Quantum computing could break elliptic curve cryptography (ECDSA) used in Bitcoin and Ethereum, allowing attackers to derive private keys from public keys and steal funds. Additionally, quantum computers could disrupt Bitcoin's proof-of-work mining by significantly accelerating the search for valid nonces, potentially centralizing mining power.
Quantum computing is still in its early stages, with the first logical qubit demonstrated by Google's Willow chip. Breaking cryptographic codes like RSA or ECDSA would require millions of physical qubits and thousands of logical qubits, which is currently beyond our capabilities. However, progress is accelerating, and some experts estimate it could take a decade or more to achieve this.
Quantum computers exploit quantum mechanics to solve specific problems exponentially faster than classical computers. They use superposition and interference to perform computations, but they are not universally faster. Quantum computers excel at tasks like factoring large numbers (Shor's algorithm) and searching large datasets (Grover's algorithm), but they offer little advantage for many everyday computing tasks.
If quantum computers can break ECDSA, attackers could steal Bitcoin from addresses where public keys are exposed. This includes Satoshi's 1 million Bitcoin and other stagnant or lost coins. Bitcoin would need to hard fork to implement post-quantum cryptography, but this would require social consensus and could disrupt the network's immutability and property rights.
Ethereum is exploring upgrades to its cryptography, including post-quantum secure signature schemes and consensus mechanisms. Account abstraction allows users to adopt quantum-resistant cryptography without requiring a hard fork. Ethereum also has plans to upgrade its BLS signatures and implement quantum-resistant data structures like binary Merkle trees.
Quantum money uses the no-cloning theorem of quantum mechanics to create physically unclonable cash. Unlike traditional cryptocurrencies, quantum money does not rely on proof-of-work or consensus mechanisms. It allows for secure, trustless transactions without the need for a blockchain, but it requires advanced quantum technology to preserve quantum states over time.
Experts estimate it could take 10 to 30 years for quantum computers to become capable of breaking current cryptographic standards. However, the timeline depends on advancements in quantum error correction, qubit scalability, and investment in quantum research. Governments and private companies are already investing billions in quantum technology, accelerating progress.
Quantum computers could use Grover's algorithm to accelerate the search for valid nonces in Bitcoin mining. This could give early adopters of quantum mining hardware a significant advantage, potentially centralizing mining power. Over time, as quantum mining becomes more widespread, the proof-of-work difficulty would adjust, but the transition could be destabilizing.
Satoshi's 1 million Bitcoin could become a target for quantum attackers if the private keys can be derived from public keys. This could lead to a massive transfer of wealth to whoever develops the first capable quantum computer. The Bitcoin community may need to hard fork to protect these coins, but this would require significant social consensus and could challenge Bitcoin's principles of immutability.
Post-quantum cryptography often results in larger signature sizes, increasing transaction costs and bandwidth requirements. Ethereum is exploring optimizations like signature aggregation and new peer-to-peer network architectures to mitigate these trade-offs. Despite the challenges, the transition is necessary to ensure long-term security against quantum threats.
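The summary above says quantum computers gain their advantage from superposition and interference, and that Grover's algorithm could speed up the search for a valid nonce. The toy simulation below is an added example, not code from the episode or from any quantum SDK: it runs Grover's search on a classical machine by storing one real amplitude per basis state (so an n-qubit register costs 2**n numbers, the same exponential bookkeeping the conversation describes). The 3-qubit register, the marked index 5 and the labels are constructed for illustration; nothing here models hardware noise or error correction.

```python
"""Toy state-vector simulation of Grover's search (constructed example)."""
import math
from typing import List, Optional


def uniform_superposition(n_qubits: int) -> List[float]:
    """Amplitude 1/sqrt(N) on all N = 2**n_qubits basis states (Hadamard on every qubit)."""
    n_states = 2 ** n_qubits
    return [1.0 / math.sqrt(n_states)] * n_states


def born_probabilities(amplitudes: List[float]) -> List[float]:
    """Born rule: the probability of measuring each basis state is |amplitude|**2."""
    return [abs(a) ** 2 for a in amplitudes]


def phase_oracle(amplitudes: List[float], marked: int) -> List[float]:
    """Negate the amplitude of the marked state.

    This is where the search predicate enters (for a hash puzzle it would be
    'does this nonce hash below the target?'). A negative amplitude has no
    classical analogue: measured on its own it is as likely as any other state.
    """
    out = list(amplitudes)
    out[marked] = -out[marked]
    return out


def diffusion(amplitudes: List[float]) -> List[float]:
    """Inversion about the mean: a -> 2*mean - a.

    Amplitudes above the mean shrink (destructive interference); the negated
    one ends up far below the mean, so it grows (constructive interference).
    """
    mean = sum(amplitudes) / len(amplitudes)
    return [2.0 * mean - a for a in amplitudes]


def optimal_iterations(n_states: int) -> int:
    """Grover needs about (pi/4) * sqrt(N) oracle calls; more than that overshoots."""
    return math.floor(math.pi / 4.0 * math.sqrt(n_states))


def grover_search(n_qubits: int, marked: int, iterations: Optional[int] = None) -> List[float]:
    """Return the amplitude vector after `iterations` Grover steps (default: optimal)."""
    state = uniform_superposition(n_qubits)
    if iterations is None:
        iterations = optimal_iterations(len(state))
    for _ in range(iterations):
        state = diffusion(phase_oracle(state, marked))
    return state


def marked_probability(n_qubits: int, marked: int, iterations: Optional[int] = None) -> float:
    """Probability that a final measurement returns the marked state."""
    return born_probabilities(grover_search(n_qubits, marked, iterations))[marked]


if __name__ == "__main__":
    n_qubits, marked = 3, 5          # 8 candidate "nonces", one of them valid (constructed)
    n_states = 2 ** n_qubits
    print(f"classical brute force: {(n_states + 1) / 2:.1f} expected checks on average")
    for k in range(4):
        p = marked_probability(n_qubits, marked, iterations=k)
        print(f"grover after {k} oracle call(s): P(marked) = {p:.4f}")
```

Reading the output: with zero iterations the register is an equal superposition and measuring it is just a random draw (1/8 for the marked state); after two oracle calls the marked state carries 121/128 of the probability, and a third call overshoots back down to 169/512. The speedup is quadratic (about sqrt(N) oracle calls against N/2 classical checks), not exponential, and in a real hash puzzle every oracle call is a full reversible evaluation of the hash function on error-corrected logical qubits, which is the cost that the "quantum miner" picture tends to leave out.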
If let's say there's only a few entities in the world that have scalable quantum computers, right, that allows those entities to mine a lot more Bitcoin than everyone else. Now, eventually, if you got to a world where, you know, just about everyone had access to a quantum computer, then it's kind of amusing what would happen. Welcome to Bankless, where we explore the frontier
of internet money and internet finance. And today we're exploring the frontier of quantum computing and its effect on our internet money. What's it going to do? Are quantum computers going to take all of our Bitcoin? This is Ryan Sean Adams. I'm here with David Hoffman, and we're here to help you become more bankless. Guys, special episode. It's divided into multiple parts, I would say. The first part, we have Scott Aaronson on the podcast. He is a theoretical computer scientist. He is a foremost expert in
quantum computing. We also have Justin Drake on the podcast for part of the first part and he asks Scott Aaronson some questions as well, particularly about the effect of quantum computing on our cryptocurrencies like Bitcoin and Ethereum. Now, because the subject matter goes very deep
in quantum fundamentals. You might feel, bankless listener, like you're hanging by the seat of your pants just trying to keep up with these big brains and some of the ideas propelled forward. So never fear. We have a final part of the podcast, a third part of the podcast, where it's just David, myself, and Justin Drake. And what we do is we try to synthesize everything we've learned. And that for me was one of my favorite parts of the episode because it was
taking everything big brain that Scott Aaronson said, and applying it directly to Ethereum and Bitcoin, what could happen in the crypto sphere. So three parts to this episode, and you guys are welcome to skip to one of those parts if you get too lost in the weeds at certain sections. Yeah, I would say the first part of this episode is two high schoolers asking a PhD about quantum
computing and trying to get that PhD to really put it into simple terms. And I think I thought we did okay there. If you use 100% of your brainpower, Bankless listener, I think you'll kind of catch a vibe. You'll catch a direction for it, but it does get pretty technical pretty quickly. And then when Justin takes over, it starts to focus more and more on how this relates to crypto.
though. And so the way that this podcast starts is, what is quantum computing? How is it different? How does it work? How does it change and impact the world? And then as we move, progress further into this podcast, it's how is this going to impact our bags?
What's going to have to change? What are we going to have to change in Ethereum? How is Bitcoin going to have to navigate these changes, which is an even more difficult conversation that I'm less optimistic about. And overall, I just learned a lot. It's an honor to have Scott on the podcast. He's a big deal Chad in this space of quantum computing. And I would also say how quantum computing relates to crypto is going to be kind of a microcosm for how it impacts the rest of society.
Crypto is not the only industry that is going to be impacted by this. The rest of the world is going to be impacted by this. And like other examples, I think crypto is going to be a little bit of a spearhead, a canary in the coal mine, because we're going to tackle this first because we see it coming and we're futurists and we pay attention to stuff like this.
which is why we are doing this podcast. Yeah, we are. And it's actually a bigger deal than I thought going in. Like it will have a more fundamental impact on cryptocurrencies than I thought going into this episode. So guys, we appreciate it. Let's get right into the episode with Scott Aaronson and Justin Drake. But before we do, we want to thank the sponsors that made this possible.
With over $1.5 billion in TVL, the mETH Protocol is home to mETH, the fourth largest ETH liquid staking token, offering one of the highest APRs among the top 10 LSTs. And now, cmETH takes things even further. This restaked version captures multiple yields across Karak, EigenLayer, Symbiotic, and many more,
making cmETH the most efficient and most composable LRT solution on the market. Metamorphosis Season 1 dropped $7.7 million in COOK rewards to mETH holders. Season 2 is currently ongoing, allowing users to earn staking, restaking, and AVS yields, plus rewards in COOK, mETH Protocol's governance token, and more. Don't miss out on the opportunity to stake, restake, and shape the future of mETH Protocol with COOK.
Participate today at meeth.mantle.xyz. Celo is transitioning from a mobile-first, EVM-compatible Layer 1 blockchain to a high-performance Ethereum Layer 2 built on the OP Stack with EigenDA and one-block finality. All happening soon with a hard fork. With over 600 million total transactions, 12 million weekly transactions,
and 750,000 daily active users, Celo's meteoric rise would place it among the top Layer 2s, built for the real world and optimized for fast, low-cost global payments. As the home of the stablecoins, Celo hosts 13 native stablecoins across seven different currencies, including native USDT on Opera MiniPay,
and with over 4 million users in Africa alone. In November, stablecoin volumes hit $6.8 billion, made for seamless on-chain FX trading. Plus, users can pay gas with ERC-20 tokens like USDT and USDC and send crypto to phone numbers in seconds. But why should you care about Celo's transition to a Layer 2? Layer 2s unify Ethereum; L1s
fragment it. By becoming a Layer 2, Celo leads the way for other EVM-compatible Layer 1s to follow. Follow Celo on X and witness the great Celo happening, where Celo cuts its inflation in half as it enters its Layer 2 era and continues its environmental leadership.
Bankless Nation, I'm honored to introduce you to Scott Aaronson. He is a theoretical computer scientist, and he's a chair at the University of Texas at Austin, where he directs the Quantum Information Center. He's an expert in quantum, and over the last two years, he was actually on leave. He was working on AI safety at OpenAI. So it's safe to say we have an expert in at least two domains of interest today, quantum computing and AI.
Scott, welcome to Bankless. Well, thanks so much. It's great to be here. Joining us because this is kind of an intimidating subject matter for David and me. We're going to need help. We've got Justin Drake. You know Justin from the Ethereum Foundation as well. He's going to serve as technical co-host for a portion of this conversation. Justin, how are you doing? Doing great. Thanks for having me and a real honor to be on the podcast with Scott. Yeah, great to see you, Justin. Yeah, it's great to have Scott interacting with the crypto community.
because we have a quantum intersecting crypto here and that's kind of the genesis for this conversation. I think David and I have a simple goal for this episode, which is just to get crypto people up to speed on quantum computing, because I feel like we just don't know enough right now. We've heard the scary news that quantum might be used at some point in the future to break our cryptography and to steal our cryptocurrency. So that's kind of scary. And so what I want to do for bankless listeners is break this into two parts.
Part one will be what I call the kind of the little brain questions. As for David and myself, we're gonna ask you about the quantum 101, kind of the popular beliefs about quantum, make sure we have a good grounding and foundation. And then part two, Justin's going to lead. That's more the big brain side of things where you guys can talk about cryptography, quantum, will this break Bitcoin? Will this break Ethereum? And if so, how? We'll do our best to keep up. Yes, thank you. You guys ready for this?
Perfect. I got the head shake acknowledgement, which is just as good as the verbal. Let's get into the small brain, Quantum 101. Okay, so there was this thing that happened about a month ago. This was early in December. The CEO of Google tweeted something out. Sundar, the CEO of Google. He said, Willow, our new state-of-the-art quantum computing chip with a breakthrough that can reduce errors exponentially as we scale up using more qubits, cracking a 30-year challenge in the field. So introducing a new state-of-the-art quantum computing chip, Willow.
And this, I think, broke mainstream news. It broke into crypto and started us talking once again about quantum computing and how it might affect cryptocurrency moving forward. So there's a lot of worries around this. I want to start the question with maybe this tweet. The Google Willow chip. Is this a major breakthrough from your perspective? I mean, you've been working in quantum for 20 years. How big of a deal is this? I mean, I would call it an engineering milestone.
So it's not that it overturns anything that was previously believed or represents some great new discovery. I mean, this is stuff that, as theorists, was predicted in the 1990s, right? That once you get qubits that you can act on with a low enough error rate, then you can do these very clever quantum error correcting codes.
that will protect your underlying logical qubits even better than the physical qubits are being protected. And in principle, you could then preserve encoded qubits for arbitrary amounts of time. So this is a theory that's been in place since 1996 or so. But what's exciting is that 30 years later, we are only now finally starting to experimentally demonstrate some of these predictions.
So the milestone that Google announced in December, it was actually a paper that they had online since the summer. So it was sort of old news to us by the time that Google announced it in December. But they have now built a chip with like 103 physical qubits, I think. That's what Willow is. It's superconducting qubits arranged in roughly like a 10 by 10 grid.
And they use them to implement something called the surface code, which is a quantum error correcting code. Again, as theorists, we've known about since 1997.
But for the first time, they're doing it in a way where as they scale to larger and larger surface codes, so like from a 3x3 array to a 5x5 to a 7x7 and so forth, they are preserving an encoded qubit for longer and longer amounts of time, right?
So they've passed the threshold where going to a larger code gives you more and more of a net win. It's kind of like the Fermi pile in 1942, past the threshold where each nucleus decaying is causing more nuclei to decay. This is some kind of important threshold. So now it's still not good enough to do a full
scalable, fault-tolerant quantum computation. I mean, for one thing, we're only talking for now about one encoded qubit that is just sort of sitting there. A next step would be to build multiple encoded qubits, have them interact with each other.
So that hasn't been done yet with encoded qubits of this quality. And, you know, if you really wanted to, I mean, we'll get into this later, but if you really wanted to break cryptographic codes, then you'd probably be talking about millions of physical qubits.
in, you know, possibly in hundreds or thousands of dilution refrigerators, you know, all with interconnects. So long story short, we're not there yet. Okay, but, you know, this is an important milestone, something that theorists talked about since the 90s. And it is exciting that just within the last year, you know, we've seen that cross, you know, and, you know, there have been skeptics of quantum computing who have, you know, I think, you know, firmly predicted that, you know, we would never get this far.
Right. That, you know, like we don't really understand quantum mechanics itself or, you know, there are sort of sources of correlated noise that violate the assumptions of the theory of quantum fault tolerance. And, you know, when we try to build this, we're going to see that it's going to make quantum computing impossible, you know, and we haven't seen any sign of any of that.
Everything seems to be working just like the theory in the 1990s said it would. So I would say that's the main upshot. Well, that does seem significant from the perspective of kind of the theories being worked out now in engineering. And so this is an engineering milestone, as you said. So a big question then is like, how much will this accelerate moving forward? Right. And are there any analogs? I mean, are we looking at kind of the transistor and Moore's law? Are we looking at something as explosive as AI, which
just seemed to, like, we went from Transformers and then suddenly there was, you know, GPT and now we're seeing monumental gains. Like, how fast could this accelerate moving forward? Yeah, I mean, you can always try to look for historical analogies, right? I do that as well. I do it all the time. It's also hazardous, right? Because each
situation is not quite the same as the previous ones, right? In this case, you know, I think my main caution would be, you know, some people just, you know, they hear all these exciting things about quantum computing and they expect that, okay, then this must just be the next frontier that is going to replace all of our existing computers, right? It will just revolutionize everything.
And the hard part with a quantum computer is that in order for it to be useful, you have to beat a classical computer. Classical computers already exist. They are one of the triumphs of civilization. And we can get into this later, but it is mostly for certain very special tasks.
that we know how to get a huge advantage with a quantum computer over a classical one. And for many, many other tasks, for many, you know, I'd say the majority of what we do with our computers on a day-to-day basis, a quantum computer would probably help you little or not at all.
Right? It would, you know, you could use a quantum computer to check your email or to play Candy Crush, but it would be like using the space shuttle to taxi people around the parking lot. Right? It would just not make sense.
Okay, so, you know, you really have to look at, you know, these specific applications where a quantum computer promises an improvement, right? And even once, you know, we achieve the full promise of quantum computing, I mean, those are, you know, I think it's going to be certain specific industries where we're mostly going to see the effect. Okay, so that's, I think, the first thing for people to understand and that really differentiates this from AI, for example.
I like to say that the difference is with AI, you don't have to, you know, beat anything that humans can do. It is enough to achieve parity with a mediocre human. And that already changes the world.
Right? With quantum computing, you really have to beat classical computing, right? And it's a miracle that that ever happens. But, you know, it's mostly for certain specific problems where it does. Okay, so, you know, the types of problems where quantum computers can help or not help, you know, that we can discuss in as much detail as you like, right? Because in some sense, we know a great deal about that. And the timeline, how long this is going to take, that we know less about.
Right? Or rather, you know, if I did know a lot about that, then I wouldn't be a professor, I would be an investor.
So, you know, all I can do is just sort of, you know, look at scatter plots, you know, look at, you know, what promises were made over the last 20 years by, you know, the various quantum computing efforts and how on track are they in delivering on those promises. And if you look at that, what you see is that, well, it seems like
We have come an incredible distance since where we were when I entered this field in the late 1990s. It's been more than 20 years now, right? But in the 90s, it would have been amazing to get just two qubits to talk to each other with, say, 50%
fidelity, you know, 50% accuracy, right? And then, you know, we knew that, okay, if you could get that really, really close to one, like to, you know, 99.999% or something like that, then quantum error correction starts to kick in. And then you can push the effective error all the way down to zero. But you know, that just seemed like so far off from where people were. Okay, but
You know, over 25 years, what happened was that that 50% fidelity became 90%, became 99%. And now in, you know, the latest systems such as, you know, those of Google or Quantinuum or QuEra, you know, it's 99.8% or 99.9%.
And in the meantime, the quantum error correction methods have also improved, right, so that they can cope with larger amounts of error. And so we are now at...
We're very, very near the threshold where, in principle, quantum error correction does become a net win as you scale up. Okay, so, you know, that's not to downplay the sort of enormity of the engineering work that is ahead of people, right? But, you know, if you just look at the error rates, right, as a function of time, you know, that looks pretty good.
And it looks like if people wanted this badly enough and were willing to spend enough money, I certainly can't rule out that within the next decade that they could get useful quantum advantages. I mean, it's sort of like asking a nuclear physicist in the 1930s.
Right, you know, how long until we're going to get a critical mass, right? And like Niels Bohr, for example, was asked that question, and he said, well, it's not going to happen for, you know, in any foreseeable future because you would have to convert an entire country into a uranium enrichment factory.
basically, right? It's just fanciful, right? And then, you know, apparently like in 1943, he toured the Manhattan Project and then he said, well, I see that that's what you've done. So, you know, at some point it just becomes a question of, you know, how much is someone willing to spend? You know, how badly do they want this, right? And so the timeframes, you know, depend on all sorts of things that, you know, I as a theoretical computer scientist, you know, I'm not
able to predict very well. Okay, but, you know, we'll get into this shortly, but I would certainly say that, you know, people who have encrypted data that they want to stay secret for the next decade, yeah, you know, if I were such a person, then I would probably already be, you know, looking to migrate to post-quantum or quantum-resistant methods of encryption.
I think that really helps us place ourselves in history as it relates to this quantum arc development. We are somewhere in the inflection point of going from research and theory into practicality, and it's kind of just becoming a matter of time of willpower and expense.
And Scott, I do kind of want to return back to something you were saying earlier about the differences between quantum computing and classical computing, because I think this is really the first big aha moment that I want listeners to really integrate into their brains. The metaphor that I've had to understand this for me personally that I think worked very well
is trying to get people out of the idea that a quantum computer is just a faster classical computer. For example, you know, there's an arc of automobiles that we can say first we had the Model T Ford and now we have, you know, Ferraris and Toyotas that work very well and they're very dependable. And that's a coherent directional arc of progress of that technology. I mean, the speed hasn't really increased all that much, certainly not exponentially.
But yes, they certainly look sleek. But what we're not doing with quantum computing is we're just making a better classical computer. It's much more like something where we're actually making a boat and we're going off into a different frontier that cars were not able to explore or navigate. It doesn't matter how good the engine you made and put it into a car. It's not going to help you on water.
And what quantum computing is like, well, we're actually changing the shape of the frontier that we're navigating. We're going into a different uncharted land. And now we are able to explore a different field of mathematics. And there's different applications. There's different utility out there. That was a really helpful metaphor for me. Maybe you can extend that metaphor and run with that and help explain that a little bit. Yeah. I mean, like most metaphors, that one has both good and bad to it. Correct.
I mean, you know, a quantum computer would really harness nature to do computation in a fundamentally new way, right? It's the first device since Alan Turing, really, that changes, you know, the basic rules of what is efficiently computable and what isn't, right? And it does that because it is exploiting the laws of quantum mechanics.
So quantum mechanics famously says that systems can be in what are called superposition states. So a quantum bit, what we call a qubit, can be in a superposition of the zero state and the one state, which means that you have some number, which is called an amplitude, which is attached to the possibility that the qubit is zero, and you have another amplitude that's attached to the possibility that the qubit is one.
right? And so it's not definitely one or the other. Now, if you look at the qubit, if you measure it to ask, you know, which one it is, then you'll get a definite answer, right? It will tell you, you know, either that it's zero or that it's one. And the probability of
of each possible outcome will be related to the amplitude by a very famous rule in physics called the Born Rule. It says you take the square of the absolute value of the amplitude to get a probability. But the key thing is that these amplitudes are not themselves just probabilities. What is a probability? It's a number from zero to one.
Right? You could talk about a 30% chance of rain or of, you know, someone winning an election, but you'd never talk about a negative 30% chance. That would just be nonsense. Okay? But amplitudes can be positive or negative. In fact, they can even be complex numbers. So this is the key, right? This is the key thing that we learned about reality, you know, in 1926.
that somehow under the hood, nature is using these numbers that are closely related to probabilities, but they're not because they're complex numbers, right? They're these amplitudes, okay? And so now that's already interesting if I talk about, you know, a single qubit, you know, which could mean like an electron that
could be in one of two locations, or that could be spinning either clockwise or counterclockwise about some axis, has some little degree of freedom. But it's even more interesting when I talk about multiple qubits.
because the rules of quantum mechanics, which have been experimentally confirmed over and over thousands of times for the last century, they are unequivocal that if I have, let's say, two qubits,
now I need four amplitudes. Okay, I need an amplitude for both qubits to be zero. So for this state zero, zero. And then I need an amplitude for the first qubit to be zero and the second to be one for zero, one. And then I need an amplitude for one, zero and an amplitude for one, one. Okay, if I have
three qubits, now I need eight amplitudes, right? One for every possible three-bit string. If I have, you know, a hundred qubits, two to the hundred power amplitudes, right? And if I have a thousand qubits, now that's actually more amplitudes than could be written down in the entire observable universe. Okay, it's two to the thousand power.
Right? So in some sense, ever since we've known quantum mechanics, like we've known that nature off to the side somewhere is storing this vast scratch paper, you know, with this unbelievable number of parameters, you know, just to keep track of the states of, you know, rather small numbers of particles, like a few hundreds or thousands, right? And every time something happens to those particles, nature has to cross off all of those numbers and replace them with new numbers.
Now, it's true that we never directly see those numbers. You never directly see an amplitude. But we need them to calculate the probabilities of the various outcomes that we do see.
So this is the basic story. So chemists and physicists have known about this for generations, this sort of exponentiality that is at the core of quantum mechanics because of this sort of explosion of amplitudes. They've known about it mostly as a practical problem. If you're trying to simulate chemical reactions or simulate materials using a classical computer, you have to solve
what's called the Schrödinger equation, which is the central equation of quantum mechanics, and which basically just tells you how the amplitudes are changing over time when a system is isolated, when your qubits are isolated from the outside world, like when no one is measuring them. And it just says that they change over time by a linear differential equation
that preserves the property that the probabilities of all the different outcomes will always add up to one. That's all it says. Maybe the most important equation in physics. So in principle, we understand all that. It's even a very simple-looking linear differential equation. The trouble is just how many damn amplitudes there are.
And so as soon as people started trying to simulate, let's say, lots of entangled electrons on computers to calculate the properties of chemical reactions, they ran into that exponential explosion.
And so a lot of what chemists and physicists have been doing since the 50s and 60s has been inventing heuristics, approximations, hacks that let them avoid that exponentiality in various special cases by being clever. But in the early 1980s, a few physicists, most famously Richard Feynman and David Deutsch,
had this remarkable idea that if nature is giving us this computational lemon, like, why don't we try to make lemonade out of it? Right? So, why don't we build a computer that would itself take advantage of that same exponentiality? Okay, they called that a quantum computer. You know, of course, it was just a thought experiment at the time. Okay, but
They immediately faced the question, well, supposing that we built that device, what would it be good for? And at the time, they really only knew one answer to that question, which was, it would be good for simulating quantum mechanics itself. And I think...
more than 40 years later, you know, the truth is that is still the economically most important application of quantum computers that we know of, right? That, you know, they would give you this general purpose, you know, way to cut through this sort of exponential,
you know, explosion in amplitudes and thereby simulate, you know, whatever quantum material, whatever high-temperature superconductor or photovoltaic or protein you might care about and, you know, possibly get a, you know, a much better simulation, a more accurate simulation in a shorter amount of time than a classical computer could give you, okay? But that was not the discovery that really put quantum computing on most of the world's radar.
As long as it was just a device for simulating quantum mechanics, it was mostly just this idea kicked around by a few strange physicists and computer scientists. And what really captured people's attention was the discovery in the mid-1990s that a quantum computer could also achieve dramatic speed-ups for at least a few purely classical problems.
Problems that have nothing to do with quantum mechanics. The most famous example there is the problem of finding the prime factors of a huge number. And some of your listeners may know this happens to be the problem that underlies the security of a large fraction of the encryption that currently protects the internet. Particularly anything that's encrypted with RSA. It depends on the belief that factoring is a hard problem.
And in 1994, Peter Shor showed that if you could build a large quantum computer, then there would be a fast method for factoring large numbers. Okay? You could factor an n-digit number using a number of steps that would scale only roughly like n squared. Okay? Whereas the best classical method takes a number of steps that grows exponentially with n, actually with the cube root of n. Okay?
So that was an exponential speedup over the best-known classical algorithm. And variants of that, as it turns out, could break most of the other public key encryption that we also use to protect the internet, including Diffie-Hellman, which is based on a problem called discrete logarithms, and even elliptic curve encryption.
Okay, that would all be broken by quantum computers. Okay, and so then that really got people's attention. Okay, but unfortunately, what happened like 30 years ago was that like a certain narrative took hold, you know, about how a quantum computer would do all of this.
that's been really, really hard to dislodge, even though I've been trying for 20 years on my blog. And the narrative basically says, well, the way that a quantum computer would do this is it would just try every possible divisor of your number in parallel. It would try everything in superposition, and it would basically just be like a massively parallel, exponentially parallel classical computer.
And I think that caught on because it sounded really good. Anyone could understand why that would be useful. And it even had some relationship to something true. But unfortunately, that's not how it works. It's false in a very important way. And so now I think we can really get to the heart of...
you know, how a quantum computer is different from a classical one, right? So it's true that with a quantum computer, you can create an equal superposition over every possible solution to your problem, even if there are exponentially many of them.
You know, that's even an easy thing to do with a quantum computer. The trouble is that for a computer to be useful, you know, at some point you have to look, you have to measure, you have to get an output, okay? And if you just did that, you know, to an equal superposition, not having done anything else, then the rules of quantum mechanics, you know, this Born rule, are very clear that all you're going to see will be a random answer, right? And if you just wanted a random answer, you could have just
flipped a coin a bunch of times. You could have just picked one yourself. You could have saved yourself all the billions of dollars of building this quantum computer. Really, the only hope of getting an advantage from a classical computer compared to just a classical computer with a random number generator is to exploit the way that these amplitudes, being complex numbers, work differently from conventional probabilities.
And with every algorithm for a quantum computer, including the famous Shor's factoring algorithm, the trick is,
is that you're trying to choreograph a pattern of interference in such a way that for each wrong answer, so like each number that's not a prime factor of your number, like some of the contributions to its amplitude are positive and others are negative, so that on the whole they cancel each other out. Whereas for the right answer, you know, you want all the contributions to its amplitude to be pointing in the same way.
so that they reinforce, so that they add up. And if you can arrange that, then when you measure your qubits, you're going to see the answer you want in the case of Shor's algorithm, the prime factors of your number with a high probability.
And, you know, if you don't see it, you can always just repeat the quantum computation several times, you know, until you do. Okay, but the whole game is to use this interference between positive and negative amplitudes to try to boost the probability of seeing the right answer, you know, to higher than you could get with a classical computer. Now, it's very...
It's like nature is giving you this really bizarre new hammer, right? It's not obvious a priori that there's any useful nails that that hammer can hit, you know, other than just simulating quantum mechanics itself. Right.
That's why it took people like Peter Shor to figure this out. It wasn't obvious because you have to arrange all this interference even though you yourself don't know in advance which answer is the right one, if you already knew what would be the point. And you have to do all of this faster than the fastest classical method. Or else, again, why not just use a classical computer instead? Right.
Okay, so this is the game with quantum computing, and this is why, you know, the applications of a quantum computer have been more specialized than some people would like. To go back to your boat analogy, right? Okay, in some sense, anything that a classical computer can do, you know, a quantum computer can also do. Right.
So maybe it's less like a boat than an amphibious vehicle. But just for most of what we do with classical computers, there's no point to using a quantum computer because it's not any better. It's only better to the extent that you can take advantage of this interference phenomenon to concentrate more amplitude on the answer you want faster than a classical algorithm could do the same thing. I think the intuition that I'm getting is that quantum computers are good at
very large number management. Scott, maybe I can ask perhaps our last fun, dumb question before we hand things off to Justin Drake here. These are not dumb questions. Oh, good, good. I'm glad, I'm glad. The simple question is the pictures of the quantum computers that I've seen, why do they look so weird? Yeah. Like why, like I'm used to chips that are these like very small, flat, square, you know, metal things that fit into like my motherboard. Right.
And that is not what I'm looking at right here. So what's the deal with this? Yeah, can you describe for people just listening to this, David, what we're looking at here? This is like a quantum computer image. There's a whole bunch. I mean, if I was in charge of making a sci-fi movie in the 70s or 80s,
about some ray gun thing that was on some spaceship and I wanted to make it look as crazy and futuristic as possible, I would make something like a quantum computer machine. It doesn't look real. It looks so incredibly complex that you don't even question the
Like, you wouldn't even question it, what it does, if you saw this in a movie. So I think that the key to answering your question is to just remember what classical computers looked like in the 50s, right? They also looked really, like, intimidating and science fictional, right? You know, of course, they would be much less powerful than anyone's iPhone is today, right? But, you know, because people were just learning how to build these things, right? You know, they didn't have all the components just, like, etched.
to one little microscopic chip, right? That, you know, it was all out there to be looked at. And I think that's the reason for the science fiction-y appearance. So in those pictures, you know, I should caution that I am not an experimentalist. You know, I do get taken on lab tours, you know, and talk to my experimental colleagues. But, you know, they make me promise up and down not to touch anything.
But again, in a lot of these pictures, what you're seeing is basically just a dilution refrigerator, right? So most of that fancy stuff, you know, all it's for is for cooling down your chip. So, you know, now it has to be cooled down very cold to, you know, with superconducting qubits, they typically cool them to about 10 millikelvin.
which is like a hundredth of a degree above absolute zero. And the reason for that is that it's only at such low temperatures that you really see your degrees of freedom behaving as qubits, you know, staying isolated from their environment, not getting measured by their environment, you know, and being able to persist.
for a long time, and by a long time, we might mean like 50 microseconds or something like that. So, you know, not long by human standards, but, you know, long enough to do something interesting with them, right? We need them to sort of stay in these superposition states without the environment getting in the way. Okay, so basically, when you're looking at those fancy images, you know, in many of the cases, a lot of what you're looking at is just a refrigerator. Okay?
Okay, and the actual chip itself, you know, just looks like a pretty standard computer chip, right? That's where the qubits are in a superconducting device. Okay, but the reason why those dilution refrigerators, they look kind of like upside down wedding cakes.
I've heard them described as, right? It's because like each layer is cooling to a lower temperature than the layer above it. So like you have one layer that's cooling to a few Kelvin and then maybe, you know, the next layer is cooling to, I don't know, you know, a few hundred millikelvin, right? And then, you know, you get all the way down to the temperature that you want. Let's say that's 10 millikelvin and that might just be in something that's the size of my fist.
And that's where you put the chip. Okay, and the chip is where the actual qubits are. So that's where the real action is happening. And then the other thing that you see is a lot of wires, right? Because, you know, at the end of the day, we need to tell these qubits what to do, right? And what operations should they do, you know, to affect their amplitudes, to create this interference pattern that we want. And all of that control is being done by classical computers.
So you have lots of just conventional classical computing hardware. You've got often some grad students or postdocs just sitting at a Linux box or a Mac or whatever, and they're just writing code that is going to control a microcontroller that is going to send commands into the dilution refrigerator, into the chip, to tell the qubits what to do.
Okay, so all that classical electronics, that's the other thing you're seeing there. Now, if we were talking about different kinds of quantum computing hardware, like trapped ion or neutral atom or photonic qubits, then you'd be looking at different things, right? But in some sense, like...
The pictures are fun to look at, right? But like all the real action is happening in this space that we never directly see. This what we call Hilbert space, right? The sort of abstract space of possible quantum states, you know, described by these different amplitudes.
And so, you know, when I visit labs and I talk to the experimentalists, it's like, you know, we have those cool-looking things that you showed as like a very cool backdrop, but then we just end up, you know, usually on a whiteboard just talking about quantum states. It's so wild and cool and exciting that these upside-down wedding cake refrigerators allow us to tap into nature's scratchpad, and a lot of what you said
was like just so fascinating to me and it shows there's so much to learn here. At this point in the conversation, I think we're done with the David and Ryan questions. We want to introduce Justin Drake. I think a lot of people at this point in the conversation, we have the foundation for what quantum computers are, what they can do. Now we want to know how they affect our cryptography because the basis of this entire cryptocurrency industry that we've birthed is part economics
and a lot cryptography. And so if we're saying quantum computers kind of break RSA, break some of the underlying assumptions, we need to know how many of those refrigerators it takes and by when, like at what point in time are Bitcoin, 4 million Bitcoin that aren't quantum secure could be like quote unquote hacked. Anyway, let me introduce Justin into the conversation. And Justin, I don't know what you want to do, but feel free to take the reins on the rest of this conversation and get into those topics with Scott. - Absolutely. So Scott, it sounds like
You know, everything's going to plan. We've had these theoretical predictions that are coming true with the engineering. And quite famously, a couple of months ago, you wrote this statement in one of your blog posts saying that you expect that
within the next 10 years, we should have a useful, fault-tolerant quantum computer, or we will learn something fundamentally new, maybe something fundamental about how physics works. I should clarify that by useful, that doesn't necessarily mean, you know, hacking Bitcoin or, you know, breaking RSA, right? You know, I think before we see that, we're going to see quantum simulations that can tell us interesting new things about nature.
Like that, I'll be very disappointed if we don't at least see that within the next decade. And the breaking RSA part, I don't know. I don't know how long it will take. So this morning, very coincidentally, I bumped into Steve Brierley, who is the founder of Riverlane. It's a quantum computing company in Cambridge. They do quantum error correction. And he told me that he believes it will cost...
$10 billion in R&D to break ECDSA. Does that sound reasonable to you? It sounds like about as good of a guess as anyone's. You know, he would probably know more than me. Yeah, I mean, the amount, you know, I was just at a conference called, you know, Q2B, Quantum to Business in December, and I heard an estimate there that there's about like $40 billion per year globally being spent on quantum information research.
Right, research and development, now. You know, a lot of that probably depends on exactly how you define it, right? Because there's a lot of people, you know, who, you know, have things that they would have done anyway, but that, you know, that they've sort of redefined as being quantum information because it sounds cool, right? But, you know, the expenditures are reaching the billions of dollars, I would say. You know, already, like a decade ago, they passed the point where sort of
academic labs could mostly hope to compete on pure scaling. Like a professor at a university might be able to raise a few million dollars. They can't raise hundreds of millions of dollars. And I think a few hundred million dollars at this point is table stakes for just having a state-of-the-art experiment like the kinds that Google or IBM or
Amazon or, you know, the various startups like Quantinuum, QuEra, or PsiQuantum are doing. And now when you talk about scaling up, you know, to break ECDSA or other cryptographic standards, right? So, you know, you're talking about like a few thousand logical qubits.
just to run whatever version of Shor's algorithm you need to run. But now each logical qubit needs to be encoded using a quantum error-correcting code. And that itself might take hundreds or thousands of physical qubits.
Okay, so you get like thousands times thousands, basically. And so now you're talking about millions, maybe even hundreds of millions of physical qubits. Okay, and so these estimates were first done, I think, by Austin Fowler and others, you know, around 2008. You know, and they look pretty scary.
Right. I mean, it depends on how you look at it, right? It's again, you know, like think of the estimates in the 1930s of like, what is the critical mass for, you know, a nuclear weapon if you use U-235, right? Like on the one hand, it's very scary. On the other hand, it says, oh, if we merely did this, then we would have that.
Right? So now, you know, if, let's say for simplicity, we talk about superconducting qubits, right? So each chip, you know, I think can store up to a few hundred, maybe a few thousand qubits. Okay? And now if I need millions of qubits, now I'm talking about hundreds or thousands of chips. Right? And the trouble is each of these dilution refrigerators, right, only cools, you know, a pretty small volume. Right?
And so now if I need lots and lots of superconducting chips, now I'm talking about lots and lots of dilution refrigerators, whose chips all need to be connected to each other, have to be connected by sort of a quantum communications network.
And so now I'm envisioning potentially like filling a building, basically, with dilution fridges, right? Having this whole quantum network between them. Okay, this sort of thing hasn't been demonstrated yet. But, you know, if you wanted to build a scalable device using superconducting qubits, then it looks like that is where things would need to go.
In the interest of time, can I ask you some rapid-fire questions? All right. So I guess one of them that I'm curious about is when we do have a quantum computer that can break cryptography, is it going to break a very specific flavor of cryptography such as RSA or specifically BLS signatures or ECDSA? Or is it going to be a general-purpose quantum computer that can be reprogrammed to break all of the elliptic curve-based cryptography?
Oh, okay. So, I mean, once you have a quantum computer at all that is able to break, let's say, elliptic curve cryptography, I would strongly expect that to be a programmable device that you could then reprogram to break RSA, to break Diffie-Hellman, for example, you know, with...
all sorts of caveats depending on exactly what is the key size, exactly how many qubits do you have and do you need for each one of these codes, but I would expect it at that point to be a fully programmable device. But
It's very important to say that, you know, there are other cryptographic codes, most famously the ones based on lattices, for example, or just symmetric key cryptography, you know, things like DES, AES, that we don't know how to break efficiently, even using a quantum computer. Right.
Where even having a quantum computer would only make a modest difference. So that's a really crucial point. But for those codes that are breakable by a quantum computer, like the ones based on abelian group problems, so RSA, Diffie-Hellman, elliptic curve crypto, I would expect that once you can break one of them, then within very short order you can break the others also. Okay, understood. Another...
question I have is, once we have these computers, how much time will it take to break one key? And the reason is that on Ethereum we have a million validators. And so if it takes one day to break one validator, it would take a million days to break all of them. And in a similar situation with Bitcoin and Ethereum accounts, there's millions of them. Yes.
Yeah. So, like I said, the sort of initial estimates for, you know, what it would take to run a fault-tolerant quantum computation to break, you know, RSA or Diffie-Hellman are, you know, at interesting key sizes, you know, are pretty scary looking, right? You know, they involve many millions of physical qubits.
you know, possibly hundreds or thousands of dilution refrigerators. And, you know, the estimates that I've seen would be like to break a 2048-bit key, you might be running your quantum computer for a week, okay? You know, this is for a single key.
Right. But this, of course, you know, could improve in the future. Right. So you could imagine, you know, the NSA sort of building this to sort of use for very, very high value targets. Right. But, you know, you could easily imagine that there will be, you know, some interval in time when, you know, this exists.
It can be used if someone really, really cares enough to break one specific key. But even then, people might be able to go on using RSA because the breaking is very, very expensive.
Or at least it would depend who those people are. Anyone needing military-level security, they should definitely at that point be switching to lattice cryptography. But maybe for a casual user, RSA would still be safe enough. But like with most things in computing, you would expect the cost to come down over time.
So specifically with cryptocurrency, I think it's important for people to understand that there are two main places where cryptocurrencies are relying on cryptography. One of them is for digital signatures.
And the digital signatures right now, in both Bitcoin and Ethereum, as I understand it, are based on elliptic curve or other public key cryptographic codes that are quantumly breakable. So if you had a quantum computer, and if it was fast enough, then you could forge signatures, and in that way, you could steal people's crypto. Okay. But
But it would have to be quite fast. And it's possible that even after you have the first, you know, really large fault-tolerant quantum computers, they won't immediately be fast enough to actually break the signatures as quickly as you would need. So maybe you have a grace period, right? Maybe you have an interval where you can actually still use these signature schemes.
But, you know, the other important thing to say there is that we already know alternative signature schemes that plausibly resist quantum attack, right? So as you know very well, you know, people in the crypto community have already been talking about, should we migrate to these alternative signature schemes? You know, that could be a hard logistical or engineering problem. But, you know, Ethereum already demonstrated that it could do this merge thing.
That it could actually change the underlying basis of how Ethereum worked while it was still in use. And so maybe Ethereum has the capacity to do such things. With Bitcoin, maybe that's harder. But that's the signature scheme. So to a theorist like me, it's all a solvable problem.
Right? Because, you know, we know, you know, what signature schemes you could use that are plausibly quantum secure, you know, but it is a big headache to upgrade that. Right?
Right. And then there's a second big place where cryptography of some kind is used in cryptocurrency. And this is for proof of work. Right. Which Ethereum is no longer based on, but which Bitcoin and many other cryptocurrencies still are. Right. And so the proof of work is basically, you know, involves a hash function. Right.
where you have to find pre-images of some hash function in order to mine new cryptocurrency. And these problems generally don't have that abelian group structure that I was talking about before. And we don't know, even with a quantum computer, how to get exponential advantages for these sort of mining problems, these problems of inverting this hash function in order to generate new cryptocurrency. Okay.
Okay, for those types of tasks, what we know with a quantum computer is how to get a more modest advantage using a different quantum algorithm, which is called Grover's algorithm.
And Grover's algorithm compared to Shor's algorithm has a much, much wider range of application. It really does apply to just about any problem that involves searching a giant list of possible solutions. It doesn't require any abelian group structure or fancy periodicity or anything like that. But the disadvantage is that Grover's algorithm gives you only a much more modest speedup.
It's not an exponential speedup. It can basically solve just about any search problem in roughly the square root of the number of steps that a classical computer would need.
So that's clearly something, but, you know, the square root of an exponential is still an exponential, right? Like the square root of two to the thousand power is two to the 500 power, for example, right? And now the trouble is, you know, if you're going to be running a quantum computer with all this error correction, right, that induces an enormous overhead, you know, like optimistically, let's say a factor of a million, you
you know, compare it to just, you know, if you didn't need error correction, right? And so now let's say you have a problem with n possible solutions, like you're trying to mine some new crypto and, you know, you have a hash function with, you know, n possible pre-images. Okay, so then the best case would be that our quantum computer using Grover's algorithm reduces n to square root of n, right?
But really, because of the error correction, let's say we're replacing n by a million times square root of n. And so now we have to worry about that constant pre-factor. And eventually, the quantum computer becomes a net win, but only when a million times square root of n is less than n. So when does that happen? That happens when n is a trillion.
Okay. So basically for mining problems, you know, you could eventually see an advantage with Grover's algorithm, but, you know, it might not be for a while. Even after you can build a fully fault-tolerant quantum computer, you know, it still might not be a win for mining cryptocurrency, you know, until things get a lot better than they are, right? Whereas for Shor's factoring algorithm, because the
advantage is exponential, there you would much, much more quickly see the win. Okay, so I feel a need for a little brain to hop into this big brain conversation. Justin, from a crypto perspective, would you be able to summarize kind of what will break? So Scott is painting a world, a future world, not immediate, where we
might have sophisticated enough quantum computers to break some things in crypto. I guess from a practical perspective, what breaks within Bitcoin? What breaks within Ethereum? How would users feel this if like suddenly tomorrow we have such a quantum computer? Yes, I think what Scott alluded to is that there's different layers to the blockchains. There's the application layer, the consensus layer. Within the application layer, one of the most worrisome things
is that the accounts that hold the balances could get cracked, meaning that from the public key you can derive a private key to forge messages, forge signatures, and therefore steal money. So that means if there was an Ethereum account with, say,
hundred million dollars in it, right? And you would assume an attacker, a quantum computer attacker, would prioritize the big value accounts. They're not going to come steal my five dollars worth of ETH in some MetaMask private key that I have. They're going to go for the big ones. And that could theoretically be done right now on Ethereum, also on Bitcoin? Yes, so both Bitcoin and Ethereum use the same cryptography. It's called ECDSA. And
The reason why I ask this question of time it takes to break a key is, as you said, an attacker would presumably attack the bigger fish before the smaller fish.
And I asked the same question, it's interesting, to my friend Steve from Riverlane, and he said in his estimate it would take a few seconds. So it looks like the experts really can't agree on even the order of magnitude. Well, it depends enormously on what architecture we're assuming, right? Is it trapped ions? Is it superconducting qubits? Right, you know, superconducting qubits would be like, you know, the gate times would be a thousand times faster.
So yeah, so you can get wildly different estimates depending on what numbers you plug in. I see, that makes sense. This almost feels, Justin, sort of like the AI conversation of how fast takeoff is towards AGI. It's just like, we don't know all of the intricacies, not to open up another can of worms, Scott. I know you're in that field as well. But Justin, it seems like a really big deal if accounts can be hacked online.
on Bitcoin and Ethereum. That's like existential level stuff. And I know Scott was also talking about proof of work, which could be susceptible to some of this too, but maybe let's take the big thing, which is accounts getting hacked. I mean, that kind of destroys both Bitcoin
and Ethereum, again, if we had one of these quantum computers overnight, what's kind of your reaction to that? And like, are we all doomed? Because that was basically the Genesis conversation when I talked about the Google CEO rolling out Willow. There was a lot of conversation about, well, Bitcoin is doomed.
You know, like, unless it hard forks in some way, and because it's very difficult for Bitcoin to hard fork, you know, it could be susceptible to these types of attacks. So what's kind of the crypto community's reaction to this? Like, what do we do? I mean, I think Ethereum's reaction is that we use what's called account abstraction to allow for accounts that hold balances to define their own signature scheme, which could be post-quantum secure. So Ethereum today, without any hard forks, can support
post-quantum signatures. It's more of a standards and an adoption process that needs to happen through the wallet.
One of the downsides of post-quantum signatures is that they tend to be roughly 10 times larger than the pre-quantum signatures, and so you'd have to pay 10 times more gas to get them through on-chain. Okay, that's a huge downside though, right? And how about Bitcoin as well? Yeah, so I guess one positive note for the signature size is that we can have SNARKs aggregate the post-quantum signatures into a single proof, and that can be a very nice batching optimization.
In the case of Bitcoin, unfortunately, there is no real solution. There are some mitigations that you can take. So one of the big ones is that you don't expose your public key. So what you do instead is you expose the hash of the public key so that an attacker without the public key can't find the private key and attack your system. And
The idea is that you only reveal your public key for a small period of time, maybe just a few minutes until your transaction gets included in the block. And if Scott is indeed right that it takes a whole week to crack a single key, then any in-flight ephemeral key will actually be secure. As I said, that week could certainly come down, right?
I mean, you know, what is doable in a week, you know, one year maybe, you know, may indeed be doable in a few seconds in a future year. Yeah, absolutely. And so eventually, plausibly, Bitcoin will have to do some sort of a fork in order to protect itself. It'll have to introduce a new signature scheme.
But then even if it does that, there is another problem, which is the lost coins. Satoshi has a million coins that haven't moved. And unfortunately, Satoshi's coins are vulnerable in the sense that it's using an old version of Bitcoin script where the public key does go on-chain. And so anyone can go ahead and mine these coins. I have a bit of an optimistic take, which is that
Satoshi's one million Bitcoin is about a hundred billion dollars today. And if Bitcoin was to achieve parity with gold, it would be a trillion dollars. And it would basically be a hugely valuable societal bounty to basically push forward the development of quantum. And actually my friend Steve
This morning, totally unprompted, he basically asked me about Satoshi's coins because he's been thinking about potentially starting a company to do just that. - I mean, whether it's a societal benefit or not would seem to depend entirely on who gets those coins. - Who do you think that might be, Scott? Like who's the most likely party of people out there? Nation States, a tech company, who do you think can get there first?
I mean, you know, all we can say is like who is, you know, ahead right now in the race to build scalable devices. And, you know, the companies, you know, it is mostly being led by private companies. You know, I'd say for the past decade, you know, the ones that people mostly talk about are Google, IBM doing superconducting qubits, Quantinuum, you know, maybe some others like IonQ, Rigetti, PsiQuantum doing photonic qubits.
And then in China, we have less visibility into what is going on there, but the government is certainly much more heavily involved in China. I just want to make sure I understand the state of Bitcoin. So from what you're saying, Justin, what you're saying, Scott, is basically with Bitcoin, there is an upgrade path. It would require a hard fork. We all know how difficult hard forks are in Bitcoin. But say Bitcoin could...
do some sort of a hard fork to implement, you know, quantum secure cryptography, then that could be done. And that would protect most of the value on Bitcoin, most of the Bitcoin in existence. But there is a subset of Bitcoin, the early Bitcoin, including Satoshi's 1 million, which is kind of locked in the Satoshi wallet and hasn't moved since the very early days. But
not inclusive of that. I saw some other estimates that was between one and four million Bitcoin supply. So as you said, if you kind of extrapolate that forward, we could be talking about hundreds of billions of dollars or trillions of dollars, and that cannot be upgraded. So even if you did this post-quantum cryptography upgrade for Bitcoin, you can't really upgrade that one to four million in Bitcoin supply. So that's kind of a
problem. And I know the Bitcoin community has talked about this, and this is sort of the aftermath of what we saw early in December. What do you do? Do you burn the Bitcoin? Do you do something else with it? Do you slash it in some way? And that, of course, is very much against, you know, Bitcoin religion and Bitcoin, you know, canon.
And so what you're saying is this presents almost like a, not a bug bounty, but a bounty for whoever builds a quantum computer like fastest to go snatch up that Bitcoin. What a weird world we live in. I can't believe that's the reality. Is what I said just like approximately true? I hadn't thought about it in those terms before. Like Satoshi's Bitcoins is like a pirate's booty to be, you know,
snagged by whoever first builds a quantum computer, I guess, if their ethical scruples allow for that. Well, but they don't have to be ethical, to your point earlier, Scott. I mean, they could be nefarious actors. I mean, honestly, it could be North Korea. We have a lot of North Korean-based hacks in crypto today, but that's a bug bounty incentive. And so, Scott, when you're saying there's like
$40 billion a year being put into quantum computers. Well, this increases the economical value. Well, I think that's for all of quantum technology, but, you know, however people define that. But yeah, I mean, there are lots of governments that have, you know, made significant investments. You know, the U.S.
China, Singapore, Australia, you know, the UK, the EU. But I think the leading efforts to scale this up are mostly private companies, at least as far as we know in public, you know, mostly in the US and Canada, right? But, you know, of course that could change. Justin, let me get your perspective on Bitcoin. Do you think that this is existential for Bitcoin? I mean, observing the Bitcoin community for, you know, the decade or so that you've been doing this, what do you think actually happens here in this scenario? Yeah.
I basically see two scenarios. Scenario number one is that the Bitcoiners are very, very purist and don't want to touch the supply of Bitcoin because, you know, that violates the property rights of some people, including Satoshi. There is another, you know, direction, which is more subtle, which involves
freezing the coins up until there is a point where the owners can provide a proof of knowledge of the initial seed, the seed phrase that generated the public keys and the private keys. And so...
If you have an entity, for example, Satoshi, that generated their addresses from a seed, then because the key derivation process uses hash functions, then you can actually use the seed as the new private key, the new secret. That's a very nice idea. I hadn't heard about that.
Nor did I even know about the use of hash functions at that stage of it, which is crucial to that idea. Yes, exactly. It's not my idea. It's one that's been around for a few years. But unfortunately, Satoshi's coin specifically wouldn't apply. More likely than not, he'd just generate those randomly as opposed to from a seed because the 12-word...
seed standard that we have today post-dates Satoshi's. - Oh, wow. So even in that case, even with your kind of like plan B solution, that 1 million Satoshi coins would just likely be, I wonder what happens, right? Does the Bitcoin community fork? Is there kind of Bitcoin quantum and then original Bitcoin, right?
Again, this won't play out overnight, as what we found out for the big first part of the podcast with Scott. But at some point, this is coming. At some point, this is inevitable. And whether it's like, you know, 2030, or whether it's, you know, 2050, we just like don't know. But I guess the clock is ticking. Is that what you would say, Justin? Yeah. And one of the very nice things is that not all of Satoshi's coins are in the same address.
Satoshi's coins are scattered over many, many addresses that each have 50 Bitcoin because that's the amount of Bitcoin that you would get when you used to mine a block in the early days of Bitcoin. So it's many, many 50 Bitcoin bounties out there, not one lump sum. Exactly. And so you could think about it as quantum issuance that could extend the secure lifetime of Bitcoin because we all know that Bitcoin has this security problem where issuance goes to zero. Well, now we have this new, fresh,
50 Bitcoin per unit of time, where the unit of time is dictated by how fast these quantum computers can operate. And so if it takes, for example, one day to break one Satoshi address, that's maybe a totally reasonable thing where you just...
unlocking 50 Bitcoin per day and that actually secures the Bitcoin blockchain for another few years. Wait, wait, wait. Run that by me again. How does that secure the Bitcoin blockchain? So let's say it happens gradually, we see it on-chain, we're like, "Oh, you know, a quantum computer just took 50 Bitcoin in bounty and then tomorrow we see the same thing, the next day we see this." How does that secure Bitcoin? Yeah, so the way that Bitcoin is ultimately secured is people buying hardware and burning a lot of energy.
And for them to do that, they need to get paid to pay for the hardware and electricity. And Bitcoin has a decaying issuance. And so unless the fees grow dramatically by two orders of magnitude, which I don't think will happen, then we need to have some sort of a solution for Bitcoin security.
Now, these 50 Bitcoin is basically an incentive to go pay to buy hardware, in this case, quantum hardware, and to pay the electricity to power the quantum computer. And if we're talking 50 Bitcoin per day, then that will extend the secure lifetime of Bitcoin over a few more years.
That's wild. Okay, so that's the Bitcoin story. How about Ethereum? How is Ethereum positioned for this, Justin? Yeah, so actually the Bitcoin story, as Scott alluded to, is not completely finished because proof of work is itself going to be more likely than not disrupted. Oh, well, let's talk about that then first. What happens with proof of work with Bitcoin? So with the proof of work, you know, like I said, eventually you can get an advantage from Grover's algorithm.
And then that allows, if let's say there's only a few entities in the world that have scalable quantum computers, that allows those entities to mine a lot more Bitcoin than everyone else. Now, eventually, if you got to a world where just about everyone had access to a quantum computer, then it's kind of amusing what would happen, which is that the proof of work just disappears.
has its hardness just set automatically based on how much mining people have been able to do recently, right? And so all that would happen would be that the pre-images would have to satisfy an ever more stringent condition.
And, you know, so that basically the proof of work would automatically, in Bitcoin anyway, would automatically just be made harder, you know, to compensate for Grover's algorithm. And we would all just be back where we started. I mean, I have a slightly different take. I agree with you over the very long term. But the transition from classical to quantum might be very problematic. And the reason is that at no point in time do we want one single entity to have more than 50% of the hash rate. Right. And...
More likely than not, there will be a first mover. And even the second, third, fourth mover might have very big discrepancies relative to the best performer. It might be a 10x delta in performance or in energy efficiency or even orders of magnitude difference. And so my expectation is that for several years, there will be one dominant actor, which, as Scott said, would likely be either the Chinese government or...
or a company like Google or Amazon. And that's kind of scary. And so the good news that Scott pointed out is that more likely than not, we're looking at Grover disrupting Bitcoin mining way after it breaking ECDSA. Oh, I see. Yeah.
This is a longer term future, maybe on a 30 year time scale, if I were to. And Justin, could proof of work be fixed by implementing a sort of a quantum resistant proof of work algorithm that would require another hard fork, presumably, and just like be a big social like upheaval in Bitcoin? But could that happen? So unfortunately, I think the answer is no. I think...
Scott, do correct me. I mean, there are proof-of-work tasks that would give you more quantum resistance, right? More resistance to Grover's algorithm. But the truth is that at the point where you're talking about doing a fork, right, you could also just talk about, well, you know, once we get past this transition, then, you know, you just take the existing proof-of-work and you make it appropriately harder.
I mean, I've seen in the literature, like proofs of work, where a quantum computer would only give you like an n to the two-thirds power advantage, as opposed to a square root of n advantage. There's also proof of space, you know, type of protocols, like I know Bram Cohen, like Chia, has been very interested in those, and those would probably see little or no quantum advantage.
as far as I know. So you could consider forking to something like that, to proof of space. But any task that involves just pure searching through a whole bunch of pre-images to a hash function should be susceptible to a Grover speedup. If we change to a different kind of task,
like I want to find collisions, you know, I want to find two inputs to this hash function that map to the same output. Then I can find tasks of that sort where the advantage from a quantum computer is less than a square root or it's only, you know, n to the two-thirds or even, you know, n to the three-quarters or something smaller like that. So I do want to highlight something very cool, which is that
Quantum might actually be the endgame of Bitcoin, which sounds completely crazy. And the reason is that even though Quantum might disrupt the consensus of Bitcoin, Bitcoin the blockchain, not BTC the asset,
There's also this vision of quantum money where you don't even need consensus. Where basically you have money which acts like cash, where I give you a piece of cash. The whole world doesn't have to know about it. Only you and I have to know about it. And the way that it works is that...
The private keys are themselves quantum objects. They're a private superposition. And when you sign a message with your key, you're effectively destroying the private key and thereby not being able to double spend it. Yeah, so even more simply, one of the fundamental facts in quantum mechanics is called the no-cloning theorem. And as the name suggests, it says that there is no way to...
copy an unknown quantum state, right? So if I have some qubits in a superposition state and I want to make new qubits that are in the same superposition state, I can't do it, right? You know, I can measure my old qubits, but measuring not only won't tell me everything I need, it will even destroy the one copy that I had.
And so one of the oldest ideas in the history of quantum information, going all the way back to the 60s, was the idea that you could use this no-cloning theorem to create physically unclonable cash.
And this was an idea of Stephen Wiesner. He proposed a scheme that would do this with provable security, but it had the drawback that if you wanted to verify a bill is genuine, then you had to take it back to the bank that printed it.
Right. So around 2009, I sort of revived the interest in the subject of quantum money. And I came up with some proposals for schemes of quantum money that anyone could verify. Right. Not just the bank. So what we called publicly verifiable quantum money. Now, some of my and others' original proposals were then broken.
Okay, but now we have proposals for publicly verifiable quantum money that seem to be secure, you know, based on some barely accepted cryptographic assumptions. You know, we could do a lot better, but, you know, based on things like indistinguishability obfuscation, you know, if those exist in a way that's secure against quantum computers, right, then you can build this...
publicly verifiable quantum money. Now, the main drawback would be a technological one. In order to do what Justin and I were talking about, not only would you need quantum computers, you would need quantum computers that can keep quantum states, preserve them for arbitrary amounts of time, like however long you needed this money for. So you would need to keep your quantum state, maintaining it
its superposition, its coherence, for weeks, months, you know, whatever, right? And with many of the schemes, you would also need the ability to send these states around, you know, like from the sender to the recipient, which would then require like a quantum communications network, you know, a quantum internet, right?
But these are all things that you could imagine doing in some future. Now, your listeners might be amused to know that the first time that I heard about Bitcoin was in 2010 or so, 2011, when I was going around giving talks online.
about my new ideas for publicly verifiable quantum money. And then people would come up to me after the talks and they would say, you know, there's this other way of getting, you know, unclonable electronic cash. You know, there's this Bitcoin thing. You should really look into it.
Right. And so I did. And I said, oh, well, well, OK, of course you could do it that way. But then, you know, you basically require, you know, this whole distributed process over the Internet to serve as your trusted third party. And you require this blockchain that's going to grow without bounds.
right, as the thing continues. So, you know, surely no one really wants that, right? But fine, I'll have to mention this in my talks as a thing that quantum money could someday be better than, right? And, you know, of course, it never once occurred to me to say, you know, should I be buying up this Bitcoin? Should I be investing my life savings in it and holding it, right?
So Ryan, to finish off your question about what to do about it and what the impact, I think we've covered Bitcoin. In the case of Ethereum, there's one thing that we do need to change as well, which is the consensus layer. So today, the cryptography that we use in the beacon chain is called BLS signatures. It's very powerful because you can aggregate the signatures, but unfortunately, it's not post-quantum secure. And the good news is that we have...
knowledge of cryptography that can give us the same aggregation property and is post-quantum secure. There's actually a paper from the Ethereum Foundation researchers and collaborators that will be published this month. And once we do the migration, then it's end of story. There's no more doubts about proof of work potentially leading to centralization of
And so in some sense, proof of stake is much more secure against quantum computers than proof of work as it's a final solution as opposed to one which is much more uncertain. Okay. So the overall story is there's a lot going on in Bitcoin with the advent of quantum compute, both on the ability to kind of like take funds from individual accounts and also in the proof of work algorithm. And so some major...
Upgrades might be in store. However, at the end, there's a light at the end of this tunnel, which is like quantum money. That's a concept that could continue to be iterated and worked on. Or even before that, just quantum resistant, you know, conventional cryptocurrencies are also a light at the end of the tunnel.
and that would make Ethereum effectively quantum secure. Just last question on this, Justin, are there any trade-offs with deployment of using quantum resistant cryptography for Ethereum? Like does the whole thing get slower? Are there any downsides to this? So the major trade-off is that the signatures are about 10 times larger. So the consensus participants, they're casting attestations or votes
And in order to have as many attesters as possible, we want to have the messages be as small as possible.
Right now, in the context of the Beam Chain, which is meant to be this proposal to make Ethereum post-quantum secure, we're de-risking the most risky part of the design, which is specifically the post-quantum signatures and the fact that they are roughly 10 times larger. And one of the things that we're looking into right now is new ways to spread the bandwidth load in the peer-to-peer network.
So, we're going to be doing experiments with the library that we use called libp2p and basically slicing and dicing the peer-to-peer network slightly differently with a different architecture. But other than that fact, the verification costs, the signing costs, all of that is extremely good. Justin, what's your personal take on how soon we need to do that for Ethereum? Given the estimates, I know it's just like a moving target. No one really knows. What would make you feel comfortable? So,
So I think the quantum narrative is one which will age like fine wine over many, many years. I wouldn't say there is a specific rush, and actually that's one of the reasons why it's better to do the Beam Chain properly so that we have a solution that will stand the test of time as opposed to rushing something.
What I would like to see is on a five-year timescale having post-quantum cryptography. Part of the reason, something that I learned very recently, is that ECDSA is being deprecated by NIST. So I have some dates here. So in 2030, ECDSA will be deprecated and it will be disallowed in 2035. And so what I expect could happen as a consequence is that
highly regulated institutions might just be disallowed from touching Ethereum if we don't do these upgrades ahead of time. Yeah, and NIST held a competition to agree on standards for post-quantum cryptography, which ran from about 2017 to 2022. And that converged around what's called lattice-based cryptography.
You know, learning-with-errors-based cryptography is sort of the main quantum resistant alternative that is standing. And so NIST is, I think, already urging people to start this transition. And I recently learned that companies like Google are apparently already doing this.
So the transition to post quantum crypto is already happening to some extent. This has been amazing, Scott, Justin. So it sounds like we are not doomed that cryptocurrency will be able to get out of this on the other side, that it will require some significant upgrades.
And it's not happening anytime soon, massive quantum computers that can break our cryptography, but it could happen. And I guess we should be on the lookout for those Satoshi Bitcoin, 50 at a time, starting to leave the accounts. If we start to see something like that, then maybe we sound the alarm. And Scott, if you would please sound the alarm as well, if you feel like this is approaching sooner. Yeah.
And the crypto industry needs to take some action. Please come back and let us know. Okay, okay. I mean, look, I blog about these things when I'm asked. But, you know, I would say if you want to worry about something dooming the world, worry about AI. Oh, my. That's another subject. I was going to end this episode asking you. The threat to cryptography from quantum computers, that feels more like Y2K, right? It is a headache, but it is a survivable one.
That's fantastic context. We'll have to have you back on and ask you your PDoom and get into the AI safety, but that's not for this podcast. Scott Aaronson, thank you so much for joining us. Justin Drake, thank you so much for co-hosting. This has been tremendous. Thank you. Yeah, thank you. That was fun. Bankless Nation, got to let you know, of course, crypto is risky. You could lose what you put in, particularly if your addresses are not quantum secure decades in the future, but we are headed west. This is the frontier. It's not for everyone, but we're glad you're with us on the bankless journey. Thanks a lot.
Hey, Bankless Nation, this is a debrief. We thought we would include Justin Drake on this so he could synthesize from that episode because it was a lot. It was a lot. You know, Scott went deep in certain areas and, you know, came back. And anyway, let's start to synthesize some of this. So, Justin, what do we need to take away from just like the basics of quantum computers? Can you parse that for us? Yeah. So one basic concept is that there's two types of qubits. There's the physical qubits and the logical qubits.
If we want to do digital computation that breaks cryptography, we need these more fancy logical qubits. But the building blocks, the bricks that make up the logical qubits are what's called physical qubits. And unfortunately, the physical qubits are extremely noisy, and so we need what's called error correction. So we need to take the noise, remove it, so that we're left with pure signal, which is binary digital signal.
I think the very beginning of our conversation basically was with this Willow breakthrough where essentially we have for the first time a
a logical qubit. I see. A logical qubit, one of them. So we're able to take 101 physical qubits, put them in a lattice, and basically have this error correction happen. And that gives us this meta-building block, which is the logical qubit. And then, if we want to go actually break cryptography, we need to put
thousands, tens of thousands, maybe hundreds of thousands of these logical qubits together to form what's called a scalable, fault-tolerant quantum computer. Okay, so I'm sort of getting the picture. Of course, you know this, you're an Ethereum researcher, but things in Ethereum or crypto at large are just like basically research theory type phase, and then they become an engineering challenge.
It feels like that's kind of where we're at with quantum computing, where we've been in this kind of research theory type phase, but now we've hit this threshold of, oh, now it's just an engineering and scale problem. And humans are really good at that. That's why Scott kept going back to like, I don't know when it's going to happen. It depends how much capital is there. I'm just like, well, capital is easy. Yeah, that's a solvable problem. I mean, as soon as there's something to scale, we know that capital will go and then we'll push the button, we'll scale that. So he was talking about 40 billion a year. I'm like, pfft.
40 billion, what's that? I mean, like you get nation states involved. Like this could be hundreds of billions very easily. And now it's just a matter of scaling it. And you measure the scale with these two bits, right? So like right now we're one, but when we start to break cryptography, we're getting into the millions of,
of qubits and then that's when we can start breaking cryptography. Is that about right? Yeah, so millions of physical qubits and about two orders of magnitude less of logical qubits because it's roughly speaking a hundred physical qubits for one logical qubit. Is there something like a notion of Moore's law here? Like can we apply like Moore's law to quantum computing and if we're at one, maybe in a couple of years we'll be at 10 and a couple of years after that we'll be at a hundred and then not too long after that it'll be higher than we can count.
Yes, there is an equivalent of Moore's law, and I think it's faster than Moore's law. I'd have to go look it up exactly. But one of the reasons is that there's multiple layers of the stack that are improving in parallel. The physical qubits where the so-called fidelities or the error rates are improving.
And then that has compounding effects with the way that we do the error correction. So we have these new surface codes and all sorts of other fancy mathematics that basically allows you to correct and detect the errors. And then there's also improvements at the algorithmic level. And to me, this is extremely reminiscent of SNARKs. SNARKs are a multi-decade journey that started 30, 40 years ago.
And there's various layers of the stack. There's the proof system. There's the arithmetization. There's the hardware that you use to prove that itself is growing with Moore's law. And then there's the algorithms that you use to do the FFTs and the MSMs.
And all of these things compound with each other. And my rough take is that, you know, SNARKs improve by a factor of five every single year. So it's like- - That's very fast. - Moore's law taken to the extreme. And I would imagine that quantum has a similar effect. - All right, so we're somewhere on an S curve, basically. A new S curve, a quantum compute type of S curve. And we're very early, but you know what S curves do, right? They're exponentials. Okay, so that's quantum computers. Let's talk about then, let's go over once again and parse.
everything we just talked about for Bitcoin. So quantum computer, let's say it happens overnight. Some government has a quantum computer that is in the millions of qubits. What happens to Bitcoin? What are the vulnerabilities? Right, so there's,
two classes of algorithms that affect cryptography. And Bitcoin got extremely unlucky because these are like two very, very narrow problems that quantum computers are good at, which is basically breaking elliptic curves and doing search over a very large search space. And unfortunately, Bitcoin has both the elliptic curves, in this case, ECDSA to store the balances, and it has the search on
Specifically the golden nonce search, right? Like you have these miners just spending tons of energy just to find this one golden nonce. That's the proof of work part. That's the proof of work part. And so in some sense, Bitcoin is like doubly effed. Doubly screwed because it uses proof of work. And then also, you know, like the accounts, I know they're not accounts in the Bitcoin world, but you basically get at the private keys as well because they're not quantum safe either. Yeah. The account balances, I should say. Yeah.
Correct. The good news is that Bitcoin will most likely have to tackle them sequentially. First, ECDSA, and then the proof-of-work question. For ECDSA, as we discussed, basically there's various possible outcomes. Outcome number one is that nothing changes, and then the Bitcoin effectively becomes this bounty or issuance, if you want to think of it that way, to keep the chain growing and to incentivize proof-of-work.
And we're talking, quantifying that, about one to four million or so supply of Bitcoin? We know that we have the one million coins from Satoshi. And we know that today, if we look at the balances where the public key is known, that's about four million coins. But of those, some of them are active in the sense that they can always migrate to an address that doesn't have
the public key exposed. And so really what we're concerned about is the lost coins for which the owners have died, for example. Which could be some subset. Stagnant coins where the coins won't simply just move when we learn that quantum computing is here. Correct. And so one possible outcome here is that the community says, we know that we have quantum computers, so we need to do something. And any coin that hasn't moved in
10 years, for example, is going to be just completely destroyed. And that's going to include Satoshi's coins. But what I find interesting about this, Justin, is that even that choice, what we're talking about right there, it's not just a tech choice, okay? It's a tech plus it's a social choice because you have to do something different with property rights. It's no longer immutable property rights, right? I mean, correct me if I'm wrong, but there's no way to do this without doing something with that one to four million Bitcoin that is kind of like lost, right?
and kind of out there. Like you have to have some policy that requires social consensus that was not in the original, like, you know, sayings of Satoshi in the white paper. You have to make that decision somehow. And so how does that kind of factor in?
I think we need to see what the concrete data on the ground is. If indeed it takes a very long time to crack just a single key, if we're talking days or weeks, then actually I think we're fine. If my friend Steve is correct and we indeed can crack keys in a matter of seconds, then someone will just crack all of the keys and then just steal millions of Bitcoin in one go. And that would be the equivalent of the DAO hack.
whereby a very large percentage of coins are in the hands of one single entity and that jeopardizes, it's an existential risk for Bitcoin. And what they could do as well is just
roll back and basically freeze the coins that all moved at the same time. How are they going to do that though? Let's do a scenario here because no one knows with the example of an attacker and they're going to attack the high value Bitcoin addresses. They're not going to do the 50 at a time type thing. They'll do the one with like thousands of Bitcoin in it first.
obviously. So let's say you see that on chain, you have no idea, someone sees that, I guess, maybe you don't even know if it's a hack, it could just be an old address that has maybe moved. But you see that happening. And you have no idea whether the attacker has the ability has spent years to do that one address, or has just done it in like a second, I guess you have to see that the next time it happens, and you kind of can measure how quickly they're able to do this. But like,
Scenario that out, like you've been in the case of a DAO hack, imagine you're kind of Bitcoin core, Bitcoin community, and you start to see some of these addresses on the move and you think they might be quantum. Like, what do you do next? Yeah, so the good news is that in order to freeze coins, you only have to do a soft fork. So basically you have to censor transactions. Transactions that were previously valid are no longer valid. That's the definition of a soft fork.
And the soft fork can be enforced by various entities. It can be enforced by those running nodes.
But actually it can also be enforced by the mining pools. And it turns out that like two or three mining pools control 51% of the hash rate. And so what the mining pools could do as a preventative measure is basically say, if we see a Satoshi coin, we'll just not include it in our blocks. We'll just send a tweet saying, hey, warning, warning, Satoshi is alive or we have a quantum attacker. Please start debating whether
whether or not as a community, we want to soft fork in order to freeze Satoshi's coins. I feel like it's a little too late at that point. But also you equated this with kind of like a DAO type scenario, right? And quite famously, Bitcoiners, it came down quite harshly on the DAO scenario for Ethereum because they said, you guys are invading property rights. This is an immutable blockchain. We thought that's what Bitcoin is. And somebody's got to make that soft decision. And Bitcoiners quite famously like,
You know, how do you find social consensus? There is no social consensus. There is no layer zero in the Bitcoin community. So like, how does that even work? Do you think it will break brains and like break the entire system? So we do have a precedent for this. Back in the early days of Bitcoin, maybe it was 2010 or 2011, there was this overflow bug. Right.
As an inflation bug. Which basically allowed for the creation of arbitrary number of Bitcoins. And this was just so obviously a systemic risk to Bitcoin that they had to fix it.
And I think it would be potentially a similar thing for quantum mining here. But that was 2011. I don't know. That 2010 rollback is meaningfully different than post-Michael Saylor era of Bitcoin. When people have, even you Justin, have suggested like possible futures for Bitcoin, which includes like proof of stake and other outcomes, like including EIP-155.9.
And all of these suggestions, many of them include a hard fork. And when I hear people suggesting a hard fork for Bitcoin, in my mind, I immediately say, well, that's just not happening. Like, that just can't be done. Particularly a hard fork that does something with property rights. Exactly. Or the Bitcoin supply or addresses or the thing that the Bitcoin community says is immutable and has been since, I guess, 2010, 2011, that bug. Mm-hmm.
Yeah, it's very hard to tell. My personal thesis is that the cleanest way for Bitcoin to survive long term is for the asset BTC to decouple from the chain and for the asset to go live on something secure like an Ethereum. Hardcore Bitcoiners, I don't think, will accept that.
I don't think there is for hardcore Bitcoiners who do kind of set the value system of Bitcoin that it's untenable to say that separate Bitcoin from Bitcoins. I don't see Bitcoin surviving on a period of decades. Oh my God. So here's what I was trying to figure out, right? So like when this Willow news from Google, you know, came out, there was a massive reaction and some people, you know, went as far as to say, well, you know, Bitcoin is doomed.
And it feels like the reality is like, well, not today. And there are upgrade paths, of course. And this will take many years to play out. But like what you just said is over the long run, basically, this will require a massive social fork of some kind. Plus, you know, the tech is not so hard. It's more like what do we do with the kind of the property rights of the 4 million Bitcoin?
to such an extent that it may not survive. We're not even talking about the problems with proof of work that will happen after that. That's just kind of wave one of quantum when quantum computers are strong enough to start attacking individual addresses. So at some level, this is as big an existential deal as some of the fudsters and doomsdayers were making it out to be. It's just not going to happen in the next decade.
Three years, probably five years, but 2030s-ish? The next cycle problem. Yeah, I mean, efficient markets should be able to price this in right now, but markets are not super efficient. But you're right, there's a conundrum. Either you socially intervene, in which case you jeopardize the whole story of Bitcoin and the monetary premium, which is the only thing it has, or you don't intervene, and
And Bitcoin is just not going to work. Technically, it's always going to have one entity that's going to control a very large percentage of all the coins, something like double-digit percentages.
So let's play out a scenario where they decide not to intervene on the property rights, because we're just assuming that maybe they would do something with the one to four million Bitcoin. But it seems like it could be a path where they just say, nope, we're just going to let it be. We're not touching that Bitcoin. In fact, there could be multiple forks, like one fork of Bitcoin that says, no, we're going to do something with the property of the one to four million Bitcoin. And another fork that says, no, this is the real Bitcoin, Bitcoin classic. We could have that type of a scenario. Anyway, it seems like a viable path where they
implement the post quantum cryptography. And they just let the one to 4 million Bitcoin be susceptible to some sort of quantum computer attacker. And whoever's first, whoever gets there gets the spoils. It's kind of the pirate's booty of the sunken treasure ship at the bottom of the ocean and whoever gets it gets it. I mean, that's viable as well. Can you play that scenario out? Is that a realistic scenario? In some ways, it feels more realistic to me. But what do you think?
There is this conspiracy theory that Satoshi is actually the NSA and that basically this is a secret master plan where the US government will retain dominance economically by controlling a million Bitcoin. And they actually have the private keys. And by the way,
I'm a little shocked that if Satoshi didn't want to spend his coins, why didn't he burn them? There's a very, very easy way to destroy them. Provably, that would have eliminated tons of FUD. Maybe he has a plan, and maybe this story has some legs. But the way that I would see the scenario playing out in the other direction is basically where the Chinese government, which is the most likely entity that could stealthily build a quantum computer...
would basically have the same master plan as the conspiracy theory, where they basically said, "Okay, let's build this quantum computer to get a million Bitcoin and retain dominance economically in the world."
I guess that is a possible outcome and the Chinese government would have to basically work the social layer very, very strongly to stealthily and basically hide the fact that they are the new entity controlling these coins. Okay, we said earlier Bitcoin was kind of doubly screwed. So that's the first, you know, path where they're screwed. People can kind of, you know, hack individual Bitcoin accounts and private keys. But the second path, once quantum computers are strong enough to do that, they'll also be strong enough to accelerate
like proof of work mining. And then you were describing, you were talking to Scott back and forth in the episode, you basically said, you could very easily envision that just some group, some centralized actor has the first quantum computer that just blasts past everyone else. And so, you know, there's no equilibrium, I guess, where everyone has access to the same tech. It's just like one super group with a super powerful quantum computer that kind of wreaks havoc
on proof of work. So talk about that scenario. And like, does that mean proof of work is doomed? So what would likely happen in that scenario is that for a period of some years, there would be one entity who would control the vast majority of the hash rate. And so what that allows them to do actually is to get all of the issuance and all of the fees essentially for free, because what they can do
is that they can set the difficulty to be much higher than what all of the classical miners can do. So all of the classical miners will basically shut off, but not spend so much energy, so not increase the difficulty so high that they have to spend a lot of energy. So they would have basically...
acquired the Bitcoin network, it would be theirs and they wouldn't have to spend much to maintain it and receive all of the rewards. But then there's another more worrisome attack, which is that
they can change the fee schedule. So right now, in the dynamic of competitive miners, you basically have what's called a first price auction, which is that the transactions that are willing to pay the most get included, and sometimes 10 cents, that's enough for you to get included. But when you control the chain, you have monopoly power over what transactions go in. And so you can have a policy which is not a first price auction. You can have a minimum fee. So you could say...
you know, Visa style, please pay 3% of all your Bitcoin. So every time Michael Saylor wants to move his Bitcoin, 3% goes away. Or, you know, you could go Apple style and say 30%, that's my cut. And basically, once you've acquired Bitcoin, there's kind of two ways to make money. You can try and keep it alive and
and just milk the fees, the issuance, and the small fee. Or you can do something much worse, which is try to kill Bitcoin and basically short it on the perp markets. And one of the really scary things is that there's about $40 billion of open BTC perps, which means that as an attacker, if I want to short in size tens of billions of dollars, I can totally do that, and it will be relatively cheap.
And the cost of attacking Bitcoin is most likely not going to be way, way less than that number. It already is less today in the context of proof of work. But if you project yourself into the future, what will happen is that issuance will go down relative to the total supply. And so the issuance relative to the perp market is going to go down. But
But also, if you have this monopoly power on technology and IP, this quantum IP, then you'll likely have to spend, let's say, $1 billion, and you'll be able to short hundreds of billions of dollars. Because presumably in 10 years' time, the Bitcoin perps markets will be in the hundreds of billions, if not
trillions of dollars. But these scary scenarios only happen if like one actor, you know, kind of gets this quantum super ASIC basically. And they are so the only ones that can produce it. If a different world plays out where all of the nation states kind of compete and they all kind of, you know, graduate together and we have larger proliferation, I
of quantum super ASICs, then can't we still preserve proof of work in kind of the same way? It's just everything has kind of leveled up by orders of magnitude in terms of the hashing power. But since everyone's leveling up together, the proof of work algorithm still works? - Yes, so theoretically speaking, if we all level up together, then it kind of works. There is this one paper titled "On the Insecurity of Quantum Mining"
where basically there's some edge cases where basically, if you're interested, the way that the algorithms work is that you start your problem and then you do what's called a Grover iteration. And when you're doing the iterations, you don't know whether or not you'll be successful. And then after a certain number of iterations, you observe your quantum system and you see whether or not you found a golden nonce.
And the rational strategy in quantum mining is that when someone produces a block, everyone else is incentivized to observe all of the work that they've done so far and see whether or not they've also won or not. And what that will create is high correlations between blocks being produced. So basically there's going to be a lot of uncles and orphans and reorgs, much more so than there is today because there will be high correlation between when the blocks are produced.
Now, putting that detail aside, what I expect will happen is that we won't all level up at the same time. And the reason is that
Quantum is extremely, extremely advanced technology that will take years, maybe decades to commoditize. And really the principle that Satoshi was leveraging with one CPU, one vote is this idea of commoditization and linearity, right? You have two CPUs, you have two votes. You spend two joules, you have two votes, right?
What I expect will happen is that we're going to see massive differences in the performance of the systems. You might have Microsoft that's going down the superconducting path and then some other team going down the trapped ion path. And they're going to have completely different performance characteristics. And even if you have two teams going down the same technology path, one might have an algorithm which is just orders of magnitude better than another. And so my expectation is that
the difference between the best miner and the second best miner is going to be orders of magnitude. And today, if you have a special ASIC, which is, let's say, three times better than the next best one, you dominate the market. And so Bitcoin mining is very, very susceptible to these relative differences in performance. And I think quantum will just massively amplify just because it's not yet commoditized.
Okay, so that's Bitcoin and its problem set, which seems pretty significant, pretty vast. Now contrast that to Ethereum. It seems like Ethereum doesn't have a two-prong problem, so it doesn't have the proof-of-work problem at all. We're fine from that perspective. Still does have a set of cryptography that's not post-quantum secure.
But we can get there with a hard fork as long as this doesn't happen tomorrow. Yeah, what are the prospects for Ethereum kind of upgrading and being fine on the other side of the quantum compute revolution here? Right, so there's four different places where we...
might use pre-quantum cryptography. There's the BLS signatures in the beacon chain. That's something that's under control in the sense that we have a plausible upgrade path within the next half decade, say, and that's more than enough time.
Then we have ECDSA that is used for the account. And here it's a similar situation to Bitcoin, except that we have two advantages. Advantage number one is that we have account abstraction, meaning that the process of migrating to a different signature scheme does not require a fork and it can start
today. If we have some large holders that want to be very conservative, they can start the process of migration today. And Justin, can this be upgraded for the lost coins, let's say, on Ethereum or kind of the passive coins as well? Or does it require an active address, an active opt-in? Yeah, so this is where there's a couple observations. The first one is that we don't have the equivalent of Satoshi on Ethereum. We don't have someone who controls 5% of the supply on an exposed address and who's presumed to be dead.
And then the second advantage that we have is that from day one, we had these addresses that were the hash of the public key as opposed to being the public key itself. So what is, you know, 4 out of 20 million Bitcoin, 20% on Bitcoin might be a much, much smaller number for Ethereum just because from day one, we had this protection. So if you, just to be concrete,
For example, if you participated in the Ethereum... Actually, this is a real story. There's some people who participated in the Ethereum presale. They have thousands of Ether and they just lost their secret. These are lost coins.
but because the only thing that you see on chain is the hash of the address and not the pub key, these are actually not exposed to quantum computers. Okay, so what I'm trying to get to in this is like the set of post-quantum upgrades that Ethereum needed to do. Remember with Bitcoin,
there was kind of the technical piece and then there's also kind of the social property rights type piece. Does Ethereum have an equivalent problem? Obviously it has similar technical, but is there a property rights component to it with some certain amount of Ether or tokens or addresses where we actually have to make a decision whether we freeze, like what we do with that? Yes, there is a similar problem, but
From a quantitative standpoint, it's very different. I think for Bitcoin, it will be double-digit percentages, whereas for Ether, I'm expecting it to be single-digit percentages. And so in some sense, ironically, the Ethereans might be able to take the more purest path of not intervening socially just because the total percentage is much smaller. It's like 5% of ETH? Or do we have any estimates for how much ETH and tokens or addresses would be not able to upgrade?
There was this study that was done at one point on all of the lost coins in ETH. And I think we were talking maybe a couple hundred thousand ETH. So like very small amount.
And I think half of that was actually the parity wallet hack, which itself is not exposed because it's a contract where you just can't move the coins as opposed to being a normal address, which is exposed. So if I were to make an estimate, it would be basically 100,000 coins divided by
100 million supply, which would be 10 basis points, 0.1%. That's very little. So I would imagine then if it is that amount, if it's greater than that amount, I don't know. But if it is that amount, that 10 basis points kind of number, then I imagine the community just like lets it go. Probably. I would think that would be in the best interest of ETH holders and the property rights of Ethereum to just like do something like that. Yep, correct. And one of the cool things you can do in Ethereum as well is you can implement what's called a quantum canary.
So you can have all of the efficiencies of pre-quantum cryptography, which is 10 times smaller. And then when someone provides a proof that small quantum computers exist, small enough to prove that they are indeed quantum, but not big enough to be able to break the cryptography, then anyone can produce one of these proofs on-chain and basically trigger the canary so that the small contract has a different behavior and, for example, migrates to the post-quantum cryptography.
So this is a way to have an immutable smart contract where you don't need governance to turn on that switch. It happens automatically and you get the best of both worlds. You get the security in the world where quantum computers exist and you get the efficiency while we wait for quantum computers.
Okay, but I interrupted your flow. I think you were going more on the technical side of what's susceptible and what upgrades are required in general. So just finish that thought out. Right. So we've covered BLS, we've covered ECDSA, there's two more. One is the blobs. They use this technology called KZG, which is basically elliptic curve-based. That's going to have to be upgraded.
And actually, I think this is a great thing. And the reason is that I'm not super satisfied with the blobs as they are today for various technical reasons. For example, they're very large. They're not variable size. So if you want to consume, let's say, just one kilobyte of data availability, then you have to consume a whole blob. And so this means that you have to do blob sharing and blob packing. And it's this whole complication.
We now have, and this is something that hasn't been shared publicly, I guess sharing it now, there's this idea called blob abstraction, where we can completely abstract away the notion of blobs from developers. Basically, developers return to just consuming data availability, but then in the backend, there's this super blob that is effectively the whole consensus and execution block taken together, and we do data availability sampling on that directly. So
It's a massive improvement to DevX. And the fact that we have to move away from the current blobs because they're not post-quantum secure is a great, I guess, pretext to push this new and improved design called blob abstraction. Very cool. And would that be in sort of BeamChain?
Concept, conceptual design, that four or five year time range? Yeah, I think so in terms of the time range, but it would be a different layer of the stack. We have three layers in Ethereum. We have the consensus layer, data layer, execution. Right, beam is consensus. Beam is consensus, that would be data. Okay. And then there's a fourth place where pre-quantum cryptography might enter, which is Verkle trees. So today we actually have what's called a Patricia Merkle tree,
for the Ethereum state, and that is post-quantum secure. And what we're thinking of doing is moving to cryptography, which is not post-quantum secure, because it gives us this efficiency advantage, where the witnesses, the equivalent of the Merkle paths, are basically much smaller. But we need to be careful, right? Because...
It would be kind of awkward if we do the Verkle fork and then a few years after that, we say, hey, hold on, we now need to upgrade again to be post-quantum secure. And so at least within Ethereum Foundation research, I think there's growing, I guess, maybe not consensus, that's maybe too strong of a word, but directionally there is
a growing interest in going directly to having a binary Merkle tree, so basically a revamped version of the Patricia Merkle tree where the hash function is more SNARK-friendly than what we have today, which is Keccak.
So if you replace Keccak with a hash function like Poseidon, you can get all of the efficiency benefits of Verkle trees, where you take all of the witnesses for statelessness and then you compress everything in a single SNARK, and you also get the post-quantum security. So in my personal opinion,
this may be like the more long-term viable approach and it would avoid our having to do this intermediate Verkle fork. Okay, so in contrast to Bitcoin, Ethereum has some of the technical challenges, but it feels like there's a roadmap to solve that and we could do that well before quantum computers are actually a thing. So we're talking the five to seven year time range, something like that. Is that the general idea here? Yep, exactly. We have a plan for everything.
Okay, and then in contrast to Bitcoin, of course, hopefully does not have the social problem of like, what do we do with the property rights of a massive amount of value on chain, it can just kind of sidestep that because we don't have one to 4 million Bitcoin worth of ether that's kind of like stuck in these addresses that can't be passively upgraded to be quantum secure. So it doesn't have that challenge.
I'm trying to get kind of like order of magnitude on the Richter scale or something, like the earthquake that quantum computers will hit these networks with. And it feels almost like to me, like, you know, it's a kind of a four earthquake. Like you feel it for Ethereum. It's, you know, four on the Richter scale, but it's not collapsing buildings. It's not destroying things. For Bitcoin though, I feel like this is higher on the Richter scale. I mean, we might be at a five, six or seven on the Richter scale for the shake-up
that this will cause in Bitcoin, because there's just like a lot of challenges and Bitcoin has not hard forked in this way ever before. Whereas Ethereum has sort of a history of this. And this seems almost like less of an upgrade than something like the merge, right? It feels like it's less difficult, but what's your assessment of kind of the Richter scale impact on these respective networks? Yeah, I think I agree with you. I think the impact on Ethereum will be relatively small because we can have all of these upgrades and
On the other hand, for Bitcoin, it kind of goes against the grain of the social layer. You can choose. Either you upgrade and make yourself future-proof, but then you jeopardize your social contract of not upgrading, or you don't upgrade and you potentially jeopardize the whole system. And so...
Bitcoin is in this massive conundrum. It's stuck and something has to break. On the other hand, for Ethereum, it almost goes with the grain of Ethereum. And this has to do with this desire to improve and change with time. I mentioned it with the blobs. It's a great pretext to have a better design. But it's a similar thing for the Beam Chain. We know for sure that we have to change. And so this is an opportunity to clean up technical debt and do things properly from day one.
And that will give us an opportunity to have a system which plausibly can last for decades and centuries without having to ever touch. And ironically, this is the better strategy to achieve long-term ossification. The strategy of saying the very first alpha version of blockchains, Bitcoin in 2009, is the endgame, that is just very naive and unwise.
I think the better way of thinking about it is, you know, 20 years of innovation and research all condensed in a chain like the Beam chain, which, you know, can plausibly be left alone and fully ossified. Now, because this is a problem that's probably for the 2030s and more than five years out, I don't think this has been priced in. I don't think many people are considering it. But of course, it's kind of a long-term thing that, you know, listeners of the Bankless podcast should consider. As we approach it,
It probably starts to turn into a game of chicken with the market where it's going to be invisible into the market and then it's going to get priced into the market in an acute event, probably. I mean, we could just like look at what qubits are doing, right? It's like we're at one right now, you know, a physical and logical qubit. So,
will this get priced in when we're at a thousand? Will this start to get priced in or how about a hundred thousand, right? Well, then we're kind of on the cusp and how quickly does that happen? Maybe we start to see some reaction to that. And of course, this is a social community. And so maybe the Bitcoin core team kind of responds to these attacks with various plans in different ways, and maybe they have a plan for it, but it will be interesting. Maybe the last thing to touch in kind of this synthesis episode, Justin, which is like really helped me honestly, because there was a lot from Scott there.
And I think Bankless listeners will appreciate this as well. The concept of quantum money. Now, this feels like it's,
Not here. It feels like it's decades out, potentially, right? Because there's a lot of preconditions for this. But it almost sounds like it could be a better Bitcoin than Bitcoin, a better Ethereum than Ethereum. And I'm not sure I've got my head wrapped around that. I'm not sure anybody does, quite honestly. Even Scott, his original proposal back in 2009, apparently, was already a leapfrog of what Bitcoin was proposing.
But clearly we don't have the capability for this now. How would you just summarize quantum money for us? So it's not an improvement for Ethereum. And the reason is that you can't do smart contracts with quantum money. The only thing you can do is simple payments. But it is an improvement for Bitcoin because just like gold, it no longer needs to be secured. Like gold, you know, is just this rock and you don't need to constantly secure it through fees or issuance.
When you move to quantum money, basically everyone has that piece of gold. And if they want to transfer it, they sign a message, they send the message over the internet, they give that to someone else, and someone else magically has that pot of gold. But you don't need proof of work. You don't even need proof of stake. You don't need any form of consensus. Why? Because you're using nature's notepad?
Exactly. You're using nature's notepad in the same sense that gold is nature's ledger that was created in a supernova or whatever the story is, and it doesn't need to be secured.
Unfortunately, what I think will happen is that there's going to be a progression where quantum money will only be practical after Grover and after Shor's algorithm. And, you know, there's an X percent chance that Bitcoin will die off in the first event and a Y percent chance that it dies off in the other event.
And so it might never have the opportunity to see itself become quantum money. Or that ledger could be forked into some quantum, like basically the ledger of accounts of everything, of who owns what in Bitcoin could be forked into some future version of a quantum money type of ledger chain.
Well, the interesting thing is like from a historical perspective, talking about Bitcoin, Bitcoin is gold, Bitcoin is gold. What if Bitcoin is silver and there's actually like a super predator, a quantum money gold out there that is actually gold? You know what I mean? Like this could happen quite quickly, at least from a historical money perspective, could happen in the span of decades. Like we don't know. The race isn't concluded yet. We're just in the second decade of digital, you know, scarcity and these types of systems. So maybe we're still waiting for the gold.
Yep. Now, going back to one of your questions, which is, is quantum money useful for Ethereum? I actually want to revise that question a little bit because there is a technology called one-shot signatures, which is extremely related to quantum money. And this does allow us to upgrade Ethereum. It would basically allow us...
to have what's called perfect finality. Because today, what we have is called economic finality, which means that if you're an attacker that can somehow create two inconsistent finalized checkpoints,
we have this guarantee that at least one third of all of the ETH staked will get slashed. So there's about a hundred billion dollars of ETH staked, and so a finality attack will cost you at least 33 billion dollars of ETH, which is fantastic. But what's even better than 33 billion dollars is infinity dollars, where you can't even perform the attack in the first place because you have perfect finality.
And the reason why we have the possibility for an attack is what's called equivocation, which is that you as a validator, as an attester, you can vote for chain A and you can also vote for an inconsistent chain B. But with one-shot signatures, the fundamental property is that you can only sign a single message and then the private key destroys itself. And so you can either vote for A or for B, but you can never vote for A and B.
And then what you can do basically is create these chains of one-shot signatures where you can only sign a single message per epoch number. So today as a validator, I get to sign one message per epoch and if I sign two, I get slashed. But with one-shot signatures, it's physically impossible for you to sign two messages with the exact same epoch number. Now that's something that you can emulate with TEEs and actually it's a way for you as an individual miner
If you're worried about getting slashed, you can put your private key in a TEE that will do the double-signing protection and effectively emulate one-shot signatures for you. But if you want to do that trustlessly and enshrine it in consensus, you would need a trustless system, and one-shot signatures are a potential sci-fi futuristic path to get there. And it solves another problem for Ethereum,
which is this idea of delegation with LSTs. So today, basically every operator has a different slashing profile. And basically the best solution that we have is something like Lido, where we put dozens and dozens of operators in a melting pot. And then we kind of give each of them a small sliver of the stake, and then you abstract away and wrap everything in an LST. But once we have these one-shot signatures, then
Because the operators can't create a slashable fault, you don't need to trust them anymore as much as you trust them today. And then you don't need all of this fancy infrastructure to create LSTs and delegated staking. It becomes much more straightforward. If I have ETH and I want someone else to be doing the staking, but I don't want to trust them, well, you can do so. The worst thing that could happen is that they just go offline and
But if they go offline after, let's say, one day, then you just change operator and you send your funds to a different operator. And one-shot signatures, do they depend on the number of qubits that we've unlocked? Or are they sort of a quantum adjacent type of thing that's developed in parallel? How much does it depend on quantum computing itself?
It depends highly, highly on quantum computing. At a minimum, you would need to be able to run Grover's algorithm. So this is kind of going to happen, in my opinion, after we have Grover and Shor. It's going to kind of be this third generation of applications. Wow. Justin Drake, thank you so much. This has been a great synthesis and very helpful, I think, for Bankless listeners. We appreciate you. Thanks for having me. Thank you.