What Bitcoin Did - WILL QUANTUM BREAK BITCOIN? W/ Hunter Beast
Episode Date: March 11, 2025. Hunter Beast is a Bitcoin researcher focused on mitigating the risks quantum computing may pose to Bitcoin. In this episode, we discuss the potential threat quantum computers pose to Bitcoin’s cryptographic security, whether Q-Day—the moment when quantum computers can break Bitcoin’s encryption—is an imminent reality, and how governments and institutions are preparing for this future. We also get into Hunter’s Bitcoin Improvement Proposal, BIP 360, which aims to introduce post-quantum cryptography to Bitcoin and the broader implications of quantum advancements, from national security to the possibility of a quantum arms race. MASSIVE THANKS TO OUR SPONSORS: IREN: https://www.iren.com/ RIVER: https://river.com/wbd ANCHORWATCH: https://www.anchorwatch.com/ CASA: https://casa.io/ LEDGER: https://www.ledger.com/ FOLLOW: Danny Knowles: https://x.com/_DannyKnowles or https://primal.net/danny Hunter Beast: https://x.com/cryptoquick
Transcript
On one side, there's like billions of dollars being spent in private industry.
On the other side, the government appears to have some concerns, and they're doing stuff.
And so, like, I'm just like, well, what is Bitcoin going to do?
What Bitcoin Did is brought to you by our lead sponsor and massive legend, IREN,
the largest NASDAQ listed Bitcoin miner using 100% renewable energy.
IREN are not just powering the Bitcoin network.
They also provide cutting-edge computing resources for AI, all backed by renewable energy.
So whether you're interested in mining Bitcoin or harnessing AI compute power,
IREN is setting the standard.
Visit iren.com to learn more, which is i-r-e-n.com.
Okay, well, Hunter Beast, great to meet you, mate.
I'm looking forward to this one.
I've been looking forward to this as well.
The quantum thing is something I've kind of ignored for a long time
because I've never seen it as sort of truly an imminent threat to Bitcoin.
But there's been some updates recently on the sort of quantum side
that might be speeding that process up.
So I want to get into everything,
but I do want to frame this.
I know almost nothing about quantum.
So I want to go right back to the start
and get into it from sort of the very basics.
But before we do that,
do you want to introduce yourself
and why you're the person I'm talking to about this?
Yeah, so I'm Hunter Beast.
I have been working in the Bitcoin space for about the past four years full time,
mostly on the RGB project, which is still in the works.
But in the middle of last year I sort of switched gears to work on a project that I found to be a bit more,
how would you say, like, just it was something that I always felt was a concern, like a very legitimate concern in Bitcoin.
Like when people bring up what people call quantum FUD, you know, I'm like, well, behind every piece of FUD is usually a kernel of truth, you know, unless it's like very pedestrian FUD, right?
But no, this is pretty potent FUD.
This has some stickiness to it.
And so, I mean, I think that every Bitcoiner should probably be just a little concerned about the threat that quantum computing could pose.
And so I started a company called Surmount Systems, and we later realized that
there was no way to, we didn't really have a good way to monetize it, so instead we turned it into a nonprofit.
And so now we have the Surmount Systems Foundation, and that's been kind of like the center I've been using for organizing a BIP and some work towards some research we've been doing and some projects that kind of help with
keeping an eye on the potential threat.
Let's just put it that way.
Okay, cool.
And when did you first, like, go down the quantum rabbit hole?
Well, that was, like, it's only been a year.
But when I went down that rabbit hole, I read a lot of books.
Quantum Computing for Everyone was one of the first books I picked up. And there were a couple other books on like programming quantum computers and things like that.
And I just wanted to get a good understanding of kind of the fundamentals and, like, how they work, what they do, you know, kind of demystify them.
And what I can say is that it is very different.
Like, it's similar but different.
Technically, everything you could do in a classical computer, you can do in a quantum computer.
They're just much more limited, at least in our current iteration of them.
But that's starting to improve as well.
So, yeah, that's basically the takeaway I have from there,
is that their capabilities are more of like a superset of classical computing.
And so it's almost like how graphics accelerators are kind of like an added capability to a computer.
So they're very much like a way to accelerate certain kinds of computation.
Okay.
So can you demystify some of this for me?
Like I say, quantum computing is something that I don't have a good understanding of.
So what is a quantum computer and how is it different to a normal computer?
Yeah, so a quantum computer will generally have the capability to store states as a form of probability or superposition.
So they can, like, store kind of like intermediary states between ones and zeros,
and because of that they can store practically infinite states between one and zero.
And is this because the qubits can be both one and zero simultaneously?
Correct.
Okay, so what does that actually allow them to do?
Well, actually they can't be exactly one and zero at the same time, right? It's either one or zero, but it's a certain probability of becoming a one or zero that you're kind of using in the circuits.
Like, you're using certain quantum gates that will adjust the probability of something becoming a one or zero depending on other inputs.
Okay. And so what's the benefit of that? Even if it's in like a limited subset, what's the benefit of that over like a normal binary computer?
Well, you can run some real bangers on there, some real banger algorithms.
One of them is called Shor's algorithm. And you can program in the public key for a Bitcoin address and it'll go through some steps and use, it needs like another piece for almost like working memory, and then it'll turn that number into potential factors, factor numbers.
And so the thing that secures elliptic curve cryptography is what's called the discrete log problem. And it's essentially a fancy name for the fact that it's difficult to factor very large numbers to find the factors to them.
And so there's kind of like this mix of elliptic curve cryptography and quantum computing that requires a good understanding of both. And I will admit I have maybe an intermediary understanding of both. But I have a sense for how it works a little bit, you know?
And then I developed some specifications as to, like, once I had a decent understanding of the problem, what we can do to mitigate against it.
Okay.
