The Truth About Quantum Computing & Bitcoin | Brandon Black

Feb 03, 2026, 1 hr 1 min

Episode description

Brandon Black is a Bitcoin software engineer. In this episode we discuss why quantum computing is unlikely to threaten Bitcoin in the foreseeable future, how exaggerated claims around qubit scaling and Shor’s algorithm distort the real risk, what concrete evidence would actually force Bitcoin to act, and how questions around soft forks, post quantum cryptography, property rights, and confiscation should be framed if progress ever becomes real.

THANKS TO OUR SPONSORS:

ANCHORWATCH

BLOCKWARE

LEDN

BITKEY

SWAN

CAPE

CLUB ORANGE

FOLLOW:

Danny Knowles: https://x.com/_DannyKnowles or https://primal.net/danny

Brandon Black: https://x.com/reardencode

Transcript

Quantum Computers and Bitcoin Vulnerability

Once there's a fast quantum computer out there, sub 10 minutes, Bitcoin as we know it today is basically not usable because the coins will just be stolen by someone else once they try to move. As soon as there is evidence of clear logical qubit scaling, of progressive factorization, there's a very clear evidentiary standard here. And as soon as that evidentiary standard is met, we have to start doing stuff.

I can make a very defensible, logically tight claim that there is no way a cryptographically relevant quantum computer will happen in the next 10 years. What I think, never. I think it is never going to happen.

Introducing Brandon Black

Brandon, how are you doing, man? I'm doing well. How are you, Danny? I am very good, thank you. I'm really looking forward to this conversation. So you've been kind of the quantum naysayer for a little bit now. And I've been going down this rabbit hole more and more over the last few days. Because maybe I'll frame this by like Nic Carter is someone who I know is controversial amongst Bitcoiners. I think he's really smart. I think he writes some amazing pieces on Bitcoin.

And when I first read his sort of quantum series that he started doing a couple of weeks, well, maybe a month ago or so, it made me think that quantum might be quite close. But the more and more I've kind of listened to stuff that you've been talking about and done my own research on this, I'm starting to think that I don't want to call it a scam, but maybe it's much further away than we actually think.

So I want to get into all of that with you today. But you want to start just by introducing yourself. This is the first time you've been on What Bitcoin Did. Yeah, sure. So yeah, I'm Brandon Black, reardencode on the internet. I'm a software engineer. I guess I was a software engineer for 20 years, some of that time in management. About eight years of that in Bitcoin full time.

In Bitcoin, probably my greatest accomplishments in Bitcoin were when I worked at BitGo, launching the first ever Taproot multi-sig wallet and the first ever MuSig2 into production. So those are things I kind of did in the Bitcoin world. That was the way I got introduced to talking with people at Bitcoin conferences was doing research to do the MuSig2 implementation. I met Jonas Nick and I was asking him questions about it and got into the implementation and

everything there with him. So I guess that's like the broad strokes of me these days. This year, I'm launching a Bitcoin consultancy. I'm going to try to help people and businesses with their Bitcoin scripting needs and just general learning about Bitcoin. So if anyone needs me to come talk to them about Bitcoin, I do that. And yeah, that's what I'm up to. So when did you get into the quantum stuff? Because as like a Bitcoin developer, someone who, well, maybe not on like core, but

you've been working on like Bitcoin projects, like when did quantum come into this? Because this FUD has been around for quite a long time now, but it's really ramped up over the last, I'd say, 12 months. Yeah, yeah. I would say I am naturally interested in all such things, whether it's cold fusion or quantum physics or, you know, all impossible things are naturally in my interest. I think that's how I got into Bitcoin in the first place is that same natural interest

in these things. I was like, oh, magic internet money, that doesn't work until it turned out that it did. So I've naturally drawn to these kinds of things. And so I've been tracking the progress of quantum computing, gosh, for most of my professional career, just been watching it, seeing how things are going. So when the FUD comes up, I think I have a decent background to know, like, have we made a real step change that makes it now instead of 10 years to never

to suddenly five years? And many people, of course, this year are claiming that we've made that transition from 10 years to never to within five years. And I just don't see any evidence of that. Okay. So I want to try and like set the table here because quantum computing to me, when I try and understand it, it still sounds like this Fugazi thing. Like, I think it's really hard to actually, like if someone asked me to explain what a quantum computer does,

I'd really struggle. Can we start as basic as that? And can you explain what they're trying to do with quantum computers? Yeah. So the short idea of what quantum computing can do and what

Explaining Quantum Computing

digital computers struggle to do is that a quantum computer can have its qubits, as they're called, represent a superposition of possible states as opposed to a single state. So in a digital computer, the binary digital computer is what we all use, is what we're talking over right now. Every bit of information is either true or false. It's one or zero, and that's every single thing. In a quantum computer, you can have bits that don't have a defined state yet.

And then what you essentially do is you try to encode the properties of your real world problem, whether it's cryptographic problems or chemistry simulations, whatever the physical thing you want to work on into the possible states of the quantum computer. And then the properties of the quantum gate interactions within the qubits can make the correct answers have a lower energy state and therefore become more likely when you read out values.

So then you collapse these possible states into real states and read out the values. And what you get is the low energy state. So they call this quantum annealing. And that's kind of the current state of quantum computing is that it can be used in physics simulations to do this quantum annealing, where you encode the state of a physical system into the quantum bits. You kind of shake them up, so to speak, and then you read out the low energy state they come to.

And if you do that a few times, with high likelihood, you get the lowest energy state of that encoded system. So this is the magic of quantum computing and why it can do things that digital computers can't do. Because with digital computers, to do that same thing, you basically have to look through all the possible states that your system could get into to find the low energy one.

But with quantum computers, because all of the possible states are encoded across the qubits, it can essentially simulate the combination of inputs and states that gets you to that low energy all in one go, instead of having to iterate through every possible value of every input to get there. So this very clever guy, Shor, forget his first name, came up with an algorithm that can apply those properties of finding a low energy option out of some encoding to cryptographic systems.

