¶ Quantum Computing and the Risk to Bitcoin
There's a 50% chance that by 2033, you will have a cryptographically relevant quantum computer that can break Bitcoin. Whatever entity has the quantum computer owns all the Bitcoin on the network. If this quantum computer can compute your algorithm fast enough, then it's like every Bitcoin is basically at risk. And that also effectively closes off any kind of on-chain migration option. Ownership fundamentally breaks. Once you hit that threshold, you can scale very, very, very, very, very quickly.
The best way to ensure that you're not rushing a change is to ensure that you're not surprised. We should already be well on our way as the Bitcoin network to having post-quantum cryptography that's close to being ready to deploy. Don't be bystanders. This is extremely novel and new cryptography where the stakes are as high as they're going to be anywhere.
Alex, welcome to the show, man. We are going to get into the hot topic of the day, quantum cryptography, and if it's going to break Bitcoin. Let's start with your background. It's the first time you've been on the show, the first time I've spoken to you. How did you get here?
¶ Introducing Alex Pruden and His Background
Yeah, first off, it's a pleasure to be here. It's a great show. I'm a subscriber. And yeah, I really appreciate the work you do here. As for my background, I first got interested in Bitcoin a little over 10 years ago. At the time, I was in the U.S. Army, and I was a Green Beret working in the Middle East. Specifically, I was in and around Syria and the Syrian civil war. And I discovered Bitcoin while working in Turkey, training Syrian rebels to fight the Assad regime and ISIS.
We briefly explored it, you know, conceptually, as a way to financially support the guys that were fighting across the border, because at the time there were no US troops allowed in Syria. It never went anywhere. It was just kind of a throwaway idea that one of the Turkish intel guys threw our way. But the concept stuck with me.
This idea of borderless money that was secured by cryptography and private keys or seed phrases that you could just put inside your head and then cross any border in the world. Let's say you were a refugee fleeing conflict.
You could just start over again, because a lot of the people that I was around, as you can imagine on the Syrian-Turkish border, were refugees from that conflict and had basically lost everything, either because their physical wealth was tied up in real estate in Syria, or because their bank account was frozen explicitly, or they just couldn't get to it because they were in Turkey and their bank was in Syria. And that was sort of the moment I was like, wow. I knew nothing about technology. I knew nothing about finance, quite honestly. I had gone to a military academy and studied Arabic. But that was the moment where I was like, this seems really transformational. So I left the Army a year after that, after I came back from that deployment, and just tried to figure out how to get into the space. I did what everyone does in their career when they don't know what to do next: I went to business school.
And so I was fortunate to get into Stanford, and honestly I spent most of my time at Stanford just getting into computer science classes that I had no business being in. I think the cryptography class that I took, which was the first computer science class I took, not a recommended starting point, I got a D. D is for diploma, as they say. But I just was really passionate about understanding how everything related to Bitcoin worked. And the professor, Dan Boneh, has done a lot of research in cryptocurrencies and blockchains and Bitcoin. So yeah, that was how I got more immersed in the space. I was the co-founder of the Stanford Blockchain Club. I then worked at Coinbase for a brief stint, and then I ended up actually getting a role at Andreessen Horowitz when they had a crypto team they were standing up. This is 2018, the very beginning days of their crypto fund, and I joined as a venture partner, or as a deal partner. I was recruited by one of the general partners there. I didn't love venture, to be quite honest. It just wasn't really my thing. It was a great experience, I learned a lot from the smart people that work there, but I wanted to be an operator. So I went to join a startup that was in the zero-knowledge space called Aleo. It was a couple of Zcash co-founders who had, yeah, basically had this vision to create Zcash, but with smart contracts. And I got really excited by that: privacy. You know, as you can imagine, coming from my former world and thinking about intel and espionage, I was like, oh, privacy is good and important for a variety of things beyond just those two. But yeah, I spent four years, well, four and a half years there. I was the first employee, became CEO, took it from zero to launch. And then after launch I kind of stepped back and handed the reins back over to the COO and CTO, and was wondering what to do next. And that's what brought me to this moment, founding Project Eleven.
So I mean, there's a lot of veterans that have come into the Bitcoin space, but I don't know if there's many that have gone fully down the cryptography rabbit hole. That's a pretty big step. You went straight in at the deep end there.
Yeah. I probably wouldn't recommend going that route. Maybe it's my misplaced ego. I was like, oh, I could totally do this. But I do like, for example, when I was in the Middle East, I spent a lot of time learning Arabic because I really wanted to be able to have a one-on-one conversation with the people I was working with. I didn't want a go-between. I didn't want an interpreter. I wanted to just know exactly what they were saying. And I spent, I mean, I easily spent 10 times as much time as my colleagues did on average to do that. And so I kind of view this as similar. I'm not very satisfied with the high-level answers. It's both a blessing and a curse, right? I have to know in as deep a detail as I can stomach how things really work.
Yeah, you know, it's both a good and a bad thing, right?
I think on the one hand, it's my curiosity that's helped enable me to have insights that maybe come earlier than other people might have them. It also, I think, can be easy to get lost in details. Ultimately the challenge is figuring out how to synthesize those two things into what is insightful and what is impactful.
So you left the venture world and the previous startup, and you've gone into the quantum side of things. Where did that come about?
Yeah, so the connection is cryptography. So in cryptography, like I already explained, I studied Arabic. I don't have a physics background at all. I mean, I went to a military academy. I took a physics class. But when I was getting into cryptography, quantum computing is kind of obliquely referenced as this doomsday weapon that destroys everything. We think it's 20 years away, you know, and just forget about it. So that was my introduction to it. And I kind of put it out of my mind at Stanford and for all the time I was working in the space. And then when I had a moment to come up for air and think about other areas of cryptography that would be relevant, because, you know, Aleo was kind of, I'd argue, right, I view it as an instantiation of some advanced cryptography, zero knowledge, right? And so I was really into that. And so I was like, what other frontier areas of cryptography are up and coming? And post-quantum came up again. I mean, this was actually right around the time of Google's Willow paper. So Willow actually describes both a paper and a quantum computer that they built, very small scale.
But they had demonstrated this thing called below-threshold error correction. I had no idea what any of that meant. But I sort of started doing a little bit of research, and really what I concluded was that maybe quantum was moving faster than people were giving credit for. But to be clear, I wasn't sure at the time.
But the one thing that I was pretty sure of was that blockchains and digital assets generally, and Bitcoin, had all seen tremendous adoption in the 10 years that I've been in the space. I remember getting into the space and there was legitimate talk of Bitcoin being banned because it was viewed as literally only for criminals. And of course, nowadays, we're so far from that. The adoption is far and wide. We have stablecoins, you know.
But I think the extent to which that adoption has happened also makes the challenge of migrating to a new form of cryptography, like post-quantum cryptography, quite acute. And that was sort of the moment where I was like, man, I don't know. I mean, we don't know if quantum is going to happen necessarily. I think maybe it could be sooner than we think. But it's certainly going to be hard to effect this transition. And so that was really the genesis of the idea that led to Project Eleven.
I mean, you said that jokingly, this was 20 years away, and that's always been the thing: quantum's always been 20 years away. But the timeline seems to have really sped up in the last, I don't know, few years, really, from the experts working in that field. How far do you think an actual cryptographically relevant quantum computer, how far away from that are we?
Okay, so, you know, folks who've listened to your prior episode on this topic, they'll have the context. But look, I think I want to maybe just make a statement to frame how I'm going to talk about this generally. Look, I think there are a lot of unknown unknowns around how quantum computing as a frontier technology is going to develop and unfold. So I actually kind of think more in terms of certainty and uncertainty.
I think what has become more uncertain in the last year is that a quantum computer won't potentially exist within a decade. So that's kind of a very non-answer to your question, but I think it's an important framing, because ultimately what we care about as Bitcoiners, as people that think about and care about the technology, is the potential existential threat this represents.
And so when it happens, obviously there are going to have to be a lot of changes, but we also have to prepare for those things in advance. And so we have to kind of handicap what the chance is that something bad could happen, right? And a way I like to think about this, to illustrate, a lot of times, is seatbelts. I don't get in my car expecting to crash or to get in a fatal crash, right? But I wear my seatbelt anyway, because on the off chance that I do get in a crash, I'll be more likely to survive.
And that's sort of how I think about this. That all said, my non-answer to your question is complete. I'll give you my answer now.
¶ Estimating the Timeline for Quantum Attacks
I feel confident that there's a 50% chance, so it's like even odds, that by 2033 you will have a cryptographically relevant quantum computer that can break Bitcoin. So that is seven years away. I think it is plausible that it is even earlier than that, probably in the 2029, 2030 timeframe. Of course, it could be further out than that, but what I would say is my base case is 2033. Could be 2030, 2029. Could be further, but that's sort of how I view it.
If you already self-custody Bitcoin, you know the deal with hardware wallets: complex setups, clumsy interfaces, and a seed phrase that can be lost, stolen, or forgotten. Well, Bitkey fixes that. Bitkey is a multisig hardware wallet built by the team behind Square and Cash App. It packs a cryptographic recovery system and built-in inheritance feature into an intuitive, easy-to-use wallet with no seed phrase to sweat over. It's simple, secure self-custody without the stress.
And Time named Bitkey one of the best inventions of 2024. Get 20% off at bitkey.world when you use the code WBD. That's B-I-T-K-E-Y dot world, and use the code WBD.
The thing that keeps me up at night is the idea of a critical error with my Bitcoin cold storage, and this is where AnchorWatch comes in. With AnchorWatch, your Bitcoin is insured with your own A-plus rated Lloyd's of London insurance policy, and all Bitcoin is held in their time-locked multisig vaults. So you have the peace of mind of knowing your Bitcoin is insured while not giving up custody. So whether you're worried about inheritance planning, wrench attacks, natural disasters, or just your own silly mistakes, you're protected by AnchorWatch. Rates for fully insured custody start as low as 0.55% and are available for individual and commercial customers located in the US. Speak to AnchorWatch for a quote, and for more details about your security options and coverage, visit anchorwatch.com today. That's anchorwatch.com.