And so the big sort of problem with quantum computing, as far as I know it,
is that they'll throw errors very regularly.
So why is it that a quantum computer will throw errors where a normal computer doesn't in the same way?
Right. So there's noise that will interfere with the circuits.
And it's because they're cooled to near absolute zero in order to entangle qubits with each other.
And for that entanglement to remain undisturbed, what quantum computer programmers will do is that they'll implement error correction codes.
Or in the latest Microsoft announcement, they actually are using sort of like a quasi-particle to simulate a new state of matter called a Majorana fermion.
And Majorana fermions are much more isolated against noise while still being able to maintain quantum states and entangled states.
And so they need far fewer of them to perform computation,
whereas like with the Google Willow processor, they made a major breakthrough as well,
but it took them about a seven by seven array of physical qubits to become one logical qubit.
So with like 105 qubits, they're only able to come up with like two logical qubits.
And then with the Microsoft Majorana 1 announcement, they have eight topological qubits,
which are essentially the kind that makes use of Majorana fermions.
This episode is brought to you by AnchorWatch.
The thing that keeps me up at night is the idea of a critical error with my Bitcoin cold storage.
This is where AnchorWatch comes in.
With AnchorWatch, you're protected by their time-locked multi-sig vault
and with your own A-plus rated Lloyd's of London-backed insurance policy.
You get to hold your keys, AnchorWatch holds the risk.
Whether you're worried about inheritance planning, wrench attacks, natural disasters,
or your own mistakes, you're protected by AnchorWatch.
Rates for fully insured custody start as low as 0.55%
and are available for individual and commercial customers located in the US.
Speak to AnchorWatch for a quote and for more details about your security options and coverage.
Visit anchorwatch.com today, which is a-n-c-h-o-r-w-a-t-c-h.com.
This episode is brought to you by River,
the best place for Bitcoiners and businesses to buy Bitcoin.
With River, you can set up zero-fee recurring buys, making stacking sats effortless.
And while you're waiting for the perfect buying opportunity,
River lets you earn daily interest on your cash balance paid in Bitcoin,
which outperforms most high-yield savings accounts.
What really sets River apart is their unmatched dedication to security.
You have peace of mind knowing that River has monthly proof of reserves
and holds all Bitcoin in multi-sig cold storage.
And with US-based phone support, you'll always have someone ready to help.
To open an account, go to river.com forward slash WBD
and earn up to $100 in Bitcoin when you buy.
That's r-i-v-e-r.com slash WBD.
Okay, so I think you'll need to explain to me, what's the difference between a physical qubit and a logical qubit?
Yeah, so a logical qubit essentially is a collection of physical qubits that are arranged in such a way that they implement quantum error correction.
So that's just reducing the noise that you get from the qubits?
Correct. And so it allows the circuit to be more stable and provide like a better answer.
Okay.
And so where are we actually at with quantum computers?
Because as far as I understand it, they're pretty tiny at the moment.
They're not actually in the state that they're kind of usable.
Are these breakthroughs from like Microsoft and Google, are they really substantial?
Well, they're fundamental.
And what's interesting is that they've been working on this problem for over 20 years, like in a real way.
Like, of course, you know, they didn't start out pouring billions into quantum computing,
but they are now.
And so it definitely feels like the effort's building.
It's like, I'm forgetting the analogy, but basically it's starting to really look like they're making real progress in that field.
When it comes to Bitcoin and breaking encryption,
which is obviously what this conversation is about,
is this like a five-year problem,
a 10-year problem, a 50-year problem?
Like, where are we on that kind of trajectory?
Yeah, I mean, I hope we have at least five years.
Five years would be really good.
And, like, Matthew Corallo on the mailing list, he was like, no, it would be really great if we even had like 10 or 20 years to develop, like, the very best post-quantum cryptography for Bitcoin,
and that would be like one single algorithm that does all the things we want from it as developers that, you know, like we've been able to do with elliptic curve cryptography and Schnorr signatures,
and having, you know, signature aggregation that doesn't increase the size of the signature,
and like elliptic curve Diffie-Hellman, things like that.
Like, if we could have, you know, something like that for post-quantum cryptography, that would be really cool.
If we could prove that lattice cryptography is, like, a valid way to secure against quantum computers, that would also be important.
And, like, coming up with, like, just harder hash algorithms, making sure that hash algorithms are more resistant against other algorithms that quantum computers can run, like Grover's algorithm.
And so, Grover's algorithm is for, so like, Shor's algorithm is for factoring large numbers, whereas Grover's algorithm is more like reversing, like getting the inputs to a black box function based on its output.
And so you can essentially reverse a hash that way, whereas with Shor's algorithm, you can reverse an elliptic curve signature. Well, public key.
Well, with the quantum computers we have today, how many logical qubits do they have, like, operationally running?
Well, so, like, IBM has a quantum computer that has about 150 qubits.
They've had that for a little while.
You can just, like, they actually give out free credits every week, and you can run, like, limited quantum computing programs on there,
or if you want to run more involved quantum circuits, you can pay them $1.60 a second,
and it works out to be like $5,000 an hour for running on one of their machines.
And also, I'm not even sure they're even breaking even on that.
Like, their machines are so expensive that, like, even that is, might be, I don't know.
And so like, really we're in like maybe the low hundreds at best.
And that's for physical uncorrected qubits.
But so, you could implement quantum error correction codes with those qubits, but you wouldn't get much with them.
You'd get maybe like two or three, basically.
So we're at two or three logical qubits?
Yeah, exactly.
Okay.
And if we get to the point where these are powerful enough to break encryption, how many logical
qubits do they need to get to?
About 1,500.
Okay.
So that obviously seems a long way off, but do you think with these advancements that they've
had, that's closer than we think?
They have made some very fundamental improvements in the approach that they're taking.
Microsoft sounds pretty confident, and hopefully, you know, the confidence is warranted.
