actually to try and pill the Bitcoiners
to reuse whatever we have
so that if Bitcoin and Ethereum together
have the exact same solution,
that all of the other chains most likely will just copy it.
And so the Lean VM that I mentioned
is built with Bitcoiner security in mind.
We're trying to be as conservative as possible,
not cutting any corners.
And we're also collaborating with Bitcoin researchers.
So there's Mihal Kudina, for example,
we wrote four different papers, academic papers,
with him in 2025, in early 2026.
These are papers on post-quantum cryptography.
And last year, we organized a workshop in Cambridge in October.
This was a three-day post-quantum workshop,
which he came to.
He's a great guy.
I'm basically hoping that Mihal can single-handedly be the bridge between the Bitcoin world and the Ethereum world.
And I forgot to mention that Mihal works at Blockstream, the primary company that has, you know, soft power over Bitcoin upgrades.
Yeah, and that is run by Adam Back, who actually, you mentioned really with not, yeah.
But yeah, Jonas Nick is also at Blockstream.
So maybe Adam Back could be convinced if Michael and Jonas joined forces.
Okay.
And I'm curious, Chris, what you think of that idea about if Bitcoin and Ethereum are using the same strategy or the same solution,
if that would be something that other chains would naturally do because I don't know if it is even an issue.
But in my head, I'm like, oh, but does that reduce resiliency
for the industry if everybody's using the same model that potentially could later on become
vulnerable? I don't know. Yeah. In terms of cryptography and the standards that are underlying
the technologies themselves, I think it's a very good thing to have broad industry standards
that are well understood, that have been well vetted. And as Justin mentioned,
You know, the Falcon signature scheme is one which has been selected by the U.S. National Institute of Standards and Technology now through a many-year post-quantum cryptography process.
So that started back in 2017 or so and is just coming to the conclusion of its main activities in the past year and upcoming year.
And so it's very good if the industry can all agree on one standard so that things are interoperable.
You get many fewer cryptographic disasters or unexpected incompatibilities or security issues.
You know, speaking of some of the other projects out there that have taken post-quantum cryptography seriously, for example, I've been connected to Algorand since 2020
through Algorand Technologies.
That's a company that works on
cryptographic research and protocol security.
And one of the reasons I got excited to do that at the time
was they specifically wanted to understand
the post-quantum cryptography landscape
and to bring their chain up to date
and understand what it would take
to build in post-quantum resiliency.
So through those years,
we developed something very similar
to what Justin was talking about to address this size problem.
It was called state proofs, and it uses the Falcon signature scheme.
And it basically offers a fairly frequent but periodic checkpoint, a post-quantum secure checkpoint
about the state of the Algorand chain, for example. So it allows you to say, you know, every
256 blocks, which is every few minutes on Algorand, you can get signatures, Falcon signatures from
many, many different validators and accounts that attest to the state of the chain.
And then there's a thing called a state proof that kind of condenses these Falcon signatures down
to a small number of them that together prove that a large percentage of the stake in the
Algorand system has attested to, yes, this is the state of the blockchain at this point in time.
And that's a post-quantum secure attestation or proof.
And so it allows one to, for example, interact with other chains or have a long-term post-quantum secure kind of snapshot of what the chain actually looked like.
And that keeps it secure even in the ultimate future when quantum computers emerge and might try to, you know, fork the chain through a historical path or try to convince a light client that the chain looks like this when it actually looks like that.
So light clients and other users can look at these state proofs and determine, yes, this is the actual state of the chain at this point in time.
And then recently, Algorand also added these post-quantum secured wallets.
So you can actually give post-quantum-secured transactions for using the same Falcon signature scheme.
Okay. And for the transaction, that just means, like,
that the transaction wouldn't be vulnerable to a quantum computer?
Exactly.
Yeah, the transaction, the signature, transaction has a signature.
It's a Falcon signature.
That's a post-quantum secure signature.
And those, the idea is that a quantum computer would not even be able to forge such a signature.