Do you want to pay less in taxes and stack more Bitcoin? Of course you do. Well, by mining Bitcoin with Blockware, you can. Under Section 168(k) of the US tax code, Bitcoin mining servers qualify for 100% bonus depreciation. This means every dollar you spend on miners can directly offset your income in a single year, and that's true for both business owners and W-2 earners. If you have $100,000 in ordinary income, you can purchase $100,000 in miners and potentially offset your tax liability entirely. Blockware's mining-as-a-service does all the heavy lifting. They secure the rigs, they source the low-cost power, and they handle all the day-to-day maintenance. So you get to stack Bitcoin every single day while drastically shrinking your tax bill.
Get started today at blockwaresolutions.com/WBD and use code WBD for $100 off your first miner. That's blockwaresolutions.com/WBD.
Bitcoiners, as you know, with fiat money constantly debasing, wealth preservation isn't optional. That's why I recommend Swan Bitcoin, a team of dedicated Bitcoiners who work with families and businesses to build and secure generational wealth with Bitcoin. Strong relationships with clients are at the center of everything Swan does. A dedicated Swan Private wealth representative, which is a real person that you can text and call, will help you build a Bitcoin wealth strategy using Swan's comprehensive platform of Bitcoin services, including tax-advantaged retirement accounts, advanced Bitcoin cold storage using collaborative self-custody, inheritance planning with both trust and entity accounts, tax loss harvesting, asset-backed loans, and more. Swan have helped over 100,000 clients since 2020. And if you're serious about acquiring and securing Bitcoin, I recommend Swan. Meet the team at swan.com/WBD, which is swan.com/wbd.
¶ The Attack Vector for Bitcoin Explained
As I said to you before we started recording, I am no quantum expert, but when I hear things like that I have a few alarm bells going off in my head. I have some skepticism, but let me hold that for a minute, because I think we should get into what the threat is. Do you want to explain the attack vector for Bitcoin, what happens with the public keys that are viewable on chain today, and both the sort of short- and long-range attack that is possible?
Yeah, so a very high-level way to think about the quantum threat to Bitcoin. First off, what is it not? It is not a threat to consensus for Bitcoin, right? Consensus in Bitcoin is done by mining. Mining is done by hash functions.
I think any serious scientific study of the quantum attacks on hash functions will tell you that, to the best of our knowledge today, those attacks would require astronomically sized quantum computers that are just infeasible over any time horizon, quite honestly. The threat is to the digital signatures. And what purpose do digital signatures on Bitcoin serve? They serve as an authentication for payments, right, for transfers, right?
So Bitcoin is effectively a distributed database maintained by this network of miners, and the database is changed as a result of people sending messages to the network. And those messages are signed. And that signature, the message is effectively something along the lines of "Alex is sending one Bitcoin to Dan, signed Alex," right? So a quantum computer is able to basically forge those signatures. How?
It's, you know, the way public key cryptography works, there's a public key and a private key, and then it's kind of all in the name. The public key is meant to be public. It's kind of your address, broadly speaking. The private key is meant to be only yours, and that's what gives the signature. So it's fine for me to share the public key. It should be, in the classical sense. It's not fine for me to share the private key.
And if you only have the public key, you're not supposed to get the private key. These things are mathematically related, but there's a hard math problem in between those two, right? Turns out that a quantum computer, actually one of the only known examples of a quantum algorithm that is provably dominant over its classical alternatives, is the quantum computer being able to compute that math problem that sits in between those two things, right? So there's variants of this. The one that Bitcoin uses is called the discrete logarithm problem. Basically, it just lets you go the wrong way down the one-way road, right? You're only supposed to go one way, from private key to public key, and this way lets you go the other way, right? And so what does that mean? That means that any quantum computer, or anyone in possession of a quantum computer, with knowledge of a public key effectively could compute the private key and therefore sign on your behalf. And what does that mean? Well, in a real sense, it kind of means that whoever has it, whatever entity has the quantum computer, owns all the Bitcoin on the network, right? Now, of course, there's a nuance here and you highlighted it. You know, Bitcoin addresses, the things that we send to, are not naked public keys. They're hashed public keys, right? And by the way, the early Bitcoin addresses were naked public keys. And so there's a whole bunch of Satoshi coins that are in those addresses, or in those UTXO types, that are exposed. But broadly speaking, most people today have addresses that are hashed public keys, so those aren't necessarily vulnerable to, I guess what is called, a slow-clock quantum computer attack. And the way to think about slow clock and fast clock is basically: how fast can the quantum computer compute this algorithm, right? And it differs based on the architecture. We can get into all that. But assuming you have only a slow quantum machine, you only have to worry about the Bitcoin that is exposed, you know, that is secured underneath an exposed public key. Now, that could be because it was Satoshi's coins under an early address type. It could be because it's on a multisig and, you know, it's a bridge and you have to send to the multisig, so there's a signature that's been broadcast already. It could be, yeah, any number of things. You could have signed a Lightning transaction. People reusing addresses. People just signing a message. There's all kinds of ways you can expose the public key. Because I guess maybe it's just important to know: signing a message in any form reveals the public key, right? By the way, for people who are interested in how Bitcoin wallets work, typically good wallet hygiene is: I send a transaction to Danny and then I send the other half of that amount to myself in a new address, right? So that way I don't have an exposed public key. And roughly, I don't know, two thirds of Bitcoin is under these addresses that are not exposed. Now, in a world where your quantum computer is fast enough, then you could potentially front-run transactions in the mempool. So say I send a message, I'm like, I'm sending you my Bitcoin. If this quantum computer can run, let's say, inside of 10 minutes, then it can just reverse engineer my private key, send a new transaction as me in the mempool with a higher fee, and then the miners will buy that and it goes to, you know, the quantum adversary, right?
So there's this threshold for speed that's very relevant, where if this quantum computer can compute Shor's algorithm fast enough, then it's like every Bitcoin is basically at risk. And by the way, the important note there is that it also effectively closes off any kind of on-chain migration option. Why? Because I could just front-run it. I could front-run your transaction when you're trying to migrate it, even if a post-quantum UTXO were to exist. And so, yeah, I think really broadly, it's this concept that ownership fundamentally breaks in a world where there is a cryptographically relevant quantum computer and there is not any kind of post-quantum cryptography mitigating that on Bitcoin.
Yeah. So is it around 6 million coins that currently have their public key exposed on chain at the moment?
Yeah, roughly. We maintain a database. If people are interested, they can check project11.com. It's with the risk with a queue list. And so I think it's around 6 million. You can also enter your address in there if you're worried, like, did I actually expose my keys? You can enter your address and it'll tell you what UTXO type it is, or whether the public key has ever been broadcast. But yes, roughly 6 million.
Okay. And then in that timeline, so in seven years, you think there may be a relevant quantum computer that can break this cryptography. Is that on the sort of long-range attack, where it has as much time as it needs to derive the private key from the public key, for things like Satoshi's old coins? Or is that actually doing the mempool attack, where it can do it in quicker than nine, ten minutes?
My personal view is that the first cryptographically relevant quantum computers will be too slow to run real-time attacks. I don't know what the gap will be between the slow-clock and the fast-clock architectures. And so I don't think that it's a good idea for stakeholders of Bitcoin to presume that one may predate the other by, you know, a guaranteed window of safety.
¶ Skepticism About the Quantum Computing Timeline
Okay. So let's get into the skepticisms I have. And like I say, I'm no quantum expert, but a few things sort of stand out to me. If you look at what quantum computers can do today in terms of factorizing numbers, I think the highest they can do is 21, and I believe that was done in 2012. So why is this not moving faster, and what gives you so much confidence that that is going to go from here to breaking cryptography in the next seven years?
Yeah, great question. And by the way, skepticism is totally warranted and welcome in this conversation. Again, we're dealing with fundamental uncertainty, right? And this is again, to me, the key fact: I'm not claiming that a quantum computer will happen. I'm not claiming to have stone tablets. We don't know. Why do I think we should worry? I'll answer your question. Okay. Factoring numbers. So technically, yeah, as you pointed out, I think the record for factoring a number was like 15 or 21. Several problems with that. One is that what secures your Bitcoin is not technically a number in the sense of an integer. It's a group element inside of an elliptic curve group. Okay, so just picking a random integer out of the air and saying, quantum computer, factor this, is already not really what is relevant. That's thing one.
Thing two is, and by the way, in terms of elliptic curves, what you said still isn't wrong, because the biggest elliptic curve group element, or the biggest discrete logarithm problem that's been solved, is somewhere in the order of six or seven bits or something, right? So it's still small. Okay, so why haven't we gone bigger than that? I highly recommend, I'll share a link with you folks in the show notes, or you can put it in the show notes.
Bas Westerbaan from Cloudflare wrote a big post about this, as did Craig Gidney, around, hey, factoring numbers, is this a good metric or not? The big TL;DR is there's effectively a threshold that you need to reach in terms of quality for your quantum computer to be able to factor even small numbers.
But once you hit that threshold, you can scale very, very, very, very, very quickly from a very small number to a very big number. In fact, in the Google paper that was released last week, they actually call this out explicitly. They say something to the effect of: once you see evidence of a quantum computer that could solve the discrete logarithm for a 32-bit number, that effectively implies that you can solve it for a 256-bit number. And by the way, just for context here, a 32-bit number is roughly the number of people on the planet, and a 256-bit number is roughly the number of atoms in the observable universe. So, like, enormous. And this is it, and this is really, why is it like this? It's because Shor's algorithm is so efficient. This exponential speedup means that you can run up the size of these numbers on the number line really, really quickly.
And, you know, by the way, a 32-bit number, just for everyone's context, is not hard to factor. Forget quantum, a classical computer can compute the factorization of, I think, up to like 100 bits. Okay, so in the field of quantum computing, people recognize this and they're like, okay, sure, we could maybe build a quantum machine that factors a 20-bit number. But it's like, who cares?
By the way, these things are super expensive. And doing that would probably involve a bunch of bespoke things that wouldn't scale anyway. And so the mentality, if you talk to any quantum physicist or any quantum people who are working on this, is: there's no point demonstrating any of these number factorizations until you have this scalable platform where you could just factor any size number you want, or any size ECDLP problem you want.