I would hate for them to be lying to their shareholders, right?
Like, so there's that.
And that said, many physicists are very skeptical,
at least something I've heard,
is that there are physicists who are skeptical of what they've put together.
And so there's a lot of skepticism going around, you know,
and there's also a lot of bold claims, right?
So, like, it can be very difficult to figure out exactly
where we're at, like, even if you're in the thick of it, like, just reading every announcement
and looking into them and listening to what other people are saying, it's kind of, I feel like we're
in a quantum superposition already, you know?
And so one of the things that I'm unsure of is, if they do manage to get to the point
where they can break encryption, where does, like, Bitcoin fall on the list? Like, what are the first
things that are going to break?
Well, that would be the signatures.
So, like, basically when you go to sign a transaction for, like, coins sent to an address, you have to create a cryptographic signature and reveal your public key for that to be validated.
And so for that spend to be validated by other nodes on the network.
And so, yeah, the low-hanging fruit is definitely signatures.
Are we going to see like national security encryption get broken and planes falling out
the sky and bank encryption get broken?
Or is like where does it or is Bitcoin going to be kind of top of the list because
there's potentially such a big honeypot there?
Well, like the problem with the other systems is that if you break them, it's only going to be temporary.
Like they can repair them, right?
They can upgrade them.
They can reverse the ledger if they wanted to.
They can track down people who steal funds through the existing financial system, right?
Like, so it really is like, how would you say, just prohibitive, I would say, in terms of your rewards if you were to target the existing system, if you're a financially motivated attacker.
I see. Okay. So that makes sense. So if it's the public-private key pair that's like the kind of low-hanging fruit, I guess Satoshi's keys are going to be like the canary in the coal mine for this.
They could be, but like the thing about Satoshi's coins is that they are spread out amongst tens of thousands of public keys.
And so they're about 50 Bitcoin each. So it's not like one big address honeypot, right?
And the 50 Bitcoin is because that was the epoch one block reward, right?
Yeah.
The bigger honeypot is probably actually maybe the Binance or Kraken cold wallets, because those have been spent from.
We have the public key for that on chain.
And that's the other problem is like there are three, generally there are three vulnerable address types.
There are pay-to-public-key, which is what Satoshi's coins were in.
There's reused addresses, so basically any address type that you've received funds to and then spent from, and then finally Taproot addresses.
Okay.
So can we go through them?
because so Satoshi's coins are pay-to-public-key,
which was like the only address type then as far as I understand it,
which means when he was signing a transaction, the public key actually goes on chain.
So why is that the easiest one to attack?
Because, well, I mean, they're all kind of the same amount of difficulty.
It's just like, all of them can give you a 65-byte public key, right? Or a 64-byte public key, in terms of the math of things.
But if you, yeah, so like, it's really all about like the amount and also how much you think you can get away with.
And like, you know, maybe there's some like imitation game type theory where you'll try to take something, maybe not the big Kraken and Binance cold wallets, you'll take something smaller, like that people aren't necessarily watching so closely, and maybe try to take that first and maximize your earnings.
And then, of course, you'll, like, dump into something like fiat, which, you know, you can then depend on, even if there are, like, quantum computers attacking the system, you could depend on the authorities to, you know, protect that kind of activity.
And so there's also certain ways you can use Bitcoin for it to behave in sort of like a quantum-aware way, in that, if you're aware of the quantum threat, you can design certain protocols for working with addresses and spends,
and just like spend time avoiding doing certain things to make it more difficult for a quantum attacker to take those funds.
And that's something I've also been researching.
But regardless, that does not require a soft fork.
But that said, the best solution, in my opinion, would be a soft fork that introduces a new kind of cryptography that's resistant to quantum computers.
Okay, so let's get into how a quantum computer would actually derive a private key from a public key.
Is it just a case of it's more powerful so it can brute force it?
Or how does that work?
Well, the way the Google Willow white paper described it was they observed such a high degree of efficiency that it's not really thermodynamically possible to perform that much computation unless it's doing work in parallel universes.
What does that mean?
Well, when
matter becomes entangled,
like when you have like a particle
that's entangled with another particle,
it really does seem like
that's your window into another universe.
Okay.
I don't understand that though.
You're going to have to explain that to me more.
Yeah.
So like quantum entanglement is tricky and weird, and I'll admit I don't fully understand it other than just that, like, that's what it's looking like.
And also, humanity doesn't really quite understand parallel universes that well either.
So it's possible that through this technology we will discover more about like what that actually means.
But that's, I mean, I can send you a snippet of the Willow white paper. It's really kind of juicy. It's like, I'm sorry, the what? You know?
Like, I feel you. Like, I feel you. I want to double click on that too. I think just about everybody does. Like, we just don't know. Like, in some ways, we don't know. We only have theories as to why these computers are so much more powerful than a classical computer is. But, I mean, yeah, that blows our mind.
I need to know more about that. But we know for a fact that it will break ECDSA?
If you have enough qubits that are error corrected, we know exactly the circuit that you would build to take a public key, load it in, and then turn that into a private key.
Now, the devil's always in the details, but that's essentially, like, you know, the threat model.
So, okay, so we know that all private keys are potentially compromised in this scenario then.
No, actually, let's not jump to that conclusion.
That's the second.
This is a little, so anytime a public key is revealed, that would be when you're vulnerable.
Yeah, okay.
Right.
But like all private keys, when they're turned into public keys, the public key can be hashed, right?
And so essentially, if you hash your public key and you put the hash of that public key on chain, that's safe.
And so any address that starts with bc1q, that's like a native SegWit address, that's going to be fine. Any address that starts with the number one, that's going to be fine, so long as you don't reuse that address.
You receive funds to it, but then if you spent from that again, then you've reused it, and you've already revealed the public key for that, so it's not safe.