And whether that's factoring or elliptic curves, the low energy state that we're looking for there in both cases relates to, well, in factoring, it's kind of a simpler problem to map. With factoring, you're like, oh, we got 15. Let me find three and five. And you can encode that so that the qubits resolve to lower energy state when you have inputs that multiply to the desired value, right? And so that's factoring.

And then with elliptic curves, you have to map it into this thing called a period finding problem. But again, it's the same basic problem where the amount of energy encoded in the bit is lower when you have found the correct sequence of movements through the elliptic curve to encode the underlying value of the secret key. And that's roughly what we're doing. We're using this quantum annealing process to find the period over which the secret key translates in the elliptic curve realm.

And if you can do that, then you can get the secret key out of a public key. All right. So I do definitely want to get into the issues with factoring and elliptic curves. But before we do, these computers are never going to be like a general computer, right? they're going to be specifically targeted to either like breaking encryption or other like

like chemistry applications and things like that. That seems by far the most likely. Some people have proposed they could also be very useful for AI where essentially it comes out of the same thing where you would encode the properties of an LLM, let's say, into the quantum states. And instead of computing through a neural network, the output, you would quantum anneal to the output of

the LLM. So maybe you could also apply it to something like that. But yes, they're never going to be able to do the hardcore, just sending bits across the internet type stuff, because there's a setup and a readout process, and it's all about probabilities. There's not a clear answer. And of course, for sending bits across the internet, you want to have a clear one or zero on each bit you send, and quantum computers aren't super well suited for that.

Do you wish you could access cash without selling your Bitcoin? Well, Ledn makes that possible. They're the global leader in Bitcoin-backed lending and since 2018 they've issued over $9 billion in loans with a perfect record of protecting client assets. With Ledn, you get full custody loans with no credit checks or monthly repayments,

just easy access to dollars without selling a single sat. As of July 1st, Ledn is Bitcoin only, meaning they exclusively offer Bitcoin-backed loans with all collateral held by Ledn directly or their funding partners. Your Bitcoin is never lent out to generate interest. I recently took out a loan with Ledn. The whole process was super easy. The application took me less than 15 minutes and in a few hours I had the dollars in my account. It was really smooth.

So if you need cash but you don't want to sell Bitcoin, head over to ledn.io forward slash WBD and you'll get 0.25% off your first loan. That's ledn.io forward slash WBD. Privacy was never a priority for mobile networks. For companies like AT&T, T-Mobile, and Verizon, data collection and monetization is the default. But Cape is changing that. Cape is a premium US mobile carrier with nationwide coverage designed from the ground up with privacy and security at the core.

When you sign up, Cape collects the absolute minimum data required, stores it for the shortest time possible, and never sells it. They also make you significantly harder to track at the network level and protect against SIM swap attacks, which are becoming one of the biggest security risks out there, especially for Bitcoiners. Cape's SIM swap protection is fundamentally different. Instead of usernames and passwords, your account is secured by a 24-word passphrase similar to how

Bitcoin wallet works. No one can initiate a SIM swap or take control of your phone number except you. This isn't a burner phone or a workaround, it's a normal mobile service built properly. If you care about privacy and security, there is no better mobile carrier. To learn more and get 33% off your first six months, head to cape.co slash WBD and use code WBD at checkout. That's cape.co slash WBD. With fiat money constantly debasing, wealth preservation isn't optional.

That's why I recommend Swan Bitcoin, a team of dedicated Bitcoiners who work with families and businesses to build and secure generational wealth with Bitcoin. Strong relationships with clients

are at the center of everything Swan does. A dedicated Swan private wealth representative, which is a real person that you can text and call, will help you build a Bitcoin wealth strategy using Swan's comprehensive platform of Bitcoin services, including tax-advantaged retirement accounts, advanced Bitcoin cold storage using collaborative self-custody, inheritance planning with both trust and entity accounts, tax loss harvesting, asset-backed loans, and more.

Swan have helped over 100,000 clients since 2020, and if you're serious about acquiring and securing Bitcoin, I recommend Swan. Meet the team at swan.com forward slash WBD, which is swan.com forward slash wbd. Okay, so let's talk about factoring and elliptic curves,

Factoring and Elliptic Curves

because factoring isn't really applicable to Bitcoin, but it is to other cryptographic systems. Is that right? Yeah, so RSA is the famous one that's based on large prime numbers that are difficult to factor. Okay, and so this is where, like, I don't want to call it a scam, but this is something that when I was looking at really shocked me, is that the highest number that a quantum computer can factor right now is 21, I believe. And the bit that really surprised me is

they actually did that in 2012. So all the talk over the last few years of this really accelerating, they still can't factor a number bigger than that. Do you know why? So what I observe, and I think many others have made the same observations, I'm not alone on this, is that the basic properties of qubits are pretty well understood at this point. We can produce some qubits, we can map some state onto them, and we can resolve them into a desired state that we want to measure.

And that enables factoring very small numbers, because if you can get a couple of qubits together, you can factor a small number using a quantum computer. And so what the quantum researchers have been doing over the last decade has been trying to make that scale to larger numbers of qubits. And that turns out to be very, very difficult. And we've seen hundreds of millions or billions of dollars poured into trying to get that to scale.

And what seems to happen is that as you increase the number of qubits you're working with, the difficulty of correcting the errors in the qubits goes up exponentially. And so every time they come up with new technologies that seem to have lower error rates, and they've gotten much, much lower error rates on their individual qubits, but when they start trying to put more qubits together, they keep on seeing that the error rates rise exponentially as they go to more and more qubits.

Breakthroughs in Quantum Computing

And so this is something we saw very clearly with the recent Microsoft Majorana announcement where they have built a very cool, very low error rate, single qubit device.

And so this is like, oh, we can manufacture lots of these single qubit devices, and that's very cool, and maybe there are applications for those. But what they haven't demonstrated with all of these new announcements that have been made is, no one has been able to demonstrate the ability to tie a whole bunch of qubits together on a single device and not have the error rates go up exponentially. And so that's how we got to this state where

they did this thing many years ago and it hasn't really advanced. The closest to an advancement we've seen was someone used a quantum computing device to solve a six-bit elliptic curve key. Now, six bits is ever so slightly larger than 21, but it's still like, I joked that literally a child can solve a six-bit elliptic curve key. It's not something that requires great computing power. So it's in a similar realm of those 21-bit factorizations.

