A
One interesting shift of mindset for me in the last few months is that I've stopped thinking about post-quantum as a hurdle that we have to overcome. I think of it more as an opportunity. It's an opportunity for Ethereum to stand out as the very first global financial system that is post-quantum secure, not just relative to its competitors like Bitcoin and whatnot, but also relative to fiat and TradFi. And I think it would send a very strong message and be a very natural security Schelling point for the world to migrate over to Ethereum.
B
Bankless Nation, we are once again joined by Justin Drake. We're going to talk about quantum computing as it relates to crypto, Bitcoin and also Ethereum. Justin, welcome back to the podcast.
A
Hi guys, thanks for having me again.
B
So quantum has become kind of a big looming threat to our industry. We've always kind of known this, we have known that quantum is a thing. It's been largely theoretical, but over the last, I'll say, six months or so, quantum has firmly moved from theoretical to something materially impacting our industry, starting with, I'll say, just the Bitcoin price. Just because fund managers, even BlackRock, have put out pieces about the threat of quantum to the security and therefore the value of Bitcoin. And so we have anecdotally seen people de-weighting their portfolios of Bitcoin; perhaps that is also suppressing the price of all the other assets in the industry. And not to just talk about price, but as we understand it, quantum really just impacts the way blockchains function. So this seems to be a fundamental problem of our industry as a whole, a hurdle that our industry has to get over, because when crypto and blockchain were created in the first place, we were not, and we are not, equipped to become a post-quantum industry. So maybe to start off with context, what is the timeline here that our industry needs to be aware of? When is that hurdle coming? I've heard this called Q-Day. When is Q-Day? How much time do we have to get over this quantum hurdle?
A
Yeah, so I just want to back up a little bit and emphasize what you said, which is that in the last six to 12 months we've had major breakthroughs. One of them is this notion of error correction. So we're able to go from so-called physical qubits, which are very noisy and error-prone, to these perfect logical qubits. Right now we can basically manufacture one logical qubit, but it's still a very important zero-to-one moment. And now it's about scaling it to multiple logical qubits. Another big breakthrough is on the algorithmic side of things. Previously we thought it would take millions, actually tens of millions, of physical qubits in order to break our beloved cryptography. But last year there was a paper that made a 10x improvement, bringing it down to 1 million physical qubits. And this year we have another 10x improvement, bringing it down to 100,000 qubits. So the goalposts are coming closer and closer and closer, and you have these double exponentials in some sense that will eventually cross. And then another thing that has happened is on the investment side of things: a lot of the quantum startups have been raising billions of dollars. So last year I believe we're talking on the order of $5 billion. And this is unprecedented. Previously we were talking hundreds of millions of dollars. And I think the culmination of all of these things has really energized the public and led to this narrative, which has indeed potentially impacted the price of Bitcoin and Ether. Now, projecting into the future, my personal Q-Day is in 2032. This is a little bit of an optimistic take in the sense that it's possible they'll arrive a little bit later, but we need to be prepared in some sense for the worst-case scenario. So I'd say there's at least a 1% chance that Q-Day is in 2032; more likely than not, a double-digit percentage that Q-Day is in 2032. Various experts that are super knowledgeable in the field will tell you somewhere between 2031 and 2038, maybe.
And one of my friends who's in the industry, Steve Brierley, who's the founder and CEO of one of the biggest quantum error correction companies in the world, happens to be based in Cambridge, where I am; our children went to the same class. His personal Q-Day was 2032, but he's had this date for 15 years and it's always stayed the same.
C
Wow, that's impressive continuity.
A
And basically you just need to extrapolate the exponentials and that's where you end up. And so what we're trying to do with Ethereum is to make sure that we have everything wrapped up well before 2032. And my completion date for Ethereum being fully post-quantum secure is 2029.
C
So a year ago we had Scott Aaronson on, who is kind of a godfather in this space of quantum as well. And we asked some questions about when Q-Day is. And is a good definition of Q-Day, Justin, that that's the day on which quantum computers can break our signature schemes like ECDSA? Is that what Q-Day actually means?
A
Yeah, exactly. So we have this new term called CRQC, cryptographically relevant quantum computer. If you squint a little bit, the Q in the middle becomes an O and it's like a crocodile. Yes, that is when for us it becomes relevant. It's possible that there will be other applications that make quantum computers useful for chemistry or physics, but that will come a bit later. Okay.
C
I recall him saying he was kind of hedging at that time. This was a year ago, I think in January 2025. And he said within 10 years we should have useful fault-tolerant quantum computers. But he was very careful to say that doesn't mean that we would be able to break ECDSA. And generally he wouldn't commit to a date because he said it was a staggeringly hard engineering problem. I have noticed that his tone has changed a little bit over the past year, and indeed he's actually joined some organizations and foundations to help cryptocurrencies navigate quantum. It seems like maybe his thinking has changed on this. Is this for the three reasons you emphasize? We've got breakthroughs in algorithms, we've got, you know, some fault detection, I think you called this, which allows us to scale logical qubits, which I think is the main thing that must be scaled in order to break ECDSA. And then also all of the billions in VC and funding that has poured into it. Has his opinion changed on this?
A
Yeah, I mean, I can't speak for him, but one thing that I guess we should note is that Scott is primarily a theoretician. So for a very long time he was working on the theory, not so much on the day-to-day, of quantum computers. And I think that was partially the reason why he was so hedged. I think what's happening more and more is that there are real companies, real entrepreneurs building these things, and he has an insider view and he's basically ingesting all this information. One of the things that he said recently is that the US government is starting to intervene in the publication of ideas. So we have companies and academics that might come up with further improvements to Shor's algorithm, and those are not being completely disclosed, potentially for national security reasons.
B
Wow.
C
Okay, so governments are getting involved in this, it sounds like. So we're not actually sure about all the work that's going on behind the scenes; we're only aware of the commercially viable work at this point. Okay, so on the logical qubit piece, you said we have like one logical qubit right now. There are physical qubits and logical qubits, and the thing to scale is logical qubits. In order to break ECDSA, how many logical qubits do we actually need to break these algorithms? Because that's a metric that I'm looking at. But is that even the right number to look at if we're at one? I've heard people talk about, well, you need 1,000 or maybe 1,500, something like this. Is this a number we should be paying attention to? And what do you think about this?
A
Yeah. So there are multiple relevant metrics. There's the total number of physical qubits, there's the total number of logical qubits, and there's also the total number of steps it takes to run the algorithm. And this has a real impact because it's going to determine if it takes a minute to break a key, a day, a week or a month or
C
a year, and what are the scalars for each of those: physical, logical, and then time to run the algorithm?
A
Yeah. So roughly speaking, the number of physical qubits to get one logical qubit today is a few hundred, call it a thousand. And what should happen is that the quality of the physical qubits, the so-called fidelities, should increase. And also we should come up with better error-correcting codes that will basically improve this ratio. So it's possible that in the future we'll only need 100 physical qubits for every logical one, or maybe just 10. So that's going to improve. And then when you look at the algorithm to break the discrete log and ECDSA, roughly speaking, it's a small multiple of the number of bits in the curve. So we're working with this curve called secp256k1. The 256 stands for 256-bit. So you take this number and then you multiply it by five or six or something, and that will give you roughly the number of logical qubits that you need. So let's call it 1,500. And so, because today we're at one logical qubit, in some sense we're three orders of magnitude away, like three 10xs, in order to get there. But again, what will happen is that we're going to have improvements on the error correction side of things. So right now the 1,000 to 1 will become maybe 100 to 1 or 10 to 1. And also we're going to have improvements on the algorithmic side of things that will reduce the number of logical qubits. Now, on the runtimes, this is kind of interesting because there are two flavors of quantum computers. There's the so-called fast clock and the slow clock. So the fast clock operate really fast, kind of at the speed of light. So you have the so-called superconducting quantum computers and you have the photonic quantum computers. Photonic, as the name suggests, is using photons, light, which explains why it's so fast. And then you have the other flavor, which is the slow clock, you know, they call them trapped ions and neutral atoms. The names don't really matter, but roughly speaking, they operate a thousand times slower.
And each architecture, each so-called modality, has its own advantages and disadvantages. And so it's quite possible that in the beginning we might see a slow clock modality win out, in the sense that they will be the first one to break a key, but it will take them a long time; it might take them a week or a month. And so in some sense Q-Day is not totally black and white. Like there will be a little bit of a period where it's kind of broken, but only for the very, very top high-value addresses.
C
Interesting. But Q-Day could also happen behind the scenes, without us knowing how far along we really are.
A
Yes. And if indeed it is going to be a nation state that has access to these quantum computers first, unless crypto plays a major systemic role in the world, more likely than not they'll use their powers to attack things in a stealthy way, for example, spy on their adversaries. So that plays in our favor. But if you're dealing with a purely rational entity that's motivated by dollars, they might indeed go for Bitcoin or Ethereum.
C
Last question on qubits. Are quantum computing data centers being built out? Right now we have this massive data center build-out for AI. Is something similar starting to happen with quantum computers?
A
Yes. So I was reading this press release, I believe from Quantinuum. They're building kind of this photonics-based quantum computer and they're very, very stealthy. They raised a lot of money, billions of dollars, partly from the Australian government if I understand correctly. And they kind of want a one-shot quantum computer. So a lot of what the other companies are doing is building small proofs of concept and then ramping up; they want to build the whole thing from day one. And so they're building this massive data center and you can see pictures on the Internet. And I think this is because of the modality, where we're dealing with photonics, which doesn't require the really cold temperatures that some other modalities, for example superconducting, require. And so you can take a much more traditional-looking data center and put your quantum computer there.
B
You just talked about how Q-Day isn't really black and white, isn't binary. There are a bunch of different things about a blockchain that are relevant to quantum. Each one has a different level of quantum susceptibility. But I want to take the position that actually Q-Day is an acute, specific event. It's when the actual attack happens, and as a result of the attack, something breaks. And maybe that's different for different blockchains, because different blockchains' risk profiles aren't uniform. But we can talk about the Q-Day for Bitcoin under the assumption that Bitcoin doesn't do anything. So if we assume that Bitcoin doesn't adapt, it doesn't solve its quantum susceptibility, then there is a specific day that will happen where Bitcoin is attacked. What does that look like? What would happen on that day? Do we have an idea of the way that Bitcoin is the most susceptible first, like, what's the lowest-hanging fruit for a quantum computer to attack
A
Bitcoin? Basically, you need to look at the incentives to attack. And the rational move for an attacker is basically to go fetch the largest addresses, and actually maybe even before that, to go fetch either addresses where there's perfect privacy or addresses where there's plausible deniability. So let me go through these one by one. So the very first target will probably be Zcash, because if you attack Zcash, you can mint an arbitrary number of ZEC and no one will know. So Q-Day won't be made public.
C
Wait, just to be clear, Zcash is not post-quantum secure right now?
A
Correct.
C
Even though it's using ZK, like SNARKs and all this?
A
Yeah, it's using SNARKs that are based on elliptic curves that are liable to be broken by quantum computers.
C
Okay, okay.
A
And then one potential set of victims might be people who have died, for example, and they've just lost their coins. And so if someone steals their coins, no one's going to complain. There's some amount of plausible deniability. But then eventually we would notice that.
C
I mean, like, if we started seeing coins from people...
A
No, because we're already seeing it today. Like, every quarter or so there's some zombie address that hasn't moved for, you know, 13 years, and they resurrect and no one knows the real reason. It could...
B
Right. It's like a 13-year-old Bitcoin wallet that hasn't had a transaction since they mined the 50 bitcoins forever ago. And it makes its first transaction in 13 years. Whether that person is still alive and just waking up a dormant wallet, or it's a quantum computing attack, who's to say? You don't know. Externally, a naive viewer just looking at the Bitcoin blockchain is like, I don't know how to tell the difference. These look the same to me.
A
Exactly. Yes. And then you'd probably go and attack the biggest fish, which might be some exchange that hasn't put in the correct infrastructure to protect themselves. So it turns out there's a very easy mitigation to quantum computers, the very first ones at least, which is to not reuse your addresses. Because when you reuse your address, you reuse the public key. And that means that an attacker has the time to go crack the corresponding private key and then steal your funds the second time you use the address. And so really the best practice should be that if you're holding any funds in long-term cold storage, it should be a clean address for which the corresponding public key has never been revealed. And just to make this crystal clear, what a quantum computer allows you to do is to go from the public key back to the private key. So it really jeopardizes the foundations of property rights.
B
So long-dormant coins, no matter what blockchain, long-dormant coins that have had their public key exposed, which is not all dormant coins, but it is a large percentage of them, are at risk. These are the Satoshi coins, and maybe a handful of others. But as I understand it, Satoshi has his coins in wallets that people know. This is why we know that they're called the Satoshi coins, because we know where they are. What percentage of bitcoins are susceptible to this?
A
Yeah, so there's this web page called the risk list, spelled with a Q instead of a C, by this company called Project 11, where they have this dashboard that gives you a live view of vulnerable addresses. And I believe it's on the order of 35%.
B
We're talking 35% of bitcoins?
A
Yes. So millions of bitcoins, let's say 6 or 7 million, something like that. Yeah. That's hundreds of billions of dollars. And you're right that it does include the roughly 1 million BTC that Satoshi holds. Now, one of the interesting features of Satoshi's BTC is that they're all in increments of 50 bitcoin, because basically that was the reward that you would get. And he would use a fresh address every time he mined. That's how the default software was programmed back then. And if it takes, let's say, a day or even, let's say, 10 minutes to hack one pubkey, you will see Satoshi's coins being drained at roughly the same rate that they were mined back then, once every 10 minutes or so. So it will be a process that will be extended through time. And one interesting consequence is that if you're a small fish and you have significantly less than 50 bitcoins' worth in your address, then you're fine. You're kind of shielded by Satoshi.
B
You'll see it coming for you, right?
A
Yes, exactly.
B
It's like running away from zombies: you just need to not be the slowest one. And in this case, we need to not have the largest wallets that are quantum-insecure, because they'll just go for the larger wallet.
A
Exactly.
C
So Q-Day happens in a Justin Drake scenario, and maybe Zcash is the first to have some form of an attack. And then you might see some addresses on-chain that aren't very noticeable because the attacker won't want to draw attention to it. Some addresses on Bitcoin, but then the attacker would kind of step things up and go for larger and larger treasure sources on Bitcoin. Now, my understanding, we talked about this a little bit last year when he came on, we talked about quantum, and then I've read some Nic Carter pieces recently, is that there is a portion of Bitcoin supply that is kind of in the lost-coin type of scenario, which is either the individual has passed away, lost their private keys, or they're Satoshi themselves. And I think Nic estimated this to be potentially, the minimum threshold for that is like 1.7 million Bitcoin. I know there are different estimates of this, which would be 8.6% of the mined supply. So this is less than the 35% that you were talking about. Maybe 35% is susceptible to an attack. You have to imagine people who are trying to stay one step ahead of the zombie attack; they will, and they'll just move addresses to one that is not susceptible to this type of attack. But if the coins are lost, if there's no access to private keys, then of course you can't move to an address that is not quantum-attackable. And so 1.7 million Bitcoin would be about 8.6% of supply. And then the other estimates say that there could be as high as 15% of Bitcoin that's susceptible to this type of thing. What numbers have you seen, and what percent of Bitcoin do you think is just lost and going to be susceptible to a post-Q-Day attack?
A
Yeah, so the rough number that I have in mind is in line with those that were shared. It's 2 million Bitcoin, which let's say is 10%. So we have the 1 million from Satoshi and then we have roughly another million that hasn't moved for a very long time. Now we need to discount some of that because some zombie addresses that are legitimate will revive over the coming years, but we should also increase it because there might be some recently spent addresses that will be lost. And so 5 to 15% I think is the correct range. And I would bet around 10 to 12% or so, which is very sizable. It's definitely in the hundreds of billions of dollars. And one could think through the game theory here. Option A is to try and burn the coins. The advantage here is that you don't have the hundreds of billions of dollars of sell pressure. So if you analyze this with a short-term lens, that's the rational move. But then the whole story of Bitcoin is to be strong property rights. And so if you have a longer lens, then you should not want to burn the coins. And it's very difficult to know which way the community will go. It's possible that ultimately the decision will be made by large holders, for example, Michael Saylor and Strategy. Because these large holders will receive a copy of both versions of the bitcoin, the one with the burn and the one without the burn, and they can choose to dump the one that they don't like. And we know that Saylor is in favor of burning, and so he can single-handedly, potentially, quote, manipulate the market and get the outcome that he wants.
C
Can we be clear on what you mean when you say there are two options? Like two options for whom? So we have a scenario post a Q-Day. So if you believe in a Q-Day, and you clearly do, that it's coming at some point in time, we will have say 10% of all Bitcoin supply that can be attacked by whoever has the best quantum computer at that time, and attack just means they can go and reach in and get the bitcoin. And that can happen in relatively short order, over days and weeks and maybe months. But they can pick these addresses off one by one, and effectively that 10% can be taken by someone. You're saying that the Bitcoin community has some options with what to do with that 10%, on, I guess, the social layer, the hard fork layer. And those options are twofold. Either they can burn or freeze the coins. They can effectively say, no, Satoshi, this 10%, Satoshi's amount and some others, these are dead addresses. We know they're dead. We don't want them to be quantum-susceptible. So we're just going to make a social decision and hard fork and just say these coins shall never be moved. They're frozen. We'll write it into the code, right? So it's 21 million less the 10% that was frozen this one time. That's one of their options. The other option is they just leave that 10% to whoever can create the quantum computer to go claim them. Almost like a salvaging-a-shipwreck situation, where you have a Spanish Armada fleet and they sink with all their gold and their treasure, and whoever builds the submarine to go to the bottom of the ocean to get the gold can go claim it. But those are forced options. Like no matter what happens, if Q-Day happens, the Bitcoin community will have to choose one of those two options. Either intervene, burn and freeze, or just leave it to whatever geopolitical or commercial force has the ability to develop quantum computers and go claim the prize. Is that what we're saying here?
A
Yes, that's very well said. But the one small correction is that this doesn't have to happen at Q-Day or after Q-Day. It can happen prior to Q-Day. At any point in time, the Bitcoin community, or some subset of it, can propose to make a fork. And then at the fork block number there would basically be two versions of Bitcoin, the asset, just like the Bitcoin Cash fork back then: Bitcoin Classic, if you will, and Bitcoin Cash. And ultimately this is decided by the market. So you'll have exchanges that will set up the two versions of the asset. And it's the market that decides which one is the true Bitcoin. And it's possible, just because of short-term liquidity dynamics, that the version which burns the coins, potentially ahead of Q-Day, is going to be the one that wins.
B
Right, okay. So I'm Michael Saylor. I own a large percentage of the Bitcoin supply, like 2 or 3%, especially of the liquid supply. I get both copies of the bitcoin. So we're forking the Bitcoin blockchain just like we did during the Bitcoin fork wars between Bitcoin Cash and Bitcoin back in 2017. I'm Michael Saylor. I want to preserve my value. So I sell all of the bitcoins that are quantum-susceptible and I keep all the bitcoins that are on the version of Bitcoin that burned or locked all of the quantum-susceptible bitcoins. And therefore the price of the bitcoin on the blockchain that has quantum susceptibility, the untouched blockchain, goes down. And the price of the version of bitcoin that is having all the quantum-susceptible bitcoins burned stays high, because no one's selling that one. Michael Saylor's not selling, BlackRock's not selling, or whoever, anyone who believes in this isn't selling. And so what you're saying is simply the price of the quantum-solved bitcoin will be higher and therefore that will by market forces become the canonical Bitcoin.
A
Yeah, and Michael might even decide to buy the burn version of the bitcoin using the proceeds of the vulnerable one and go from like 5% to 5 and a half or whatever.
C
Right.
B
Question though. Doesn't this mean that there needs to be some level of top-down coordination on which wallets are frozen and which wallets are not frozen? And so isn't that also a choice that needs to be made? Like, okay, clearly we can label Satoshi's coins, we will definitely freeze those, but then we have to freeze a few more. And there are some wallets out there that we can be meaningfully sure about, like it's okay to freeze those because that person's dead. But we actually don't know where to draw the line on which wallets are valid to be frozen and which wallets are actually owned by humans somewhere that are just dormant. Is there a clear line there? How do we make that choice?
A
Well, there's a concept called the Schelling point, which is, in the absence of a central coordinator, how do you come to consensus? And for Bitcoin, I guess the Schelling point might be the block where a halving happened. So you might pick the first halving or the second halving or the third halving. That seems reasonably credibly neutral. Any coin that hasn't moved since, let's say, the second halving is considered burnt.
B
So we just pick a date and we say, hey, if you are leaving your bitcoins in a quantum-insecure wallet by this date, we are going to burn your coins on this secondary Bitcoin blockchain that we're going to fork.
A
Yeah, there's a relatively wide design space and some people have tried to be creative. So for example, some people are trying to solve two problems in one go, both the quantum one and the security budget problem, where the proposal is: let's take the 2 million coins and instead of burning them, we just add them to issuance. That kicks the can down the road for the security budget.
B
I bet that becomes even more ambitious in terms of Bitcoin coordination. I don't know if you want to overload Bitcoin's coordination ability.
A
Yes, if I were a betting man, I would just bet on a very simple burn, let's say after the second halving.
B
Okay.
C
This is so difficult though, because to your point earlier, Justin, this does shatter the incorruptible narrative, the property rights narrative. So any decision on a freeze somewhat shatters the pure nature of what Bitcoin is. And I must wonder. So Nic Carter, in his essays about this, goes through a different story where there's not a burn-and-freeze scenario. Instead it's the salvage scenario, where you just leave the coins. And in his scenario he goes through, there's a private quantum lab that cracks ECDSA ahead of schedule. They happen to be US-based. The US government quickly nationalizes them in secret. It goes and starts acquiring the bitcoin. They coordinate with Treasury, they coordinate with the big ETF providers, the BlackRocks, the Michael Saylors of the world. And at the end of this, the US ends up with the 10% of Bitcoin supply in the Treasury. And he goes through fictional price charts. Of course, when people realize the Bitcoin network is under quantum attack and the supply is being taken by someone, price spikes down by 73%. But then when it's revealed that actually the US government has it, and they're using salvage laws, maritime salvage laws, in order to legally confiscate this, then the market rebounds and is very excited because the US has this Bitcoin strategic reserve in the Treasury. So that's his other scenario. And kind of you just leave the bitcoin, and some nation state, maybe the US government, actually cracks it and gets that. Do you find a scenario like that plausible? Because at least in that scenario you're not breaking any property rights. It certainly is incredible that this will have happened to a multi-trillion-dollar network, and there's such a prize bounty. It's just unprecedented. But that could happen as well. And maybe that's a better outcome for Bitcoin.
A
Yeah. So I have a couple of thoughts. The first one is that there is this rather sophisticated way of proving ownership of Bitcoin without going through the private key. And this is what's known as a proof of seed phrase. So the way that you derive a bitcoin address is, in some sense, in three steps. Step number one is that you generate your seed phrase. Step number two, you do some manipulations on the seed phrase, including hashing, and this is an important point, to derive your private key. And then from the private key you derive the public key, which then is the address that goes on chain. Now the private key unfortunately is no longer something that can prove ownership, but because of the hashing step, if you know your seed phrase, that is still a proof of ownership. And so one thing that could happen, and technically speaking is the soundest way forward, is to freeze the Bitcoin, but to allow anyone to revive their Bitcoin with a proof of seed phrase. Now the proof of seed phrase unfortunately is quite complicated. It requires a snark, a zero knowledge proof. And so it would potentially significantly complicate Bitcoin. But I guess we'll get back to this later because my prediction is that Bitcoin is going to have snarks to solve the so called size problem of post quantum signatures. So Bitcoin is very much known for not wanting to increase its block size. Unfortunately, post quantum signatures are roughly 10 times larger than ECDSA. To give you the concrete numbers, ECDSA is 64 bytes. It's a minuscule signature. The smallest NIST standardized post quantum signature is Falcon, which is 666 bytes, more than 10 times larger. And so if you were to naively swap out ECDSA for something that is post quantum secure, without increasing the block size, your throughput is going to go down roughly 10x. So your TPS on Bitcoin will go from 3 to 0.3, which in my opinion is a non-starter.
And so what we're building for Ethereum is this fancy post quantum signature aggregation technology so that you don't put the raw signatures, even if they're large, on chain. You only put this aggregation proof. And my bet is that bitcoin is going to adopt the solution that bitcoin will develop because there's just no other technically sound way forward.
C
I see. And that's why you're betting against the salvage type scenario, because you think they'll go with this approach. And if they go with this approach, then that gives them a way to more credibly neutrally freeze the assets, because they're not completely freezing it. If you can prove ownership, then you can access the old legacy bitcoin.
A
Yes. Now, unfortunately, if you're a property rights maxi, this is not completely satisfactory.
C
No.
A
And the reason is that there is some subset of the frozen addresses for which there is no known seed phrase. So for example, the seed phrase standard only came several years after Genesis. So all of the early Satoshi addresses, for example, won't have a corresponding seed phrase. And there are some wallets, for example MPC based wallets, where there is no corresponding seed phrase. So it's not a perfect solution, but it gets you 80% of the way.
C
So messy. This is so messy, no matter how you cut it.
A
Yes, yes. The other thing I wanted to highlight is that a lot of people think that when you steal bitcoin, the price of BTC the asset will crash and then the asset that you've stolen will be worthless. But there actually is a way to basically hedge the price of bitcoin, which is very easy. You just go short BTC. So let's say you know for sure that you've cracked the private key of a wallet that holds, let's say, 100,000 BTC. What you do is you short 100,000 BTC, and that locks in your profit of 100,000 BTC. And then no matter what the price of bitcoin does, whether it goes up or down, you've locked in your profit, which could be, you know, tens of billions of dollars.
B
Now I do want to flag that, Justin, you think in a particular way and the way that you think is why you are in Ethereum. And if you were a bitcoiner, you would think a different way. The bitcoiner way of thinking is very unique, very distinct. Ryan just alluded to a property rights maxi. I think what Justin would do if he was in charge of bitcoin is very different from what the general aggregate of bitcoiners would do if they were in charge of bitcoin. And I don't really have an actionable question here, but I just do want to highlight that. Oh yeah, what bitcoiners do is probably not what you're going to do.
C
Nic Carter's charge is that basically what many of the bitcoin core devs are doing is kind of burying their head in the sand and saying Q day is not real or it's not going to be real for like 20 to 30 years. That's what he's saying they're doing.
A
Just to be clear, my prediction around the burn winning out is a prediction of what I think is most likely, not what I would do. I would actually just not touch bitcoin and embrace the property rights, just because I don't have this short time preference. And I think many bitcoiners will agree with me. But unfortunately Michael Saylor has such a strong influence that in some sense bitcoin has been centralized at the social layer, and that comes with great power and great responsibility.
C
I actually agree with you. That's what I would do too. I would let the treasure hunt happen, I would let the salvage happen. I would not touch anything. That is the key thing that bitcoin does, and just let the chips fall where they may. Let me ask you the same question though. So it's not just some portion of bitcoin supply that is post quantum insecure. Ethereum has this problem too, but with a different percent of supply. Can you map that same problem, so we get to a post Q day scenario? Oh my God, somebody, let's say they didn't freeze and burn, somebody is grabbing, scooping up the Satoshi bitcoin. What is happening on Ethereum at this point in time? What percent of supply would be susceptible? Let's just say Ethereum didn't solve quantum yet. So let's just say it's in its current place. What percent of supply would be vulnerable to this type of an attack?
A
One advantage that Ethereum has is that there isn't the 5% of supply controlled by one person, Satoshi, which is kind of 4 to 10 to be lost. The other advantage in some sense is that Ethereum is less old and it had a price from day one. So there was a reason to take care of your ether from the very beginning. Whereas in the early days of Bitcoin it was just monopoly money and people just didn't really have very good hygiene with their private keys. And so it's much more likely that, you know, the 1.7 that Nic Carter was talking about are actually truly, truly lost. Now when I was with the ultrasound project, one of the things that we were trying to do is calculate the amount of known lost coins so that we could add it to the dashboard in addition to the burn. And it was just such a negligible amount that we didn't even bother doing it. There were.
C
But you have like the parity hack, isn't that a large portion?
A
Yes, very good point. So that was like the number one item in the list. But it so happens that this is a bricked smart contract which is not vulnerable to quantum computers. So it's actually just stuck.
B
It's not about not having the private keys, it's just literally stuck.
A
It's bricked. Yes, exactly. And then, you know, there are a few case studies of a few people. If you really go digging in the Reddit discussions and whatnot, you'll find stuff, but in the grand scheme of things, its sum total is less than 0.1%. So that is the known lost supply. But realistically there will be some coins which will be revealed to be lost closer to Q day, and if I were to make a guess, that is in the small single digits, call it 2, 3, 4, 5% maybe.
C
So you think maybe at max 2, 3, 4, 5% of Ethereum supply is kind of both lost and in quantum crackable addresses.
A
Exactly, yes. I mean if I were to make a concrete prediction, I'd say 2%, which is roughly an order of magnitude less than Bitcoin. And this quantitative difference actually has qualitative consequences, which is that in the case of Ethereum, I would strongly advocate for not doing anything and really honoring property rights because at the end of the day, whatever, 2% is not a big deal. In the case of Bitcoin, 15% is a massive deal.
C
So Ethereum will have to make this same choice whether to, let's say it's something like 3%, whether to do the freeze and burn or just let that be a treasure hunt. And your hope is that we just go with the treasure hunt option, which means some sort of quantum attacker will be able to scoop up that 1, 2, 3% of ether.
A
And if you zoom out and you look at the big picture, we're basically moving towards Ether being much better money than BTC. It will be non-interventionist, respectful of property rights, it will be quantum secure, and it will not have the security budget issue that is going to plague Bitcoin in a couple of halvings. And so I think this is a big opportunity for ETH, for the asset.
C
Okay, so we have just talked about kind of the soft social issue that quantum computing brings up. There's a lot of technical challenges that we also have to face in order to make kind of the rest of the chain post quantum secure. I want to bring out this tweet that I saw from Haseeb Qureshi, friend of the show. He said this, and he was quote-tweeting a Vitalik post on Ethereum's quantum roadmap. And he said this: Ethereum has a tougher roadmap to become post quantum than Bitcoin. Actually a lot of dependencies before you can tackle EOAs and private keys due to post quantum proof sizes. So his take is actually the challenges and the roadmap ahead for Ethereum are much tougher than Bitcoin. What do you think about that?
A
So there are two problems that need to be solved. There's the technical one and the social one. If you look at the technical one, Haseeb is correct that there are basically three problems that Ethereum has to solve, each at a different layer of Ethereum. So there's the consensus layer where we have this cryptography called BLS, there's the data layer where we have KZG, and then we have the execution layer where we have ECDSA. And each of these three pieces of cryptography is vulnerable. And that is a superset of what you have in Bitcoin, where you only have the ECDSA problem. So in some sense we have three times more things that we need to upgrade. But when you zoom out, I would argue that the bigger issue, maybe 80% of it, is social. We've already touched on whether to burn or not to burn. But there's something even more fundamental, which is, do we accept that this is even a problem? And in bitcoin land, you have this immune response which basically just rejects any kind of narrative which could potentially be bad for the price. And you have people like Adam Back that are saying quantum computers are at least decades away from today. And so step zero is to have some sort of acceptance that there is a problem. And it's possible that bitcoin will be slightly too late, and that would have much bigger consequences than on the technology side of things.
C
So you think generally bitcoin will have a harder problem because their social layer is just not acknowledging this reality and is less willing to engage with new developments on chain.
A
Yeah, let me say this. I'm willing to bet a large amount that all three layers of Ethereum will be upgraded prior to the single layer of.
B
So we have three times larger of a problem. But it is on the Ethereum side of things, just an engineering problem at the end of the day. And not only that, it is an engineering problem that Ethereum is taking head on. So while the Bitcoin engineering problem is a smaller engineering problem, it is a social problem, a coordination problem, which is fundamentally harder to get over.
A
Yes, exactly. And even on the technical side of things, this is a problem that we've been working on for almost a decade now. So if you rewind the clock back to 2018, we gave a $5 million grant to Starkware to study these hash based post quantum snarks and to lay the foundations with snark friendly hash functions. This is where the Poseidon hash function came out from. And if you look in the more recent past, you know, in 2024 there was the lean consensus chain that was announced, formerly known as the beam chain. We've had, for example, the post quantum workshops in Cambridge last year. We now have a dedicated post quantum team with Thomas and Emil. And we have this strawmap which really details some of the key milestones to making these upgrades.
C
Can we talk about each of those problems one by one? And I know, Justin, you can get into extreme detail with respect to the cryptography. We'll want to try to keep this at the level that David and I can understand, which is much more simple, let's say, Justin. But we do understand kind of the different layers of the Ethereum stack, of course. And maybe we can start with the execution layer, because that's been the main thing we've talked about. ECDSA. This is the signature scheme behind both Bitcoin addresses and Ethereum addresses. That's the thing that would be cracked in a post quantum world where somebody could go and take the actual assets. So what's the upgrade path for ECDSA? I mean, that is a long standing cryptography tool and we have something that can replace it. What's the process for that?
A
Yeah, so first of all, let me just highlight that this is a very big task. Fundamentally we're changing the pillars of blockchains, the base cryptography, and swapping it out with something new with completely different properties. Now if you were kind of a layperson, your answer might be, it's simple. We have a standards body called NIST, the National Institute of Standards and Technology. They've basically come up with this post quantum signature competition and they've selected a few, namely Falcon, Dilithium and SPHINCS+. And so we just need to pick one or several of these options. The problem is that NIST has not designed for the blockchain use case. They've designed for a use case where you have individual signatures for individual messages that are used on the Internet. In the context of blockchains you have batches of transactions. For example, for Bitcoin you have thousands of transactions per block. And again we have this size problem with the post quantum signatures, that they're at least 10 times larger, if not 100 times larger. And so in my opinion it's a total non-starter to consider these individual signatures that we're just naively packing and concatenating in the blocks. The only solution that I see is called signature aggregation, where you take multiple signatures and then you squish them into one multisignature, if you will. And then verifying this master multisignature is the same as verifying all of the individual constituents. Now when you do your homework, looking at the design space for aggregatable post quantum signatures, there's just not that many options. There's essentially one option that is viable in my opinion, at least with the technology that we have today, which is to make use of snarks, specifically post quantum snarks. And there's not that many post quantum snarks that we know about. There's basically one major family, which is the hash based snarks.
So the basic idea is that you take individual post quantum signatures and then you prove knowledge of all of these signatures to end up with a final snark proof. Now if you're going to go with the hash based snarks, you might as well also go with the hash based leaf signatures, the unaggregated raw signatures. And the reason is that this gives you simplicity and security benefits. It is the most minimal security assumption that you can have, where you're just assuming that your hash function is secure. And in the world of blockchains, hash functions are a sunk cost. We have them everywhere, you know, for building blocks and Merkle trees and state trees and blockchains where the chaining is done with hashes. And so the Ethereum Foundation has put in a lot of effort to start with hash based signatures and make sure to make them as snark friendly as possible so that the cost of aggregation is as low as possible. And I'm pleased to report that the performance of this approach is actually good enough for all of the blockchains. So whatever the throughput of your chain is, you can have an aggregator on reasonable hardware, for example on a laptop CPU, that can just be aggregating all these transactions and producing a final proof that gets accompanied with the block. And one of the ironic things about this approach is that it's actually a scalability increase relative to what we have today. And the reason is that you don't have the fixed cost of 64 bytes per transaction. The transactions have like 0 bytes of signature data. And then you have this one master signature which gets amortized away across all of the transactions in the block.
B
Okay, so this is an upgrade for many of the other smart contract blockchains downstream of Ethereum, especially the ones that optimize for speed.
C
Not just smart contract chains, right? Bitcoin as well.
B
Yeah, right, right, right. So the idea here, what I thought going into this episode, was that chains like Solana would become encumbered by having to do beefier signatures. Just in the same way Bitcoin TPS slows down to 0.03 transactions per second, Solana would similarly also slow down because transactions just would be beefier in a post quantum world. But what you're saying is, with this technology, that it won't be true and it actually will allow chains to broadly get faster and solve that problem.
A
Yeah, exactly. And just like Satoshi with ECDSA set a de facto standard for the whole industry, and we basically copied even the curve, the K1 curve, which was a very unusual pick by Satoshi. No one knows why he picked that curve, but that became the de facto standard. I think there's an opportunity for Ethereum to be a first mover and set the de facto standard. And the strategy that we're taking is actually to collaborate with the Bitcoiners. So in bitcoin land there are a couple of individuals, Mikhail Kudinov and Jonas Nick. They're both part of Blockstream and they're both hash based signature experts. And we're basically working with them to make sure that whatever we develop in Ethereum land is also applicable to Bitcoin. And if Bitcoin and Ethereum use that standard, then the whole industry presumably will also use the standard.
C
Some exciting news. We are launching a new podcast to help people figure out the crypto cycle, how to navigate it. The best crypto cycle investor I know, his name is Michael Nadeau, he runs The DeFi Report. This is the guy that sent me a sell alert before the 10/10 price drop happened. His cycle analysis has been absolutely on point. I've been following him for years. And this year we started recording weekly podcast episodes. In each one we get into his portfolio, what he's holding, the market structure, entry targets, fair market value of bitcoin and ether, and where we are in the cycle. There are new episodes released every Wednesday. They're 30 minutes, they're short, they're punchy. I think this crypto cycle is harder to navigate than most. So let's do it together. Go subscribe to this podcast, search The DeFi Report wherever you get your podcasts, YouTube, Apple, Spotify, or find a link in the show notes. There's a new episode waiting for you now. That's fantastic. So we have a way to solve the execution layer post quantum upgrade without a performance hit. Let me ask you another question though. How about security? So this is newer cryptography versus ECDSA, which has been around forever, has Lindy. It's been proven. Should we be worried in implementing new cryptography that there's some kind of hidden bug, zero-day, something out there that could completely destroy what we've built?
A
So I have a few thoughts here. We take security extremely, extremely seriously. And overall, what I expect will happen is that the solution that we deploy is going to be orders of magnitude more secure than what we have today with ECDSA. Now let me try and explain this. So ECDSA is based on elliptic curves, which are these fancy structured mathematical objects. And it is possible that some clever mathematician comes up with an algorithm to break the discrete log using some very fancy mathematical trick that humanity was not aware of. And this is the kind of thing that has happened in the past. We have better and better algorithms for factoring, for example, and for the discrete log. And one possibility, with the advent of AI, is that we just have mathematicians that are 100 times smarter than human mathematicians that discover this hidden structure in elliptic curves and can break the cryptography. And so the cryptography that we're building is not only post quantum, it's also post AI. And going back to the other thing that I said, it only relies on hash functions. So if you take basically any signature scheme, it will rely on two things. One, the hash function, and then two, an optional additional hardness assumption, which might be the discrete log, or in the case of lattice based signatures, these structured lattices. But in the case of hash based signatures, there isn't this additional hardness assumption. It's just hash functions. So if your hash function is secure, then you're good. And so in that sense, I expect it to be an improvement versus the status quo. Now, there are two caveats that I want to highlight. Caveat number one is that we're dealing with more complex objects. And the solution that we have here is what we call deep end to end formal verification. So we have our cryptographic object and we want to basically prove mathematically that it is sound, that it is impossible to forge a signature.
And not only do we want to do this for the mathematics, but we also want to do this for the code. And had you asked me two, three years ago, is this something that would be doable, I would have said yes, but it was extremely laborious, extremely expensive. But what we're seeing with the advent of AI is that this very laborious and expensive work can be done a hundred times faster and 100 times cheaper. We're starting to see bleeding edge world class mathematics. For example, a recent result that won the Fields Medal, which is the equivalent of a Nobel Prize for mathematics. That result has been formally verified by an AI in five days. They produced half a million lines of code proving mathematically, like a machine checkable proof, that this is indeed a valid theorem, and in the process found all sorts of typos in the proof of the human-written paper. So that's the kind of due diligence that we want to have in order to avoid the bugs. Now there is another thing that I want to highlight, which is the hash function itself. So historically blockchains have been built on either SHA2 in the case of Bitcoin, or a hash function called Keccak in the case of Ethereum. And the proposal that we have for post quantum Ethereum is to introduce another hash function called Poseidon, which in some sense is a different type of hash function because it's snark friendly. Now by the time we launch Poseidon, it should be pretty safe in the sense that it will have been analyzed for a whole 10 years. It will have been securing many billions of dollars through the L2s and it will have gone through cryptanalysis by all of the top experts in the field. And also recently we just announced a $1 million prize, you know, to try and break Poseidon. But it is indeed possible that Poseidon, which is a new thing, would break. Now the way, unfortunately, that you design hash functions is that you can't just prove that they're secure.
The best that you can do is, you know, the lack of an attack that proves that they are insecure. And so there's basically this baking time, and the order of magnitude that I have in mind is 8 years. Why 8 years? Because when Satoshi picked SHA256 it was 8 years old. When Vitalik picked Keccak, it was 8 years old, coincidentally. And so I would want Poseidon to be at least eight years old, which it will be when we do deploy it on Ethereum.
C
Okay, so that's the execution layer. Quickly, could you talk about the data layer? KZG needs to be upgraded to something post quantum. And the consensus layer where we have BLS signatures, is that sort of similar in terms of the level of effort to the execution layer in replacing ECDSA?
A
So let me start with the consensus layer because it's a simpler answer; at first approximation it is basically a copy paste. So we have a similar concept where we have actors making signatures and there are a lot of signatures and, you know, they take up a lot of space and we want to compress them. The issue with the consensus layer is that we have way more signatures than at the execution layer. People don't realize this, but you know, we have a million validators, so that's a million signatures per epoch, which is 32,000 signatures per slot, which is thousands of signatures per second. You know, it's more than Solana in terms of vote transactions. In order to unlock a certain performance optimization, which is only available at the consensus layer, we have this notion of a stateful signature, which basically says that the messages that you sign have a counter that increases every time you sign. And doesn't that remind you of something? The slot number? So in Ethereum at the consensus layer you will only ever sign a single message per slot. If you sign two messages per slot, you'll get slashed. So you'll probably never do that. And we use this constraint to basically have signatures that are 10 times more efficient to aggregate. But this is the main difference, you know, the so called stateless hash functions at the execution layer versus the stateful signatures where you have this slot number that increments. And the aggregation technology, we have a name for it, it's called LeanVM, which is a minimal ZKVM for hash based cryptography. Basically what LeanVM would be doing is proving that this is a correct Merkle root. And the main thing that we're not completely sure about yet is whether or not this approach can unlock what I call the teragas frontier. So we have this very ambitious 1 gigagas per second at the L1, 10,000 TPS.
But in some sense even more ambitious, 1 teragas, 10 million transactions per second at the L2 using the data availability. And we're talking about 1 gigabyte per second of data availability. And so the question is, can the ZKVM be performant enough to crunch through 1 gigabyte of data per second? And this is still yet to be determined based on future optimization. What we do know for sure is that Ethereum will have the DA to have the one gigagas per second for the L1 plus a handful of other L2s.
C
So I think now listeners might be thinking at this point in the conversation, oh, okay, it sounds like the Ethereum community has a plan to upgrade to post quantum. They're acknowledging that quantum computers will exist and there is a Q day and they have a plan. Now they're wondering about timeline and level of effort. So I took Vitalik's post quantum roadmap tweet and I threw it into Claude and I was like, hey Claude, what's the level of effort here? What are we talking about? How difficult really is this? And Claude responded like, think of this as a 9 out of 10. Okay, this is one of the most significant upgrades, maybe the most significant upgrade that Ethereum will ever do. It compared it actually to the merge, where we had a plane and mid flight we had to swap out the proof of work engine for proof of stake. Well now we're swapping out much of the core cryptography of Ethereum, and that feels like a pretty large level of effort. So can you, I guess, scope this for us? First of all, are we going to be ready for this by 2032? And also, how difficult is this as you're getting into it? Does it seem possible for us? Does it seem daunting to you?
A
Yeah. So I have two parts to the answer here. The first part is actually it's even more ambitious than the way you framed it. And the reason is that the change to the cryptography is so invasive that it's essentially almost a rewrite of the consensus layer at least. And so if we're going to rewrite the consensus layer, we might as well properly rewrite it and put in all of the goodies and clean up all of the technical debt. And does that remind you of anything? That's the lean consensus project, where we're basically bundling together multiple rewrites, including single slot finality, with the upgrade to post quantum. So yes, it is a very ambitious project. In some sense we're starting from a clean slate and building something amazingly beautiful and simple and efficient and, you know, provably secure and all of the good things. The good news is that in many ways starting from scratch is simpler because, you know, you don't have all of this technical debt. And we can rewrite the spec to be as minimal and simple as possible. And this is where the terminology lean comes from, right? We want to have maximum simplicity, where we want to have the whole state transition function basically be a thousand lines of Python code that some sort of smart high schooler can just read. And right now we have testnets, sorry, devnets for lean consensus. And the specs are so easy to ingest that we've seen about 10 teams all implement them, start joining the devnet, and do so without even contacting the Ethereum Foundation. So the barrier to entry is relatively low. And we're in this crazy world where AI development means that you can basically, to a large extent, vibe code your client. And I think that's a big reason why we have so many clients, and oftentimes we're talking about either single person teams or small two person or three person teams.
And I think this is going to have interesting consequences in terms of sustainability, paying for all of these client teams as well as around governance of how do we make upgrades to Ethereum. Like on this latter topic, the way that we do governance today, roughly speaking, is that we have five consensus layer clients and they all need to implement the upgrade, so some sort of EIP in order to move forward. And if we want in the future, when we have, let's say 10 or 15 clients, we can just require the top 80% or the fastest 80% in order to move forward. And that's more of a Darwinian competition that allows us to move fast, much, much faster without having to wait for the slowest client.
C
So will we be ready by 2032? At what point will we be ready?
A
So the whole strawmap has everything laid out up to 2029, which is basically the exact same roadmap that I gave at my Devcon talk where I introduced the beam chain, the one that people hated back then. Yes, it's my most hated slide (TM) because it stretched over four and a half years or whatever. And historically I've been bad with timelines, I've just been way too optimistic. But as I age and mature and have white hair, I've been becoming better at timelines. And I think it was a realistic, conservative timeline that got people upset, but you know, that's just the way it is.
B
But just adding on the context, the reason why people got upset was this was in peak Solana momentum versus a perceived lack of technical momentum on the Ethereum roadmap. So it was also the timing of the context. It wasn't just that you were giving a roadmap that was four years long. I think that was also two years ago as well. And so we're already decently far into that roadmap, but it was also the context in the moment as well. So I don't want to discount that for the listeners who don't have that context.
A
Exactly. Yeah. So we're a year and a half in, and back then it was four and a half years away. So now we're roughly three years away, and I'm relatively confident that we can meet this 2029 milestone, and I think there's even an opportunity to move faster, thanks to AI.
C
So by 2029 all of this would be implemented if it meets the roadmap. Everything we just talked about, you promise everything. Another question as I was thinking about this, and this is sort of from old software engineering veterans that have told me in the past, they say things like, you know what, rewrites never work. And they have reasons for this that I'm not a software engineer, so I can't recite. But it's basically like the rewrite is kind of a trap, it's a myth, because there's this panacea of getting rid of all the technical debt. But what ends up happening is you just kind of staple on to the existing code base, and it becomes so much more thorny to start something from scratch. In this case, Justin, you're saying like, hey, a rewrite is going to be a fresh start, it's going to work. What gives you that confidence? And why is there something in the back of my head, some ancient software developer telling me that rewrites never work? Why does that not apply here?
A
One piece of good news is that in some sense we have already done this type of large rewrite, as you alluded to, with the merge. We completely changed the consensus foundations of Ethereum from proof of work to proof of stake. So that in some sense is an existence proof that it can be done. And Ethereum is no stranger to ambitious projects. We've had other very ambitious things like danksharding and data availability sampling that are kind of on a similar scale. Another piece of good news is that we have no choice. We have to change the cryptography. It is a very strong forcing function, and that alone, I would argue, is 80% of the rewrite anyway. So that makes the coordination and coming to consensus much simpler. And then the other thing... go ahead.
C
I guess we should emphasize it's not just Ethereum that has no choice. No one in crypto has an alternative to this. Everyone in crypto has to do a rewrite. With Bitcoin, it's just ECDSA, but that in itself is enough.
A
Yes. So it's possible that Ethereum has to do more of a rewrite than other chains. And this has to do with the number of validators. So if you only have, let's say, 100 validators, then you can just absorb the cost of the 10x larger signatures at the consensus layer. It's not too much of a big deal. So for most of the proof of stake chains, actually you don't need the sophistication that we have. But for Ethereum, we're hoping to have tens of thousands of validators voting every single slot, which is again like thousands of signatures per second. And we have to be very creative. Where I would agree with you is that there has to be a very big change for all blockchains at the execution layer. But the good news for the other chains is that Ethereum is doing all the homework. Like we're building the Lean VM, we're going to formally verify the whole thing, and you can just copy paste it, and it's largely an easy job to integrate it.
B
Nick Carter tweeted out: one of the dumbest fallacies is people thinking their coin is going to win if only Bitcoin dies. Like the Zcash people FUDding Bitcoin over quantum. It's precisely the opposite. If Bitcoin dies, no one will ever trust Internet money again. All coins ride on Bitcoin's coattails. What's your reaction to this sentiment?
A
Yeah, I disagree with Nick Carter, and Nick has always been very upset when I tweet about the security budget. You know, he thinks that it's destructive of the whole industry to be talking about this, even though the fundamentals, you know, align with what I say in my tweets, like we should be treading more cautiously. And ironically, he's doing the same thing with quantum that I'm doing with the security budget, which is kind of to try and force the discussion and force change.
C
I mean, what about the larger take though, Justin, that let's say we get to 2032, Ethereum is quantum secure, Bitcoin isn't. Bitcoin gets attacked in some of the ways we've described, or there's this treasure hunt going on and there's this market uncertainty as to the outcome. I think what Nick is saying is, don't cheer for that, because that's going to be bad for every chain in crypto. And he's further saying, so goes Bitcoin, so goes everybody else. If you want a meme of store of value Internet money, Bitcoin has to lead that charge. There's no such thing as a flippening type scenario where the Ethereum community is able to say, hey, look, you know, our chain is post quantum secure and we don't have the problems that Bitcoin does. He's saying that this will take the entire crypto space down, at least from an Internet money, store of value perspective.
A
Yeah, I mean, I disagree. And you can just look at historical analysis where you have seashells that were superseded by salt or something, and then they were superseded by silver and then gold, and then we even have Bitcoin superseding gold potentially. And just because gold fails doesn't mean that the next thing also has to fail. And I'd say that Ethereum is the very natural successor to Bitcoin as Internet money. And just because Bitcoin fails doesn't mean that Ethereum has to fail. I agree with him that there might be some short term pain, but we're also talking about long term gain.
C
So what do we get at the end of this? So 2030, Ethereum is post quantum secure because Justin promised. What does Ethereum become? Is it sort of the only one in its class, or do you expect all other blockchains to kind of follow in its footsteps and to also achieve post quantum security? Like at that point in time, what is Ethereum up to? I know there's a broader roadmap here, but it does seem like a feather in the cap to be post quantum secure, to the extent that quantum is on the horizon in the 2030s. But can you describe the system that we have in 2030 if all of this comes to pass?
A
Yeah. So one interesting shift of mindset for me in the last few months is that I've stopped thinking about post quantum as a hurdle that we have to overcome. And I think of it more as an opportunity. It's an opportunity for Ethereum to stand out as the very first global financial system that is post quantum secure, not just relative to its competitors like Bitcoin and whatnot, but also relative to fiat and TradFi. And I think it would send a very strong message and kind of be a very natural security Schelling point for the world to migrate over to Ethereum. And not only is it an opportunity for Ethereum to distinguish itself relative to its peers, but it's also an opportunity for Ethereum to become the best version of itself. And this goes back to the idea of the move to post quantum essentially being a rewrite, and that being a massive opportunity to start with a clean slate and wipe out technical debt. One interesting data point here is that the OG beacon chain launched in 2020, and the design of it was frozen one year before, in 2019. So if and when we ship, hopefully when we ship, lean consensus, the lean beacon chain, in 2029, we're going to be upgrading something that is 10 years old. And as you know, in crypto, 10 years is an eternity. We've learned so much that the lean beacon chain is going to be very, very different from the OG beacon chain. And you can think of it as kind of being proof of stake 2.0.
C
We are in a very interesting time with respect to computing, Justin. There seem to be these three kinds of computing platforms and paradigms that are really at the frontier, shaking things up in ways that will interact with each other, in ways that will change the course of human history. One is AI, of course, and everyone is aware of what's going on there and where that leads. And then we also have quantum, which is maybe where AI was in the 2010s, you know, maybe we're in 2018 quantum, something like that, as compared to AI. So we have quantum, and what's that going to shake up? And then we also have crypto and cryptography, as best exemplified by, I think, blockchains like Ethereum and Bitcoin. So it almost seems like we're entering kind of a singularity of these three things where, you know, AI is speeding up quantum and cryptography. And then cryptography is going to be useful as kind of a counterbalance for some of the centralization vectors of AI. What do you think of all of this mess? I mean, you're a cryptographer, so you're certainly involved in at least one of these frontiers. What's going to happen next?
A
It's very hard to predict. But as you said, there's this very strange coincidence where 2032 seems to be the year where computing in general reaches the singularity. People have been talking about AI singularity potentially even before 2032, right? There's AI 2027, which is a very, very famous write up. I don't think we'll have superintelligence in 2027, but I think it's likely that we'll have it by 2032. We're already starting to see, just yesterday, Karpathy, one of the AI OGs, starting to have AIs recursively improve themselves autonomously, which is extremely scary. And this is basically the thing that should start the exponential, at least many people believe should start the exponential, towards superintelligence. We have 2032 as potentially being Q Day, when we have these CRQCs, these cryptographically relevant quantum computers. And we also have 2032 where Bitcoin will have what I believe is its final halving, and you could call it B Day, right, the Bitcoin day, where there's some sort of a reckoning that's going to happen because the issuance will be way too low to secure it. In two years' time we're going to have one halving. And then in six years' time, in 2032, we're going to have this other halving. And the security story for Bitcoin over the last 15, 16 years has been that transaction fees are going to replace issuance. I invite you to look at the data. It's just not happening. Transaction fees today are 0.6% of issuance. So forget about transaction fees. We're going to have basically an exponential decay of Bitcoin security. And today Bitcoin is secured, roughly speaking, by 10 gigawatts. And here's an absolutely crazy, mind blowing statistic. Every single day China deploys 1 gigawatt. Every single day China deploys 1 gigawatt, mostly of solar. And so 10 days' worth of deployment in China is sufficient to 51% attack Bitcoin.
B
It's just in terms of energy cost, which is this thing that shields Bitcoin: China is producing as much energy as it takes to secure Bitcoin every 10 days.
A
So in terms of the power draw, Bitcoin is drawing 10 gigawatts, and a gigawatt is, let's say, a nuclear plant. So it's 10 nuclear plants, and China is deploying the equivalent of a nuclear plant every single day. And that is one of the main bottlenecks to making an attack. The other bottleneck is to have the rigs, the hardware. And here we're talking about a million rigs, just a million machines, and it will cost you about $10 billion to pull off the attack, which in the grand scheme of things is absolute peanuts, both relative to the market cap of Bitcoin, but also for an attacker like a nation state.
C
When you talk this way about Bitcoin, Justin, it almost makes me think that you no longer think Bitcoin should be sort of the vanguard of this crypto movement. The framing of this is almost like Bitcoin has some flaws from a security budget perspective, from a quantum perspective, and Ethereum is going to be here to kind of lead crypto after, if Bitcoin can't get past some of these flaws. Is that what you believe?
A
So I remain optimistic on quantum. I still think that ultimately it's rooted in a technical challenge that can be overcome. The bigger issue I see is the security budget, because here we're getting at the core essence, the DNA of what it means to be Bitcoin, which is to have this 21 million cap and to be secured by proof of work. And I just don't see how you can combine proof of work and the 21 million cap. You have to just lose one. So there is a possibility, for example, that BTC the asset were to decouple from Bitcoin the chain, and it could go live on the more secure chain for free. And the obvious choice here is to live as an ERC20 token, for example, on Ethereum. But just saying these words,
B
Bitcoiners don't think like that.
A
No, they don't. But if I were to say different words like, oh yeah, we're just going to remove the 21 million limit because we realize that the security budget is insufficient. Bitcoiners also don't think like that. And so they're heading very fast towards a wall. And 2032 is the reckoning day.
B
What about quantum as it relates to the rest of society? Because this is not just a crypto problem. Blockchains are uniquely susceptible to quantum computers. But there are other components of society that are also susceptible to quantum computers. So, like, regular encryption, for example. To what degree does a post quantum Ethereum, like the 2029, 2032 Ethereum, represent just a tool for society to solve stuff, fix stuff, prevent stuff in a post quantum, post AI world?
A
So there's basically two flavors of cryptography, if you will. There's real time cryptography, where you're just signing messages in real time and there's no material impact on the actions that you made in the past. And I think here upgrading to post quantum cryptography should be relatively straightforward for most of the Internet. There are some exceptions. For example, if you have satellites that have already been deployed and you literally can't upgrade them, then they will be producing signatures that can be forged. But that's more of the exception. Then there is another problem which has to do with encryption, where if there's material that has been encrypted today and you're not using post quantum secure encryption today, that means that this data can be decrypted in the future. And there's this whole class of attack called harvest now, decrypt later. I think it's realistic that we're going to have mass decryptions in society. So we might have lots of Signal messages from several years ago, or maybe lots of Telegram messages or whatever, I don't want to pick on one specific platform, or maybe troves of Gmail messages all being decrypted simultaneously. And I think that could have a very significant impact on society.
C
Justin, when we were talking about these three compute technologies, it does feel like the one that sticks out is AI. And you were talking about 2032 being sort of maybe an AGI type moment. One just general question I have is: you are a human, an extremely talented cryptographer, extremely intelligent, particularly within your domain, but you are not an AGI, you are not artificial general intelligence. And the concern is, as we enter into that computing singularity, that all bets are off when it comes to AGI. Like all of the well laid plans we make in 2026 to have our blockchains be quantum resistant. What if AGI just figures out how to crack our quantum resistant cryptography in some other way? Like, as a cryptographer, are you worried about the unknown unknowns of artificial general intelligence and the things that it could crack? Like what if we're prepared for this post quantum world, but we're not prepared for a post AGI world?
A
Yeah, so on the cryptography I'm fairly confident about the soundness, and the reason is that you can prove mathematically that your cryptography is correct. So cryptography is a sub-branch of mathematics, and there is this one exception where you have these hard problems, and what you try and do, generally speaking, is that you calibrate, you parameterize these hard problems so that if someone were to computationally break the hard problem, it would use more energy than there is in the solar system, or something ridiculous like this. And going back to the cryptographic foundations that I was suggesting for post quantum Ethereum, which is hashes, it doesn't get any stronger than that. And this is in some sense the weakest cryptography that you could hope to have. And this is one of the reasons why I'm cautious about putting the foundations of the Internet of value on top of so called lattices. So NIST has, there's two major flavors of post quantum signatures. There's the hash based stuff and the lattice based stuff. And the lattice based stuff to me is very reminiscent of elliptic curves. These are highly structured objects. Lattice suggests that you have this grid, if you will, of points. And it's plausible at least that some AGI, or even stronger, some ASI, artificial superintelligence, something that is thousands of times smarter than the combination of all humanity, could crack it. But the hash functions, there's reason to believe that they're strong. Even though I'm not too worried about cryptography, I am worried about something much deeper, if you will. If you zoom out, I'm more and more worried about just existential risk for humanity. And I think more and more people are starting to understand what Eliezer was trying to say on Bankless not too long ago.
I think it's plausible that if humanity were to survive, Ethereum plays a key role in that happening. The metaphor that I have right now is that humanity is driving in a car at a hundred miles an hour. And there are all sorts of incentives. There's this Moloch trap where the big nation states, TSMC, Nvidia, OpenAI, they're all pressing on the gas, and the car has no brakes, it has no seat belt, it has no airbag. And while today we can steer relatively comfortably at 100 miles an hour, next year we're going to be at 200 miles an hour, and then the year after that 300 miles an hour. And eventually we're just going to be driving so irresponsibly fast that we're going to crash into a tree or into a wall, or we're going to drive off a cliff. And I think for me, working on Ethereum has taken on a whole new meaning in the last few months. To a large extent, I was ignoring AI, partly because I was just so obsessed with blockchain stuff, but also partly because it was a toy not long ago. But what's happening is that through my work, especially with formal verification and development and coding, I'm just seeing how powerful this stuff is. And in the last few weeks and months, I've just been obsessed by AI, just learning as much as I can, watching many, many videos, and I'm by no means an expert. And maybe this is just some sort of a phase that people go through when they open Pandora's box. But for me, working on Ethereum is now all about defensive accelerationism. And I don't see other parts of society that are working on the braking system. It's just all gas. And the good news, I guess, is that Ethereum has a lot of the thinking and a lot of the tools that potentially could provide some of the solutions. So from day one, we assume adversariality. From day one, we're making use of technology like cryptography that empowers the weak and makes sure that even the strong, the arbitrarily strong, cannot break certain things.
You know, we're trying to be this source of truth, if you will. We're trying to be decentralized and trying to give people sovereignty. And all of these words, they're at least in the right direction. And I think it's possible that in the coming months and years, we will have some sort of an awakening where society goes, oh, shit. And it might become a moral imperative to start working on defensive accelerationism. And we might have some of the smartest minds in the world just naturally come to Ethereum as a potential solution, as part of a suite of solutions that we need to tackle this.
C
I love that you're thinking about that, and it does sound like your work on Ethereum gives you meaning. I have another question on that. So, David and myself being obviously huge fans of Ethereum, one of the worries I actually have if the AI destiny comes true is, at some level, yes, it's a defensive accelerationist technology. It's decentralized, it's kind of permissionless, it's pushing power to the small rather than the largest. At another level, though, it is digital and we have created a property rights system. And it does seem to be the case that some sort of AGI or ASI could leverage our immutable, can't-turn-it-off world computer for things that humanity actually doesn't want. Are you worried at any level about that being an outcome, that it just uses Ethereum for, hey, humanity, thanks for the property rights system, we'll take it from here? And you've now actually accelerated a technology that is counter to humanity.
A
I think this is a very fair point. And ultimately Ethereum is a tool which could be used by both the humans and the AIs. Now, maybe this is cope, but one way to think about it is that if you remove Ethereum, there don't seem to be many other alternative products that people are building in the defensive accelerationist space. It's pretty much all accelerationists. And so, yes, maybe Ethereum will accelerate some things, but in some sense it's one of the only hopes that we have for defensive acceleration. And so as such, I think it's still rational to be trying to ship the strawmap by 2029 and doing my best to make sure that Ethereum will be ready for an age of artificial superintelligence.
C
Just a last question as we draw this to a close. Justin, this has been absolutely fantastic. Thank you. And maybe this is kind of a personal question, as you've had an AI awakening over the last few months. I now notice you're qualifying Ethereum with, like, if humanity survives, then Ethereum plays a key role. If humanity survives. Those words are hard to say. For me, it's hard to actually get that out of my mouth, because that is a caveat that I've not had to think about or deal with. Like the real possibility that technological accelerationism means humanity doesn't survive. How do you deal with that?
A
Personally, I'm relatively Zen about it. I've reached a point where, you know, I'm happy to die. You know, I've lived a very happy life.
C
What?
A
David is shocked.
B
That was not the answer I was expecting.
A
I think you just need to keep hope. You just need to put aside the so called P doom, like, what is the probability of doom? My P doom now is relatively high. I think it's more than 50%. But I don't want to say this out loud. I don't want to.
C
You don't want to live in that pessimism?
A
Yeah, exactly. I don't want to discourage myself and make my life miserable. And maybe more importantly, I don't want to discourage other people and have them lose hope. And so I think we should just be doing our best with what we have. The future is highly, highly, highly unpredictable. And so even though my P doom kind of went way up in the last few weeks and months, this is a strong opinion weakly held, and I want very smart people to come forward and tell me why I should not be so scared and should be more optimistic and more hopeful. And just as I said, I've only been thinking about this for literally weeks and months. I'm just scratching the surface. The big wake up call for me was Opus 4.5, where Emil told me that from this point onwards, AI is actually helping me become more productive. Before that it was kind of net slowing me down. And then what we've seen in the last few weeks is more and more impressive results. So for example, about a month ago, one of the key lemmas in the hash based SNARKs, it's called the Polishchuk-Spielman lemma, was proven, formally verified, in eight hours and it cost $200, something that would have cost 100 times more if a human were to do it and would have taken 100 times more time if a human were to do it. And then I also mentioned the Fields Medal result which only took five days to generate a 500 line proof. And it's kind of obvious, right? Like we're going to have all the known mathematical theorems just be checked and verified by the AIs with all of the typos corrected. And for some small subset of theorems, we're actually going to have a demonstration that these are actually incorrect and there might be counterexamples. And it already seems like programming is largely solved, and then we're going to solve scientific progress and all sorts of other things.
Really, things get philosophical extremely quickly and you know, maybe that's for another episode.
C
Yeah, I do think that is for another episode, Justin. It's a fantastic answer though. I appreciate your insight into approaching this with some level of stoicism and then agency, which is working on things that are meaningful to you, and we hope, if humanity survives, to do many more of these podcasts with you in the future. It's always a treat to have you. Justin Drake, thank you so much. Thank you. Gotta let you know, of course, crypto is risky. So is the real world. You could lose what you put in. But we are headed west. This is the frontier. It's not for everyone. But we're glad you're with us on the Bankless journey. Thanks a lot,
A
Sam.
Bankless Podcast — Ethereum’s Quantum Strategy with Justin Drake
Date: March 23, 2026
In this episode, Bankless hosts a deep dive with Justin Drake (Ethereum Foundation researcher and cryptographer) to discuss quantum computing’s impact on cryptocurrencies—specifically the coming “Q Day” when quantum computers can break current blockchain cryptography, and Ethereum’s proactive strategy to become the world’s first post-quantum financial system. The show addresses technical, social, and existential issues looming for crypto in the face of rapidly advancing quantum technology, comparing implications for Bitcoin, Ethereum, and the wider crypto ecosystem.
Definition of Q Day: The moment when quantum computers are powerful enough ("cryptographically relevant quantum computers" or CRQCs) to break widely used cryptographic schemes (like ECDSA signatures), threatening the security of Bitcoin, Ethereum, and global digital assets.
Advances in Quantum Tech (02:28): Major breakthroughs in error correction and quantum algorithms have dramatically reduced the number of qubits needed to break cryptography from tens of millions to about 100,000 physical qubits.
Timelines: Drake estimates there’s at least a 1% chance of Q Day by 2032, with a more conservative estimate between 2032 and 2038. He targets 2029 as Ethereum's completion date for full post-quantum security. (05:06)
"My completion date for Ethereum being fully post Quantum secure is 2029." —Justin Drake (05:06)
Bitcoin’s Unique Exposure:
Attack Scenarios:
"One potential set of victims might be people who have died, for example, and they've just lost their coins... if someone steals their coins, no one's going to complain." —Justin Drake (17:38)
"I believe it's on the order of 35%... millions of bitcoins, let's say 6 or 7 million, something like that." —Justin Drake (20:30)
Social Responses to Q Day (Burn, Freeze, or Salvage):
"The market decides which one is the true bitcoin... short term liquidity dynamics [could mean] the version which burns the coins potentially ahead of Q day is going to win." —Justin Drake (28:35)
Ethereum's Advantage:
"If I were to make a concrete prediction, I'd say 2% [of ETH is vulnerable]... which is roughly an order of magnitude less than Bitcoin." —Justin Drake (43:03)
Engineering vs. Social Challenge:
Ethereum's Roadmap:
"I'm willing to bet a large amount that all three layers of Ethereum will be upgraded prior to the single layer of [Bitcoin]." —Justin Drake (47:01)
"In some sense, we have already done this type of large rewrite... as you alluded to with the merge." —Justin Drake (71:35)
Timeline & Feasibility:
Quantum Algorithm Metrics:
Layer-by-Layer Upgrades:
"The cryptography that we're building is not only post quantum, it's also post AI... it only relies on hash functions." —Justin Drake (56:34)
Interplay of AI, Quantum, Crypto:
"For me, working on Ethereum has taken a whole new meaning in the last few months. To a large extent, I was ignoring AI... But for me, working on Ethereum is now all about defensive accelerationism." —Justin Drake (88:15)
Ethereum is not treating the quantum computing threat as merely a defensive hurdle but as a strategic opportunity to lead in both technical and social aspects. The episode underlines Ethereum’s proactive engineering, willingness to coordinate and adapt, and vision for a safe, adaptive, post-quantum financial system, as well as its potential for broader societal impact in a world shaped by quantum and AI. Alongside formidable technical and social challenges for Bitcoin, Ethereum’s readiness could determine how crypto weathers the "Q Day" reckoning.
"If humanity survives, I think it's plausible Ethereum will play a key role in that happening."
—Justin Drake (88:15, paraphrased)
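Drake's two technical points about the consensus-layer cryptography, that it should rely on nothing but a hash function, and that such signatures are roughly 10x larger than today's, which is why tens of thousands of validators signing every slot forces creative aggregation, can be seen concretely in the smallest hash-only scheme, a Lamport one-time signature. The code below is an added example written for this page; it is not Ethereum's lean consensus code and not the scheme Ethereum plans to deploy (the episode does not name one). SHA-256 as the hash, the 32-byte output size, the 64-byte ECDSA figure used for comparison, and the sample attestation strings are my assumptions. Beyond what the episode states, the block also shows the one-time caveat: signing two messages under the same key leaks enough of the private key that an observer can start assembling signatures without it, which is the state-management problem that practical hash-based schemes (Merkle trees over many one-time keys, Winternitz chains) exist to manage.

```python
"""Lamport one-time signature over SHA-256: a hash-only signature scheme.

Added illustration, not production code from Ethereum or anyone else.
Assumptions: SHA-256 (32-byte digests), 64 bytes as the ECDSA comparison.
"""
import hashlib
import secrets

HASH = hashlib.sha256
N = HASH().digest_size   # 32 bytes per hash output
BITS = 8 * N             # 256 digest bits, one key pair per bit


def _bit(digest: bytes, i: int) -> int:
    """Bit i of a digest, most significant bit first."""
    return (digest[i // 8] >> (7 - i % 8)) & 1


def keygen():
    """Private key: 2*BITS random preimages. Public key: their SHA-256 hashes.
    Security rests only on preimage resistance of the hash, nothing else."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(BITS)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def sign(sk, msg: bytes):
    """For each bit of H(msg), reveal the preimage that corresponds to it."""
    d = HASH(msg).digest()
    return [sk[i][_bit(d, i)] for i in range(BITS)]


def verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed preimage; it must equal the pk entry for that bit."""
    if len(sig) != BITS:
        return False
    d = HASH(msg).digest()
    return all(HASH(sig[i]).digest() == pk[i][_bit(d, i)] for i in range(BITS))


def signature_size_bytes() -> int:
    return BITS * N          # 8192 bytes, versus 64 for an ECDSA signature


def public_key_size_bytes() -> int:
    return 2 * BITS * N      # 16384 bytes


def per_slot_bytes(validators: int, sig_bytes=None) -> int:
    """Raw signature bytes per slot if every validator signs individually;
    this is the cost that aggregation at the consensus layer has to absorb."""
    if sig_bytes is None:
        sig_bytes = signature_size_bytes()
    return validators * sig_bytes


def revealed_preimages(signed):
    """Private-key positions (bit index, bit value) an observer learns from
    (msg, sig) pairs made under the same key. One signature reveals exactly
    half the key; every further signature leaks more."""
    seen = set()
    for msg, _sig in signed:
        d = HASH(msg).digest()
        seen.update((i, _bit(d, i)) for i in range(BITS))
    return seen


def forge(signed, target: bytes):
    """Assemble a signature on `target` purely from leaked preimages.
    Returns None if some bit of H(target) is still unknown to the observer."""
    known = {}
    for msg, sig in signed:
        d = HASH(msg).digest()
        for i in range(BITS):
            known[(i, _bit(d, i))] = sig[i]
    d = HASH(target).digest()
    try:
        return [known[(i, _bit(d, i))] for i in range(BITS)]
    except KeyError:
        return None


if __name__ == "__main__":
    sk, pk = keygen()
    m1 = b"attestation: slot 42, head root 0x01"   # constructed sample input
    s1 = sign(sk, m1)
    print("valid:", verify(pk, m1, s1))
    print("tampered:", verify(pk, m1 + b"!", s1))
    print("sig bytes:", signature_size_bytes(), "pk bytes:", public_key_size_bytes())
    print("10k validators per slot, Lamport:", per_slot_bytes(10_000))
    print("10k validators per slot, ECDSA  :", per_slot_bytes(10_000, 64))
    m2 = b"attestation: slot 43, head root 0x02"   # constructed sample input
    s2 = sign(sk, m2)                               # key reuse: never do this
    leaked = revealed_preimages([(m1, s1), (m2, s2)])
    print("private-key halves leaked after 2 signatures:", len(leaked), "of", 2 * BITS)
```

With one signature, `forge` can only reproduce the signature it already saw; with two, the observer holds 256 plus the Hamming distance of the two digests out of 512 preimages, and with a handful more it holds nearly all of them, which is why a Lamport key must be used exactly once and why the 8192-byte signature is the floor, not the ceiling, for the per-validator cost that the consensus layer has to aggregate away.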