But if you're using a proper HD wallet, like a hierarchical deterministic wallet that's BIP 32 compatible, right, like a BIP 32 wallet, and it generates a new address for you each time you use one, or even each time you request one, then you're going to be okay.
It's just when you reuse addresses or if you're using Taproot.
I think that would be another pitfall that viewers might actually be thinking about.
Okay, so if we know that the SegWit addresses are safe, then why do we need to move to a quantum resistant algorithm?
Well, because when you spend from them, an attacker with a sufficiently powerful quantum computer could take your transaction in the mempool.
I see.
Yeah.
So, like, any time you spend from your coins, you have to reveal your public key at that point.
And when you put it in the mempool and, like, everybody can see it, then, because it's on all the nodes, then that's when the attacker could go ahead and do their thing before the transaction is mined.
And even if it is mined, sometimes there are like reorgs and orphaned blocks, and those public keys are then available and the transaction might not technically have been mined.
So there's definitely like a lot of considerations when you're thinking about a potential quantum threat model.
Okay. And so this is just a stopgap then.
And this isn't a long-term solution for everyone.
But theoretically, in a world where we have quantum computers that can do this, if you were using SegWit addresses and sending transactions out of band directly to miners, would that get around this issue?
Well, yeah, except it doesn't solve for the problem of orphan blocks.
But yeah, like that's one that definitely increases your security substantially.
The only problem is like that kind of sucks, right, because you don't have like a free mempool anymore, and like, it's not the ideal solution.
It's one of, like, there's definitely like services out there, like Slipstream for example, that you could use. Like if you were to just create the transaction hex in, say, Blue Wallet, and then copy that and then put it in Slipstream instead, and make sure you have a high enough fee rate for it to be selected in the next block, then that's a much better, much safer thing to do than just publishing the transaction to the network.
But it's a shame solution. It really, it's not fair. It's not like a fair market, right?
And so, in order for us to preserve the free market of the mempool, we need to essentially come up with a better one. Yeah, that
makes sense. Okay, before we get into the solutions that you've kind of put forward for this, what would it mean for mining?
So, mining is a little different.
So it depends. Like, I haven't seen a lot of academic literature on how SHA-256, and in particular how, like, Bitcoin mining based on the difficulty, right, could potentially be compromised by a quantum computer.
We believe it can be. I just, I'm not aware of the exact algorithm that you would use other than just that it would probably be based on Grover's algorithm.
It would be using Grover's algorithm, but it would be an implementation of it that was specific for the purpose of Bitcoin mining.
And when you say compromise, does that mean that the quantum computers will be able to outcompete the ASICs that we have right now, or is it something different?
I've heard some people say they might. I've heard some people say, like, they might substantially, they might just be competitive. It's hard to say.
Like, there might be kind of a middle ground where they're very good, but, like, you know, like one quantum computer that costs a million dollars could replace, you know, 10,000 ASICs, right? Like then, you know, we're still in good shape because then everybody will just update to quantum miners.
Okay. So you've proposed BIP 360.
Do you want to explain what that is?
Yeah. So BIP 360, a Bitcoin improvement proposal.
They're actually, there are gaps in between them, by the way. I can't say it's the 360th one. It's just BIP 360. That's what it's called.
And it is specifying a new address format, or what they call an output type, actually, is the technical term for it, that starts with bc1r.
And it will essentially be a hash of a hash of a public key that comes from a post-quantum cryptography signature algorithm.
And so post-quantum cryptography, or PQC, allows you to...
Basically, the way it works is it... It's just...
The whole idea behind post-quantum cryptography is just to make it substantially harder for a signature or public key to... for a quantum computer to do anything useful over it, essentially.
And also, to be clear, hash algorithms are much harder for quantum computers to work over than signature algorithms.
And so Grover's algorithm, as I mentioned earlier, works over hashes.
It scales in a way that is not as efficient as public-key elliptic curve cryptography.
Okay, so one of the big benefits with elliptic curve cryptography and Schnorr signatures is that they're very old algorithms that we have seen, like, tested for a very long time.
Are these post-quantum algorithms new?
Yeah, so one thing is, well, yes and no.
So, for example, secp256k1 was specified in 2000, and we've had it for 25 years now, and it's worked pretty well so far.
There are a couple, like, post-quantum algorithms that use hashes.
They're hash-based post-quantum cryptography signature algorithms.
There are a couple that are even older than that, though.
One is from 1977.
Leslie Lamport came up with the Lamport signature that uses hashes.
It's very large signature size and public-key size.
In total, it would be like 80 kilobytes, but they are known to be secure, and those have been around for a very long time.
Similarly, there's also another one, Winternitz OTS, one-time signature, that came out a few years after that in the 80s, and that also is slightly smaller, but has its own limitations.
In fact, one of the limitations is that if you were to ever reuse it, people could come up with the private key for it.
So that's why it's called a one-time signature.
So anyway, things like that.
And this might be a stupid question,
but how do we actually know they're quantum secure?
So they're believed to be quantum secure.
They're believed to be hard problems for quantum computers to solve.
And like, for example, if it uses a hash algorithm, we know that hash algorithms are difficult for quantum computers to solve, in that they're more difficult than elliptic curve cryptography or factoring large numbers like RSA or ECC.
And so like the hash algorithms are kind of, hashes are kind of like a level above, like quite a bit harder for quantum computers to solve, but they're not impossible.
And so there's also been work put towards what's called lattice cryptography,
and that is essentially doing, like, signatures in higher dimensions,
and so we believe that by, like, increasing the dimensionality of the problem, we can make it more difficult for quantum computers to, like, parallelize.
This episode is also brought to you by Ledger.
If you're serious about protecting your Bitcoin, Ledger has the solution you need.
Their hardware wallets give you complete control over your private keys,
ensuring that your Bitcoin stay safe from hacks, phishing and malware.
