A (3:19)

Essentially. It's also important to say for most of the other approaches that one can consider whether it is. There is one popular called lattice based schemes that require some other assumptions. Most of them still rely on hash functions. So this is essentially as minimal as you can get in terms of security assumptions and requirements from a scheme is requiring just a hash function to be secure. This is a very conservative approach and I guess arguably the most secure way. The possibilities this has the least amount of attack vectors and that they got.

B (4:11)

So Jonas, you referenced it. So Bitcoin already relies on SHA256 for mining and transaction IDs. So this is just sort of a doubling down on what's already worked to date and what we know to be pretty secure.

C (4:23)

Right. So hash based means we can use any hash. There are also different hash functions we could choose also with different trade offs with respect to performance or even proving proving in zero knowledge snarks. But the natural choice for the hash function would just be SHA256. Because if SHA256 is broken then arguably we have even bigger problems than just transaction authorization not working. The blockchain doesn't really work anymore. We don't know what the truth is. We don't have consensus on the blockchain anymore. So yeah, from that perspective makes sense to look at these hash based signature schemes. But they have a reputation for being quite large in terms of size. So that is a consideration that one needs to look into when considering hash based signatures.

B (5:24)

And before we get to that, because I think that's exactly what your paper focused on. Like okay, if we want to be quantum resistant, we're going to use hash based. How do we basically weigh the trade offs and make sure that Bitcoin is still usable and scalable at the end of the day. But before we get to that even we've all heard the term post quantum thrown around. What does that actually mean? What is the quantum we're supposed to be afraid of and supposed to be preparing for?

C (5:51)

Yeah, from my perspective, if we as cryptographers do security proofs, so for example for Schnorr signatures or music or frost or signature aggregation, dahlias, etc. We have these little theorems. They are a paragraph or two, contain some numbers and they very precisely state what the assumptions are under which these signatures are secure. And in the case of Schlor signatures it tells you directly when you read it or write it down. It relies on the security of this curve that you're choosing sec. P256k1 in the case of Bitcoin and we know that this assumption that Sec. P256K1 is not broken, is actually wrong. It is broken. The challenge is just to build a machine that exploits quantum mechanics enough to break it. But this is different from other types of cryptography. We can also do cryptography where we don't have assumptions like that. So just writing this down, this statement personally makes makes me a little bit uneasy as well. So a quantum computer would be able to break our curve and therefore would be able to break Schnorr signatures. Now the challenge of post quantum cryptography is to find cryptographic schemes that are secure even in the presence of quantum computers. And that requires also some sort of guesswork or some research as to what problems quantum computers are actually good at. We know that they are very good at breaking our elliptic curve. And there it's very unlikely that they are good at breaking hashes. Let's say they are better than classical computer, but they won't be able to break it in a way that they can break elliptic curves.

A (8:05)

And essentially what I can add here is that we even sure that the quantum computers cannot do certain tasks good enough to break the security of that. For example, if we have a database, a random database, and we ask quantum computer to search for a specific input in that database, we don't know where it is. We know that it is a hard problem for quantum computer and you cannot do better than certain complexity. And the hash function is essentially is this a random database? Because we take an input, we hash it, we get this arguably random looking output. And our assumption here is that we will not find an algorithm that can exploit the actual description of the hash function. But one can view this very similar to how classical analysis of hash functions works, because classically we also rely on that we cannot find an algorithm that can exploit the actual description of the hash function, the actual algorithm that does the hashing. And so far SHA256 was not under good attacks there it proved its security and there was no significant improvement in terms of exploiting the structure. So for any quantum advances there, there must be a structure in the hash function that like an exploit. And so far we couldn't find anything like this.

B (9:53)

Okay, and so let's dive back into the paper and run with the assumption that quantum computers could exploit that hash function at some point in the future. And talk about the trade offs in the paper, it seems like you guys settled on Sphinx plus as a standardized solution because it already exists. It's already standardized by the nist. Why do we need this research? What's the gap that you guys are trying to fill by applying this to Bitcoin specifically.