Let's give them their dues, right? Let's say they are making breakthroughs, things are going well in the quantum computing world, they're putting billions of dollars in. What are they excited about? Like, why are they thinking that this is progressing so fast? So a few things I've seen that are interesting. One is, like I said, better manufacturability of individual qubit devices. That was the Majorana announcement.

So they went from, you know, it takes us like super customized, like hand-built, we get one working qubit out of 100 attempts, that level of difficulty of building qubits. With Majorana, they're like, this is a qubit, we can produce this qubit in a factory. Like everything that it takes to build this are things that we know how to put into factories. So that's a cool innovation right now.

Instead of it being like hand building in labs, individual qubits and getting them to work sometimes, now it's manufacturable. So that's a big step. We've also seen pretty big breakthroughs in error correction where for a given error rate in the qubits, the classical computing or digital computing needed to correct the errors has become a couple order of magnitude faster. So that's another big breakthrough they've made.

And then another one that we've seen is some folks have made innovations in what they've called gate-based quantum computing, where they build quantum gates that are a handful of qubits. I don't know the exact numbers, but like less than 10 qubits on a device. And then they interconnect them, which is kind of similar to how we build digital computers. In digital computers, we have essentially gates, you know, NAND, NOR, XOR, the binary operations. And we interconnect them on a chip.

So maybe we can do something interesting with quantum computing in a similar way, where instead of trying to get a whole bunch of qubits all tied together, in a single device, you build gates where each gate is a kind of a quantum unit interconnected to other gates. And so we've seen developments in that area.

The problem, as far as I understand it, and I'm not an expert on this, so maybe someone can correct me, call in and tell me I'm wrong, essentially, but I don't think that gate-based quantum computing can ever break cryptographic systems. Because if I understand correctly from reading Shor's algorithm, you need to have a certain number of qubits all in a single device working together to do the one step, kind of this critical step in the Shor's algorithm has to have all those qubits together.

It can't be separated across gate boundaries. Again, someone could correct me if I'm wrong, but I don't think that's something you can map between A and B. So there are other problems in physics and chemistry and stuff where the gate-based quantum computers may be very useful, but I don't think they apply to cryptosystems. So anyway, that's the things that I've heard where they've made major steps in the last decade or so.

Quantum Computing as an Imminent Threat

Okay, so one last piece of sort of table setting before we get onto Bitcoin and what this potentially means for it. When you say qubits, are you talking about logical qubits or just normal qubits? And what's the difference between those two? Yeah, great clarification. I was wondering if we're going to get into that. It's important, so you're right.

So because qubits are these kind of flaky, difficult to deal with things, if you take a single qubit, which essentially a qubit is often a single electron or a single, I think, muon or kind of other subatomic particles or a single photon, it's very hard to get any kind of reliable setting and reading with a single physical qubit in one of those subatomic particles. So what they do, to do actual computation, is the following.

They take a whole bunch of physical qubits and they actually within the physical, interconnecting the physical qubits in a physical kind of device, let's say, they make it so that a bunch of physical qubits represent one state and they essentially self-correct each other within that so that there's a reliable state instead of a flaky, we can't really read it or write it state.

So by putting a whole bunch of physical qubits together, they're able to create a somewhat stable, we're talking in many cases stability over microseconds, but somewhat stable qubit state where the physical qubits reinforce each other to create a stable logical state. And that's what gives rise to the idea of a logical qubit.

Now, there's a lot of nuance and debate about this, and I was having a discussion on X with someone who works in this area where some people have said that doing this whole thing of mapping physical qubits into logical qubits is not necessary, and it's actually wrong-headed.

Basically, if you're doing a whole bunch of work to take, let's say, tens or hundreds of physical qubits to make one logical qubit, and then you're going to try and tie a bunch of logical qubits together to get a low error rate output, that's the wrong way to approach it. And the right way to approach it is to take all those physical qubits, map your problem directly onto those physical qubits, and then deal with the fact that they're flaky kind of internally to your algorithm.

So basically make almost like one giant logical quantum device rather than making a bunch of logical qubits and then tying those together. So it's not totally clear to me kind of which one of these approaches is going to bear fruit if either of them ever will. But that's the difference is that a logical qubit is a single stable quantum state represented by a bunch of physical qubits.

And that may be necessary in order to build computing devices out of quantum bits because the physical qubits are just too flaky to deal with on their own. Okay, I said last bit of table setting but I actually have one more question. Like in classical computing we have Moore's Law, which I actually don't know the exact definition of. Is it that everything gets twice as fast and half the price every few years?

It's actually the number of transistors in the same physical space doubles every 18 months. Okay. And that's, you know, over the history of computing, that's probably been accurate. In quantum computing, they have, is it Neven's law? And can you explain what that is and what they, you know, if you believe in this?

Yeah, yeah. So first, I have to make one important distinction on Moore's Law. It really should have been called Moore's Observation, right? This wasn't Moore saying, oh, I predict that we're going to see a doubling of transistors on a device every 18 months. It was an observation. He looked back at computing, starting with the very early integrated circuits, and noticed that we're seeing a doubling of transistors every 18 months, and said, this may continue for some time into the future, and it got called Moore's Law.

So in quantum computing, they're saying there's Neven's law, which would, and they talk about this interesting thing where they call it a double exponential in computing power is what the, I believe, the claim of Neven's law is.

And the claim is that because, and this is if quantum computing can scale, there is truth to this first part: because quantum computing represents a complete possible state space in its entangled bits, your equivalent digital computing goes up exponentially with the linear increase in qubits. And that's an important thing about quantum computing and I think why people get excited or scared about it, right?

If we can get quantum computing to work, it's absolutely true that the equivalent digital computing that you get out of a quantum device goes up exponentially with a linear increase in the number of functional qubits. That's very important. Then the claim comes that we will see a similar exponential rise in the number of useful qubits as we saw with useful transistors in a device. So that's a prediction right now, which has no historical justification.