With Ledger's easy-to-use devices and the Ledger Live app, managing your Bitcoin has never been more convenient.
Whether you're a long-time holder or new to the world of Bitcoin, Ledger makes it simple to keep your assets protected.
If you want to find out more, visit ledger.com and secure your Bitcoin today.
That's L-E-D-G-E-R.com.
This episode is brought to you by CASA, the leading Bitcoin self-custody solution.
I've been using CASA since 2019, and I can't recommend them enough.
CASA have options for all Bitcoiners from a two of three multi-sig to a three of five and a private client option for absolute best in class security.
CASA also do inheritance, which I very recently set up and it really couldn't be easier.
My inheritance plan has gone from a vague treasure map for my wife to a rock solid security plan that I have total confidence in.
To find out more about CASA, go to casa.io, which is c-a-s-a dot i-o.
Okay, and we'll get into exactly what this means for Bitcoin, but if we were to implement something like this, is it a like one-time thing that fixes it forever, or is this going to be like an ongoing thing?
Well, if we had the perfect algorithm, like Matt Corallo mentioned on the Bitcoin dev mailing list, then, of course, we'd just upgrade to that and that would be fine.
But unfortunately, we don't have that. We're not anywhere near that. We need like a good 10 or 20 more years of post-quantum cryptography research to get us like the perfect thing.
And so that's why in BIP 360 we actually specify three different algorithms, because we don't know which of them will ever prove to be unreliable.
And so like if one breaks or two break, you at least have a third, right?
And so it really is just like the best of what we have now.
And so essentially BIP 360, it's not perfect, but it's the best of what we have now.
And so I just want this out there and us to have the software for it.
and we're actually going to build it.
And we're hoping, we're hoping actually to have a working implementation by the end of the year.
The intention ultimately is that we're not scrambling.
We're not like, we have, like, you know, look, like, if there is a, say, a Q-Day, right?
Like, there's a, like, we come to realize that Bitcoin has been
compromised by quantum computers.
Then if we ever see that,
if that ever occurs, then we have a way to potentially mitigate against that.
And so this is good for Q-Day.
This is also good for also if we just get a general sense that, you know,
like this is where quantum computers are going,
and there's a growing consensus that quantum computers could be a very real concern
more than just like an 8-qubit experimental quasi-particle, you know,
setup, right? Like if Microsoft suddenly has, you know, a thousand or two thousand Majorana fermion
qubits, right, topological qubits, then, like, that would be like, okay, guys, like,
we might need to think a little bit more seriously about this. Yeah, exactly. So in terms of,
like, your goal for this, in the ideal scenario, is it that we wait 10, 20 years, however
long it needs to find the perfect quantum resistant algorithm.
Or do you think we need to move forward with BIP 360 sooner than that?
Like, what I guess the question is, is this like you trying to open the conversation
and start something happening rather than you thinking this is the right solution?
Well, I think this is the right solution for right now if we're ever needed.
It's just like it really is like anyone's guess, whether we have 10 or 20 or maybe it's a
complete boondoggle, right? Maybe it's a complete, like, who knows what? Like, it's, you know,
it's, we really just don't know. And the fact that we don't know is essentially a source of fear.
And I think one of the best ways to, like, address that fear is to have a solution waiting in the
wings and, like, you know, basically ready to go if we ever need it. And, uh, and, uh,
like it has actual real code and a real spec and a real implementation, you know, just like, and
we're able to see how it works, we're able to see, you know, like if there's any impact
in block verification time, right, like, or how a node scales through regular usage,
things like that. I want to see that scaled on test, like, I want to run this on testnet
and see, you know, how this actually works with real money, yeah.
And so what are the effects on Bitcoin from this upgrade?
Is it that keys are way bigger and blocks take longer to validate?
Yeah, so blocks are bigger to validate, and they can also, in certain
configurations of the signature algorithms, potentially take a good amount of time longer to verify.
Maybe not.
Actually, it's, I wouldn't say a good amount. It's actually like roughly equivalent, but like it would be something like two to four times slower, which is not terrible compared to, like, you know, one signature algorithm we evaluated actually made things 15,000 times slower. And the reason why we evaluated it was because it produced substantially shorter, like smaller, public keys and signature sizes
to the point where we might not even need to, like, do anything special about, say, increasing a discount or increasing a block size, right?
Like, but the problem is it makes the block, like if a block took a second to verify normally, it would take four hours to verify if it was full of that kind of signature algorithm.
So things like that, that aren't completely obvious at first, and then you just sort of, like, dig into it a little bit more and you're like, oh no, this actually won't work.
And so things like that, I want to kind of, like, I want to make sure there aren't any obvious pitfalls.
And that's why I want to actually just write the code and then get it out there and see how it works.
And then we'll have a better idea of like if this is, you know, a good design or not.
And if it is, then we'll have potentially like a solution.
and for those who are concerned or fear-mongering or saying Bitcoin is going to die due to quantum computers,
well, we can just point them to BIP 360 and say, well, no, we have a plan.
You mentioned block size there.
Do you have an idea of what this will do to block sizes?
Well, so that's, just to be clear, BIP 360 is a soft fork.
So it's not like a wholesale increase in block size.
it is essentially adding a new field to the transaction similar to the witness.
We call it an attestation.
It's just a synonym for a witness, but it's a different, it's a different, it has different rules.
And so we just need a different name for it.
And so, yeah, the, the attestation, yeah, if you stuff it full of, like, so it depends, it depends.
Like, so first of all, the attestation is a,
much stricter rule set, only valid public keys and signatures. Only valid public keys and
signatures can go into the attestation. So they have to sign for the transaction. And then
also they have to be committed to in advance. And although you can do like a threshold signature
and you can like kind of like put a hash there instead, you will always still need
to provide a valid public key and signature.