It would not be able to, you know, empty your wallet if you've got this feature enabled that requires post-quantum signatures on its transactions.
Oh, got it.
Okay. Okay.
So these are addressing sort of the two layers that Justin mentioned at the top of the show where you have, you know, there's protection for individual accounts and wallets.
And then there's protection at the base layer of the blockchain itself and the consensus layer.
And, you know, does everybody agree that the same thing is happening?
Okay. Got it. That makes sense. All right. So in a moment, we're going to talk a little bit more about some of the other efforts that are being made.
but first a quick word from the sponsors who make this show possible.
Back to my conversation with Justin and Chris.
So are those all the different types of problems that could happen with quantum cryptography, sorry, quantum computing?
Or are there any others that might affect blockchains?
There's another type of attack that we haven't really mentioned so far,
and it's of lesser significance to the blockchain space,
but still can have some important implications,
and that is what's known as a store now, decrypt later attack.
This primarily affects encryption.
So if you have data that you want to keep secret,
let's say your account balance is private,
or you're using a chain that offers some privacy to the transactions, that usually uses a
technology called encryption. And just like with ECDSA signatures that Justin mentioned earlier,
all of the predominant encryption methods of the past several decades are also vulnerable
to quantum computing attacks. And so would that affect like pretty much all the privacy
coins and all the privacy chains? Is that?
It might. It would depend on what kind of level
of privacy that they provide.
But what it would allow is if there's some encrypted data that is stored on the
blockchain, for example, and is meant to remain secret for a long time, when a quantum
computer ultimately emerges, it can look at that encrypted data, break the key, and
decrypt the data, and learn what was supposed to remain private.
And so you have this problem where if you're encrypting things today with cryptography that would be vulnerable to quantum computers, you have a problem because if you're trying to keep it secret for 10 years, for example, and quantum computers emerge in six, or whatever the prediction is, you can't, you're going to lose, right?
You're not going to be able to keep it secret for that long.
So it means that if you want to keep secrets for a longer term period,
then you need to start using quantum,
quantum secure cryptography right now.
Laura, you're asking about the privacy chains.
So I have a piece of good news and a piece of bad news.
The piece of good news is that quantum computers will break the soundness of these privacy schemes like Zcash, but they will not break privacy.
So, you know, someone can spend coins that are not theirs, but at least the whole, you know, at least the whole history of past transactions will not be like magically decrypted.
So that's the good news.
The bad news is that I think privacy coins like Zcash are going to be the very first target
of a quantum computer.
And the reason is that you can steal funds without anyone noticing.
So within the privacy pool, you can just empty the privacy pool and no one will know.
And so you mentioned Laura that there would be kind of mass panic if Satoshi's coins were
to move.
Well, there wouldn't be any mass panic if the Zcash coins were to move because no one would really notice.
Oh, my gosh. Yeah, that is, that's really scary.
And would this also affect, because there's, you know, as I'm sure you know,
there's a bunch of layer twos that have privacy on Ethereum.
You know, I just interviewed Aztec back at Devconnect when they launched.
Like, you know, there's a bunch.
So would those also be affected?
Yes, unfortunately, they would be affected.
And really the solution here is to try and migrate as quickly as possible to post-quantum SNARKs,
because a lot of these are based on SNARKs.
And hash-based STARKs are basically the only solution that is production grade today.
Now, in addition to deploying new technology, one of the social problems is trying to force the community to exit
one system and move to another one.
So for example, in the context of Zcash,
they have these multiple shielded pools.
I think one is called Sapling,
and they have various names.
And one thing that you can do is basically keep track
of the total amount of funds
that have been deposited in the privacy pool
and the total amount of funds that have left.
And so what you could potentially do
is have a policy that says, you know, by this date, we need to have this specific, vulnerable
privacy pool be emptied. Otherwise, all of the coins might be deemed, might be destroyed
as a policy decision by the community. And one of the things that I want to highlight going
back to Bitcoin is that they have this big issue around what do you do with the Satoshi
coins, which is about a million BTC, which is, you know, tens of billions of dollars.
