What Bitcoin Did - Is the Quantum Threat to Bitcoin Actually Real? | Alex Pruden
Episode Date: April 9, 2026. “There's a 50% chance that by 2033, quantum computers can break Bitcoin.” Alex Pruden joins me to explain why the threat may be much closer than most Bitcoiners think, what a real quantum attack on Bitcoin would actually look like, and whether bitcoin developers are doing enough to prepare. We get into the real risk to self custody, exposed public keys, whether Satoshi’s coins could become a target, how a migration to quantum resistant signatures might work, and why this debate could become one of the most important and divisive fights in Bitcoin’s future. THANKS TO OUR SPONSORS: ANCHORWATCH BLOCKWARE LEDN BITKEY SWAN CLUB ORANGE FOLLOW: Danny Knowles: https://x.com/_DannyKnowles or https://primal.net/danny Alex Pruden: https://x.com/apruden08
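Added worked example for this page (it is not code from the episode, from Project 11 or from the address checker Alex mentions): a small Python module that classifies a Bitcoin output script by template and reports whether its public key is already on chain, which is the distinction the conversation below turns on. Raw-key P2PK outputs (the early Satoshi-era type) carry the key in the scriptPubKey itself; going one step beyond what the transcript says, so do P2TR (Taproot) outputs, whose x-only output key sits in the script. P2PKH, P2SH, P2WPKH and P2WSH outputs carry only a hash, so the key appears the first time an output is spent, and reusing such an address after one spend exposes every remaining UTXO on it. The function and type names, the outpoint labels, and the keys and signatures are constructed placeholders.

```python
"""Added example: which Bitcoin outputs already have their public key on chain?
Not code from the episode or Project 11. All keys, signatures and outpoints are placeholders."""
from dataclasses import dataclass

OP_0, OP_1, OP_DUP, OP_HASH160, OP_EQUAL, OP_EQUALVERIFY, OP_CHECKSIG, OP_RETURN = (
    0x00, 0x51, 0x76, 0xA9, 0x87, 0x88, 0xAC, 0x6A)

@dataclass(frozen=True)
class Classification:
    script_type: str
    key_exposed: bool  # True when a raw public key is readable from the output script itself
    note: str

def is_pubkey(item: bytes) -> bool:
    """SEC encoding: 33 bytes with 02/03 prefix (compressed) or 65 bytes with 04 prefix."""
    return (len(item) == 33 and item[0] in (2, 3)) or (len(item) == 65 and item[0] == 4)

def classify_script_pubkey(spk: bytes) -> Classification:
    """Match the standard output templates by length and fixed opcodes."""
    n = len(spk)
    # P2PK (Satoshi-era): <push> <pubkey> OP_CHECKSIG. The key is the script.
    if n in (35, 67) and spk[0] == n - 2 and spk[-1] == OP_CHECKSIG and is_pubkey(spk[1:-1]):
        return Classification("p2pk", True, "raw key in the output; long-range Shor target")
    if n == 25 and spk[:3] == bytes([OP_DUP, OP_HASH160, 20]) and spk[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG]):
        return Classification("p2pkh", False, "HASH160 only; key appears in the scriptSig when spent")
    if n == 23 and spk[0] == OP_HASH160 and spk[1] == 20 and spk[22] == OP_EQUAL:
        return Classification("p2sh", False, "script hash only; keys appear when the redeem script is spent")
    if n == 22 and spk[0] == OP_0 and spk[1] == 20:
        return Classification("p2wpkh", False, "HASH160 only; key appears in the witness when spent")
    if n == 34 and spk[0] == OP_0 and spk[1] == 32:
        return Classification("p2wsh", False, "script hash only; keys appear when the witness script is spent")
    if n == 34 and spk[0] == OP_1 and spk[1] == 32:
        return Classification("p2tr", True, "x-only output key in the output; key-path spend is a Shor target")
    if n >= 1 and spk[0] == OP_RETURN:
        return Classification("op_return", False, "unspendable; no funds at risk")
    return Classification("unknown", False, "non-standard template; inspect manually")

def parse_pushes(script: bytes) -> list[bytes]:
    """Collect the data items a script pushes (direct pushes, OP_PUSHDATA1/2); skip other opcodes."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:
            size = op
        elif op == 0x4C:
            size, i = script[i], i + 1
        elif op == 0x4D:
            size, i = int.from_bytes(script[i:i + 2], "little"), i + 2
        else:
            continue
        items.append(script[i:i + size])
        i += size
    return items

def pubkeys_revealed_by_spend(script_sig: bytes, witness: list[bytes]) -> list[bytes]:
    """A spend publishes the key it signs with: in the scriptSig (legacy) or the witness (segwit)."""
    return [item for item in parse_pushes(script_sig) + list(witness) if is_pubkey(item)]

def audit_utxos(utxos: dict[str, bytes], spent_spks: set[bytes]) -> dict[str, tuple[str, bool, str]]:
    """outpoint -> (type, exposed, reason); spent_spks holds scriptPubKeys some input already spent."""
    report = {}
    for outpoint, spk in utxos.items():
        c = classify_script_pubkey(spk)
        exposed, why = c.key_exposed, c.note
        if not exposed and spk in spent_spks:  # address reuse: the key left the hash at the first spend
            exposed, why = True, "address reused after a spend; key already sits in a scriptSig/witness"
        report[outpoint] = (c.script_type, exposed, why)
    return report

# Constructed placeholders (not real keys, signatures or outpoints).
PK_COMPRESSED = bytes.fromhex("02" + "11" * 32)
PK_UNCOMPRESSED = bytes.fromhex("04" + "22" * 64)
FAKE_SIG = bytes.fromhex("30" + "ee" * 70 + "01")  # 72 bytes: DER-shaped filler plus sighash byte
SAMPLE_SCRIPTS = {
    "p2pk_uncompressed": bytes([65]) + PK_UNCOMPRESSED + bytes([OP_CHECKSIG]),
    "p2pkh": bytes.fromhex("76a914" + "aa" * 20 + "88ac"),
    "p2sh": bytes.fromhex("a914" + "dd" * 20 + "87"),
    "p2wpkh": bytes.fromhex("0014" + "bb" * 20),
    "p2tr": bytes.fromhex("5120" + "cc" * 32),
}
SAMPLE_SCRIPTSIG = bytes([len(FAKE_SIG)]) + FAKE_SIG + bytes([33]) + PK_COMPRESSED  # P2PKH spend
SAMPLE_WITNESS = [FAKE_SIG, PK_COMPRESSED]  # P2WPKH spend
SAMPLE_UTXOS = {
    "a1:0": SAMPLE_SCRIPTS["p2pk_uncompressed"],
    "b2:1": SAMPLE_SCRIPTS["p2pkh"],
    "c3:0": SAMPLE_SCRIPTS["p2wpkh"],  # same script also appears in SAMPLE_SPENT_SPKS: reused address
    "d4:0": SAMPLE_SCRIPTS["p2tr"],
}
SAMPLE_SPENT_SPKS = {SAMPLE_SCRIPTS["p2wpkh"]}

def run_sample() -> dict[str, tuple[str, bool, str]]:
    return audit_utxos(SAMPLE_UTXOS, SAMPLE_SPENT_SPKS)

if __name__ == "__main__":
    for outpoint, (kind, exposed, why) in run_sample().items():
        print(f"{outpoint:5} {kind:8} exposed={exposed!s:5} {why}")
```

Running it prints the audit of the constructed UTXO set: the P2PK and P2TR outputs and the reused P2WPKH address come back exposed, the fresh P2PKH output does not. Feeding it real data means passing `audit_utxos` the scriptPubKeys from a node's UTXO dump together with the set of scriptPubKeys that any confirmed input has already spent, which is the index a checker of this kind has to maintain; Lightning channel closes, message signing and bridge multisigs all land in that second set the same way.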
Transcript
there's a 50% chance that by 2033, you will have a cryptographically relevant quantum computer that can break Bitcoin.
Whatever entity has the quantum computer owns all the Bitcoin on the network.
This quantum computer can compute Shor's algorithm fast enough.
Then it's like every Bitcoin is basically at risk.
And that also effectively closes off any kind of on-chain migration option.
Ownership fundamentally breaks.
Once you hit that threshold, you can scale very, very, very, very quickly.
The best way to ensure that you're not rushing a change
is to ensure that you're not surprised.
We should already be well on our way as the Bitcoin network
to having post-quantum cryptography
that's close to being ready to deploy.
Don't be bystanders.
This is extremely novel and new cryptography,
where the stakes are as high as they're going to be anywhere.
Alex, welcome to the show, man.
We are going to get into the hot topic of the day
quantum cryptography and if it's going to break Bitcoin. Let's start with your background.
The first time you've been on the show, the first time I've spoken to you, how did you get here?
Yeah. First off, it's a pleasure to be here. It's a great show. I'm a subscriber.
And yeah, I really appreciate the work you do here. As for my background, I first got interested
in Bitcoin a little over 10 years ago. At the time, I was in the U.S. Army and I was a Green Beret
working in the Middle East.
And specifically, I was kind of in and around Syria and the Syrian Civil War.
And I discovered Bitcoin while working in Turkey training Syrian rebels to fight the Assad regime and ISIS.
We briefly explored it conceptually as a way to basically support financially the guys that were fighting across the border, because at the time there weren't a lot of U.S. troops in Syria.
It never went anywhere.
It was just kind of like a throwaway idea that one of the Turkish intel guys threw our way.
But the concept stuck with me, this idea of borderless money that was secured by cryptography and private keys or seed phrases that you could just put inside your head and then cross any border in the world, say if you were a refugee fleeing conflict.
You could just start over again, because a lot of the people that I was around, as you can imagine on the Syrian-Turkish border, were people that were refugees from that conflict and had basically lost everything, either because their physical wealth was tied up in real estate in Syria or because their bank account was frozen explicitly or they just couldn't get to it.
because they were in Turkey and their bank was in Syria.
And that was sort of the moment when I was like, wow,
I knew nothing about technology.
I knew nothing about finance, quite honestly.
I had gone to a military academy and studied Arabic.
But that was a moment where I was like,
this seems like really transformational.
So I left the Army later, I guess a year after that,
after I came back from that deployment.
And yeah, just tried to figure out a way into the space.
I did what everyone does in their career when they don't know what to do next.
I went to business school.
And so I was fortunate to get into Stanford.
And honestly, I spent most of my time at Stanford just getting into computer science classes that I had no business being in.
I think the cryptography class that I took, which was the first computer science class I took, not a recommended starting point.
But I got a D.
D is for diploma, as they say.
But I just was really passionate about understanding how everything related to Bitcoin worked.
And so, you know, the professor, Dan Boneh, does a lot of research in cryptocurrencies and blockchains and Bitcoin.
So, yeah, that was how I got, you know, more immersed in the space.
I was the co-founder of the Stanford Blockchain Club.
I then worked at Coinbase for a brief stint.
And then I ended up actually getting a role at Andreessen Horowitz when they had a crypto team they were standing up.
This is 2018, kind of the very beginning days of their crypto fund.
And I joined as a, you know, as a venture or as a deal partner.
I was recruited by one of the general partners there.
I didn't love venture, to be quite honest.
It just wasn't really my thing.
It was a great experience.
I learned a lot from the smart people who work there, but I wanted to be an operator.
So I went to join a startup that was in the zero knowledge space called Aleo.
It was a couple of Zcash co-founders who had, yeah, basically had this vision to create Zcash, but with smart contracts.
And I got really excited by that.
Privacy, you know, as you can imagine from my former world thinking about intel and espionage.
I was like, oh, privacy is good and important for a variety of things beyond just those two.
But yeah, I spent four years, well, four and a half years there.
I was the first employee, became CEO, took it from zero to launch.
And then, yeah, after launch, I kind of stepped back and handed the reins back over to the COO and CTO and I was wondering what to do next.
And that's what brought me to this moment, founding Project 11.
So, I mean, there's a lot of veterans that have come into the Bitcoin space, but I don't know if there's many that have gone fully down the cryptography rabbit hole.
Like, that's a pretty big step.
You went straight into the deep end there.
Yeah.
I probably wouldn't recommend going that route.
Maybe it's just, yeah, my misplaced ego. I was like, oh, I could totally do this.
But I do like, as, you know, I, for example, when I was in the Middle East, I spent a lot of time learning Arabic because I really wanted to be able to have a one-on-one conversation with the people I was working with.
I didn't want a go-between.
I didn't want an interpreter.
I wanted to just know exactly what they were saying.
And I easily spent 10 times as much time as my colleagues did on average to do that.
And so I kind of view this as similar.
Like I don't, I'm not very satisfied with kind of the high level answers.
It's both a blessing and a curse, right?
I have to know kind of as deep of a detail as I can stomach how things really work.
Yeah.
You know, and so it's both a good and a bad thing, right?
I think on the one hand, it's my curiosity that's helped, I think, enable me to kind of have insights that are maybe
come earlier than other people might have them. It also, I think, can be, you know, it can be easy
to get lost in details. Ultimately, the challenge is figuring out how to synthesize those two things
into kind of, yeah, what is insightful and what is impactful. So you left the venture world and the
previous startup and you've gone into the quantum side of things. Like, where did that come about?
Yeah, so cryptography. I mean, so the connection is cryptography. So in cryptography,
like I already explained, I studied Arabic. I don't have like a physics background at all.
I mean, I went to a military academy. I took a physics class, but
when I was getting into cryptography, quantum computing is kind of obliquely referenced as like
this doomsday weapon that destroys everything. We think it's 20 years away, you know, and just
like forget about it. So that was my introduction to it. And, you know, I kind of, at Stanford,
and I kind of put it out of my mind for, you know, all the time I was working in the space. And then
when I had a moment to come up for air and think about other areas of cryptography that would be relevant.
Because, you know, Aleo was kind of, I argue, I view it as like it was an instantiation of kind of some advanced cryptography, zero knowledge, right?
And so I was really into that.
And so I was like, what other kind of frontier areas of cryptography are up and coming?
And post-quantum came up again.
I mean, this was actually right around the time that Google's Willow paper.
So Willow describes both a paper and a quantum computer that they built very small scale.
But they had demonstrated this thing called below-threshold error correction.
I had no idea what any of that meant.
But I sort of started doing a little bit of research.
And really what, so I concluded that maybe quantum was moving faster than people were doing credit for.
But to be clear, I wasn't sure at the time.
But the one thing that I was pretty sure of was that blockchains and digital assets generally
and Bitcoin had all seen tremendous adoption in the 10 years that I'd been in the space.
Like, I remember getting into the space and there was legitimate talk of Bitcoin being banned
because it was viewed literally only for criminals.
And I mean, of course, nowadays we're so far from that.
The adoption is far and wide.
We have stable coins.
But I think the extent to which that adoption has happened also makes the challenge of
migrating to a new form of cryptography, like post-quantum cryptography, quite acute.
And that was sort of the moment where I was like, man, I don't know, I mean, we don't
know if quantum is going to happen necessarily.
I think maybe it could be sooner than we think, but it's certainly going to be hard to
affect this transition.
And so that was really kind of the genesis of the idea that led to Project 11.
You said that like jokingly, this was 20 years away.
And that's always been the thing that quantum's always been 20 years away.
But the timeline seemed to have really sped up in the last, I don't know, a few years really from
the experts working in that field. How far do you think an actual, like,
cryptographically relevant quantum computer, how far away from that are we?
Okay. So, you know, folks who have listened to your prior episode on this topic.
You know, look, I think I want to kind of maybe just, they'll have the context.
Maybe I want to just make a statement to kind of frame how I'm going to talk about this generally.
Look, I think there are a lot of unknown unknowns around how quantum computing as a frontier
technology is going to develop and unfold.
So I actually, you know, I kind of think more in terms of certainty and uncertainty.
I think what has become more uncertain in the last year is that a quantum computer won't
potentially exist within a decade. So that's like kind of a very non-answer to your question,
but I think it's an important framing because ultimately what, you know, what we care
about as Bitcoiners, as, you know, people that, you know, think about and care about the
technology is, is the potential existential threat this represents. And so when it happens,
obviously there's going to have to be a lot of changes. But we also have to prepare for those
things in advance. And so we have to kind of handicap what's the chance that something bad
could happen. Right. And a way I like to think about this to illustrate a lot of times is
seatbelts. I don't get in my car expecting to crash, or to get in a fatal crash, right? But I wear my seatbelt anyway, because on the off chance that I do get in a crash, I'll be more likely to survive. And that's sort of how I think about this. All that said, my non-answer to your question is complete; I'll give you my answer now. I feel confident that there's a 50% chance, so it's like even odds, that by 2033 you will have a cryptographically relevant quantum computer that can
break Bitcoin. So that is seven years away. I think there is a, it is plausible, it is plausible
that it is even earlier than that probably to 2029, 2030 time frame. Of course, it could be
further than that, but that's what I would say is my base case is 2033. Could be 2030, 2029. Could be
further, but that's that's sort of how I view it. If you already self-custody Bitcoin,
you know the deal with hardware wallets. Complex setups,
clumsy interfaces and a seed phrase that can be lost, stolen or forgotten.
Well, Bitkey fixes that.
Bitkey is a multi-sig hardware wallet built by the team behind Square and Cash App.
It packs a cryptographic recovery system and built-in inheritance feature
into an intuitive, easy-to-use wallet with no seed phrase to sweat over.
It's simple, secure self-custody without the stress.
And Time named Bitkey one of the best inventions of 2024.
Get 20% off at bitkey.world when you use the code WBD.
That's bitkey.world, and use the code WBD.
The thing that keeps me up at night is the idea of a critical error with my Bitcoin cold storage,
and this is where AnchorWatch comes in.
With AnchorWatch, your Bitcoin is insured with your own A-plus rated Lloyds of London insurance policy,
and all Bitcoin is held in their time-locked multi-sig vaults.
So you have the peace of mind knowing your Bitcoin is insured while not giving up custody.
So whether you're worried about inheritance planning, wrench attacks, natural disasters,
or just your own silly mistakes,
you're protected by AnchorWatch.
Rates for fully insured custody start as low as 0.55%
and are available for individual and commercial customers
located in the US.
Speak to AnchorWatch for a quote
and for more details about your security options and coverage.
Visit anchorwatch.com today.
That's anchorwatch.com.
Do you want to pay less in taxes and stack more Bitcoin?
Of course you do.
Well, by mining Bitcoin with Blockware you can.
Under Section 168(k) of the US tax code,
Bitcoin mining servers qualify for 100%
bonus depreciation. This means every dollar you spend on miners can directly offset your income in a single year.
And that's true for both business owners and W2 earners. If you have $100,000 in ordinary income,
you can purchase $100,000 of miners and potentially offset your tax liability entirely.
Blockware's mining as a service does all the heavy lifting. They secure the rigs, they source the low-cost power,
and they handle all the day-to-day maintenance. So you get to stack Bitcoin every single day while drastically shrinking your tax bill.
Get started today at blockwaresolutions.com/WBD and use code WBD for $100 off your first miner.
That's blockwaresolutions.com/WBD.
Bitcoiners, as you know, with Fiat money constantly debasing, wealth preservation isn't optional.
That's why I recommend Swan Bitcoin, a team of dedicated Bitcoiners who work with families and businesses to build and secure generational wealth with Bitcoin.
Strong relationships with clients are at the center of everything Swan does.
A dedicated Swan Private Wealth representative, which is a real person that you can text and call,
will help you build a Bitcoin wealth strategy using Swan's comprehensive platform of Bitcoin services,
including tax-advantage retirement accounts, advanced Bitcoin cold storage using collaborative self-custody,
inheritance planning with both trust and entity accounts, tax loss harvesting, asset-backed loans and more.
Swan have helped over 100,000 clients since 2020, and if you're serious about acquiring and securing Bitcoin, I recommend Swan.
Meet the team at swan.com/WBD.
As I said to you before we started recording, I am no quantum expert.
But when I hear things like that, I have a few like alarm bells going off in my head that, like I have some skepticism.
But let me hold that for a minute because I think we should get into what the threat is.
Which is really, do you want to explain the attack vector for Bitcoin, what happens with the public keys that are viewable on chain today, and both the sort of short- and long-range attack that is possible.
Yeah, so a very high level way to think about the quantum threat to Bitcoin.
First off, what is it not?
It is not a threat to consensus for Bitcoin, right?
Consensus in Bitcoin is done by mining.
Mining is done by hash functions.
I think any serious scientific study of the quantum attacks on hash functions will tell you
that to the best of our knowledge today, those attacks would require astronomically-sized
quantum computers that are just infeasible in any, over any time horizon, quite honestly.
The threat is to the digital signatures.
And what purpose do digital signatures on Bitcoin serve?
They serve as an authentication for payments, right, for transfers, right?
So Bitcoin is effectively a distributed database maintained by this network of miners.
And the database is changed as a result of people sending messages to the network.
and those messages are signed, and that signature, and the message is effectively, you know, something along the lines of, Alex is sending one Bitcoin to Dan, signed Alex, right?
So a quantum computer is able to basically forge those signatures.
How?
It's, you know,
the way public key cryptography works,
there's a public key and a private key,
and then it's kind of all in the name.
The public key is meant to be public.
It's kind of your address, broadly speaking.
The private key is meant to be only yours,
and that's what gives the signature.
So it's fine for me to share the public key. It should be, in the classical sense.
It's not fine for me to share the private key.
And if you only have the public key, you're not supposed to get the private key.
But these things are mathematically related,
but there's a hard math problem in between those two, right?
Turns out that a quantum computer, actually, one of the only known examples of a quantum algorithm that is provably dominant over its classical alternatives, is the quantum computer being able to compute that math problem that sits in between those two things, right?
So there's variants of this,
the one that Bitcoin uses is called the discrete logarithm problem.
Basically, it just lets you go the wrong way down the one way road.
You're only supposed to go one way from private key to public key, and this way lets you go
the other way.
Right.
And so what does that mean?
That means that any quantum computer or anyone in possession of a quantum computer
with knowledge of a public key effectively could compute the private key and therefore
sign on your behalf.
And what does that mean?
Well, in a real sense, it kind of means that whoever has, whatever entity has the quantum
computer owns all the Bitcoin on the network, right? Now, of course, there's a nuance here,
and you highlighted it, you know, Bitcoin addresses, the things that we send to are not naked public
keys. They're hashed public keys, right? And by the way, the early Bitcoin addresses were
naked public keys. And so there's a whole bunch of Satoshi coins that are in those addresses or in
those UTXO types that are exposed. But broadly speaking, most people today, you know, have addresses
their hash public keys. So those aren't necessarily vulnerable to a, you know, I guess what is called
like a slow clock quantum computer attack. And the way to think about like slow clock and fast
clock is basically is how fast can the quantum computer compute this algorithm, right? And it depends,
it differs based on the architecture. We can get in all that. But like, assuming you have only a
slow quantum machine, you only got to worry about the Bitcoin that is exposed, you know, that is
secured underneath an exposed public key. Now, that could be because it was Satoshi's coins under a,
you know, early address type.
It could be because it's on a multi-sig and, you know, it's a bridge and you have to, like, send to the same multi-sig.
So there's a signature that's been broadcast already.
It could be, yeah, any number of things.
You could have signed Lightning transactions.
People reusing addresses.
People just signing a message.
There's all kinds of ways you can expose the public key, because I guess maybe it's just an important note: signing a message in any form reveals the public key, right?
By the way, for people, you know, who kind of are interested in how Bitcoin wallets work,
typically good wallet hygiene is: I send a transaction to Danny, and then I send the other half of that amount to myself in a new address, right? So that way I don't have an exposed public key. And roughly, I don't know, two-thirds of bitcoin is under these addresses that are not exposed.
Now, in a world where your quantum computer is fast enough, then you could potentially front-run transactions in the mempool. So say I send a message, I'm like, I'm sending you my bitcoin. This quantum computer can run, let's say, inside of 10 minutes. Then it can just reverse engineer my private key, send a new transaction as me in the mempool with a higher fee, and then the miners will mine that.
And it goes to the quantum adversary, right?
So that's like, there's this threshold for speed that's very relevant, where if this quantum computer can compute Shor's algorithm fast enough, then it's like every Bitcoin is basically
at risk.
And by the way, the important note there is that also effectively closes off any kind of on-chain
migration option.
Why?
because I could front-run your transaction when you're trying to migrate it,
even if a post-quantum UTXO were to exist.
And so, yeah, so I think really broadly it's this concept of ownership fundamentally breaks
in a world where there is a cryptographically relevant quantum computer,
and there is not any kind of post-quantum cryptography mitigating that on Bitcoin.
Yeah, so I think the, is it around 6 million coins currently have their public key exposed on chain
at the moment?
Yeah, roughly. We maintain a database. People can check Project11.com.
It's with a risk with a queue list. And so I think it's around 6.2 million. You can also enter your address in there.
If you're worried, you're like, did I actually expose my keys? You enter your address and it'll tell you what UTXO type it is or whether the public key's ever been broadcast.
But yes, roughly 6 million. Okay. And then in that timeline, so in seven years, you think there may be a relevant quantum computer that can break this cryptography.
Is that on the sort of long range attack where it has as much time as it needs to derive the private key from the public key for things like Satoshi's old coins?
Or is that actually doing the Mempool attack where it can do it in quicker than nine, ten minutes?
My personal view is that the first cryptographically relevant quantum computers will be too slow to run real-time attacks.
I don't know what the gap will be between the slow clock and the fast clock.
And so I don't think that it's a good idea for stakeholders of Bitcoin to presume that one may predate the other by, you know, there's a guaranteed window of safety.
Okay. So let's get into the skepticism I have. And like I say, I'm no quantum expert, but a few things that sort of stand out to me is, like if you look at what quantum computers can do today in terms of like factorizing numbers, I think the highest they can do is 21. And I believe that was done in 2012. So why is this not moving faster? And what gives you so
much confidence that it's going to go from here to breaking cryptography in the next seven years?
Yeah. Great, great question. And by the way, like, skepticism is totally warranted and welcome
in this conversation. Again, we're dealing with, there's fundamental uncertainty, right? And this is,
again, to me, like the key fact. I'm not claiming that a quantum computer will happen. I'm not
claiming it's written on stone tablets. We don't know. Why do I think we should worry? I'll answer your question.
Okay, factoring numbers. So technically, yeah, as you pointed out, I think the record for factoring a
number was like 15 or 21. Several problems with that. One is what secures your Bitcoin is not technically
like a number in that it's an integer. It's a group element inside of an elliptic curve group.
Okay, so like, just picking a random integer out of the air and being like quantum number or quantum
computer factor this, it's already not really what is relevant.
That's thing one.
Thing two is, and by the way, like in terms of like elliptic, what you said, though, still isn't wrong, because the biggest elliptic curve group element or the biggest, like, you know, discrete logarithm problem that's been solved is somewhere in the order of like six or seven bits or something, right?
So it's still small.
Okay.
So why haven't we gone bigger than that?
I highly recommend, and I'll share a link with you for the show notes, Bas Westerbaan from Cloudflare wrote a big post about this, as did Craig Gidney, around like, hey, is factoring numbers a good metric or not?
The big TLDR is there's effectively a threshold
that you need to reach in terms of quality
for your quantum computer to be able to factor even small numbers.
But once you hit that threshold,
you can scale very, very, very, very quickly
from a very small number to a very big number.
In fact, in the Google paper that was released last week,
they actually call this out explicitly.
They say something to the effect of,
once you see evidence of a cryptographic or of a quantum computer
that could solve the discrete logarithm for a 32-bit number,
that effectively implies that you can solve it for a 256-bit number.
And by the way, just to like context here,
a 32-bit number, roughly the number of people on the planet,
a 256-bit number, roughly the number of atoms in the observable universe.
So, like, enormous, and so this is, and this is really, like, why is it like this?
It's because Shor's algorithm is so efficient.
It's like this exponential speed-up means that, like, you can run up the, you know,
kind of the size of these numbers, of the number line really, really quickly.
And by the way, a 32-bit number, just for everyone's context, is not hard to factor.
Like, classical computers, I think, forget quantum.
A classical computer can compute the factorization of like, I think, up to like 100 bits.
Okay, so like, so, okay, so in the field of quantum computing, people recognize this.
And they're like, okay, sure, we could maybe build a quantum machine that factors, you know, a 20-bit number.
But it's like, who cares?
By the way, these things are super expensive.
And by the way, like, you know, doing that would probably involve a bunch of bespoke things that wouldn't scale anyway.
And so the mentality, if you talk to any quantum physicists or any quantum people working on this, they're like, there's no point to demonstrate any of these number factorizations until you have this scalable platform where you could just factor any size number you want or any size ECDLP problem you want.
Okay. So you mentioned the Google paper there, which has been obviously big news in the last week or so. This is one of the other skepticism I have because I'm sure the most brilliant people are working on this. I think the breakthroughs that they're having, I'm sure they're incredible. I can believe that 100%. But they're all like paper breakthroughs, right? And when does the like theoretical breakthroughs? Like where do the lines intersect with the theoretical breakthroughs and the actual technological breakthroughs? The engineers building these machines.
Are they capable of building the machines that they can theorize?
Great.
So first off, it's important to note because, okay, so the Google paper, and there was a second paper
last week that I would argue is even more scientifically significant by a team out of Caltech,
but both of them are of the same character.
They are resource estimates, right?
And what is a resource estimate?
It is like, hey, taking some assumptions around what kind of quantum computer we're building,
what variant of Shor's algorithm we're running, what kind of error correction we're doing, what other optimizations we can think of. How, how small
could we make this problem, right? The Google paper and the Oratomic, which is this other paper,
are notable because they specifically focus on elliptic curve cryptography. One of the interesting
things around the study of Shor's algorithm over the past few decades is that quantum physicists,
for whatever reason, we're benchmarking Shores algorithm against RSA, which is RSA is an older
crypto system that is really not used anymore.
But one of the notable facts about it is it has very long key lengths, 2,048 bits.
It turns out that Shor's, well, I mean, we've known that Shor's algorithm really kind of runs in time related to the length of the key, right?
And so 256 bits, which is a Bitcoin key size, is much shorter than 2048 bits.
And effectively, that among many other things, when the Google and Oratomic teams looked at this, they're like, hey, if you actually
narrow the problems down to just the elliptic curve cryptography that Bitcoin uses, this gets much
easier. In the case of Google. So, okay, so these are resource estimates. All right. And we'll
talk about what the resource estimates are in a second. But maybe just to frame it, there's kind
of two paths of progress for quantum. One is, to your point, how do we move forward? We're here,
I don't know, we got however many qubits, I don't know, a thousand superconducting qubits maybe.
And how are we getting at 2000? Okay, so we're walking like, you imagine walking down a football field.
We're walking down the football field. I'm at the 10-yard line. I'm at the 20-yard line.
Okay. Then the important thing about these resource estimates is they basically set how far away the goal is that you have to get to.
And so by getting clever and, you know, reducing the requirements, you can kind of move the goal forward.
And so sometimes I hear people describe these Google papers as not, like, progress.
And it's like true that it's not the quantum computer being built.
But I guess, I mean, does it make a difference if I walk 10 feet towards a goal or the goal moves 10 feet closer?
not really, right?
I mean, it's still arguably closer, right, for all intents and purposes.
Now, that doesn't mean, though, that we should ask questions about progress.
But on that score, in the last five years, it's undeniable, in my opinion, that there has been significant progress.
Okay, so even like Google uses, and to unpack this, we're going to have to get into a little bit more detail about how quantum computers are built.
First thing to note is that a quantum computer, this is a concept describing basically a normal computer that has special quantum mechanical powers
that can be realized in a number of different ways, right?
Kind of like a regular computer can be realized in a few different ways.
Like we all use silicon-based semiconductors, but there's no reason why you couldn't use a bunch of
things to build a computer in its abstract form.
So quantum's the same.
What Google, if people are familiar with, like, if you Google quantum computer right now, what you'll find when you look for it is an image that's like a chandelier looking thing.
By the way, that whole chandelier, there's nothing quantum about it.
It's just a bunch of refrigerators because like the chandelier, you know,
this is called the superconducting qubit modality.
And basically like the way that, and this is like kind of the gen one quantum computers,
the way these work is by super, super, super cooling particles down to like a nanokelvin.
Okay.
And so that's what this, the chandelier thing is.
It's a giant refrigerator to get a couple of qubits to, maybe, like, you know, be able to do something very tiny.
Okay, so superconducting qubits basically hit a wall in the early 2020s where we added physical
qubits to them.
But unfortunately, with adding scale to those systems without addressing the errors that would
inevitably come up by virtue of the fact that quantum mechanics is very fragile and
quantum computing therefore is very fragile, like errors were outrunning the scale, the scaling,
right?
So it's like, I'm adding physical qubits and it's actually making my life worse, not better.
This, by the way, is what was the major breakthrough of the Google Willow paper.
The Google Willow paper demonstrated on a real system that, like, hey, if you set things up in a certain way and you manage the errors in a certain way, I can add physical qubits and the errors go down, not up.
And not only do they go down, they go way down, right?
And so now, so before, before 2024, this was not a settled question.
If I, could I build a one-million-qubit computer and be able to keep errors under control?
Not proven.
In 2024, it was proven that at least at small scales, you definitely could.
Now the question remains, can we scale that up and keep that below threshold behavior?
Okay.
But, you know, ultimately these chandeliers, and you can just look at a picture and be like,
okay, well, that's cool. How do we make this a million times bigger? Complicated engineering
problem, right? So this is why there's been other modalities or approaches to building a quantum
computer that don't suffer from kind of the same challenges. So in particular, there's trapped ions
and neutral atoms that are used as a substrate for quantum computing. Trapped ions, if you may have
heard of a public company, IonQ, that's kind of what they do. And then the Oratomic team, which
wrote this other paper last week, is kind of a pioneer in the, you know,
neutral atom quantum computing.
The upshot here is that both the trapped ions and the neutral atoms are more
reliable in terms of their quality.
And they're slightly, they last slightly longer.
And so they have some other tradeoffs, but like arguably, if you apply the same error
correction techniques that you apply to the Google demonstration of below threshold, you could
take that over to these different kind of approaches and then scale them up way faster.
And so actually, like a terminology that people like to talk about here is like physical qubits versus logical qubits.
You know, effectively it took Google, you know, I don't know, well, it took the superconducting field two decades to demonstrate one logical qubit, right, out of a hundred.
And in a relatively short time, like the last five years, the neutral atom computers have gone from having zero real physical qubits.
Like there were none.
Like five years ago, people had like little atomic
arrays, not qubits. To today, you actually have hundreds-of-qubit computers that have up to
48 logical qubits. And by the way, there have been entangled arrays, kind of like you can think of
these as like proto-qubits, all the way up to 6,000 qubits. Now, by the way, why is that number relevant?
Because the Oratomic paper actually describes a slow-clock quantum architecture that could potentially
run Shor's algorithm that only requires 10,000 physical qubits. So there's still, and I want to
take the pause for a second and just say like, everything I just said does not mean there are not
huge engineering challenges remaining. But I also don't think you can plausibly claim that there
has been no progress. And I think the question is now, how quick can these teams run up the
ladder? Right. And we just don't know, I think. Right.
So that's how I would kind of frame the state of the world as it is today.
Do you wish you could access cash without selling your Bitcoin?
Well, Ledn makes that possible.
They're the global leader in Bitcoin-backed lending,
and since 2018, they've issued over $9 billion in loans
with a perfect record of protecting client assets.
With Ledn, you get full custody loans with no credit checks or monthly repayments,
just easy access to dollars without selling a single sat.
Ledn exclusively offer Bitcoin-backed loans
with all collateral held by Ledn directly
or their funding partners.
Your Bitcoin's never lent out to generate interest.
I recently took out a loan with Ledn.
The whole process was super easy.
The application took me less than 15 minutes
and in a few hours I had the dollars in my account.
It was super smooth.
So if you need cash but you don't want to sell Bitcoin,
head over to ledn.io forward slash WBD
and you'll get 0.25% off your first loan.
That's L-E-D-N dot I-O slash W-B-D.
If you haven't tried out Club Orange yet, then now is the time.
It's my go-to place to find Bitcoiners whenever I'm traveling.
Club Orange is a social app built for Bitcoiners where you can find meetups and events in your area
and find merchants that are accepting Bitcoin.
There are over 19,000 Bitcoiners on there, and whether you're at home or traveling,
it's a great place to keep in touch with Bitcoiners from all over the world.
I've been using Club Orange since it was Orange Pill app and it really is awesome.
So if you're on there, drop me a DM and say hi.
And if you want to find out more and download the app,
just search for Club Orange on your app store or go to cluborange.org.
Okay, so, I mean, it gets quite technical here.
And maybe it's worth just explaining what the difference between a physical
and a logical qubit is before my next question.
Great, yeah.
And I dropped that.
I'm glad you paused so we can explain that to your audience.
Okay, so a physical qubit is a quantum bit.
Okay, qubit.
That's what I'm surprised to start there.
Quantum bit, qubit.
Okay, what is the difference between a qubit and a bit?
So a bit is the thing that's inside your computer, and it's zero or one.
But zeros and ones all the way down, right?
It's not zero and one.
It's zero or one.
Kind of the magic of qubits is they can kind of be zero and one.
And by the way, they can kind of be entangled in these complicated states.
It's not really important, but the point being is they can represent a much bigger possibility
space than zero and one.
That's exactly what makes them powerful.
You can just think about this like factoring a number.
How do you factor a number classically?
you pretty much just got to brute force it.
If I give you a seven digit number,
you're like, all right, well, is it even?
No.
Does it divide by three?
No, right?
So like quantum computers solve this
by effectively exploiting this large possibility space
the qubits give them by kind of trying everything at once.
And then collapsing the answer back down at the end.
That's very, that's like a very terrible,
if a physicist hears this, they're probably going to kill me.
But that's, like, kind of roughly, intuitively, how I'd think about it.
Okay, so that's, those were qubits.
Okay, now physical qubits are kind of,
kind of the physical way that this is realized, okay?
And how do you think of this?
Think about particles that are very, very small,
where quantum effects come into play
because quantum computers leverage quantum effects.
The problem is that quantum effects are very fragile, right?
So, like, for example, you can have two particles that are entangled, right?
There was this famous physicist Schrodinger, who he has this kind of,
there's a thought experiment on this topic, which is Schrodinger's cat, right?
Actually, sorry, this is a demonstration of
superposition, not entanglement, but it's still useful.
So Schrodinger, one of the, one of the quantum, you know,
an aspect of quantum physics is that things can kind of be in two things,
they can be two things at once.
And Schrodinger was like, okay, well, if I put a cat in a box,
is it alive or dead?
You know, and again, in quantum physics, in that world,
you don't really know if it's alive or dead until you measure it.
And it seems ridiculous, right, to consider that philosophically,
where you're like, well, the cat definitely
must be alive or dead. But in the quantum physics world, it can be both alive and dead at the
same time. Okay. So anyway, these effects, obviously it doesn't work on cats, right? Because cats are
macro scale objects. But at the very small scales, this is how it works. And by the way, just for,
everyone may not know this, but quantum field theory, which is the foundation of particle physics,
is the most accurate physical theory that has ever been created by humanity. It's accurate down
until like, I can't remember, it's like 10 nines, right?
And this has been verified.
It's like all the particle accelerators at CERN and everywhere else.
Like this is exactly what they study.
And this is every single prediction of quantum field theory effectively has been shown
to be correct.
So it's a very reliable theory.
Okay.
So now we have these physical qubits that, you know, leverage quantum mechanics, blah,
blah, blah, blah, blah.
Okay, great.
Why don't we just build a computer?
Okay, well, issue.
You know, any kind of little noise that interferes with their operation or their entanglement or their superposition, basically knocks the whole thing over.
So you got to really insulate them from noise.
In fact, it's actually impossible to insulate these things from noise because how are you going to
control the computer?
There needs to be some kind of signal.
So like, okay, so there's definitely going to be noise.
And it's, you know, bad things are going to happen.
So then the question is, how do you mitigate this?
How do you error correct, right, as you're going through the computation?
So the concept of a logical qubit is basically,
you can think of like, all right, we're going to get a bunch of physical qubits together
and we're going to do some fancy algorithms to basically make them redundant.
And so the output of these physical qubits is one or more logical qubit that we can just think
of as a reliable unit of computation without having to worry about is this thing going to fall over
or not.
So we think in terms of like physical qubits versus logical qubits. These terms get conflated
all the time. But I think the important thing for
people to recognize is that physical qubits alone
are not what you need. Ultimately, you need physical
qubits to be error corrected. And those give you
logical qubits. Those logical qubits are basically what
the building blocks are of Shor's. Okay.
So the logical qubits are the thing that matter. What's the
largest quantum computers that are built so far in terms of
logical qubits? I think it's a, so I believe it's 98
logical qubits on a trapped ion machine from Quantinuum. For a neutral atom machine, it's about 48
logical qubits. Now, one other important caveat about logical qubits is they're not all created equal.
Because ultimately, it sort of depends on how big of a computation you want to run as to
what the threshold is for a logical qubit. So you can imagine if I want to run my quantum computer
for 50 years, my logical qubit better be really,
really damn robust, right?
Which means that I've got to add a lot of physical qubits in there to make sure, right?
But if I only want to run my quantum computer for like 15 minutes, all right, well, I can
probably afford to have a more error-prone logical qubit, right?
So this is like a dial.
And this comes back to Shor's algorithm, then comes back to the Google paper, because one
of the things that the Google paper showed was like, hey, turns out, like, our calculations
show you only need 500,000 physical qubits,
and I can't remember how many logical qubits they had in there.
I think it was 1,200.
But importantly, they were like,
you only need these, like this computer to run.
It's basically like a million times, you know,
fewer operations than the old record, right?
So now two things happen.
One, you actually needed fewer physical qubits
to make the logical qubits that, like, you needed at all, right?
So you need to, like, there's a minimum width, so I have to have that many logical qubits at least.
And then you basically lowered the bar for quality because now these qubits don't have to last
forever.
Actually, to put concrete numbers on this, it was 100 billion operations before.
And the latest Google paper showed it could be done in 70 million operations, right?
That is significant, four orders of magnitude, right?
And that that means that the, like the threshold of quality is that much lower.
Okay.
So in terms of being a threat to Bitcoin, are we a couple of orders of magnitude
off that at the moment?
Yeah.
So, I mean, okay,
most operations that's ever been demonstrated,
a thousand, maybe, a few thousand.
Or in terms of number of physical qubits for a superconducting machine,
like Google was theorizing,
500,000 to a thousand,
so I don't know, two orders of magnitude.
Even the Oratomic paper,
which is the neutral atom machines,
which arguably have been advancing the best
and are the best candidate in my view
to be cryptographically relevant soonest.
You're still looking at a couple orders of magnitude,
both qubit count and reliability,
and there's a bunch of unsolved problems
around decoders and connections
and all kinds of stuff we're not even talking about, right?
So yeah, undoubtedly, we're not there.
There is no question about that.
So this is really like the big question I have around
the actual engineering challenges of building this.
Are they engineering challenges that we understand?
And it's just a case of scaling up what we already have
or are there going to be new engineering challenges with this?
Look, this is the part where I think, you know, me and your prior guest would differ.
I think, and the majority of physicists that work on quantum computers that are building them,
think, right? And so maybe they're biased because they're building these things and they like to
believe that what they're doing is relevant. They think that this is just an engineering challenge
of scaling up what we have. And I think the view, I think that is the consensus view in the field
is that the below threshold demonstration was really the key thing there, right?
Because that was a big theoretical question.
Could you even get below threshold?
That was solved.
So now I think most people believe, yes, you could scale these up.
Now, there is a question that when you scale this up, like, it's not quite so simple,
like, okay, we've got one qubit below threshold, and now we just copy and paste that a thousand times, right?
That's not how it works, obviously, right?
So there's a question like, all right, if I copy and paste a thousand,
sometimes am I still below threshold?
The answer is probably not.
And so we got to be a little bit more clever about what we're doing.
How much more clever?
It really depends on the type of machine you're building.
For the superconducting qubits, its biggest challenge is, one, you have this nanokelvin dilution
refrigerator that's extremely power hungry, extremely sensitive to any kind of temperature
fluctuations.
You have to connect all of the individual qubits physically by wires.
Right? So how many qubits you want, that's how many wires you have divided by two, I guess, or minus one.
The, you know, so that's a big challenge there.
Advantage of that system is that it runs really fast.
So back to the fast clock and like you can get all the Bitcoin, that would let you get all the Bitcoin if you could build it.
The neutral atom machines, what's their big advantage?
Or that what's their big challenge?
Their big challenge is, the paper in particular that was released last week talks about this new form of error correction
that's way more efficient.
So you're talking about potentially just, you know,
in the Google below threshold demonstration,
it was 100 physical qubits got you one logical.
In this Oratomic paper, they're like,
hey, you could get four physical qubits
to get you one logical.
That's obviously huge.
But this is a newer technique.
There is, it's not as well developed.
And by the way, you need to have classical decoders
that figure out how to apply these error corrections in real time.
So that was much more speculative there.
Their biggest advantage of the neutral atom
machines is that you can actually arbitrarily connect any two qubits together throughout the
system because they basically, the way these things work is like they trap individual neutral
atoms with lasers and you just keep shooting lasers all over the place as you're going through
as you're like kind of making this laser computer. It's kind of cool actually. So both have
significant challenges. Both have potential pathways to scale.
Neither of them has solved the engineering challenges, though.
This is one of the really hard things because I don't understand quantum computers.
I think very few people do, and probably even fewer people that understand cryptography
actually understand quantum computing.
And in Bitcoin, there's an annoying thing that happens where you have like a group of
people that just will say quantum computing is nonsense, ignore it, we don't need to worry about
this.
I don't think that's particularly helpful.
And you have the people on the other side who are like, this is going to break Bitcoin
in five years, which, again,
I don't, and that we need to like rush some kind of change, which I also don't think is
useful.
Like rushing a change is not going to be the best solution for this.
What is your take on what Bitcoiners should be doing now?
I actually think the way you just framed it is the perfect way that I think is the way
that I think about it.
Bitcoin should not rush a change.
So we don't want to be, by the way, no one who's deploying new cryptography should
rush a change.
That's not.
That goes beyond Bitcoin, right?
the best way to ensure that you're not rushing a change is to ensure that you're not surprised, right?
And by the way, in case people were just tuning in, maybe fast forward to the beginning,
Alex Pruden is not a quantum physicist, right?
And even quantum physicists cannot definitively tell you how long it's going to take to make a quantum computer.
But what they can tell you is there has been progress.
The bar has been lowered.
There are now pretty big incentives to push things to the finish line, which, by the way,
a part of those incentives involve not revealing the latest capabilities of these various machines,
and that was also part of the Google paper.
So you're getting to this world where things become more and more uncertain.
So just exactly to what you said, we don't want to rush it.
Therefore, we should just play it safe.
Even in a world where it's only a 1% chance, in my view, that a quantum computer exists by 2029,
one of these various attempts to make one, we should already be well on our way
as the Bitcoin network to having post-quantum cryptography at the very least researched and then tested
and hopefully in a world that's close to being ready to deploy. So that way, there's no risk.
Assume a different world where we just kick the can and it's 2030. By the way, by 2030, all sensitive
government systems will have migrated because the NSA has told the government, you must migrate by 2030.
And then, boom, out of nowhere comes a quantum computer in that world. And then we have to rush.
Well, that's where you're going to get a rush, right?
Because by the way, if you have a quantum computer, what are you going to do with it?
At least if you're an economically rational actor, you're going to sell it to a government so they can do espionage.
Or you're going to try and take money on Bitcoin.
I mean, you go look at that risk list.
There's 6 million Bitcoin worth a lot of money out there for the taking.
And I think people have to be naive to think that that's not going to get looked at as a juicy target.
I mean, one of the things you said there is another part of this sort of discourse that's been frustrating to me is that there's people.
out there shouting at Bitcoin developers saying you're not doing anything. And that's just like not
true. We have BIP 360 where people are working on this. What's your take on the BIP 360 stuff
and the at least potential quantum-resistant algorithms that people are working on?
First off, I want to acknowledge that being a Bitcoin developer and being an open source
developer generally is a hard and thankless job. Okay. So that is without a doubt true. And I am
very appreciative of every Bitcoin developer and, yeah, that does what they do and maintains the
core protocol. And I don't pretend that their job is easy. Look, with regard to BIP 360,
I think BIP 360 is a step in the right direction, but it's far from sufficient. What does BIP
360 do? It disables part of Taproot that effectively revealed your public key on a Taproot
transaction, right? So there's the key path spend. So what BIP 360 does is kind of disable that. So you can't make your life worse by accidentally exposing your public key. But it, and it kind of talks about in the future, maybe we'll use Tapscript to do some post-quantum stuff, but it's all very intangible. Look, I think, I think there's a bit of a risk here that people are a little bit too focused on kind of ideas and research. And people
are not focused enough on just implementing and testing this post-quantum cryptography,
because this is extremely novel and new cryptography that we're talking about,
where the stakes are as high as they're going to be anywhere.
By the way, this new cryptography comes with significant tradeoffs in terms of size of
signatures, speed of signing or verifying potentially, size of public keys,
size of private keys, like none, there's no world that we're going to go to where you're going
to have what we have today in terms of elliptic curve level performance. None. Or, and by the way,
like there's all these, there's completely new assumptions that are being baked in all over the
place that could be classically broken for all we know. So look, I think for the, so for that reason,
I think it's just important to me, I'm on a big proponent of let's ship stuff. Let's put something
out there and let's see what happens. Can it get broken? Can we put it on a Signet? Then let's put it on a
testnet. Let's just implement shrimps or shrimps or S-I-G-S-SA, whatever it is. Let's just do it.
And let's fund people who are doing that. Let's prioritize actual post-quantum cryptography
and deploy it in as many contexts, as widely as possible, as soon as possible.
I think the risk is people try and bike shed over what's the most optimal thing and, oh,
could we do this and optimize this and let's write some more papers. And, you know, it's 2030 and
we're like, oh, shit, we haven't done anything yet. We still have to do all the engineering.
See, that's an interesting take because my perspective on this has always been that we'll probably see quantum computing coming quite far out.
I know you disagree with that and we should get into that.
But if that was the case, then surely spending time just working on how to make these signatures as efficient as possible is going to be the best option.
Because if we just ship something now, it's not going to be the perfect sort of solution.
Whereas if we could spend five years researching it, we might find new ways of doing things that are, you know,
novel and make Bitcoin more efficient.
Because the trade-off here is that it's going to crush throughput, right?
Because signatures are going to be way larger.
So is it not worth spending five years researching that to make it the best upgrade we can
if we need to make a quantum-resistant change?
I think both of these positions are straw men, right?
Like on the one hand, it's clearly, like, we shouldn't rush to implement something right
now that could be suboptimal.
That would be probably not ideal.
Also, I don't think, though, like, you can always
make an argument for we should spend more time researching and making it more
optimal, because if I get the signatures down to 2,000 bytes, well, I've got a new idea, it's like
1,999 bytes. You could spend, I mean, I like, I studied cryptography at Stanford, I like
worked in a bunch of, like, frontier, like, people will do this all day long because people like to do
this. It's a fun, cool thing. But I think, and what do people not like to do, generally?
Put these things into practice, where the tradeoffs
are apparent and you just have to learn to live with them.
That is painful.
That is uncomfortable.
Everyone would much rather think of a world where they don't have those tradeoffs.
But I think the risk is you just overshoot then.
So, look, I think in my view, it's both.
There can be, there's nothing stopping
there being four different post-quantum algorithms being live on various testnets today.
And then we can have real world numbers with potentially real world network activity
that can inform what really is the tradeoff.
If not, because that's kind of the other thing with research, is, like, it's always clean-room lab
code. You're like, ah, in ideal conditions it's this. The real world is not ideal conditions, right? And so
no matter what you come up with, you're going to have to put it through those paces anyway.
Might as well use this as an opportunity to learn and inform the research. So I'm a big fan of doing
both things in parallel. Let's take what we have now, and then worst case, we're all wrong, a quantum
computer shows up tomorrow, we've got something. Or we can keep working on and iterating on these various
algorithms, make them better, and then guess what, maybe we have more time. Great, now we've all saved
ourselves some pain in the future and maybe prevented having to do a soft fork later.
Just on the like this attack coming from nowhere or having sort of prior warning,
why do you think this will come from nowhere? Because are we not going to see other systems
break before Bitcoin? Surely there are easier things to target. I feel much more confident
about this. I think, I don't, I don't think you're going to,
I don't think it's a certainty at all that you'll see other things break. First off,
it's important to note that a quantum attack like Shor's does not
come with like a signature.
Or there's not like a beacon in the sky that's like,
this was a quantum attack.
This is absolutely just going to look like someone lost control of their
private key, whether it's in the context of military communications or
whether it's in the context of an exchange wallet, it's just going to look like
something happened.
And only by a lot of back, like reverse engineering might you discover that
this was actually a quantum computer.
So, you know, and by the way, like,
in the first scenario that I highlighted around military communications,
I mean, you could see there's an obvious reason why governments,
that, by the way, are dumping hundreds of billions of dollars in quantum,
want this capability to be secret.
Like if I tell, if you're China and I'm the US, I'm like, hey, guess what?
I've got a quantum computer that breaks all your cryptography next year.
What are you going to do?
You're going to move everything.
I'd actually way rather you just think that your cryptography is fine for as long as it's fine,
and then I can just read your mail without you knowing, right?
So this is, I think, one of the really tricky things.
A good analogy to this that Scott Aaronson,
who's a physicist at UT Austin,
writes about in his blog,
is kind of what nuclear physics was like
in the late 30s, early 40s.
Basically, everyone realized that this thing might be possible.
And then they realized that they, it was very important
to control the information around it,
so as not to potentially reveal capability
before the actual bomb dropped.
So I think it's not clear, A, we'll know when it happens.
And also, I think,
back to like other systems you could target.
Okay, sure.
Like, yes, there could be some espionage type stuff.
But like, okay, let's pick another example that people often like the straw man.
SWIFT, the SWIFT, I could go attack SWIFT, right?
The interbank transfer system.
Like, SWIFT is a database effectively run by a consortium of big banks.
If something happens that they don't agree with that consortium, they're just going to roll it back.
Like it's a, it's not like a decentralized blockchain.
They're like, okay, well, does everyone agree that we should just delete
that last entry in this database? And everyone would be like, yes, I did not want that to happen.
And there you go, okay, it's done. And so your attack effectively, you've revealed that you have
this capability, you've made no money on it, right? So why is crypto or blockchain or Bitcoin
way more attractive in this way? Well, you could just make money potentially much more immediately.
And there's no easy way to roll these transactions back. In fact, that was the entire point
of Bitcoin, right? Satoshi made Bitcoin as a reaction to, like, the central banks printing money,
like the financial system was rigged and, you know, they control everything.
That was the whole point of Bitcoin.
And that means in this case, it's much more vulnerable to someone that is able to break
the underlying cryptography and potentially profit from it.
So Satoshi's coins really are the canary in the coal mine.
I guess if you were a smart attacker, you wouldn't even touch them.
Correct.
Because if they've not moved in 17 plus years, like as soon as they move, you have to
assume that's a quantum attack.
So really, you're going to go after other addresses with their public keys exposed.
So most fun parlor conversation for Bitcoiners is what would happen if you had a quantum computer, right?
Because there's like a million scenarios.
I wrote a blog post called Quantum War Games.
Nic Carter has written one as, like, a short story.
They're all kind of fun thought experiments.
I mean, the reality is we don't know.
But to your point, any public keys exposed, one potential way it could play out.
If you were smart, you didn't want to signal the canary in the coal mine, you'd go for a second or third tier exchange.
Thousands of Bitcoin easily, maybe hundreds of thousands.
Those things get hacked all the time.
So would anyone really notice?
They're like, ah, those idiots over in like, I don't know,
some countries, you know, tier three exchange.
Yeah, we lost their private keys again.
Idiots, you know, and then, but no one's the wiser, right?
I think that's just as possible as someone going after Satoshi.
The thing with Satoshi's coins that I think maybe the unique risk there is that
some of the quantum computing companies that are building these systems have expressed
to me personally in conversation that they're like,
oh, this is a business opportunity because Satoshi's coins are lost treasure.
It's like digital salvage.
It's like some Spanish galleon sunk in the Caribbean, and I can just go take the,
I can go dive down there and get the gold.
You know, obviously they don't really understand, like, what that would happen if they were to do that.
But I don't necessarily think it would stop them from trying because the attractive thing
about Satoshi's coins is kind of legally, I don't know, it's a gray area.
Is it stealing?
Is Satoshi alive?
I don't know, right?
So, you know, that's maybe a world in which that's not totally off the table.
So to implement a change here, does this need to be a hard fork or can it be a soft fork?
I have this argument with people all the time.
I think it's a distinction without a difference.
Technically, it can be a soft fork.
But I think if you're talking about burning, let's say, Satoshi's coins, if that's an aspect of your solution, that is quite controversial.
And so it might as well be a hard fork in terms of the work that you're going to have to do to get consensus around it.
So I don't think the distinction between soft fork and hard fork here is meaningful.
I think it's going to be extremely controversial.
And so we should just plan our timelines accordingly.
What's your take on the freezing of Satoshi's coins or not?
Look, ultimately, my take is the community ultimately has to decide.
And I think it's really tough because philosophically, there's two things in tension here, right?
There's the integrity of the network and the value that it represents, which is implicitly the strength of the digital gold thesis.
And there is the philosophical principles that motivated the network.
Not your keys, not your crypto.
These things are in complete tension here.
There is not an easy answer.
If you put a gun to my head and you say, hey, Alex, you have to answer the question, I probably would err on the side of burning them because I think at the end of the day, that's better economically.
I think the real challenge, though, is that it's easy when it's Satoshi's coins.
You're like, oh, whatever, Satoshi's coins.
But 15% or so of the network is estimated to be lost.
And only two thirds of that or so is Satoshi's coins.
But how do you know it's not someone who's just like, you know, all my thumb drives are in my basement, and I dig them up one day.
And now my coins are gone.
Where's the dev that pushed that update?
Where's my lawyer?
Like, it's quite fraught, right?
When you think about, on the margin, what is a lost coin?
I mean, I think that's another aspect that a lot of people don't consider: how do you deal with that?
I mean, the way that some people like Jameson Lopp have proposed is, oh, you give people a super long window, you know, 12 years.
But again, if you take that to the extreme, it's no different than just leaving them for the quantum computer, right?
But yeah, I think probably burning them is right on balance.
But, you know, again, I don't, I definitely understand and sympathize with people that have the opposite view.
Yeah, I would definitely have the opposite view there.
Only because, like, I understand the idea of the digital gold narrative.
And if those coins did get stolen by a quantum computer attack, then it's going to be really detrimental to price if you have six million coins, or however many are left at that point, hitting the market.
But if you completely undermine the property rights of Bitcoin by essentially stealing someone else's property before who you consider a bad actor steals that property, like, what is the long-term value proposition of Bitcoin then?
Like, if the property rights are broken, is the long-term value proposition way lower anyway, because you've proven you can do it once, and who's to say there's not going to be a future attack that means you have to do it again?
I just think those coins have to be stolen by a quantum computer in that situation.
Yeah.
I mean, it's hard, right?
Like this is, yeah, it's a tradeoff.
And by the way, maybe just to quantify these views, I was at the Presidio Bitcoin conference last year, where there's a bunch of core developers and supporters of Bitcoin, you know, large holders, miners, developers.
And they polled the audience, and the question was basically split down the middle.
Like, what do we do?
And so I think just the reality is the community, at least today, there is not consensus
among either the broader community or the key institutions that represent stakeholders.
Yeah, this is another part of the debate that's going to be really interesting.
I think it's a really cool sort of philosophical debate, but it's going to make the whole thing really messy.
And going back, sorry, just to quickly jump in there, it's going to make it really messy.
That means it's going to take longer than we probably expect.
That means we should start sooner, because overall it's going to be a bigger hill to climb than we think it is.
So really, if I could distill the core of my argument, it's that.
Yeah, that makes sense.
And if we have both this fast and slow attack, so any public key that's on chain now, obviously they're at risk.
But if it can also do the mempool attack, where it can derive the private key from the public key in less than 10 minutes, is there any change in the upgrade we need to make to Bitcoin for those two different attack vectors?
Or is it the same fix that fixes both?
Probably, I mean, like, ultimately it probably doesn't change that much.
Oh, I take it back.
It does change quite a bit, right?
Because if you think, for example, let's just take the case where it's fast clock attacks, or let's say a physics paper comes out tomorrow that's like, all right, quantum computers just physically cannot run faster than an hour.
It's just impossible.
Oh, in that world, as long as you continue using the Bitcoin network, you know, and not reusing your public keys, you'll probably be fine.
I mean, I think it would probably impact how practically things like multi-sigs are implemented, right?
You'd have to, I mean, people today just aren't really that diligent about rotating those,
and it would make infrastructure a pain in the ass.
But you could probably live with it.
You would just have to figure out this question of Satoshi's keys or not.
I think ultimately, though, you know, there's no, again, to the best of our physics knowledge,
there's nothing preventing a fast clock computer from existing.
And by the way, one of the things that both of these papers kind of talk about is that as you scale these systems, you can effectively run this computation more and more in parallel, and it's an exponential advantage.
So if you get even just a few more logical qubits, you can run this thing way faster.
That's, again, to the best of our knowledge, how we think it could play out.
So ultimately, I don't think we should overly focus on, let's deal with the slow clock attacks now and talk about Satoshi's coins.
I think this is a messy issue.
It's going to be a messy issue no matter what.
Let's just mash the two messy issues together and deal with it all at once.
I think that would be better than having two very controversial forks that potentially have an equal chance of splitting the community and the network.
Yeah, that's something I totally agree with.
We may as well get all the mess out the way now, do one upgrade.
So you were saying, was it 2033, you were 50-50 on whether a quantum computer will be able to break ECDSA?
So if that's the case, how quickly do we need to implement a change to it?
And again, in this scenario, let's assume they can do the mempool attack.
How quickly do we need to implement a change so enough people can move or everyone can move to quantum resistant signatures?
Okay. So my answer would be, we should start as soon as possible and move as quickly as possible, because my estimate has plenty of uncertainty to it, right?
So this is an estimate. This estimate has uncertainty. So nothing about that changes. But how long would it practically take? Let's just say 2033. So let's say we wanted to get in before that.
I mean, look, first off, coming to consensus that this is a problem, which quite frankly has only happened in the last couple of weeks.
I think there have been, like, and you highlighted a bit, BIP 360.
Look, I think the team's done great work there, but by and large, it was kind of in isolation for a long time.
And the broad view of many core developers of Bitcoin was that this is not a top priority.
Right.
And so I think first, it's probably going to take, say, six months to converge around this is actually a problem.
And then I think implementing and doing research and getting the suite of algorithms that we could potentially deploy, and then tests, that's probably going to be a couple of years, right?
And then, by the way, Bitcoin does not exist in isolation.
You have a wallet.
This wallet must support this new cryptography.
Theoretically, say you want to buy it.
That's got to be supported on Coinbase.
All of these things, like, only at that point can they all start upgrading.
And then when that's all done, let's just say you've got a multi-sig and your keys are exposed.
At the end of all that, can you send the UTXO to yourself to a new quantum-secure multisig, right?
So look, I think that's seven years.
What did I say?
2033?
Well, maybe we just make it, right?
Look, maybe, obviously it's both of these things are uncertain timelines, quantum computer
and migration.
But like, let's take an example from Bitcoin's history, recent history.
Taproot.
So Taproot was implemented over the course of around, I think, four years, right?
And by the way, there was widespread consensus that it was a good upgrade.
So there was, like, no argument.
And there were some, but I mean, there were relatively few arguments around, like, we shouldn't have it.
And even then, that was before Taproot, not necessarily post-Taproot.
Yeah, fair enough.
Yeah.
Yeah.
And even probably during Taproot, I'm sure if, you know, Pieter Wuille were here, he'd be like, oh, that's not how it went down.
But, yeah, anyway, I think on the spectrum of changes to Bitcoin, it was relatively non-controversial.
Certainly, I think, less controversial than this will be.
And so I think, I don't know, just pick your multiplier on that as well.
2x? Too much? 1.75x? Yeah, I don't know. So to me, the five to seven years probably feels right. Maybe five years is aggressive, seven is conservative. Again, if you think 2033 is the day, that means it's got to start now.
But it's not even just the change. You know, like, block space is scarce. Will people be able to move their Bitcoin in that time?
Yeah. So actually, we've done some research around this.
I mean, if you shut down the Bitcoin network for everything except for migration transactions, it would take, just based on the number of UTXOs and the block time and the block size, on the order of 75 to 100 days to migrate everything.
Now, of course, maybe you're not going to shut down the whole blockchain.
Maybe you're just going to limit it to 10% of all transactions being migration transactions.
And that gives you a year, right?
So, you know, we have to account for that.
We have to give people time to migrate.
So probably a year is minimum.
I mean, you're not going to shut down the whole blockchain, I don't think.
But, you know, maybe you could in an emergency.
I don't know.
But, yeah, broadly speaking, I think a year is probably a good planning factor to give people enough time.
I mean, miners are going to be very happy.
Oh, yeah.
Think about the fees you're willing to pay, right?
Yeah, exactly.
I mean, think about the fee.
Miners are going to be happy, especially if there's a quantum computer lurking in the corner, because think about the fees you're willing to pay then.
You're like, ooh, I got to make sure my transaction gets through, and the quantum computer is like, I'm going to front-run it. And so then the miners are going to be like, yes, pay me the fee. I guess until they get hacked by the quantum computer, and then they're screwed. But, you know, I don't know.
That's when all the miners that have moved to AI come back to Bitcoin. But it's going to be a real mess. I think I'm maybe still skeptical on those really short timelines, but I'm very willing to accept that this is probably an issue we are going to have to deal with in the future. And I think I agree with you that probably more work needs to be done, although I do think there's some interesting stuff happening there. And I also believe that, like you said, this is becoming more of an issue amongst the developer community. I think it's going to accelerate. It's going to be interesting, man.
Yeah. And I think, I mean, we'll end on an optimistic
note. There's no reason why Bitcoin can't lead the charge here. No reason at all. I mean,
Bitcoin is a financial innovation unlike almost any that's ever existed. Compared to most uses of cryptography,
I think this is one of the most important deployments
of cryptography in the world.
And it's been maintained by an open source community
of developers throughout its entire life.
The founder was totally anonymous, right?
We don't even know who they are.
And look at us now, right?
The ETFs are issued on this, it's trillions in market cap.
No reason why Bitcoin can't continue to be, you know, effectively the torch in the darkness, showing how a decentralized open source community can effect a very complex cryptographic migration.
All it takes is will.
All it takes is awareness.
And I think the last thing I would say to your listeners is don't be bystanders,
be advocates for what you think is right.
You've heard two views.
You've heard multiple views on this show around whether this is a near-term threat or
a long-term threat.
I think be involved, be an advocate.
I think one of the biggest risks that I see potentially affecting Bitcoin in the face of the quantum threat is not so much the quantum computer itself. It's the apathy, the reverse bystander effect. I'm like, ah, well, some core developers I heard are working on it, so I'm good. And look, I mean, ultimately the strength of this network comes from our collective belief in its longevity. And that, perversely, is directly correlated to how much each person is willing to invest in that, right? And part of that investment is being involved, being informed, and advocating, as a member of this community, as a holder of Bitcoin, for what you think is right. I think to me, that is the most important thing. If people take away nothing else from this podcast, that's what I would leave them with.
I mean, Alex, that would have been the perfect way to end the show, but I have one more question for you. Do we know that quantum resistant signatures will actually remain quantum resistant?
No. Short answer, no. There are two categories of quantum resistant signatures that are standardized today, and by standardized
I mean standardized by NIST, the National Institute of Standards Technology.
Broadly speaking, they're based on hash functions, which we believe are quite safe, or something called lattices.
Lattices is a bit more speculative.
Everyone likes the hash functions because we already know they're probably going to be safe in a quantum world.
The main challenge there is their size and performance.
So a lot of effort, in fact, Blockstream Research and Jonas Nick have published some work called Shrinks and Shrims, which attempts to address the size issue by making these signatures effectively limited use.
So you can only sign a million times instead of effectively infinite times.
And there's optimizations like that that are interesting to explore.
It does change.
I mean, it is still different than the way that signatures work today.
Because, importantly, if you reuse the same nonce in the signing process, you leak your private key, and then anyone can steal your Bitcoin.
Not just the quantum computer, anyone.
And so, you know, there's things like that that have to be considered. On the lattice side, lattices are what, broadly speaking, the internet is going to. So ML-KEM, which is not signatures, it's key exchange for TLS connections. ML-KEM is a lattice-based key exchange mechanism. And that's what NIST has said to Google and Cloudflare and banks: hey, this is your primary algorithm because of its performance characteristics. But look, I think broadly,
we need to be prepared for a world where the cryptography continues to be broken, because there's no mathematical guarantee that the cryptography that we're going to invent in the future, even the stuff based on hash functions, couldn't also be broken in some way. And so I think this really calls for what I guess the term in the industry is: crypto agility. People need to bake into the system the fact that the crypto they're deploying may not live forever, and there needs to be ways in which to easily migrate to new stuff. I mean, the quantum computing threat is just the most in-your-face version of this.
It's like everyone's got to move, but there's absolutely no guarantee that quantum computers can't turn out to break other things that we thought were secure, or even classical computers.
Or, by the way, AI that maybe leverages both quantum and classical computers comes up with new approaches that we had never seen coming. So yeah, and I guess maybe one cool thing,
since I gave my big speech,
and now I've got to give people something else to end on.
One cool thing to note about quantum is,
I think a lot of times the discourse around it is really negative.
But look, there's actually really cool stuff with cryptography that you can do too.
Because quantum physics is physical and kind of like the most fundamental way that we know,
you can leverage it to create new forms of cryptography and encryption and various things.
Like, one cool thing, it's a theory from many years ago that's been refined, but in simple terms, you can share key material by entangling, effectively, quantum particles.
And that sharing of key material happens not on a classical channel, right?
So there's no possible way that an adversary could intercept the transmission, because in effect it uses this weird quantum effect of entanglement such that your side and my side automatically are the same no matter what I do to my side.
And that's amazing.
It's something that's fundamentally new and cool and could honestly be the foundation for how we use Bitcoin or other forms of cryptography in the future. And again, this is just the surface. We don't even know what's below that.
Maybe there's many, many other cool things that we could do with quantum computing that, you know,
pushes forward the frontiers of cryptography and Bitcoin as well.
Very cool. Alex, I've really enjoyed this. Thank you for coming on. The next few years are
going to be a mess, and I'm going to be here for the ride. But yeah, I appreciate your time, man.
Cool. Thank you very much. Yeah. Appreciate being here. Thanks a lot.
Actually, Alex, before we close out, where do you want anyone to go to follow you or your work?
Yeah. If you want to yell at me for my views on quantum computing, you can find me at @apruden08 on X. I spend most of my time there. And also Project 11, if you want to check out the risk list, or we've written a bunch of blog posts about various things related to this topic. Project 11 spelled out, E-L-E-V-E-N dot com. That's where you can find more info about what we do.
Awesome. Thank you for the time, man. It's been great. Yeah, this is a lot of fun. Really appreciate it.