And so that's that really just dramatically reduces
the amount of shenanigans that can be had with an attestation
versus like a witness.
And so there's that.
And, if we were to provide a, say, a 16x discount
versus the 4x discount that SegWit provided, if we were to,
in the software we could,
call it QuBit with a capital B.
A QuBit discount of 16x would result in,
worst case scenario, 16 megabyte blocks when they're serialized on disk.
They're not, you know, like, it's not raising the 1 million,
the 1 million vbyte, right?
Like, cap.
It's just
fudging the math on how we account for the size of the block, the weight of the block, what they call,
this terminology that they came out with in the SegWit days that we've been wrestling with ever since.
But yeah, if we just like quadruple that discount, then that should be relatively sufficient for us to maintain roughly the same amount of throughput.
It might be a little reduced if every transaction is a post-quantanical retirement transaction.
It'll be somewhere between.
So, like, also, one thing to understand is that because we're providing three different signature algorithms,
we can also, like, users will choose how many they want to put on their transaction,
or the address, really, to encumber their address with.
It's almost like a multi-sig, but in a quantum perspective.
And so like you're having like you're basically tripling, you could potentially triple the number of signatures you put on an ordinary transaction.
If you were like using all three different algorithms, if you were particularly paranoid about, you know, when you want to go spend these coins.
So like if you are Kraken or Binance or Bitfinex or Coinbase or MicroStrategy,
right? Like if you're one of these big institutional players with a large amount of coins that you want to secure,
then you'd probably want to increase the number of signatures you include in your transaction. And so
that would be something like no more than 20x, larger if you use all three. So it's somewhere between
two and 20 depending on like how badly you want to secure your coins, like how much value you want.
to secure. And in a way that also leads to kind of like an MEV kind of behavior and that like some
some of the really high value transactions will pay more, not only in fee rate, but also in for these
signatures. And also it, so in that way, it kind of also addresses the security budget concern because,
you know, like some people have proposed reducing the block size and I'm like, well, why not just
make transactions bigger? So just to like try and put that into layman terms, so I'm
understand. Does that mean that instead of having like whatever we have now, 4,000 transactions
in the block, it might be a thousand transactions in the block? Yeah, like maybe more like
3000, uh, one or one to three thousand, yeah, like still in the thousands. Okay. So it's not like
the biggest reduction in the world. Um, so what has the, like, general reception of this been like
in dev circles? Uh, well, um,
The developers, so there's definitely like, pretty much every core dev I've talked to or anybody who's like a longstanding, like, contributor to Bitcoin is just entirely skeptical that like, you know, we're going to see any, we have any concern.
And like Peter Woolley, right, he.
He was the one who, actually, can you help me with the pronunciation of his name?
You know, you would know it.
Well, I thought it was Peter Willer, yeah.
I think you got it.
Well, okay, great.
So, awesome.
Well, if I'm getting that from a European, then actually, not European, you're Australian.
That's different.
Well, I'm English, but I live in Australia.
Oh, okay, cool.
Yeah.
But yeah, I thought it was Peter Willer.
Okay, Willer.
Okay.
So Pieter Wuille, he's the guy who basically, for those who don't know, he implemented Taproot,
or really just kind of like pushed it through along with Jeremy Rubin and his contributions to that.
But he was also one of the contributors, kind of like he's the lead maintainer of the secp256k1 implementation used by Bitcoin.
and OG legendary dev
Oh yeah
Amazing guy
Like legendary dev
Exactly OG
Very talented
And he's answered so many questions
I've asked on Bitcoin Stack Exchange, him and Murch
Right
Legends right
So Pieter Wuille
He's
He acknowledges like
This is a potential threat model
But he also is still
skeptical that it will ever happen.
And he also has recommended that we potentially confiscate vulnerable coins because it could definitely,
like he said, according to him, he says that it would, like, we, of course we have to do this,
you know, and I'm like, wait, of course not, I don't think so.
I don't think, of course, we need to confiscate all the vulnerable coins.
But, you know, it's, that's a different line of discussion altogether.
But I think that's a really interesting line of discussion.
So I very briefly spoke about the quantum stuff with Alex Leishman when he was on the show.
And one of the things he brought up was this idea that in like a post-quantum world,
all those old coins that are vulnerable, like Satoshi's coins being a perfect example,
like they've never moved.
We assume they're never going to move.
And in a post-quantum world, something has to happen with them.
Either Satoshi moves them, which I don't think is likely, they get confiscated, like you say, or they get stolen.
And I feel like there's a kind of an analogy to the Ethereum DAO hack, where it's like it's a very kind of critical moment where we have to be really careful about what we do.
And I don't think confiscation is a viable solution at all.
Yeah, I think it's a terrible idea, in my opinion, that's like kind of breaking one of the original promises are free of money.
right? Like censorship resistance. And so, um, there's that. Uh, there's also like, you know,
the, there, there is one potential compromise I've heard, uh, that, you know, might, like,
be a good, like, you know, uh, middle ground between the confiscators and the liquidators, right?
and that is to restrict the spending of pay-to-public-key addresses to one per block.
And so even if quantum computers are going at it at that point, like before Q-Day, like one per block,
like we hardly ever see them anyway, so like you'll be able to get it through just fine.
after Q-day, it'll be a free-for-all.
And instead of, like, you know,
there being, like, you know, a bunch of,
um, uh, like, uh, transactions going into a block,
going right to straight to Coinbase and it's like a sudden exit rush of liquidity, right?
Uh, instead of doing that, uh, we could just, uh,
like kind of throttle that bandwidth down and to like just,
according to consensus rules, miners can only include in a valid block one pay-to-public-key
spend transaction. And so if they were to do that, then they would smooth out basically
that potential exit. And there's like about 34,000 pay-to-public-key keys. And so it would take like basically,
It would lengthen it over the course of a year or so because there's about 50,000 blocks in a year.