And, you know, there's basically potentially going to be a contentious fork here
with one side wanting to burn them and the other side saying,
no, no, no, privacy rights are sacred.
We definitely cannot burn them.
The good news for Ethereum is that there's, roughly speaking,
0.1% of the ETH circulating supply, which is known to be lost,
or, you know, believed to be lost.
And so that's essentially a rounding error.
And I don't think we'll have this consensus fork in Ethereum land.
And wait, so I'm sorry, just to understand, are you saying for something like Bitcoin
that in order for any coins to be saved, all the owners have to voluntarily move?
No.
For any chain, we need to have the owners perform an action where they spend their coin
from a quantum insecure wallet and migrate them to a post-quantum secure wallet.
There is this like one exception, which is that it is possible to basically have a proof of knowledge
of the seed phrase as opposed to a proof of knowledge of the private key.
And that would allow you to migrate without any user action.
But this is not something that many chains are considering as the default path.
They are considering, for example, as an emergency path.
So if, let's say, tomorrow, we had a quantum computer that was able to crack Ethereum addresses at will,
what would probably happen is that we would just shut down the chain,
and then we would have a mechanism for people to prove that they own the seed phrase,
which is, you know, a post-quantum secure thing
as opposed to proving that they know their private key
because that's something that the attacker would know.
And then we would have this reboot mechanism
that would take several weeks, potentially several months.
So, yeah, it is being considered right now
as an emergency backup, but it's not the default path.
Wait, and I'm sorry, like to quote-unquote shut down the chain,
you have to get all the individual miners, all the stakers, I get like, but I guess because there's a lot of, so you'd have to get all the solo stakers and all the, you know, kind of like places like Lido and whatever that are doing it for, for individuals.
Like you'd have to get them all to do that, right? Or?
So there's two separate problems. There's the users and the validators.
For the users,
the community more likely than not would say,
hey, like any transaction that has been made from this point onwards
is just considered a null and void.
What we're going to do in order to prove your ownership of a specific address
is we're going to ask you to prove that you know your seed phrase.
So just to back up a little bit,
the way that you go from the seed phrase to the private key
involves some hashing.
And hashing is quite quantum secure. So that step here is quantum secure and it can be leveraged to do an emergency
reboot for the users. You could also do a similar thing for the stakers. So Ethereum has roughly
$100 billion of stake and each validator can have a zero knowledge proof that they know
the corresponding seed phrase and then use that to basically send the ETH to a new
post-quantum-secure address. But this is a process that would take many weeks,
potentially many months. And so for a period of time, the Ethereum chain would go down.
But having said all this, the plan right now is to upgrade every single piece of
Ethereum cryptography to be post-quantum secure by 2029. And so hopefully this should not be
an issue if indeed 2022 is 2032 is the correct date.
Okay. Yeah. Yeah. Obviously you want to do it ahead of time because what you just described sounds like chaos. But Ethereum has done similar things in the past. Like if I think about the DAO hard fork, like there are messy situations that it's come across. And yeah, okay, maybe the solution was messy in its own way. But like it worked, you know, basically. So, okay, that is, that's really interesting.
So Chris, well, yeah, so okay, so now Justin just briefly gave us a little bit of a glimpse
of like how how Ethereum is thinking about trying to tackle this.
Like, does Algorand have any plans or do you know of any other chains that have like certain
plans around, you know, how to kind of transition before the threat arrives?
Yeah, there are, you know, several chains that are thinking, I think,
seriously or to some degree of seriousness about how to do these kinds of upgrades and transitions.
I think it's absolutely important to do it very deliberatively and iteratively.
So the approach at Algorand, for example, has been,
let's deploy this state proofs, right, for the underlying consensus and chain and a long-term
viability and accuracy of the chain. And then let's learn from that and let's iterate. And then they
moved it to post-quantum transactions, post-quantum protected transactions. We'll learn from that
and discover new techniques, new ideas that allow to move forward to other pieces of the picture.