Okay, so you mentioned the Google paper there, which has obviously been big news in the last week or so. This is one of the other skepticisms I have, because I'm sure the most brilliant people are working on this. I think the breakthroughs that they're having, I'm sure they're incredible, I can believe that 100%. But they're all paper breakthroughs, right? And when do the theoretical breakthroughs, like, where do the lines intersect between the theoretical breakthroughs and the actual technological breakthroughs, the engineers building these machines? Are they capable of building the machines that they can theorize?
Great. So first off, it's important to note, okay, so the Google paper, and there was a second paper last week that I would argue is even more scientifically significant, by a team out of Caltech, but both of them are the same character. They are resource estimates, right? And what is a resource estimate?
It is like, hey, taking some assumptions around what kind of quantum computer we're building, what variant of Shor's algorithm we're running, what kind of error correction we're doing, what other optimizations we can think of, how small could we make this problem, right? The Google paper and the Oratomic paper, which is this other paper, are notable because they specifically focus on elliptic curve cryptography.
One of the interesting things around the study of Shor's algorithm over the past few decades is that quantum physicists, for whatever reason, were benchmarking Shor's algorithm against RSA, which is an older cryptosystem that is really not used anymore. But one of the notable facts about it is it has very long key lengths, 2048 bits. It turns out that, I mean, we've known that Shor's algorithm really kind of runs in time related to the length of the key, right? And so 256 bits, which is a Bitcoin key size, is much shorter than 2048 bits. And effectively, that, among many other things, when the Google and Oratomic teams looked at this, they're like, hey, if you actually narrow the problem down to just the elliptic curve cryptography that Bitcoin uses, this gets much easier.
¶ Google's Willow Paper and Quantum Computing Progress
In the case of, so, okay, so these are resource estimates, all right? And we'll talk about what the resource estimates are in a second, but maybe just to frame it, there's kind of two paths of progress for quantum. One is, to your point, how do we move forward?
We're here, I don't know, we've got however many qubits, I don't know, a thousand superconducting qubits maybe, and how are we getting to 2,000? Okay, so we're walking, like, imagine walking down a football field. We're walking down the football field, I'm at the 10-yard line, I'm at the 20-yard line, okay. Then the important thing about these resource estimates is they basically set how far away the goal is that you have to get to. And so by getting clever and reducing the requirements, you can kind of move the goal forward. And so sometimes I hear people describe these Google papers as not progress, and it's true that it's not the quantum computer being built. But I guess, I mean, does it make a difference if I walk 10 feet towards a goal or the goal moves 10 feet closer? Not really, right? I mean, it's still arguably closer, right, for all intents and purposes. Now, that doesn't mean, though, that we shouldn't ask questions about progress.
But on that score, in the last five years, it's undeniable, in my opinion, that there has been significant progress. Okay, so even like Google uses, and to unpack this, we're going to have to get into a little bit more detail about how quantum computers are built. First thing to note is that a quantum computer is a concept describing basically a normal computer that has special quantum mechanical powers that can be realized in a number of different ways, right? Kind of like a regular computer can be realized in a few different ways. We all use silicon-based semiconductors, but there's no reason why you couldn't use a bunch of things to build a computer in its abstract form. So quantum is the same. If people are familiar with the Google quantum computer right now, what you'll find is, you'll look for it, you'll find an image. It's like a chandelier-looking thing. By the way, that whole chandelier, there's nothing quantum about it.
It's just a bunch of refrigerators because like the chandelier, you know, this is called a superconducting qubit modality. And basically like the way that, and this is like kind of gen one quantum computers. the way these work is by super, super, super cooling particles down to like a nano Kelvin. And so that's what this chandelier thing is. It's a giant refrigerator to get a couple of qubits to maybe be able to do something very tiny.
So superconducting qubits basically hit a wall in the early 2020s, where we added physical qubits to them. But unfortunately, adding scale to those systems without addressing the errors that would inevitably come up, by virtue of the fact that quantum mechanics is very fragile and quantum computing, therefore, is very fragile, meant errors were outrunning the scaling, right? So it's like, I'm adding physical qubits and it's actually making my life worse, not better.
This, by the way, is what was the major breakthrough of the Google Willow paper. The Google Willow paper demonstrated on a real system that, hey, if you set things up in a certain way and you manage the errors in a certain way, I can add physical qubits and the errors go down, not up. And not only do they go down, they go way down, right? So before 2024, this was not a settled question. Could I build a 1 million qubit computer and be able to keep errors under control?
Not proven. In 2024, it was proven that at least at small scales, you definitely could. Now the question remains, can we scale that up and keep that below-threshold behavior? Okay. But ultimately, these chandeliers, you just look at a picture and be like, okay, well, that's cool. How do we make this a million times bigger? Complicated engineering problem, right? So this is why there have been other modalities or approaches to building a quantum
computer that don't suffer from kind of the same challenges. So in particular, there are trapped ions and neutral atoms that are used as a substrate for quantum computing. Trapped ions, you may have heard of a public company, IonQ, that's kind of what they do. And then the Oratomic team, which wrote this other paper last week, is kind of
a pioneer in neutral atom quantum computing. The upshot here is that both the trapped ions and the neutral atoms are more reliable in terms of their quality. And they last slightly longer. They have some other trade-offs, but arguably if you apply the same error correction techniques that you applied in the Google below-threshold demonstration, you could take that over to these different kinds of approaches and then scale them up way faster.
And so a terminology that people like to talk about here is physical qubits versus logical qubits. Effectively, it took the superconducting field two decades to demonstrate one logical qubit, right, out of a hundred. And in a relatively short time, like the last five years, the neutral atom computers have gone from having zero real physical qubits, like there were none two or five years ago, people had
little atomic arrays, not qubits, to today, where you actually have hundreds-of-qubit computers that have up to 48 logical qubits. And by the way, there have been entangled arrays, which you can think of as proto-qubits, all the way up to 6,000 qubits. Now, why is that number relevant? Because the Oratomic paper actually describes a slow-clock quantum architecture that could potentially run Shor's algorithm and that only requires 10,000 physical qubits.
So there's still, and I want to take this pause for a second and just say, everything I just said does not mean there are not huge engineering challenges remaining. But I also don't think you can plausibly claim that there has been no progress. And I think the question now is, how quickly can these teams run up the ladder, right? And we just don't know, I think. So that's how I would frame the state of the world as it is today.
Okay, so I mean, it gets quite technical here. And maybe it's worth just explaining what the difference between a physical and a logical qubit is before my next question.
¶ Physical Qubits vs. Logical Qubits
Great, yeah. And I dropped that. I'm glad you paused so we can explain that to your audience. Okay, so a physical qubit is a quantum bit. A qubit, that's what I meant. I probably should start there. Quantum bit, qubit. Okay, what is the difference between a qubit and a bit? So a bit is the thing that's inside your computer, and it's a zero or a one. It's zeros and ones all the way down, right? It's not zero and one, it's zero or one. The magic of qubits is they can kind of be zero
and one. And by the way, they can be entangled in these complicated states. It's not really important, but the point is they can represent a much bigger possibility space than zero and one. That's exactly what makes them powerful. You can just think about this like factoring a number. How do you factor a number classically? You pretty much just have to brute force it, right? If I give you a seven-digit number, you're like, all right, well, is it even?
No. Does it divide by three? No, right? So quantum computers solve this by effectively exploiting this large possibility space that qubits give them, by kind of trying everything at once and then collapsing the answer back down at the end. That's a very terrible explanation. If a physicist hears this, they're probably going to kill me. But that's roughly, intuitively, how to think about it. Okay, so those were qubits.
Okay, now physical qubits are the physical way that this is realized. And how do you think of this? Think about particles that are very, very small, where quantum effects come into play, because quantum computers leverage quantum effects. The problem is that quantum effects are very fragile, right? So, for example, you can have two particles that are entangled, right?
There's this famous physicist, Schrödinger, who has this thought experiment on this topic, which is Schrödinger's cat, right? Actually, sorry, this is a demonstration of superposition, not entanglement, but it's still useful. So one aspect of quantum physics is that things can kind of be two things at once. And Schrödinger was like, okay, well, if I put a cat in a box,
is it alive or dead? And again, in quantum physics, in that world, you don't really know if it's alive or dead until you measure it. And it seems ridiculous, right? To consider that philosophically, where you're like, well, the cat definitely must be alive or dead. But in the quantum physics world, it can be both alive and dead at the same time. Okay. So anyway, these effects obviously don't work on cats, because cats are macro-scale objects.
But at the very small scales, this is how it works. And by the way, everyone may not know this, but quantum field theory, which is the foundation of particle physics, is the most accurate physical theory that has ever been created by humanity. It's accurate down to, I can't remember, it's like 10 nines, right? And this has been verified. All the particle accelerators at CERN and everywhere else, this is exactly what they study.
And every single prediction of quantum field theory has effectively been shown to be correct. So it's a very reliable theory. Okay. So now we have these physical qubits that leverage quantum mechanics, blah, blah, blah. Okay, great. Why don't we just build a computer? Well, the issue is that any kind of little noise that interferes with their operation or their entanglement or their superposition basically knocks the whole thing
over. So you have to really insulate them from noise. And in fact, it's actually impossible to insulate these things from noise, because how are you going to control the computer? There needs to be some kind of signal. So there's definitely going to be noise, and bad things are going to happen. So then the question is, how do you mitigate
this? How do you error correct, right, as you're going through the computation? So the concept of a logical qubit is basically, you can think of it like, all right, we're going to get a bunch of physical qubits together and we're going to do some fancy algorithms to basically make them redundant. And so the output of these physical qubits is one or more logical qubits that we can just think of as a reliable unit of computation, without having to worry about whether this thing is going
to fall over or not. So we think in terms of physical qubits versus logical qubits. These terms get conflated all the time, and so I think the important thing for people to recognize is that physical qubits alone
are not what you need. Ultimately you need physical qubits to be error corrected, and those give you logical qubits. Those logical qubits are enabling basically what the building block is, of course.