And so unlike Moore's law, Neven's law is making a prediction, not an observation. And that's why I am highly skeptical of it. And I keep saying on X and elsewhere, I'm waiting to see a couple of cycles of, you know, true scaling of quantum device complexity, where we see, oh, they factored 21, they factored 125, they factored bigger and bigger numbers over, let's say, five years, and then we'll be able to know what the correct rate of growth is for Neven's Law.

Maybe it's doubling every 10 years. Maybe it's actually linear. Maybe it's not exponential the way transistors were. We just don't know yet because we don't have the observations. Moore made a prediction based on observations. So I don't believe in Neven's Law as of right now. I mean, anything that claims a double exponential, I'm immediately skeptical of. But so in terms of like quantum computing for such a long time has always been this thing that's like a 30 year away problem.

And then in the last couple of years, people think this is becoming more and more imminent to the point where we have people working on quantum proof addresses on Bitcoin, like Hunter Beast doing BIP-360. Nic Carter's saying that this is an imminent threat. Where are you on that scale? Do you think it will ever be a threat or how far out do you think it is? I have two answers to that question.

I think I can make a very defensible, like logically tight claim that there is no way a cryptographically relevant quantum computer will happen in the next 10 years. It just requires too much increase in the number of logical qubits on a device. There's no way from a kind of human, even with AI enhancement development process, the industrial production ability it can't be developed in less than 10 years. So that's a defensible, I think there's a strong

logical claim of that. My personal emotional, like what I think, never. I think it is never going to happen. I suspect that there are physical laws that prevent it from happening, but that's an emotional thing, not something I can like do a scientifically rigorous study of or anything. Okay, so let's go with the 10-year prediction then. It's at least 10 years off, but it's still worth talking about as of maybe now. 10 years isn't that long a time.

And we know that changes take a long time to be implemented in Bitcoin. Let's get into what the actual threat to Bitcoin is if we get a quantum computer that can break cryptography.

The Threat to Bitcoin

So what will happen first? Yeah, so the relevant thing, as I mentioned earlier, is Shor's algorithm. And Shor's algorithm would enable the quantum attacker with a cryptographically relevant quantum computer to take our public keys and turn them into secret keys. And if they could do that, of course, then they could spend anyone's Bitcoin. And so that's the threat. And so we don't know exactly how that would play out because it's very hard to game out.

Let's say you are the first person that develops a cryptographically relevant quantum computer. What are you going to do first? Are you going to go for Satoshi's coins? Are you going to try and hack into North Korea? Are you going to try to hack into Russia? Are you going to try to hack into the US government? What's the first target if you get that device?

And it's very hard to know because there's different game theoretical reasons to do each of those things. You know, a certain entity might find just kind of slowly siphoning Bitcoin away to be the best use of that device. But another entity with the exact same device might think that infiltrating the president of, I don't know, the Ukraine even might be their first target. Like, we just don't know.

And so I don't know what happens first. What I do know is that Bitcoin's public keys would become vulnerable to such a device. And this is where we get into then this like long exposure versus short exposure that everyone likes to talk about. And so if you are someone whose public keys are just as secret as your secret keys, meaning you've never used an address, you've never exposed your xpub, you've never exposed your descriptor, you've not used a taproot address

or a pay-to-pubkey address, you've only used addresses ending in H, as Hunter likes to call them, and you've been absolutely perfect about your key discipline, your public keys are as secret as your secret keys, the quantum attacker cannot steal your Bitcoin at rest because your public keys are not known. And the only thing that a quantum computer is likely to be able to do when it's first developed, a relevant quantum computer,

is to reverse public keys into secret keys. At some point, and if this happens, it's hard to know exactly the timeline here, but at some point after the first cryptographically relevant quantum computer, there will come a time where such a device can take a public key and develop a secret key in the 10 minutes it takes to find a Bitcoin block.

And when that happens, then even those of us that maybe have perfect public key security, our public keys are absolutely secret from everybody, are then vulnerable to the quantum computer as well, because they can see our transaction, maybe even see it after it gets confirmed and have a deal with a miner to mine an alternate block that takes those coins to themselves instead, right?

Once there's a fast quantum computer out there, if sub 10 minutes, Bitcoin as we know it today is basically not usable because the coins will just be stolen by someone else once they try to move. So that's the threat to Bitcoin is, yes, with Shor's algorithm, a sufficiently powerful quantum computer can start taking people's coins.

Okay, I think it's worth diving into that a bit deeper because there's, I think, in pay-to-pubkey, which is a very old address format, I think there's about 2 million coins that we know of in that address format. So those ones are essentially gone immediately for the reason being that you can see those public keys on chain at any one time. Is that right? Yeah, they're at risk immediately because the public keys are readily available.

Yep. Okay. And then for anyone else who's using like SegWit addresses, the public key isn't exposed until you actually make a transaction. So as long as the quantum computer can't break the cryptography in less than 10 minutes, less than it takes to get in a block, you're going to be okay.

if you've had perfect public key security and you've never leaked your XPUB and never leaked your public key and never leaked your descriptor, which I've said this in a few other places, this is a really strange security assumption. So I like to say there's really no difference that Bitcoin is broken once there's even a slow quantum computer, because to me, the idea that we're going to hang our hats on people having perfect public key security is very, very strange. I don't accept that as a

security claim for Bitcoin. No, I totally agree with that. I think I would probably say the majority of my Bitcoin addresses will be fine, but I bet there's one in there that's not. I wouldn't be sure. But so why do people focus so much on Bitcoin with quantum computing? Because if quantum computers do break this cryptography, then there's a wide array of things they can go after.

Why is Bitcoin the focus here? So I think there is a legitimacy there in that Bitcoin is hard to change. And so, you know, we saw with the Y2K, you know, well, at least I did, I don't know if you're as old as I am. But with Y2K, everyone said the world's going to end, but then it didn't. Why? Because a bunch of software engineers busted ass and made it not end. And that's true for all the other systems.