And so I think another reason to start early in addition to the ones that Justin has mentioned about
you know, the uncertain timeline of when are we going to be at Q day, right?
When are we going to hit the Q-pocalypse?
Is you have to learn and you have to iterate and you have to try some things that might not work and adjust your approach.
Because the performance profiles of these post-quantum schemes is very, very different from what people are used to with the current classical cryptography.
So, you know, the sizes are much larger.
There's, you know, on the plus side, verifying signatures is much faster in post-quantum schemes like Falcon.
And so, you know, for blockchain applications, fast verification is a very useful fact.
You want to be able to verify a lot of signatures very quickly because there are so many of them on the chain.
There are going to be a lot of tricky implementation issues with a lot of these cryptographic primitives.
They work completely differently from what we're used to.
And so all the lessons of the past actual few decades in terms of sticky points and trip-ups
that people have made with insecure implementations and things of that nature, we might have to
relearn some of these lessons or at least pay close attention to the mistakes that were made
in the past and make sure we don't make versions of those mistakes again with a new cryptography.
So, you know, it takes a long time.
All of these things are slow and deliberative.
And one needs to start early because it's a marathon, right?
It's not a sprint.
You don't want to be sprinting for 26 miles.
You're going to fall over dead at the end if you do.
You'd rather have a nice, you know, well, my pace would be four miles an hour if I were running a marathon, maybe less.
But, you know, you want to be able to be going carefully
and deliberately, and that means starting very early and going piece by piece.
And so Justin, as you mentioned, the Ethereum Foundation just announced this post-quantum team.
And, you know, you kind of already gave a little bit of a glimpse into what you guys were thinking.
But just like tell us a little bit more about your plan and, you know, what goals you have.
Right.
I guess before that one thing that I want to share as a prediction is that I think the blockchain industry is going to
suck in a lot of post-quantum talent in the months and years to come.
One thing that, you know, it might not be clear to your audience is that Chris is like one
of the very top experts in the world on lattice-based cryptography.
And it's fantastic that he is in blockchain land working with Algorand.
And, you know, Blockstream very recently hired Mikhail and we, you know, at the Ethereum Foundation,
we had already a team of cryptographers and we're increasing that, for example,
recently we hired Emil to work on Lean VM full-time.
Now, the specific plan that we have is to solve this size problem via hash-based cryptography.
So specifically, we're hoping to have hash-based signatures that are unaggregated,
and then use hash-based SNARKs to aggregate the hash-based signatures.
Now, why hash-based?
The reason is that one of the primary reasons is that there's uncompromising security.
One of the goals of blockchains is that they're going to be securing hundreds of trillions of dollars over centuries.
And hash-based cryptography is believed to stand the test of time.
and is by far like the most conservative and minimal assumption that you could hope for.
And, you know, hashes in some sense are sunk cost for blockchains.
We have them everywhere, you know, with our Merkle trees.
Even in signature schemes like Falcon, which are called like hash and sign,
you have the hashing that's part of the signing process.
So we're going with absolute uncompromising security.
And again, that's part of the strategy to try and appeal to the Bitcoiners.
Now, if you were to ask a person on the street or a cryptographer of the street is using hash-based cryptography, a wise choice for blockchains, they might actually say no.
And the reason is that hash-based signatures are larger than the other flavor, which is called lattice-based signatures.
So it seems paradoxical.
Why would you choose the hash-based signatures?
And the way that I think about this is that it's a what I call the hash-gambit.
So we have these larger signatures, but then we're solving the size problem with this other tool,
which is the hash-based SNARKs.
And what you end up with is a very small and fast-to-verify SNARK proof
that you post with every single block.
And the only place where the larger signatures show up is off-chain in the mempools.
So there's a solution there, which is called sharded mempool.
So instead of having one mega mempool for all of Ethereum, you know, we might have 64 mempools,
each with 1/64th of the transactions flowing through.