Okay, so the logical qubits are the thing that matter. What's the largest quantum computer built so far in terms of logical qubits?

I think it's, so I believe it's 98 logical qubits on a trapped ion machine from Quantinuum. For a neutral atom machine, it's about 48 logical qubits.
Now, one other important caveat about logical qubits is they're not all created equal. Because ultimately, right, it sort of depends on how big of a computation you want to run as to what the threshold is for a logical qubit. So you can imagine if I want to run my quantum computer for 50 years, my logical qubit better be really damn robust, right? Which means that I've got a lot of physical qubits in there to make sure, right?
But if I only want to run my quantum computer for like 15 minutes, all right, well, I can probably afford to have a more error-prone logical qubit, right? So this is like a dial. And this comes back to Shor's algorithm, then comes back to the Google paper, because one of the things that the Google paper showed was, hey, turns out our calculations show you only need 500,000 physical qubits, and I can't remember how many
logical qubits they had in there, I think it's 1,200. But importantly, they were like, you only need this computer to run, it's basically a million times, you know, fewer operations than the old record, right? So now two things happen. One, you actually need fewer physical qubits to make the logical qubits that you need at all, right? So there's a minimum width. I have to have that many logical qubits at least.
And then you've basically lowered the bar for quality, because now these qubits don't have to last forever. To put concrete numbers on this, it was 100 billion operations before. And the latest Google paper showed it could be done in 70 million operations. That is significant. Four orders of magnitude. And that means that the threshold of quality is that much lower.