C (10:22)

Yeah, so NIST has looked at which post quantum signature schemes to standardize and they picked. So they picked multiple. One of them was Sphinx plus that they standardized. But. So Sphinx plus exists. We could use it. There exists in Bitcoin. I mean there exists high quality implementations with formal verification and proof, etc. So we could just use it. But the kind of research question that we had when we started the paper was the kind of goal of signatures, usually outside of Bitcoin or blockchains, is to sign software and, and to sign certificates for the web. And this is a very different application to what we're doing in Bitcoin with signatures. So what we were asking was can we adapt this standardized scheme or also other schemes that exist in the literature that have not been standardized and see how in what way we could change them to better fit to this Bitcoin application.

B (11:46)

And again, one of the trade offs that we're trying to solve for here is the size of the signature in the paper you mentioned going from about 7,800 bytes down to around 3,400 to 4,000 bytes with optimizations, I think for the listeners out there, getting them to understand like why does the size of these signatures matter? What's the trade off that you're making?

C (12:11)

Yeah, I think Mike can speak best to that.

A (12:13)

Yeah. So first of all, the size determines how many signatures can you fit in the block. And then the bigger the signatures, the fewer transactions you can fit. And that determines.

C (12:28)

So in a current block that is right, we have these maximum four megabyte blocks. And then if your signatures are suddenly huge, then you can of course fit fewer transactions in the block unless you increase the block size as well, which.

A (12:44)

Is another topic, has its own ups and downs. But yeah, if we consider that for now that the block stays the same, the size matters. On the bent, this is one thing. Another thing is that the Sphinx plus was designed to support a lot of signing operations. So the requirement for the NIST was for the people to be able to sign two to the 64 different messages.

C (13:20)

Just to add to that, that's a number with 19 digits. So it's a huge number. It's practically infinite.

A (13:27)

That was exactly the idea. It's like, okay, we set up this bar that will be never reached. You don't have to worry about it. It's 2 to the 64 is huge for all practical applications. You just don't need to think about it. There's no problem. And this requirement or hash based signatures actually determines a lot in terms of the size. And the first observation that we can make is that if we set this bar lower and we actually can have a limit on less number of signing operations, we can significantly decrease the signature size. Moreover, with the signature size, the verification time can also be decreased and the verification determines on how fast can we validate the block, how fast we then can propagate it, and so on, so on. So this one of the core observations here, if we speak of another improvement, is that Sphinx plus there was a process of standardization and the ideas were coming and certain improvements were made, but they had their own timeline and so they had to decide at a certain point what we accept and what we standardize. But the research didn't stop there and there were different modifications and different improvements also suggested. And we can use those as well in the bitcoin environment.

B (15:14)

Yeah, when NIST sets these standards, do they ever change? Can you have updates to the specific standards on Sphinx plus or if you're going to go use the other ideas that were never suggested but not included in the standard? Obviously if you include those, are you out of NIST standard? And is that frowned upon or just considered experimental?

A (15:40)

So if we deviate from the standard now, then yeah, we're using a different one. Theoretically, modifications can be done to the standard and there can be an update. There can be a different standard or just a new version of that. There are different also like modifications that we can do. One can just use different parameters and for example, this way it will be easy to reuse some other implementation. But some modifications that we discuss in the paper also affect some of the structure of the signature scheme that will have to adjust the implementation as well. So this, there are various options that we can use that give us a certain performance boosts or sizes boosts or other trade offs. And they come also in the cost of like varying further from the standard or sticking more with it.

B (16:48)

And so we already talked about one trade off which is the size of the signatures. I think the other one, one of the other ones that you discussed in the paper is if you, if you have like heavier signature sizes and bytes, in terms of bytes, you could sort of limit the amount of signatures that any public key can be associated with any public key. What's, what's the, I think this is.