And that's perfectly fine.
It's an easy design.
But really the scarce resource that we want to be preserving is the on-chain data availability throughput.
And for that, we would take all the signatures and snarkify them.
And ironically, when we do that, it's actually a scalability boost relative to what we have today.
And the reason is that today we are consuming 64 bytes of ECDSA data availability per transaction,
whereas in the future we wouldn't be having this fixed cost per transaction.
And so if you look at a, you know, a blockchain like Bitcoin, the total amount of signature data that goes per block is actually larger than a single proof, which is on the order of 200 kilobytes.
So that is a strategy, you know, to take the hash gambit, have slightly larger signatures, but then aggregate them.
And by going with hash-based signatures, in addition to the uncompromising security,
we also have very elegant designs.
So hash-based signatures are some of the simplest things that you could imagine.
They were actually invented close to half a century ago.
So a small historical fact is that Ralph Merkle invented Merkle trees in 1979.
And what was the context of that?
It was Merkle signatures,
which are hash-based signatures.
And what we're hoping to put in production
at the consensus layer is basically a small variant
over these Merkle signatures.
So we've been taking the Merkle tree part of his invention
that's almost 50 years old in blockchains,
and now we're kind of going back to the roots
and also using it for signatures,
which is a fun anecdote.
And in addition to the security and the elegance, there's a further advantage of hash-based cryptography, which is that
it's been heavily deployed in production.
You know, hash-based SNARKs, sometimes known as STARKs, you know, are the common, now the de facto
standard for SNARKs, for roll-ups, for example, and they're extremely performant and certainly
performant enough to be able to aggregate the signatures for all blockchains.
Okay.
And yeah, I mean, what you just explained sounds so interesting, but I'm sure Chris,
being an expert in a different type of, I guess, post-quantum computing,
I'm curious, Chris, what your thoughts are on that.
And if you can explain, like, you know, what a different way to approach it might be.
And not just for Ethereum, but like, for any chain.
Sure. Yeah, it's a really exciting time because there's such a wide spectrum of possible solutions to these problems we face. And there's a lot of different tradeoffs that emerge and that in one context may make a great deal of sense. And in another context, you know, don't make any sense at all. Right. So I think the thing, the system that Justin just described is, it sounds really cool. It's, uh, these hash based signatures are, as he said,
one of the oldest and most classical things, you know, you teach in crypto 101.
And often things in crypto 101 that we teach, you know, we say, oh, this is like a completely
theoretical thing because it's so inefficient.
But then with a bunch of engineering and a lot of hard work and very clever systems work,
it turns out, hey, this is completely practical and you can do it in reality.
So, you know, that's what's one of the exciting parts of this post-quantum
cryptography field for me
and many others I think is
there's like a thousand flowers blooming
all over the place and oh look at this one
it looks completely different from this one
and it has its own like cool advantages
and you can do these kinds of things
with it which well we could never do that before
or oh but like oh it's got a very fragile
stem well okay we can like shore up the stem and make it
much more strong with this other tool right so all these
combinations of really cool
almost magical
cryptography
allow you to do these
sort of miraculous things.
The work,
you know, the area that I work in
is called lattice-based cryptography
and in addition to
hash-based cryptography, those
are the two categories
of schemes that
NIST did ultimately select for its
standards, its post-quantum
cryptography standards.
So both areas are
old-ish,
lattice-based cryptography goes back to the mid-1990s.
So it's kind of getting long in the tooth as well,
which in cryptography is a good thing
when something's been around a long time.
That generally means it's stood the test of time
and can be considered to have good security.
People have looked at it for a good deal of time,
which is necessary before you start putting
billions and trillions of dollars of assets at work
secured by such cryptography.