Okay. So in terms of being a threat to Bitcoin, are we a couple of orders of magnitude off that at the moment?
Yeah. So I mean, okay. Well, the most operations that have ever been demonstrated, a thousand, maybe a few thousand. Or in terms of number of physical qubits, for a superconducting machine Google was theorizing 500,000, to a thousand, so I don't know, two orders of magnitude. Even the Oratomic paper, which is the neutral atom machines, which arguably have been advancing the best and are the best candidate in my view to be cryptographically relevant soonest, you're still
looking at a couple of orders of magnitude, both qubit count and reliability, and there's a bunch of unsolved problems around decoders and connections and all kinds of stuff we're not even talking about, right? So yeah, undoubtedly we're not there. There is no question about that.

But so this is really the big question I have around the actual engineering challenges of building this. Are they engineering challenges that we understand, and it's just a case of scaling up what we already
have, or is there going to be new engineering challenges in this?

Look, this is the part where I think me and your prior guests would differ. I think, and the majority of physicists that work on quantum computers that are building them think, right? And so maybe they're biased, because they're building these things and they like to believe that what they're doing is relevant. They think that this is just an engineering challenge of scaling up what we have.
And I think that is the consensus view in the field, that the below-threshold demonstration was really the key thing there, right? Because that was a big theoretical question. Could you even get below threshold? That was solved. So now I think most people believe, yes, you could scale these up. Now there is a question, when you scale this up, it's not quite so simple as, okay, we've got one qubit below threshold and now we just
copy and paste that a thousand times, right? That's not how it works, obviously. So there's a question, all right, if I copy and paste a thousand times, am I still below threshold? The answer is probably not. And so we've got to be a little bit more clever about what we're
doing. How much more clever? It really depends on the type of machine you're building. For the superconducting qubits, the biggest challenge is, one, you have this nanokelvin dilution refrigerator that's extremely power hungry, extremely sensitive to any kind of temperature fluctuations. You have to connect all of the individual qubits physically by wires, right? So however many qubits you want, that's how many wires you have, divided by two, I guess, or minus one.
So that's a big challenge there. The advantage of that system is that it runs really fast. So back to the fast clock, that would let you get all the Bitcoin if you could build it. The neutral atom machines, what's their big advantage? Or what's their big challenge? Their big challenge is that the paper in particular that was released last week talks about this new form of error correction that's way more efficient.
So you're talking about potentially, in the Google below-threshold demonstration, it was 100 physical qubits got you one logical. In this Oratomic paper, they're like, hey, you could get four physical qubits to get you one logical. That's obviously huge. But this is a newer technique. It's not as well developed. And by the way, you need to have classical decoders figure out how to apply these error corrections in real time. So that was much more speculative there.
The biggest advantage of the neutral atom machines is that you can actually arbitrarily connect any two qubits together throughout the system. Because basically the way these things work is they trap individual neutral atoms with lasers. And you just keep shooting lasers all over the place as you're going through it. You're kind of making this laser computer. It's kind of cool, actually. So both have significant challenges. Both have potential pathways to scale.
Neither of those have been fully solved. I mean, neither of them have solved the engineering challenges.

This is one of the really hard things, because I don't understand quantum computers, and I think very few people do, and probably even fewer people that understand cryptography actually understand quantum computing. And in Bitcoin there's an annoying thing that happens where you have a group of people that will just say, quantum computers, nonsense, ignore it, we
don't need to worry about this. I don't think that's particularly helpful. And you have the people on the other side who are like, this is going to break Bitcoin in five years, and that we need to rush some kind of change, which again I also don't think is useful.
¶ Actions Bitcoiners Should Be Taking Now
Rushing a change is not going to be the best solution for this. What is your take on what Bitcoiners should be doing now?

I actually think the way you just framed it is the perfect way, and it's the way that I think about it. Bitcoin should not rush a change. And by the way, no one who's deploying new cryptography should rush a change. That goes beyond Bitcoin, right? The best way to ensure that you're not rushing a change
is to ensure that you're not surprised, right? And by the way, in case people are just tuning in, maybe fast forward to the beginning, Alex Pruden is not a quantum physicist, right? And even quantum physicists cannot definitively tell you how long it's going to take to make a quantum computer appear. But what they can tell you is there has been progress. The bar has been lowered.
There are now pretty big incentives to push things to the finish line, which, by the way, part of those incentives involve not revealing the latest capabilities of these various machines. And that was also part of the Google paper, right? So you're getting to this world where things become more and more uncertain. So just exactly as you said, we don't want to rush it. Therefore, we should just play it safe.
Even in a world where it's only a 1% chance, in my view, that a quantum computer exists by 2029, from one of these various attempts to make one, we should already be well on our way as the Bitcoin network to having post-quantum cryptography at the very least researched and then tested, and hopefully in a world that's close to being ready to deploy. So that way, there's no risk. Assume a different world where we just kick the can
and it's 2030. By the way, by 2030, all sensitive government systems will have migrated, because the NSA has told the government, you must migrate by 2030. And then boom, out of nowhere comes a quantum computer in that world. And then we have to rush. Well, that's where you're going to get a rush, right? Because, by the way, if you have a quantum computer, what are you going to do with it? At least if you're an economically rational actor, you're going to sell it to a government
so they can do espionage. Or you're going to go try and take money on Bitcoin. I mean, you go look at that risk list. There's 6 million Bitcoin worth a lot of money out there for the taking. And I think people would have to be naive to think that that's not going to get looked at as a juicy target.

I mean, one of the things you said there, another part of this discourse that's been frustrating to me is that there are people out there shouting at Bitcoin
developers saying you're not doing anything. And that's just not true. We have BIP360, where people are working on this. What's your take on the BIP360 stuff and the, at least, potential quantum-resistant algorithms that people are working on?