You know, if quantum computers look like they're around the corner, you know, governments, most governments and most computers, operating systems and all that stuff can change to other cryptography in the timeframe necessary to protect their users. It's less clear that Bitcoin can do that. I think that's where Nic is kind of doing this like, oh, because of this slowness, we have to act now, even though quantum

is only maybe a thing. It's like, yes, Bitcoin's hard to change. And so that's why the real focus on Bitcoin is that it might take five years to make a change to Bitcoin, and that might be too long. So there's a legitimacy there. Yeah, I guess the other thing being there's no recourse with Bitcoin. So if someone, you know, if you own the private key, you own the Bitcoin. It's not like you're able to claw back money through the banking system or however it might be. There's no insurance

here. Like this, if you own the private key, you own the Bitcoin. So there are obviously, there are things we can do to mitigate this attack. But when do you think the conversation really needs to ramp up from something that is like cool for developers to be working on? We should be thinking about this. But when does it get to the point where you're like, oh shit, something needs to happen now?

Yeah, so I've said this on the internet before, but I think it's really worth saying in many different forums over and over. As soon as there is evidence of clear logical qubit scaling, of progressive factorization or reversing of elliptic curve keys that gets greater bit counts reversed with sub-exponential scaling of energy input, right? There's a very clear evidentiary standard here. And as soon as that evidentiary standard is met, we have to start doing stuff.

But as of right now, no one has gone from, you know, reversing a 6-bit EC key to a 10-bit EC key using sub-exponential increases in time and energy. And until there's a sub-exponential increase in the difficulty of doing that, we still have the exact security model we've always promised with elliptic curves, which is that it is exponentially difficult to break elliptic curve keys of a certain size. And as long as it's scaling exponentially with energy input, we still have that. So it's very easy to change my mind. The evidence can be just put out, hey, look, someone made a quantum device that for a 6-bit key takes X energy and for a 12-bit key takes Y energy and that's sub-exponential scaling. Oh, okay, shit, we got to do something.

If you already self-custody your Bitcoin, you know the deal with hardware wallets. Complex setups, clumsy interfaces, and a seed phrase that can be lost, stolen, or forgotten. Well, BitKey fixes that. BitKey is a multi-sig hardware wallet built by the team behind Square and Cash App. It packs a cryptographic recovery system and built-in inheritance feature into an intuitive, easy-to-use wallet with no seed phrase to sweat over. It's simple, secure self-custody without the stress. And Time named Bitkey one of the best inventions of 2024. Get 20% off at bitkey.world when you use the code WBD. That's B-I-T-K-E-Y dot world and use the code WBD. This episode is brought to you by Anchor Watch.

The thing that keeps me up at night is the idea of a critical error with my Bitcoin cold storage, and this is where Anchor Watch comes in. With Anchor Watch your Bitcoin is insured with your own A-plus rated Lloyds of London insurance policy and all Bitcoin is held in their time-locked multi-sig vaults. So you have the peace of mind knowing your Bitcoin is insured while not giving up custody. So whether you're worried about inheritance planning, wrench attacks, natural disasters or just your own silly mistakes, you're protected by Anchor Watch. Rates for fully insured custody start as low as 0.55% and are available for individual and commercial customers located in the US. Speak to Anchor Watch for a quote and for more details about your security options and coverage. Visit anchorwatch.com today. That is anchorwatch.com.

What if you could lower your tax bill and stack Bitcoin at the same time? Well, by mining Bitcoin with Blockware, you can. New tax guidelines from the Big Beautiful Bill allow American miners to write off 100% of the cost of their mining hardware in a single tax year. That's right, 100% write-off. So if you have $100,000 in capital gains or income, you can purchase $100,000 of miners and offset it entirely. Blockware's mining as a service enables you to start mining Bitcoin right now without lifting a finger. Blockware handles everything from securing the miners to sourcing low-cost power to configuring the pool, they do it all. You get to stack Bitcoin at a discount every single day while also saving big come tax season. Get started today by going to mining.blockwaresolutions.com forward slash wbd. Of course, none of this is tax advice; speak to your accountant or tax advisor to understand how these rules apply to you. And then head over to mining.blockwaresolutions.com forward slash WBD, and you'll get one week of free hosting and electricity with each hosted miner purchased.

Quantum Proof Cryptography

I mean, it's funny because like I probably buy some of the stuff that Nick's saying. Like I can believe that there's plenty of people who would willingly allocate money to Bitcoin that see the quantum computer threat, think that this is real and is closer than it may be in reality, and then be cautious of ever like touching Bitcoin because of that. I think that probably exists.

I think it's probably a small minority at the moment, but it's probably going to grow as well as the hype around quantum computing grows. So we do have people working on solutions. What are those solutions? So quantum proof cryptography, like maybe explain how that works and why it's not an ideal solution, at least right now. Yeah, so there's two major camps of quantum resistant cryptography out there being proposed for Bitcoin at least right now. And those are hash-based and lattice-based.

I understand hash-based mostly. I don't understand lattice-based mostly. But they, for the moment at least, have somewhat similar problems, which is that they require much more data to prove ownership and validate signatures than elliptic curves. Elliptic curves were chosen for a lot of cryptosystems because they have a really, even compared to RSA, which was a previous cryptosystem that has similar properties in many ways to elliptic curves, they have much smaller keys and signatures. So like a Bitcoin key is 32 bytes, 33 bytes, depending on things. And a Bitcoin signature is 64 to 70 bytes. These are very small amounts of data to prove the ownership of something. Really, if you think about what you're doing and the ability to move Bitcoin and prove ownership with a total of 100 bytes is just shockingly efficient. And quantum resistant algorithms, whether hash-based or lattice-based, are many kilobytes.

So not many, several kilobytes at least, many kilobytes for kind of simple systems to do that same job of proving ownership and transfer of Bitcoin. So that's the big problem right now. Recent research has made great strides in reducing the cost of these things, especially the compute cost.