So the other thing I love about lattice-based cryptography
is maybe some things we'll be talking about
in five or 10 or maybe even three years,
it has these amazing other features you can do
with respect to privacy and what's called
fully homomorphic computation,
fully homomorphic encryption
that enables all kinds of miraculous applications.
it's still in the relatively early days of being practical enough to deploy,
but there's been a great deal of effort on it at the scientific side and the engineering side
over the past 15 years or even getting a little bit more than that.
And I think in, you know, five and 10 years, we will be pretty amazed by what we can do
with those kinds of technologies as well.
All right.
So now let's talk about Bitcoin.
because that's really the chain that kind of kicked off this conversation.
As Justin alluded to, Nic Carter of Castle Island Ventures, a few months ago,
released a bunch of different essays.
And he talked about how he had done a bunch of interviews.
And he felt like the Bitcoin core devs were not really taking the quantum threat seriously.
And he found that concerning because it's the most decentralized chain with the,
I guess, what you could say is least codified governmental infrastructure or practices for decision making and group action. And obviously,
Bitcoin is easily the most important asset in crypto. And I just wondered if you, you know, had
thoughts on what he was saying. You know, Justin, as you mentioned, some of the people who are
very prominent Bitcoiners are a little bit dismissive of this threat. And I wondered, you know, if you
felt that, you know, Nic maybe kind of was making a stronger point or if you felt like you
agreed more with the Bitcoin devs or, yeah, how, and either of you, you know, can answer. But I'm just
for you to describe what you think are the quantum threats to Bitcoin.
I think Nic is directionally correct on pretty much all of the points. I guess I would add two caveats.
The first one is that there's this weird game theory where maybe the Bitcoin developers don't have an incentive to talk about the risk, even though they themselves kind of personally, privately, appreciate the risk.
And I think there might be something similar going on with the security budget.
I know with very high confidence that Bitcoin is not going to stand the test of time because of the security budget and the,
and the halvings.
And, you know, there's some very smart people that probably understand that,
but, you know, don't have an incentive to speak about it.
And maybe we see something similar with quantum.
The other thing that I want to kind of push back on a little bit with Nic is that
there are, like, a couple of very smart people that are taking it seriously,
especially Mikhail and Jonas.
And, you know, at the technical level,
You don't need an army of researchers necessarily.
A small group of people, especially with the advance of AI,
can do a lot.
And I think there is a reasonable path here where, you know,
in parallel to the main net, there's some test nets or some dev nets
that are led by people like Mikhail and Jonas, and that thanks to companies like Project 11 there is a reasonably swift migration.
Now one of the data points worth sharing is that if you're going to cycle through every single UTXO on Bitcoin, it's going to take about three months if the chain is dedicated to doing nothing other than cycling through these UTXOs.
And so, you know, realistically, maybe we're talking, you know, more like a whole year to do the migration.
But yeah, I think the bigger issue is going to be how are they going to solve this aggregation problem.
There's the technically naive way of solving it, which is just increase the block size 20x to kind of counterbalance the fact that the pub keys and the signatures are that much larger.
But there was a whole holy war that was fought on Bitcoin block sizes.
And the small blockers win.
And I think it would be not super palatable to increase the block size by 20x.
And so the solution that I'm presenting to the table for Bitcoiners is maximum security
with hash-based signatures, a solution which gives them a scalability boost over what they have
today and doesn't require them to increase the block size. So my hope is that in the three-day
post-quantum workshop that we're organizing again this year, we're going to have more than just
one Bitcoiner there, hopefully a handful of them. And if you'd like to come, my DMs are open,
and I'd be more happy to host you.
Chris, what do you think?
Yeah, I mean, I would say at the
sort of higher level, just, you know, backing away from the specific situation of Bitcoin,
in the issue that we face of this very uncertain timeline of when and if quantum computers
will emerge to the point where they can break our crypto is a very, you know, interesting
kind of at an intellectual level, right? How do you apportion your resources? How do you measure
the risk? How do you predict, well, we've got a long migration ahead of us.
where, when do we start that is really a challenging, a challenging thing.
And so, you know, reasonable people can come to different conclusions about that in their own
context and projects.