Well, first off, I want to acknowledge that being a Bitcoin developer, and being an open source developer generally, is a hard and thankless job. Okay, so that is without a doubt true.
And I am very appreciative of every Bitcoin developer that does what they do and maintains the core protocol. And I don't pretend that their job is easy. Look, with regard to BIP 360, I think BIP 360 is a step in the right direction, but it's far from sufficient. What does BIP 360 do? It disables a part of Taproot that effectively revealed your public key on a transaction, right? That's the key path spend.
So what BIP 360 does is kind of disable that, so you can't make your life worse by accidentally exposing your public key. And it kind of talks about in the future maybe we use Tapscript to do some post-quantum stuff, but it's all very intangible. Look, I think there's a bit of a risk here that people are a little bit too focused on ideas and research, and people are not focused enough on just implementing and testing
this post-quantum cryptography, because this is extremely novel and new cryptography that we're talking about, where the stakes are as high as they're going to be anywhere. By the way, this new cryptography comes with significant trade-offs in terms of size of signatures, speed of signing or verifying potentially, size of public keys, size of private keys. There's no world that we're going to go to where you're going to have what we have today in terms
of elliptic curve level performance. None. And by the way, there are completely new assumptions that are being baked in all over the place that could be classically broken for all we know. So look, I think for that reason, to me, I'm a big proponent of let's ship stuff. Let's put something out there and let's see what happens. Can it get broken? Can we put it on a signet? Then let's put it on a testnet.
Let's just implement SPHINCS+ or SLH-DSA, whatever it is, let's just do it. And let's fund people who are doing that. Let's prioritize actual post-quantum cryptography, deployed in as many contexts as widely as possible, as soon as possible. I think the risk is people try and bikeshed over what's the most optimal thing. And, oh, well, could we do this and optimize this? And let's write some more papers. And, you know, it's 2030 and we're like, oh shit, we haven't done anything yet.
We still have to do all the engineering.

See, that's an interesting take
¶ The Engineering Challenges of Post-Quantum Algorithms
because my perspective on this has always been that we'll probably see quantum computing coming quite far out. I know you disagree with that, and we should get into that. But if that was the case, then surely spending time just working on how to make these signatures as efficient as possible is going to be the best option. Because if we just ship something now, it's not going to be the perfect solution.
Whereas if we spend five years researching it, we might find new ways of doing things that are novel and make Bitcoin more efficient. Because the trade-off here is that it's going to crush throughput, right? Because signatures are going to be way larger.
So is it not worth spending five years researching that, to make it the best upgrade we can if we need to make a quantum-resistant change?

I think both of these positions are straw men, right? On the one hand, clearly we shouldn't rush to implement something right now that could be suboptimal. That would probably not be ideal. Also, though, I don't think you can always make an argument for "we should spend more time researching and making it more optimal," because if I get the
signatures down to 2,000 bytes, well, I've got a new idea, it's 1,999 bytes. I studied cryptography at Stanford. I worked in a bunch of frontier stuff. People will do this all day long, because people like to do this. It's a fun, cool thing. But what do people not like to do generally? Put these things into practice, where the trade-offs become apparent and you just have to
learn to live with them. That is painful. That is uncomfortable. Everyone would much rather think of a world where they don't have those trade-offs. But I think the risk is you just overshoot them. So look, in my view, it's both. There's nothing stopping there being four different post-quantum algorithms live on various testnets today. And then we can have real-world numbers, with potentially real-world network activity, that can inform what really is
the trade-off or not. Because that's kind of the other thing with research: it's always clean room, lab coats. You're like, ah, in ideal conditions, it's this. The real world is not ideal conditions, right? And so no matter what you come up with, you're going to have to put it through those paces anyway. Might as well use this as an opportunity to learn and inform the research. So I'm a big fan of doing both things in parallel. Let's take what we have now. And then worst case,
we're all wrong, Quantum Peter shows up tomorrow, we've got something. Or we can keep working on and iterating on these various algorithms, make them better. And then guess what? We maybe have more time, great. Now we've all saved ourselves some pain in the future and maybe prevented having to do a soft fork later.

Just on this attack coming from nowhere, or having prior warning, why do you think this will come from nowhere? Because are we not going to see other systems
break before Bitcoin? Surely there are easier things to target.

I feel much more confident about this. I don't think it's a certainty at all that you'll see other things break. First off, it's important to note that a quantum attack like Shor's does not come with a signature. There's not a beacon in the sky that says, this was a quantum attack. This is absolutely just going to look like someone lost control of their private key.
Whether it's in the context of military communications or whether it's in the context of an exchange wallet, it's just going to look like something happened. And only by a lot of reverse engineering might you discover that this was actually a quantum computer.
So, by the way, in the first scenario that I highlighted, around military communications, you could see there's an obvious reason why governments, which by the way are dumping hundreds of billions of dollars into quantum, want this capability to be secret. If you're China and I'm the US, and I'm like, hey, guess what? I'm going to have a quantum computer that breaks all your cryptography next year. What are you going to do?
You're going to move everything. I'd actually much rather you just think that your cryptography is fine for as long as it's fine, and then I can just read your mail without you knowing, right? So this is, I think, one of the really tricky things. A good analogy to this that Scott Aaronson, who's a physicist at UT Austin, writes about on his blog is what nuclear physics was like in the late 30s, early 40s.
Basically, everyone realized that this thing might be possible, and then they realized that it was very important to control the information around it so as not to potentially reveal capability before the actual bomb dropped. So I think it's not clear, A, that we'll know when it happens. And also, back to other systems you could target. Okay, sure, yes, there could be some espionage-type stuff, but let's pick another example that people often like to straw man.
Swift. I could go attack Swift, right? The interbank transfer system.
Look, Swift is a database effectively run by a consortium of big banks. If something happens that that consortium doesn't agree with, they're just going to roll it back. It's not a decentralized blockchain. They're like, okay, well, does everyone agree that we should just delete that last entry in this database? And everyone's going to be like, yes, I did not want that to happen. And okay, it's done. And so with your attack, effectively you've revealed that you have this
capability, and you've made no money on it, right? So why is crypto or blockchain or Bitcoin way more attractive in this way? Well, you could just make money potentially much more immediately. And there's no easy way to roll these transactions back. In fact, that was the entire point of Bitcoin, right? Satoshi made Bitcoin as a reaction to the central banks printing money and the financial system being rigged and, you know, they control everything. That was the whole point of
Bitcoin. And that means in this case it's much more vulnerable to someone that is able to break the underlying cryptography and potentially profit from it.

So Satoshi's coins really are the canary in the coal mine. I guess if you were a smart attacker, you wouldn't even touch them.

Correct. Because if they've not moved in 17-plus years, as soon as they move, you have to assume that's a quantum attack. So really you're going to go after other
addresses where the public keys are exposed. So the most fun parlor conversation for Bitcoiners is what would happen if you had a quantum computer, right? Because there are like a million scenarios. I wrote a blog post called Quantum War Games. Nic Carter's written a short story. They're all kind of fun thought experiments. I mean, the reality is we don't know. But to your point, any public key is exposed. One potential way it could play out, if you were smart and you didn't want to signal the
canary in the coal mine, is you'd go for a second- or third-tier exchange. Thousands of Bitcoin easily, maybe hundreds of thousands. Those things get hacked all the time. So would anyone really notice? They're like, ah, those idiots over in, I don't know, some country's tier-three exchange lost their private keys again, idiots, you know? And no one's the wiser, right? I think that's just as possible as someone going after Satoshi.
The thing with Satoshi's coins, the unique risk there, I think, is that some of the quantum computing companies that are building these systems have expressed to me personally in conversation that they're like, oh, this is a business opportunity, because Satoshi's coins are lost treasure. It's like digital salvage. It's like I have some Spanish galleon sunk in the Caribbean and I can just go take it. I can go dive down there and get the gold.
Obviously, they don't really understand what would happen if they were to do that. But I don't necessarily think it would stop them from trying, because the attractive thing about Satoshi's coins is, legally, I don't know, it's a gray area. Is it stealing? Is Satoshi alive? I don't know, right? So that's maybe a world in which that's not totally off the table.