So there's been some posts going back and forth on the Bitcoin dev mailing list about these post-quantum schemes and how they've really gotten the signature verification, which is probably the most important to optimize portion of the Bitcoin process, to about the same compute cost as elliptic curve verification. So that's like a huge innovation and great progress has been made there.

And so we're just really, I would say in the Bitcoin world, we're looking for a sufficiently developed post-quantum crypto system that doesn't have major downsides for the system like multi-kilobyte keys. And the issue there, like in layman's terms, is it takes Bitcoin from being, I don't know, do you know how many transactions a second? I even hate that metric, but how many transactions? Seven transactions per second is often cited.

Okay, but then it's going to go down to probably less than one if we go to these larger signatures. Yep, exactly. And so if we have 10 years, how small do you think we can make those signature sizes? And how close to what we're working with now? I am not a cryptographer, so I'm hesitant to even put a prediction on it.

What I would guess is that over 10 years, we can make sufficient developments in kind of layered Bitcoin technologies, whether that's ARCs or Lightning or BitVMs or whatever else people are working on. So that we can work with the larger signatures, however big, however small we can get them in the same time. So let's kind of attack it from two sides, right? Make Bitcoin more efficient with layering and reduce the size of the signatures sufficiently over the course of the time so that we can build a system that really works for people by the time we need to.

It's one of those funny things where I guess the ideal solution here, if you assume quantum computing is real and it's going to be able to break cryptography at some point in the future, you want to make the change as late as possible so you have the best solution possible. But to get that, you do need people working on it today, which we do have. But if we do get there and we need to make a change to Bitcoin, is this a soft fork or a hard fork?

Soft, yeah. Everything here can be done in a soft fork. And I think there'd be a really interesting discussion on the same way that segregated witness was a soft fork that technically added block space. If we've made significant strides in the validation cost and we've seen increases in storage capacity on typical devices and stuff, it might make sense to do another thing like SegWit where, okay, we get post-quantum and we make a special quantum signature block that lets us keep about the same transaction throughput. So there's a lot of conversations to be had here when the time comes. In the meantime, as you said, the right thing to do right now is to continue developing these post-quantum signature schemes, making them better and better and better over time so that we're ready.

One of the most interesting things I've heard you say on this is that you think regular computers might break cryptography before quantum computers.

Regular Computers Breaking Cryptography

Explain that. What do you mean? As many people have said, crypto systems have a shelf life. You know, RSA 1024-bit was secure when I first started using cryptography, but soon after I had to upgrade my RSA keys to 2048, and then I upgraded further to 4096-bit keys. SHA-1 is no longer secure. MD5 is no longer secure. You know, crypto systems have a shelf life. And elliptic curves...

The nice thing about modern cryptography, like we're kind of several generations in, obviously, of cryptography, is that we have pretty strong proofs of security. Like we have, here's the assumption. If you don't break this assumption, this system is secure. But there's still new math being discovered every year.

And there's no way to know for sure that some genius working in a university somewhere doesn't come up with a way to basically attack the underpinnings of the very elliptic curve system. You know, the secp256k1 curve that we use in Bitcoin has a specific formula that describes the shape of the elliptic curve. And then on that curve, our whole cryptosystem revolves around moving a point around on that curve based on secret keys and public keys, right?

What if there's a vulnerability in that curve and the points on the curve can be predicted based on the public key? That's a possibility. I don't think so. It's been around for long enough, but to me, that's a more likely attack vector for Bitcoin than quantum computing because we've seen that happen many times. You'll hear, I kind of go with evidence. And the evidence is that crypto systems are broken by innovations in mathematics and cryptography. They're not broken by, like, brand new types of computers. They're broken by math. And that's what I would think is the most likely vulnerability. Now, the great thing is that the solution to both of these is the same thing. We should keep developing other crypto systems that might be suitable for Bitcoin. And we should implement one in Bitcoin when the time is right. Oh, great, we'll do that.

I mean, I imagine AI is gonna also, like people talk about the breakthroughs that may come in math and physics through AI. Like that is probably one of the most realistic ways that current cryptography is broken. It's funny. I was actually talking to AI the other day and I was like, how would you break ECDSA? And it won't tell you. Like it just refuses to answer that question or it did for me at least. I mean, not that I was going to understand anything that it said anyway.

Confiscating Bitcoin

But so, okay, if we need to soft fork, then that's one of the really interesting parts of this conversation is like, what do we do with the old coins that will otherwise be stolen? And there's going to be, like, part of the Bitcoin community that think that those should be confiscated. I, at least as of right now, am very strongly against that. Like, one of the key principles in Bitcoin to me is property rights. And I don't think we should steal someone's coins, just the threat that a bad actor steals the coins later.

Where do you fall on that whole thing? Yeah, I found people arguing with me on both sides of this because I'm in the middle. If there is a sudden quantum break, let's say tomorrow we find out that there's actually already a quantum computer active stealing coins, right?

So I think it's never happening, but tomorrow someone proves, hey, look, I'm doing it right now. Here's your secret key. Then we should confiscate the coins because there was no opportunity for anybody to retain their ownership. And so the entire system's ownership has just been invalidated suddenly.

So in that case, we confiscate the coins and we create some kind of a claim system where some people can reclaim their ownership, but we don't just leave it vulnerable to the quantum attacker because everyone's ownership was simultaneously ruined, essentially. On the other hand, if what is, I think, a much more reasonable expectation, we see a gradual progression and let's say in five years, quantum computers start factoring 20-bit numbers and we say, okay, it's time to do something.

So a year later, we activate a soft fork that has quantum-resistant cryptography in it. And then that year, they factor 32-bit numbers and they keep progressing. Then people have time from the time we deploy that quantum-resistant soft fork to move their coins to quantum-resistant addresses. And at some point down the road, that quantum attacker is going to first break a meaningful Bitcoin key. They're going to factor a 256-bit number and break a Bitcoin key.

But by then, everybody who was active in Bitcoin has already started using the new soft fork. So then we just say, fine, they can have such these coins, they can have all the dead coins. It's going to be a race between different quantum actors who gets which coins. And as you said, we enforce the ownership and say, no, whoever gets those keys is the owner because that's the only thing we know in Bitcoin. So mostly I'm with you.