But I think overall, you know, I would say there does not seem to be any intrinsic blocker
to quantum computers eventually scaling up to break cryptography.
I think more and more people are coming around to the idea that, you know,
it's a matter of engineering.
It's a matter of are people going to put in enough budget to actually engineer these devices?
And the directional that seems to be going is, yes, it's going to happen sooner or later.
And technology is very hard to predict.
We have many examples in history where technology came on much faster than it was maybe expected to.
And we have many instances where certain technologies took a lot longer.
to come out than some of maybe the reasonable predictions had made.
So I did want to ask about the issue about Satoshi's coins, which we brought up earlier,
because Satoshi has such a large number of coins.
And from what I understand, the coins that Satoshi mined have a public key structure
that is more susceptible to the quantum threat.
And obviously because of the high dollar value on that number of coins,
that, you know, would be something that maybe somebody who developed quantum computing early could be motivated to attack first.
Could be the canary in the coal mine, yeah.
So I'm curious, like, do you feel like Satoshi's coins in particular pose sort of a unique threat that Bitcoin out of all the blockchains has?
Or do you, I don't know, what do you think about that?
Yeah, I would say it is unique.
It's 5% of the Bitcoin supply.
And I don't know of many chains that have such a large amount of believed to be lost coins for which the public key is exposed.
As I mentioned previously in the show, the equivalent number for Ethereum is 0.1%.
So about 50 times less of a problem from a quantitative standpoint.
But because the delta is so big, it has qualitative different consequences.
So in the case of Bitcoin, it's going to be a whole debate, it's going to be a contentious fork.
In the case of Ethereum is going to be a rounding error, no one's going to care that 0.1% of the coins are going to get stolen.
Okay.
So even though we've kind of been arguing that like Bitcoin maybe has a little bit more of a threat,
21Shares just came out with an essay that I wouldn't say they're like minimizing the threat,
but they are saying at least that they feel the way that it's been portrayed has been overstated.
And so they did analysis and they are actually saying that they believe only 10,000 or 20,000
bitcoins are actually going to be vulnerable.
And that only that they said so about 10,000 would be able to be suddenly,
quote,
suddenly and unexpectedly brought to market from compromised private keys,
and the remaining coins sit in 24,000 individual Bitcoin addresses that hold about 50 Bitcoins,
and that it would take decades to steal those, quote,
even with the most wildly optimistic technological breakthroughs.
So in that regard, then it sort of felt like, oh, maybe the threat has been overstated.
I don't know.
What did you think of their analysis?
I haven't read their reports, but I can imagine what they're saying.
And this goes back to what I was saying previously in the show that there's different quantum computing modalities.
You know, there's the fast computers, the superconducting and photonics, and then the slow ones, the trapped ions and the neutral atoms.
If you have the fast flavor, so for example, you have Google working on the
superconducting stuff. The estimate for the time it takes to crack a key is on the order of
minutes, like roughly 10 minutes. And so what you could imagine is that Satoshi's coins would
actually be stolen at the same rate at which they were mined in the early days. And, you know,
Satoshi only mined for a period of, you know, two years or something like that. I need to check
exactly. And so it would take, you know, roughly two years to empty Satoshi's 1 million coins.
But that's with a single computer.
But of course, you know, you could just have multiple quantum computers.
You could have, you know, 10 of them, in which case the timeline shrinks by a factor of 10x.
So this conclusion from, you know, 21Shares doesn't make sense to me.
Chris, what did you think?
Yeah, I mean, putting aside the specific numbers here, I think it's important to realize that when a
when a technology kind of achieves liftoff, it grows very quickly.
So the time to go from one quantum computer that can break a key in a few minutes
to the time where there are 100 such computers is going to be a very short period of time.
And once you're in that window, it's far too late to act.
And you certainly don't want to be staring that down.
So, you know, it's sort of a zero to one type of situation, right, where you for a long time do not have the technology to do a task, and then
all of a sudden it's there, and then very soon after, it's ubiquitous.