So to implement a change here, does this need to be a hard fork or can it be a soft fork?
¶ Burning Satoshi's Coins
I have this argument with people all the time. I think it's a distinction without a difference. Technically, it can be a soft fork. But I think if you're talking about burning, let's say, Satoshi's coins, if that's an aspect of your solution, that is quite controversial. And so it might as well be hard work in terms of the work that you're going to have to do to get consensus around it. So I don't think the distinction between soft work and hard work here is meaningful.
I think it's going to be extremely controversial. And so we should just plan our timelines accordingly. What's your take on the freezing of Satoshi's coins or not? Look, ultimately, my take is the community ultimately has to decide. And I think it's really tough because philosophically, there's two things in tension here. There's the integrity of the network and the value that it represents, which is implicitly like the strength of the digital gold thesis.
and there's the philosophical principles that motivated the network. Not your keys, not your crypto. These things are in complete tension here. There is not an easy answer. If you put a gun to my head and you said, hey, Alex, you have to answer the question, I probably would err on the side of Burning Man because I think at the end of the day, that's better economically. I think the real challenge though is like, it's easy when it's Satoshi's coins. You're like, ah, whatever, Satoshi's coins.
But there's 15% or so of the network that is estimated to be lost. And so only two thirds of that or so is Satoshi's coins. But how do you know you're not, it's not someone who's just like, you know, oh, my thumb drive's in my, you know, on my base, then I dig it up one day. And now my coins are gone. Who, where's the dev that pressed, you know, pushed that update? Where's my lawyer? Like, it's quite fraught, right? When you think about, kind of on the margin, what is a lost coin?
I mean, I think that's another aspect that a lot of people don't consider is, like, how do you deal with it? I mean, the way that some people like Jameson Lopp propose is, like, oh, you give people a super long window, you know, 12 years. But again, if you take that to the extreme, it's no different than just leaving them for the quantum computer, right? But yeah, I think probably burning them is right on balance.
But, you know, again, I don't, I definitely understand and sympathize with people that have the opposite view.
Yeah, I would definitely have the opposite view there, only because, like, I understand the idea of the digital gold narrative, and if those coins did get stolen by a quantum computer attack, then it's going to be really detrimental to price if you have six million coins, or however many are left at that point, hitting the market. But if you completely undermine the property rights of Bitcoin by allowing, like, by essentially stealing someone else's property before who you consider a bad actor
steals that property, like, what is the long-term value proposition of Bitcoin then? Like, if the property rights are broken, is the long-term value proposition way lower anyway? Because you've proven you can do it once. And who's to say there's not going to be a future attack that means you have to do it again? Like, I just think those coins have to be stolen by a quantum computer in that situation.
Yeah, it's hard, right? Like, this is, yeah, it's a trade-off. And by the way, maybe just to quantify these views: I was at the Presidio Bitcoin conference last year, where there's a bunch of core developers and supporters of Bitcoin, large holders, miners, developers. And they polled the audience, and the question was basically split down the middle. Like,
what do we do? And so I think just the reality is the community, at least today, there is not consensus among either the broader community or the key institutions that represent stakeholders.
Yeah, this is another part of the debate that's going to be really interesting. I think it's a really cool sort of philosophical debate, but it's going to make the whole thing really messy. And going back... Sorry, just to quickly plug in there: it's going to make it really messy. That means it's going to take longer than we probably expect. That means we should start sooner, because overall it's going to be a bigger hill to climb than we think it is. So that,
really, if I could distill the core of my argument, it's that. Yeah, that makes sense. And if we have both this fast and slow attack, so any public key that's on chain now, obviously they're at risk, but if it can also do the mempool attack, where it can derive the private key from the public key in less than 10 minutes, is there any change in the upgrade we need to make to Bitcoin for those two different attack vectors, or is it the same fix that fixes both? Probably. I mean, like, ultimately it
probably doesn't change that much. Oh, I take it back. It does change quite a bit, right? Because if you think, for example, let's just take the case where it's a fast clock attack. So let's say a physics paper comes out tomorrow and says, all right, quantum computers just physically cannot run faster than an hour. It's just impossible. In that world, as long as you continue using the Bitcoin network, you know, and not reusing your public keys,
you'll probably be fine. I mean, I think it would probably impact how practically all these things are implemented, right? You'd have to, I mean, people today just aren't really that diligent about rotating those, and it would make infrastructure a pain in the ass, but you could probably live with it. You would just have to figure out this question of Satoshi's keys or not.
I think ultimately, though, you know, there's no, again, to the best of our physics knowledge, there's nothing preventing a fast clock computer from existing. And by the way, as these, like, one of the things that, you know, both of these papers kind of talk about is as you scale these systems, you know, you can effectively run this computation more and more parallel, and it's exponential as an advantage.
So, like, if you even get just a few more qubits, logical qubits, you can run this thing way faster. That's, again, to the best of our knowledge, how we think it could play out. So ultimately, I don't think we should overly focus on, let's deal with the slow clock attacks now and talk about Satoshi's coins. I think this is a messy issue. It's going to be a messy issue no matter what. Let's just mash the two messy issues together, and let's just deal with it all at once.
I think that would be better than having two very controversial forks that potentially have an equal chance of splitting the community and the network. Yeah, that's something I totally agree with. Like we may as well get all the mess out of the way now, do one upgrade. So you were saying that, was it 2033, you were 50-50 on whether a quantum computer will be able to break ECDSA. Yeah. So if that's the case, how quickly do we need to implement a change to it?
Like, and again, in this scenario, let's assume they can do the mempool attack. How quickly do we need to implement a change so enough people can move or everyone can move to quantum resistant signatures? Okay, so my answer would be, even if, you know, my answer would be we should start as soon as possible and move as quickly as possible because my estimate is there's plenty of uncertainty to it, right? So this is an estimate. This is estimate has uncertainty.
So we should still, nothing about that changes. So, but how long would it practically take? Let's just say 2033. So let's say we wanted to get in before that. I mean, look, I think if we, first off, coming to consensus that this is a problem, which quite frankly has only happened in the last couple of weeks, I think there have been, like, and you highlighted BIP-360. Look, I think the team's done great work there, but by and large, it was kind of in isolation for a long time.
And the broad view of many, you know, core developers of Bitcoin was that this is not a top priority, right? And so I think first, probably it's going to take six months to converge around this is actually a problem. And then I think, you know, implementing and doing research and getting to a suite of algorithms that we could potentially deploy and then test. And that's probably going to be a couple of years. Right. And then, by the way, Bitcoin does not exist in isolation.
You have a wallet. This wallet must support this new cryptography. Theoretically, if you want to buy it, that's got to be supported on Coinbase. There's all of these things, like only at that point can they all start upgrading. And then when that's all done, let's just say you've got a multisig and your key's exposed. At the end of all that, can you send the UTXO to yourself, to your new quantum-secure multisig, right? So look, I think that's seven years. What did I say? 2033?
Well, maybe just make it, right?
¶ How Quickly Does Bitcoin Need to Change?
Look, maybe, obviously, both of these things are uncertain timelines, quantum computer and migration, but let's take an example from Bitcoin's history, recent history. Taproot. So Taproot was implemented over the course of around, I think, four years, right? And by the way, widespread consensus that it was a good upgrade. So there was like no argument. And there were some, but I mean, there was like relatively few arguments around like we shouldn't have it. And even in that.