Unless it's a sudden thing where tomorrow someone starts stealing quantum coins or quantum vulnerable coins.

See, I don't know if I even agree with that part. Like, it just, it feels very like an Ethereum DAO type situation where you're not happy with an outcome. So therefore you kind of roll back the chain and give people their Bitcoin back. Like, I don't know if I can ever get on board with that because, like, one of the issues that I think people will have here is they'll see that, you know, I don't know, 2 million coins or whatever it is in pay-to-pubkey addresses are going to hit the market. That's going to have a massive impact on Bitcoin price. And therefore they're like, that's a bad thing.

But if you completely remove or invalidate one of the value propositions of Bitcoin, which is property rights, like what does the long-term value actually become? Like, I think the number is far lower in the long-term, even if you have a short-term huge impact on price. I don't know. I feel like confiscating coins at any point is wrong, whether it's tomorrow or it's in 10 years. No, I love that perspective. I mean, I think it's a very kind of baller perspective to take, essentially.

I think realistically, and this is the plain reality of Bitcoin, and I was talking about it actually on Tone Vays' show the other day, it's a market question. And neither of us knows what the market will do. I would bet that if we do see there's a sudden quantum adversary where no one knew it was coming and suddenly all the coins were starting to move, we would see a chain split rather. So a chain split would happen. There'd be the one that retains ownership, exactly as you said,

it's just, it's Bitcoin. We add quantum resistance and people start kind of fighting each other to get their coins quantum resistant. And like, we just kind of YOLO, it's, we're baller, we're going to go with it. And on the other hand, we have people where we cut off the quantum vulnerable cryptography and we make some kind of a claim process. And we try to preserve ownership the best we can within that scenario. And I have no idea really which one would have more value.

I know that I prefer one of them, but I'm only one market actor with a small number of coins. I don't know what the future would hold on either one of those two coins, but I think we'd have a clear chain split.

Yeah, and the funny thing is like, even though I feel quite strongly that you can't ever confiscate coins under any circumstances, I also could see a world, like if you do take the Ethereum DAO analogy, where I would be on the side of like the Ethereum classic, which fades into insignificance. That would definitely be a chain split where I'd never sell the coins on either side. Right, exactly. And I think a lot of people do that.

Yeah, but I do think it's probably one of the most interesting sort of dilemmas that may occur if we do actually get this. If that happens, so if we have a soft fork, so let's say we know quantum computing is coming, we've seen the progress, like it's an imminent threat, we make a change, we have a soft fork, would everyone then have to migrate keys to a quantum proof address? Yeah, everyone would have to move their coins, which would be a big privacy impact for many people. Huge privacy impact.

And also it would take a very, very long time, right? Like block space is limited. Like how long would that process take? I think it's like for all the UTXOs, it's like three or four years right now. No, not that much. Okay. I'm not exaggerating. It's a good while, but it's measured in years, not decades for sure.

Okay. So you basically then are in that situation where you need to move your coins as quickly as possible because the idea is if the quantum computing progress is so fast that not only can it break cryptography, but it can now do it in less than 10 minutes, then those coins are also going to be lost forever, essentially. Yep. So miners are going to be happy. Fees are going to go through the absolute roof. Yeah, I think that's right.

Does it have any other impacts apart from the, like, does it have any impacts on mining, quantum computing? Very unlikely. There's an algorithm out there called Grover's algorithm that can reduce the difficulty of finding a SHA-256 collision by a square root factor, basically. But the reality is that Bitcoin's difficulty adjustment can handle that. So if a quantum miner is square root faster, it's okay, it doesn't matter. As far as anyone researching has figured out so far, there's not really a problem for mining because we have a difficulty adjustment. And so as quantum miners start to roll out, like, we've seen bigger improvements in mining already in the CPU, GPU, ASIC migration than you would see from a quantum device.

Okay, so if anyone listening to this has been panicking about quantum, you think they can relax for a good deal of time right now? Yeah, I mean, like I said, I can only say with confidence, like serious confidence, it's going to be more than 10 years. And so we should watch and we should look for the evidence. And I think even to go further than that, it makes sense to start taking whatever steps toward improving Bitcoin's resistance to an EC break we can take today that are clearly good steps for Bitcoin, that they don't have downsides, whatever. We should just do them. I mentioned, I think, Hunter Beast once in this already. He developed a BIP with some other folks called BIP 360, which adds a taproot type address, but without an exposed public key. And that would give options for quantum resistance in the future. It also would reduce the cost of certain types of on-chain contracts that people want.

And so it's like, oh, that's a good thing regardless. Let's just do it. I think it makes great sense to take concrete steps today that we know are good steps and keep watching the quantum computing and the post-quantum cryptography in the meantime.

Impacts on Mining

And last question on Bitcoin, well, on this side of Bitcoin, I do want to get into how contentious a soft fork may be in this scenario, but does it have any impact on mining? Obviously, to open a channel, you have to do a transaction, so it has an impact there. Is there anything else? Definitely. Things are so complicated here, right? So we've been developing Bitcoin with elliptic curve keys in mind for a decade and a half already. And so we have hierarchical deterministic wallets that use elliptic curve key transformations to derive the keys.

MuSig2 and FROST are elliptic curve key aggregation protocols. We've got Lightning point time lock contracts being worked on. Those are key based. We've got silent payments, which is a very elliptic curve specific method of doing more private addresses. We've got all this stuff that's all based on elliptic curves. And so absolutely, it impacts everything about Bitcoin. You know, DLCs, like all these technologies that we rely on for Bitcoin are based on the elliptic curve math.

And we would have to kind of redevelop them for whatever type of post-quantum signature we build. So there's a lot of work coming up.

Okay, so let's get into the juicy topic of an actual soft fork happening, like the idea of a soft fork happening to just improve Bitcoin or change Bitcoin in a way that you might get, like, I don't know, CTV or whatever it might be. These have become already, like, really hot-button topics. Like, it seems like, I don't think Bitcoin's ossified, but it's always trending more and more towards ossification. Like, these are getting more and more contentious. Do you think this would be an easy soft fork to actually implement?