So you're saying that the general pushback from the dev community is that this is just not important.
And this is something you hear a lot in Bitcoin.
A lot of Bitcoiners just assume that this isn't a real threat.
We don't have to worry about it.
I hope they're right.
In many ways, I hope they're right.
Well, I hope they're right too.
But what is it that you're seeing that makes you think they're not right? Well, just that, okay,
yeah, so that's a great question. So there are, you know, uh, multiple billions of dollars being poured
into these programs, uh, these quantum computing programs. There, uh, there are, uh, companies like
Microsoft, Amazon, Intel, Google, uh, IBM, uh, they all have big
quantum computing programs, very well funded.
They also have, there's also like small startups like
PsiQuantum, Rigetti, IonQ, that are also looking into this.
And then there's also defense contractors like Honeywell and Raytheon.
And there's also a company the U.S. has.
It's a really interesting company.
It's called In-Q-Tel.
It's apparently a...
CIA.
Yeah.
So they, so we have no idea also, just
to be clear, if somebody even has a good enough quantum computer, because there have been some real
spooks, you know, like going at this for even a longer time than, uh, even private industry has
been. Interesting. So can we put our tinfoil hat on for a second? Because one of the questions
that I have is that like, Bitcoin's obviously one part of this, but if all encryption breaks,
there's no secrets anywhere, right? And so if we, if, like, all governments'
secrets were now out in the open, that's obviously a mask off moment in a way that we can't even
imagine. If we use the like they, I don't know who they are, but do you think they will let
quantum computing get to that point? Oh, yeah. I mean, like, if, if, like, it's arguable that
they already have that capability and they're just like, kind of, you know, like, uh, uh,
churning through records in their Utah facility already, right? Like, that could be the case. Um,
There's also, like, I'm not sure I 100% understand your question.
Like, you're saying like, will the authorities?
Like, do the three-letter agencies let this happen because then all their secrets are out?
Okay.
So the federal government has a guideline for this.
It's called the CNSA 2.0.
And it's basically their like roadmap for how we handle the potential threat of quantum computers.
and they're basically saying that we need to stop using elliptic curve cryptography in new systems by the year 2030.
That's only five years away.
And by the year 2035, we need to have completely sunset our use of elliptic curve cryptography in government systems.
So they're preparing for this.
They are preparing for this.
So on one side, there's like billions of dollars being spent in private industry.
On the other side, the government appears to have some concerns.
and they're doing stuff.
And so, like, I'm just like, well, what is Bitcoin going to do?
Because, like, it's not like we can just roll back the ledger, you know, like, I mean,
I guess we could, but that would fucking suck.
And also, just to be clear, also, Ethereum, which has a lot more centralized governance
than Bitcoin and regularly hard forks, they had this big hack, and they were not able
to get their governance structure in a way that would reverse that flow.
And it's arguable that they couldn't have because now there's like tether.
Are you talking about the Bybit hack here?
Yeah, the Bybit hack, exactly.
And they moved it all into Tether, and so like the Tether bridge isn't going to want to, like,
readjust, you know.
And so like there's like there's a limited amount of time.
that you could roll back a chain as significant economic activity occurs on it.
And at which point, like, you know, it might just be too late when we realize that, you know,
there has been a hack that can be somehow attributed to being due to a quantum computer,
even though that's very difficult to prove.
So what's your, like, goal with this now?
Is it to, because if the devs aren't really on board with this, like, is it now just like an
education thing for you where you need to get out and explain what you're doing and why you're doing it?
That's essentially one of the things I'm doing. Yeah, I'm going out to different conferences and
advocating for this BIP and trying to establish support and consensus in addition to actually
implementing it. And so I hope that this is like taken seriously as a potential solution.
and maybe there are better ones.
I'd like to see people work on better ones.
Because, you know, like, I mean, I've, I, I've only been working in Bitcoin full time for four years.
So I have, you know, my limitations and my understandings of Bitcoin even still.
Like, you could work on Bitcoin for 10 years and you could still, there's still things you could probably not know about it.
And so it's, yeah, like, it's, there's a joke that, like, people will,
start with Bitcoin before going into other cryptocurrencies to learn about them,
and then they just never stop learning about Bitcoin because there's too much to know.
The interesting thing here is down to consensus, right?
We know that with things like CTV, which I would love to see in Bitcoin,
getting that implemented is going to be hard because it's not urgent.
What do you think, like if this gets to a point where it does become urgent,
Do you think there's going to be, it's going to be easy to gain consenters, or do you think that's still going to be a big push?
It should always be a big push, right?
Like, it always should be a mind and mental undertaking to ever want to change Bitcoin.
I'm very much in the ossifiers camp, just because, like, this is a one to two trillion dollar asset class.
You know, like, I would hate to break it.
We have to be very rigorous and make a very good
case, a very well-reasoned, obvious case for it to be a no-brainer to upgrade to it,
right? Otherwise, it would compromise the very reason why we're here, right? So, no, I mean,
like, as much as I love Jeremy Rubin's work in CTV and as cool as that is and CSFS, I hope that,
you know, I mean, a part of me is like, I hope we get that because that looks really cool. But then
the other part of me is like, well, but also there's like two trillion.
dollars that we're securing here and so we also need to be really careful. That's interesting to
say you say you're in the ossifier camp because I would have assumed with the work that you're doing,
you'd be like a strong push for these new upgrades. I mean, I understand them very well. I've worked
very closely with a lot of people who are like in that field and it would be very cool if we have
that. But like, and I wouldn't say,
say I'm a complete 100% ossifier. In fact, a lot of people who call themselves
ossifiers probably would make an exception if Bitcoin's security were completely compromised,
right? Definitely. So like, like for like very like it has to be a very good reason for us to
upgrade in my opinion. Um, you know, like some, the counter argument of course is that like, you
know, uh, Bitcoin could be a 10 trillion dollar asset class only if we had covenants,
you know, uh, something like that. And I'd be like, well,
maybe that could also be the case for quantum resistance.