Before Taproot, not necessarily post-Taproot. Yeah, yeah. Fair enough. Yeah. Yeah. And even probably during Taproot, I'm sure if, you know, Pieter Wuille were here, he'd be like, oh, that's not how it went down. But, you know, anyway, I think on the spectrum of changes to Bitcoin, it was relatively noncontroversial. Certainly, I think, less controversial than this will be. And so I think, I don't know, just pick your multiplier on that. Is 2x too much? Is 1? Yeah, I don't know.
So to me, like the five to seven years probably feels right. Maybe five years is aggressive. Seven is conservative. Again, if you think 2033 is the day, that means it's got to start now. But it's not even just a change, you know, like block space is scarce. Will people be able to move their Bitcoin in that time?
Yeah. So actually, we've done some research around this. I mean, if you shut down the Bitcoin network for everything except for migration transactions, it would take just based on the number of UTXOs and the block time and the block size on the order of 75 to 100 days to migrate everything. Now, of course, maybe you're not going to shut down the whole blockchain. Maybe you're just going to reduce it to, you know, you're going to limit it to 10% of all transactions or migration transactions.
And that gives you a year. Right. So, you know, we have to account for that. Right. We have to give people time to migrate. So probably a year is minimum. I mean, you're not going to shut down the whole blockchain, I don't think. But, you know, maybe you could in an emergency. I don't know. But yeah, broadly speaking, I think a year is probably a good planning factor to give people enough time. I mean, miners are going to be very happy. Oh, yeah.
Think about the fees you're willing to pay, right? Yeah, exactly. Think about the fee. Miners are going to be happy, especially if there's a quantum computer lurking in the corner. Because think about the fees you're willing to pay then. You're like, oh, I got to make sure my transaction gets through and the quantum computer is like, I'm going to front run it. And so then the miners are going to be like, yes, pay me the fee.
I guess until then they get hacked by the quantum computer and then they're screwed. But, you know, I don't know. That's when all the miners that have moved to AI come back to Bitcoin. But it's going to be a real mess. I think I'm maybe still skeptical on sort of those really short timelines, but I'm very willing to accept that this is probably an issue we are going to have to deal with in the future. And I think I agree with you that probably more work needs to be done.
Although I do think there's some interesting stuff happening there. And I think I also believe that, like you said, this is becoming more of an issue amongst the sort of developer community. I think it's going to accelerate. It's going to be interesting, man. Yeah. And I think it's, I mean, we'll end on an optimistic note. There's no reason why Bitcoin can't lead the charge here. No reason at all. I mean, Bitcoin is a financial innovation unlike almost any that's ever existed.
It is compared to most uses of cryptography. I think this is how, you know, one of the most important deployments of cryptography in the world. And it's been maintained by an open source community of developers throughout its entire life. The founder was totally anonymous, right? We don't even know who they are. And it's look at look at us now, right? The ETFs are issued on this trillions in market cap.
No reason why Bitcoin can't continue to be, you know, effectively the torch in the darkness showing how a decentralized open source community can affect a very complex cryptographic migration. All it takes is will. All it takes is awareness. and I think the last thing I would say new to your listeners is don't be bystanders. Be advocates for what you think is right. You've heard two views. You've heard multiple views on this show around whether this is a near-term threat or a long-term threat.
I think be involved. Be an advocate. I think one of the biggest risks that I see potentially affecting Bitcoin in the face of the quantum threat is not so much the quantum computer itself. It's the apathy, the reverse bystander effect. I'm like, ah, well, some core developers I heard are working on it. And so I'm good. And look, I mean, ultimately, the strength of this network comes in our collective belief in its longevity.
And that perversely is directly correlated to how much each person is willing to invest in that, right? And part of that investment is being involved, being informed, and advocating as a member of this community, as a holder of Bitcoin, for what you think is right. I think to me, that is the most important thing. if people take away nothing else from this podcast, that's what I would leave them with.
I mean, Alex, that would have been the perfect way to end the show, but I have one more question for you. All right, cheers. Do we know that quantum-resistant signatures will actually remain quantum-resistant? No. Short answer, no. There are two categories of quantum-resistant signatures that are standardized today, and by standardized, I mean standardized by NIST, the National Institute of Standards and Technology.
Broadly speaking, they're based on hash functions, which we believe are quite safe, or something called lattices. Lattices is a bit more speculative. Everyone likes the hash functions because we already know they're probably going to be safe in a quantum world. The main challenge there is their size and performance. So a lot of effort.
In fact, Blockstream Research and Jonas Nick have published some work called Shrinks and shrimps, which attempts to address the size issue by making these signatures effectively limited use. So you can only sign a million times instead of effectively infinite times. And you know that there's optimizations like that that are interesting to explore. It does change.
I mean, it is still different than the way that signatures work today, because, importantly, if you reuse the same nonce in the signing process, you leak your public key, or you leak your private key, and then anyone can steal your bitcoin. Not just the quantum computer, anyone. And so, you know, there's things like that that have to be considered. On the lattice side, lattices are what, broadly speaking, the internet is going to. So ML-KEM,
which is not signatures, it's key exchange for TLS connections, ML-KEM is a lattice-based key exchange mechanism, and that's what NIST has said to, like, Google and Cloudflare and banks: hey, this is your primary algorithm because of its performance characteristics.
But look, I think broadly, we need to be prepared for a world where the cryptography continues to be broken because there is no mathematical guarantee that the cryptography that we're going to invent in the future, even though that based on hash functions, couldn't also be broken in some way. And so I think this really calls for what's, I guess there's like the term in the industry is crypto agility. Like people need to bake into the system, the fact that the crypto
that they're deploying may not live forever. And there needs to be ways in which to easily migrate to new stuff. I mean, the quantum computing threat is just kind of the most in your face
¶ The Importance of Crypto Agility
version of this. It's like, everyone's got to move, but there's absolutely no guarantee that quantum computers can't turn out to break other things that we thought were secure, or even classical computers, or, by the way, AI that maybe leverages both quantum and classical computers comes up with new approaches that we had never seen coming. So yeah. And I guess, like, maybe one cool thing, since I, you know, gave my big speech and now I've got to give people something else to end on.
What one cool thing to note about quantum is I think a lot of times, you know, the discourse around it is really negative, but look, there's actually really cool stuff with cryptography that you can do too. because quantum physics is physical and kind of like the most fundamental way that we know, you can leverage it to create new forms of cryptography and encryption and various things.
Like one cool thing, it's like a theory from several, many years ago that's been refined, but just in simple terms, you can share key material by entangling effectively quantum particles. And that sharing of key material happens not on a classical channel, right?
So there's no possible way that an adversary could intercept the transmission because in effect, it uses this weird quantum effective entanglement such that like your side and my side automatically are the same no matter what I do to my side. And that's amazing. Like it's like, it's something that's fundamentally new and cool and could honestly be the foundation for, you know, how we use Bitcoin or other forms of cryptography in the future. And there's, and again, this is just the surface.
We don't even know what's below that. Maybe there's many, many other cool things that we could do with quantum computing that pushes forward the frontiers of cryptography and Bitcoin as well. Very cool. Alex, I've really enjoyed this. Thank you for coming on. The next few years are going to be a mess and I'm going to be here for the ride. Yeah. But yeah, I appreciate your time, man. Cool. Thank you very much. Yeah, appreciate being here. Thanks a lot for the idea.
Actually, Alex, before we close out, where do you want anyone to go to follow you or your work? Yeah. If you want to yell at me for my views on quantum computing, you can find me at apruden08 on X. I spend most of my time there. And also Project 11, if you want to check out the risk list, or we've written a bunch of blog posts about various things related to this topic, Project11, spelled out, E-L-E-V-E-N.com. That's where you can find more info about what we do.
Awesome. Thank you for the time, man. It's been great. Yeah, this was a lot of fun. Really appreciate it. Thank you.