Implementing a Soft Fork

I think that the ossification kind of narrative is largely an artifact, I would say, of the past, of the block-size war and of other things.

And I don't know, I can't predict the future, of course, but I think there is a memetic shift that will happen when the right combination of proposal and person and timing happens. Maybe it's this quantum narrative right now that creates that shift, so that we see BIP 360, as the kind of best example right now, being implemented as a soft fork and people seeing kind of a different viewpoint on Bitcoin soft forks, where instead of Bitcoin soft forks being the big SegWit change

that added more block space or the big taproot change that took away certain kind of weird restrictions in how Bitcoin could be used, we see instead, oh, Bitcoin is improving in a slow and steady, responsible way to mitigate future risks that maintain the security of the system. And so I think the whole narrative will change at some point because everything is driven on memes. That's the fundamental learning of our lives on the internet and of Bitcoin. And the memes will shift at some point.

And instead of there being this ossification narrative, there'll be just the natural thing of, oh, yeah, we're going to solve quantum gradually. We're going to do BIP 360 today. We're going to do some other thing tomorrow. And we're going to add quantum-resistant signatures at some point later when they're ready. And that's just the obvious natural thing. So I do think it'll happen. I don't know if it's going to be easy, but I think we'll just see a shift in memetics and it'll just happen.

So I'm going to put you on the spot and make you do a prediction. Do you think a quantum soft fork will be the next soft fork? If we count BIP 360 as a quantum soft fork, which is how it was originally built, I'm going to go with yes. I would say yes, that is the most likely next soft fork. I think the other option that's really out there for our next soft fork is probably the consensus cleanup. And I think that's also a good change. I think it will go at some point.

But it has much more to talk about. Not even that any of it is wrong or weird. It's just got more stuff. Whereas BIP 360 is a very focused, very single change that I think makes sense for a whole bunch of reasons. And so it's going to be easier to have the conversation about BIP 360. So I think it's more likely to be the one that shifts the memetics.

The funny thing with that one would be, if there was a huge breakthrough in quantum computing, and we thought we didn't have three years or two years, however long it takes to migrate all of these coins, and we needed to put a block size increase in it as well. Like, that's how this could get really contentious. Man, that'd be a mess. Yeah. And there's so many messy things out there, because Jameson Lopp proposed confiscation and we should start confiscating soon.

And that, of course, was like, whoa. So there's a lot of controversy to be had. And I think that's why BIP 360 is very appealing as a next soft fork because it basically dodges all the controversy. It's just a stepwise improvement. It's better for certain contracts today. It's better for both quantum in the future. It has support from all different circles. Lightning developers like it for certain things. Ark developers like it for certain things. Everyone likes it.

So I think, yeah, I'll go with yes. A quantum change, BIP 360 in particular, is the next soft fork. That might be bearish on CTV. Why does Jameson think we should start confiscating coins now? I've not seen that.

So I think the idea was that we should deploy post-quantum crypto, and as soon as it's deployed, we should start a clock that includes confiscation X, Y, or Z years after, like, it stops the creation of new quantum vulnerable coins after three years and then stops the spending of quantum vulnerable coins after five years, something like that.

So it wasn't, like, immediate confiscation, but it was, like, as soon as we can do a post-quantum fork, we should, and as soon as that's done, we should start a clock. And I think you and I would agree that we should not do that. If we have a post-quantum fork, people can voluntarily move their coins, and the other coins are the quantum attackers'. That's part of the definition of the system. But at least, it's not as crazy as I first made it out to be. Sorry, Jameson.

I think when you, if you look at Satoshi's coins, like, I don't know, people estimate it has a million. They're in a ton of different pay-to-pubkey addresses. He talked about quantum computing, I think. He must have known that this was a potential future thing and he still left his keys vulnerable. Like, I think you just have to accept that decision that he made.

Logical Devices

I don't disagree. Yeah. It's going to be interesting. Is there anything else on the quantum side that you're like really paying attention to at the moment? Well, the one thing I mentioned already of the idea of maybe we don't need logical qubits and maybe that we should be building logical devices rather than logical qubits and then tying those together. That's something I'm definitely following.

The particular person I was talking to was not totally compelling on that topic, but if that were to be the case, it could reduce one more hurdle in the way of quantum computing ever working. So, yeah, I think people who know me know I'm open to having my mind changed, but it takes evidence. As of now, there's no evidence that quantum is a kind of a current threat.

Yeah, I mean, I've really liked both listening to your work and seeing what you've been putting on Twitter, because like I said, I was just kind of going along with the narrative that a load of changes were happening in quantum. It was getting really close. And I think listening to you has made me far less worried about this. I don't think it's a never problem, but I think it's a long way away. So Bitcoin's going to be fine. We're going to make changes if we need to.

And it's going to be interesting. We'll have a lot of content out of it. The podcast industrial complex will survive. Exactly. Brandon, this has been awesome. Thank you, man. Is there any way you want to send anyone if they want to check out everything that you're doing? Yeah, follow me on X. I'm mostly, as Robin Linus likes to call me, I'm an addict of X. I'm there all the time. I post about Bitcoin stuff and other topics there. As I said earlier, I'm starting a consulting business this year.

So if you need help with anything Bitcoin related, hit me up. I'm happy to talk about how we can help with your Bitcoin questions and do Bitcoin stuff. So what are you doing? Are you targeting like startups and businesses that might need help? That's the thought. Mostly, yeah, is if you're writing a new Bitcoin wallet or a new Bitcoin script, I have expertise in scripting and kind of security modeling for Bitcoin applications.

So if someone needs some help, they're either building it or reviewing it. I want to make myself available. Awesome. If you're vibe coding an app and you actually can't read code, speak to Brandon. This has been awesome. Thank you, man. I will definitely follow up with this. Hopefully it's in 10 years and it's still 10 years away. But appreciate the time, man. It's been cool. It's been great. Thanks, Danny.

Transcript source: Provided by creator in RSS feed.