Like, maybe that's what's holding us back.
So, you know, like, there's, it's really hard to say.
It's hard to predict the future.
There's a lot of unknowns.
And, like, the work we're doing is to de-risk that.
I don't know if, like, CTV or CSFS can be de-risked more than they already have been,
just because they've been around for so long.
Yeah.
Whereas BIP 360 has only been around for,
like maybe at most, if I'm being generous, like at most, maybe about a year.
And so it definitely needs some more time in the oven, need some more tweaks, need some more,
like, just love.
And hopefully, you know, we'll follow its evolution.
But, yeah, that's, we're working hard on it.
And hopefully we'll have a good solution for if it ever is needed.
Like, and, you know, I mean, I, I, I, I,
I'm a Bitcoiner, first and foremost.
I'm not like, you know, fully invested in this quantum thing.
And so, like, you know, I would be perfectly happy if quantum computers were just like this fool's errand.
And like, or, or maybe they can solve, you know, the things they want to solve with them, like,
uh, simulating fusion power or like coming up with enzymes for forever chemicals, right?
Like, that would be pretty cool.
if they could do that without also breaking Bitcoin.
But that's a big if.
Yeah, it's really hard for me to say where I stand on BIP 360
because I don't understand how imminent the threat of quantum computers is.
But if it is real and if it does turn into something,
then I'm very glad that this conversation is starting.
I guess that's where I'd be.
I'm glad the conversation's happening,
but there's obvious trade-offs to Bitcoin that,
unless this is a very real, very imminent threat,
I wouldn't be interested in.
Does that make sense?
Oh, yeah, without a doubt.
Without a doubt.
Yeah.
I mean, like, it's just like, it really is the kind of thing where, like, I just want people to have in the back of their minds as they're reading these FUD articles, you know, coming out that like, oh, Bitcoin's going to die because now we have Majorana fermions.
Like, you know, hopefully that, like, the fact that BIP 360 exists keeps people from running away from Bitcoin.
Yeah.
Yeah, that's fair.
So you said in the dev community, it's kind of been a bit nonchalant in terms of the response to this.
Outside of the dev community, what has the response been?
Are you an attack on Bitcoin yet?
Actually, you know, what's so funny is that although I have been called an attack on Bitcoin,
whenever I'm doing an in-person event, like what we just had, we handed out a bunch of hats,
It was really cool.
BIP 360 hats.
And we're going to be doing a BitDevs dedicated to BIP 360 on 3/6, at least in North America,
we'd call it March 6.
Yeah, on 6.
Nope, different bit.
Yeah.
So, no, BIP 360 day is, yeah, that's, yeah, we're doing a BitDevs then and then.
And, but regardless, even the events that we had last week were, uh, people would come up to me
and just thank me for the work that I'm doing because, you know, it is a concern that a lot of
plebs have, you know, like, it's just a lot of people who aren't devs who are, like, just
trying to make their way into stacking sats, you know, and fiat mining, right?
Like ordinary bitcoiners, you know, like, if there's, if that's even a real term, right?
like, Bitcoiners are ordinary, but that said,
Bitcoiners, right?
In general, are usually very grateful for the fact that I'm at least giving this potential concern
the time that it needs for us to really fully understand
and potentially develop mitigations against it.
Yeah, it's very cool.
I mean, I'm definitely glad the work is happening.
I hope we never have to use your work, but it looks like maybe we will.
So these events, have these been at Space Denver?
Yeah.
How's that going?
Oh, it's so great.
We have like, I think, 78 members now.
And next month is when, in April, it would be kind of like our one year mark when we first started collecting dues from members.
We didn't have a space back then.
And so we just kind of built a bit of a war chest.
and then we got a space
and then we sometimes hold Bitcoin events
we're very picky about what kind of events we hold
Heat Punk was one of them
that was very well
we had Peter Todd and Troy Cross come to that
and that was only about a week ago now
and that was
yeah no like all those events were just so cool
and it's just going really well
and so
what's interesting is that
when we first started the space
we offer discounts to new members because we didn't have a space yet.
And those discounts will expire next month.
And so after next month, when those dues come due and all the members,
the space members are all real close friends.
I don't think anybody's going to wash out just because we raise the prices a little bit.
Then, you know, I think we will be set financially for like being a sustainable
co-op of Bitcoiners in Denver with an actual place to hold events and meet and work.
That's amazing. So this is like Denver's equivalent of Bitcoin Park or the Commons or whatever.
I think these third spaces are so important for Bitcoin. I love to see it. I'll definitely
try and get out to Denver some point this year. It would be really cool if you did. And then maybe we
can do another one of these in person. Yeah, for sure. Hopefully the quantum threat is not any more
severe then. But Hunter Beast, I appreciate the time. This has been good. I've definitely learned some
stuff about quantum, so it's been great. Is there anything you want to do, I don't want to say before we
close out? Oh, just go to surmount.com. There we have a link for the BIP, and we also have some
donation links for the foundation. It's a non-profit. And so there's a silent payment link and a
BOLT 12 link, and that's because we don't want to reuse addresses.
And also, we don't use Nostr.
We do have an X, but we don't use Nostr specifically because all Nostr npubs are public keys.
So that'll be maybe another, once we, once we have everything figured out on the Bitcoin
side, maybe we'll try to go and figure out what Nostr needs to.
We need quantum resistant npubs.
Yes.
Love it.
Well, thank you very much for the,
time.
I will try and get out to Denver at some point this year and we can do it again.
All right.
Thank you, Danny.
Appreciate it.