There's also a little bit of game theory where if you do have a quantum computer, maybe your
best move is not to attack addresses immediately. What you could do is kind of scale it up to
10 computers and then kind of attack those in private and then all in one go, kind of steal
Satoshi's coins.
It is, yeah, we should probably
mention, right, that for the
situation where you have a public key that's
actually public, you can
run the attack in your
basement,
not telling anybody, and
you can discover the secret
key, and you can accumulate all the secret
keys that you need quietly
without taking any external
action. And then now, when
you have all the secret keys, you use
them to make the transactions that empty the wallets. So it's not a matter of, oh, the quantum
computer has to be out there actively making itself known while it's doing these cryptographic
attacks. It's a quiet attack. And then when you're ready, you take your action.
Oh, wow. This reminds me of the Bitfinex hack where the hacker knew what all the account balances
were and drained the biggest ones in order going down to the ones that
had fewer coins. So basically, the upshot is that any chains that want to prevent this type of
attack have to act before quantum computing poses a threat to blockchains. Is that the basic
takeaway?
That's the bottom line. And really, that action, that action to upgrade things is a
long, slow one that's going to take a matter of years.
One kind of tangent, but I still
think it's intellectually interesting is that the current elliptic curves that we have
use a so-called discrete log assumption. And it is possible that a non-quantum computer, a so-called
classical computer, could break these things. And the reason is that there's a lot of structure
in these elliptic curves. And you could imagine some sort of a mathematical breakthrough to happen.
Now, traditionally, these mathematical breakthroughs have happened by humans, by mathematicians, you know, over periods of decades.
But what we're seeing with AI is that time is shrinking and we're starting to potentially see AI as being much better than humans at mathematics.
And so maybe they can find these kind of clever breakthroughs that leverage the structure of elliptic curves within a similar timeline or a shorter timeline
than that of quantum computers.
So this migration to post-quantum cryptography
is also a migration to post-AI cryptography
and is one that, in my opinion,
should be done relatively quickly.
And Chris mentioned the amazing world
that would be available to us with lattices.
So for example, this technology called FHE,
fully homomorphic encryption,
that uses lattices.
There's even more fancy stuff
like witness encryption
and, you know, obfuscation.
And these are all things that we want.
But there is a possibility
that, you know, lattices
get broken by an AI,
partly because, you know,
lattices involves these like very structured
mathematical objects and it is at least plausible
that there will be a breakthrough there.
And so my personal thought here is that at the very foundations of blockchains,
we should be avoiding these structured assumptions.
So we should be going with maximally unstructured things like hash-based cryptography.
And the vast majority of assets, let's say 90% of them should be conservatively secured.
And then there's kind of the more exotic stuff that leverages the fancier assumptions.
that can be done on top.
And if and when there is a break,
it's actually not catastrophic and systemic
to the whole industry.
Yeah, as my PhD advisor said,
cryptographers seldom sleep well at night
because there's always this prospect
that, you know, your baseline mathematical assumptions
about what is and isn't secure turn out to be wrong, right?
And we have to make the best bets we can
with the information we have available.
But, you know, as with quantum computers,
the ground can shift under you quite quickly.
One final thought.
Historically, the way that we've been thinking about post-quantum cryptography is as a
defensive technology against quantum computers.
But in recent weeks and months at the Ethereum Foundation, we've actually changed our mindset.
We now think of post-quantum cryptography as being an aggressive strategy in order to attract
institutional capital, for example.
And we're now hoping to be the very first global financial piece of infrastructure
that is post-quantum secure.
And that could potentially be used as a way to attract capital from TradFi into Ethereum.
Yeah.
You've probably seen some people on Twitter making that point that Ethereum as an asset is looking
very good from an investable standpoint, partly because you guys are being so proactive about
the quantum threat. So yeah, I think your strategy is a good one there. All right, everyone,
this has been just fabulous. Thank you so much. It's great talking with you. Thanks, Laura.