C (17:16)

A strange technical thing that one needs to get his head around right if right now in our world of signatures, we don't care how many signatures we do, it's just a technicality of these Hash based signatures that when you design such a scheme there is a limit of signatures you can make per public key. And to be clear, it's not our. We were not the first to come up with reducing the number of supported signatures. This is a pretty obvious idea when you, when you look at at those schemes, how they are structured. But one of the insights that you might have when trying to apply this to Bitcoin is just that in Bitcoin, specifically in Bitcoin we don't need that many signatures, right? We create an address, usually we only want to use it once, we don't want address reuse and then we sign, produce a transaction, that's it. Then you might have to do RBF to bump fees, then you have to sign again. How often does that happen? Maybe it happens more often if there's more a more competitive block space market doesn't happen often right now and it certainly doesn't happen two to the 64 times. There are other things where you need to sign more often. For example in layer 2s so lightning so that payment channels, that's sort of a different discussion perhaps. But you still won't sign that many times. There's still going to be an upper bound that is below 264. And using those ideas we can get down the signature size. And yeah, as I said, this is quite a technical thing, very peculiar to these hash based signatures. Lower number of supported signatures means you can get a smaller signature. And what happens if you sign more often? I think that's important to explain. So if you have a signature scheme, hash based signature scheme that supports let's say 1000 signatures and you do more, then the security sort of degrades. So it will make it easier and easier for an attacker to actually forge a signature which in Bitcoin would mean that they could be able to steal your coins, make a malicious transaction to steal your coins. So you should really, if you have that limit of supported signatures, you should not exceed it. You must not exceed it.

B (19:55)

Sup freaks this rip a TFTC was brought to you by our good friends at BitKey. BitKey makes Bitcoin easy to use and hard to lose. It is a hardware wallet that natively embeds into a two or three multisig. You have one key on the hardware wallet, one key on your mobile device and block stores a key in the cloud for you. This is an incredible hardware device for your friends and family or maybe yourself who have Bitcoin on exchanges and have for a long time but haven't Taken a step to self custody because they're worried about the complications of setting up a private public key pair, securing that seed phrase, setting up a pin, setting up a passphrase. Again, BitKey makes it easy to use, hard to lose. It's the easiest zero to one step, your first step to self custody. If you have friends and family on the exchanges who haven't moved it off, tell them to pick up a bit key.

D (20:40)

Go to Bitkey World.

B (20:42)

Use the key TFT TFTC20 at checkout for 20 off your order.

D (20:46)

That's Bitkey World code TFTC20SUP, freaks. Have you noticed that governments have become more despotic? They want to surveil more, they want to take more of your data, they want to follow you around the Internet as much as possible so they can control your speech, control what you do. It's imperative in times like this to make sure that you're running a VPN as you're surfing the web, as we used to say back in the 90s. And it's more imperative that you use the right VPN, a VPN that cannot log because of the way that it's designed. And that's why we have partnered with Obscura, that is our official VPN here at tftc, built by bitcoiner Carl Dung for bitcoiners focused on privacy. You can pay in Bitcoin over the Lightning. So not only are you private while you're perusing the web with Obscura, but when you actually set up an account, you can acquire that account privately by paying in bitcoin over the Lightning network. Do not be complacent when it comes to protecting your privacy on the Internet. Go to obscura.net Set up an Obscura account. Use the code TFTC for 25% off. When I say account, you just get a token. It's a string of token. It's not connected to your identity at all. Token sign up, pay with Bitcoin, completely private. Turn on Obscura, surf the web privately. Obscura.net use the code TFTC for 25% off.

B (22:02)

Yeah, it's funny, again, I say this a lot, especially when I talk to developers and cryptographers like yourself. It's like so many people take for granted that the system just works and not understanding these deep cryptographic primitives that exist. But it is always infinitely fascinating diving into these details because I think it's important, even if you're not technical, to. So I have a rough understanding of what's happening under the hood. And obviously we talked about Sphinx plus some of the optimizations there. We also talk about Watts plus C4S plus C Poors plus FP as potential optimizations. I guess without getting too far into the weeds. What are the ideas with these optimizations?

A (22:51)

I think I can give some over in here. So the core idea is here is we can make the signer to work a little bit more on finding certain inputs. So except we don't only include the message, but some extra seed or an extra random number or a counter. And that allows us to search for better values that we can then sign. And this requires some extra work from the signer. But because we have this extra properties from what we are signing, this can reduce the signature size and this also helps the verifier. So by doing extra work on the, on the signer part, we reduce the size and we reduce the verification time. Sometimes this extra work also comes in the cost kind of. Yes, we search for this nice value to sign afterwards, but because this value is nice, this also eases the further work for the sign. So we had these different parameters choices in the beta and for most of them we make the signing time a little bit more than the original Sphinx plus because we want more effort from the signer, but really smaller signatures. But on the other hand, we can still balance this out while keeping the signature sizes small.

B (24:38)

And so this would affect wallet software, right? Because I'm thinking of played around with some DLC apps, Atomic Finance, and when you go and you're doing like a rollover transaction with DLCs that take a lot of signatures, it sometimes takes like a minute or two to actually sign and then broadcast the transaction. So this wouldn't necessarily affect the nodes. Right. And bandwidth propagation and things like that. It's just literally on the setup to sign and then broadcast, correct?

A (25:08)

Yes, I think so.

C (25:10)

Yes. I think this is a very interesting point that you're making right now that I hadn't really considered before. So I think this kind of trade off between increasing the signing time while reducing signature size and verification time makes a lot of sense in Bitcoin because at least on the Bitcoin blockchain we have a natural limit of the number of transactions that are supported per second. Right. We can at Most like whatever, 10 transactions per second and few more signatures than that, whatever. But it's not thousands of signatures per second that you need to make. On the other hand, we also have hardware wallets that are of course lower powered and that might take longer. And I Think what you're pointing out is an interesting thing. You might have situation where you are pre signing a lot of transactions and this is what is happening naturally in DLCs right now. And this would be affected by a change like this, by a change to hash based signatures. Because producing these signatures depending on which parameters you pick, which is I think the biggest part of our work trying to figure out what are reasonable parameters, it might take much longer to sign them than it takes currently.

B (26:37)

Yeah, and that's the trade off you have to weigh. Are you willing to wait more to broadcast the transaction?

C (26:42)

Right. What More generally, perhaps important to say that in this post quantum world we always have to deal with downsides. This is also something that I feel like people on Twitter sometimes misunderstand because they are asking why haven't you done anything right now already? Perhaps we would have changed to more conservative assumptions in terms of signatures if it was for free, but that's not the case. Whenever we want to add post quantum security to Bitcoin we get very significant downsides, be it new assumptions, signature sizes, verification time, signing time, statefulness. So there's no. We can't just. There's a big risk I think to just try to switch something which we later figure out wasn't the right choice because it picks the wrong trade offs. So what we are doing mainly in this paper is to explore the trade of space particular with respect to hash based signatures to inform the community as to what are reasonable parameters to pick.

B (28:00)

Yeah, that makes a lot of sense. You mentioned statefulness. You guys touched on it on the paper. Stateful versus stateless signature schemes. Why is being stateless so important to Bitcoin specifically?

A (28:15)

So yes, stateful versus statelessness is a good topic as well here. What does a stateless versus stateful mean? Is that again now we don't have to think about it. ECDSA is essentially stateless. And what this means is that when you sign you don't have to touch your secret key in terms of changes and updated, it stays the same and you can kind of in more or less implementations you can separate it, you can backup it as it is, there is no problem. Everything again stays the same. When we say stateful hash based scheme means every signing operation must update the secret key. And if there is a misuse of the secret key or the update didn't go through, or you lost some key and you run a backup that has an older state of the key, that will compromise the security of the scheme, but it comes from the other side with benefits of Having again, better performance and better sizes with a stateful scheme. If you're happy with this secret key manipulations, you can have better performance. But it's important to mention yes, this can be very quick. For example, if you have just two separate devices and you want to run them with the same key pair, if they don't communicate with each other, maybe you can separate the states, but that will limit the number of signatures that they can provide. But there is much involved there in that regard with managing your keypad.

C (30:04)

Yeah, so the state management thing I think is another very technical thing, but that is kind of important when trying to pay these schemes. I think statefulness is pretty fragile and it's one of those things that won't work for every signer. So another example is so you run Bitcoin core on your node, let's say you produce a backup, you back up your wallet that you make a few transactions perhaps and your machine crashes. Whatever your machine breaks, you need to restore the backup that you've created, including the wallet that. And if you do that and the state would be stored in the wallet, that of course no one would do. But if you did that, then essentially you would allow an attacker to produce forgeries, steal your Bitcoin. So that is why it's very fragile and it won't work for everyone. So for example, it won't, probably won't easily work for sure core.

B (31:08)

Okay. I guess another thing that this affects too though is like HD wallets, hierarchical deterministic wallets. You mentioned the backup system that we rely on. Again, they don't work the same way with hash based signatures either. So what do we do with hd?

C (31:27)

Yeah, I think this is one of the other sort of downsides of hash based signatures is that they don't have this nice mathematical structure that we currently enjoy on our elliptic curve, which means that we cannot use any of the tricks that we've developed over the past years in Bitcoin. And that includes HD wallets. It includes multi signatures, threshold signatures, silent payments, aggregate signatures, and taproot, I guess, taproot commitments. So that was one of the other research questions that we also had when we started this entire project is is there anything we can do with hash based signatures? In the past it was sort of, it was intuitive that it wouldn't work. But I thought maybe we could do something here or there and improve on at least the trivial things. I think the answer is mostly we can't really do anything fancy there. We describe some methods in the paper that would reduce the Size of multi signatures by a little bit. But it makes the signing protocol very complicated. And there are other techniques like that that you could use especially for multi and threshold signatures. Maybe there are some scenarios where you could use them. But right now it doesn't seem to make a lot of sense to base the entire standardization effort and picking specific schemes just to make it work a little bit better with these multi signature schemes because they don't really work that well.

A (33:25)

Yeah, they don't give much there.

C (33:28)

And for HD wallets there we have so HD right is is multiple things. One is private derivation and public derivation. So what you can have still with hash based signatures that works very straightforwardly. You have a seed that you can generate many addresses from it perfectly fine. Works well. What you can't have is this kind of XPub where some other person would or some other entity would derive new public keys from some given XPub that does not work. And this like this XPub system, the XPub setup is particularly important today in hardware Software Wallet setups. You have your hardware wallet export your XPub from the hardware wallet to the software Wallet. Software Wallet is then able to derive new addresses and scan the chain in that way. And that wouldn't be possible anymore with hash based signatures. What you need to do instead. So the only thing we know of is you have your XPub is not a short public key, but rather a list of a long list of public keys that you give to the software Wallet. And once this list is exceeded, the software Wallet needs to talk to the hardware wallet and ask for more public keys again. So it's not impossible, but it doesn't work as well with the infrastructure that we've created with descriptors in the past. And there is also this kind of worry that because it's a little bit harder to make this work that people would or wallet developers might decide to just reuse addresses, for example, instead of building this system.

B (35:32)

That would bork a lot of things there.

C (35:34)

Yep.

B (35:37)

If you're a listener, I think one of the examples that Jonas just walked through like say you have a cold card and you want to set up the private public key pair offline using the wallet and then you want to put it in a safe or something, but you want to be able to receive Bitcoin to it. So you download Sparrow, you export the XPub to Sparrow and then from there you can get these addresses. This would be made harder. You'd have to do it a different way with these hash based then similarly with multisig you share XPubs with your quorum partners to make the multisig expub. And that would be made impossible. Patch based signatures, Right?

C (36:17)

Right. This is another kind of scenario that sort of wouldn't work as well anymore.

B (36:25)

That seems like a pretty big change. Maybe something we should talk through.

C (36:32)

Well, it might be. I mean, there are other. We said it's not only hash based signatures. There are assumptions. We can basically, they might support these kind of scenarios better, but they have other downsides.

D (36:46)

So, freaks, have you noticed that governments have become more despotic? They want to surveil more, they want to take more of your data, they want to follow you around the Internet as much as possible so they can control your speeds, control what you do. It's imperative in times like this to make sure that you're running a VPN as you're surfing the web, as we used to say back in the 90s. And it's more imperative that you use the right VPN, a VPN that cannot log because of the way that it's designed. And that's why we have partnered with Obscura. That is our official VPN here at tftc, built by bitcoiner Carl Dung for bitcoiners focused on privacy. You can pay in bitcoin over the lightning. So not only are you private while you're perusing the web with obscura, but when you actually set up an account, you can acquire that account privately by paying in bitcoin over the lightning network. Do not be complacent when it comes to protecting your privacy on the Internet. Go to obscura.net Set up an Obscura account. Use the code TFTC for 25% off. When I say account, you just get a token. It's a string of token. It's not connected to your identity at all. Token sign up, pay with Bitcoin, Completely private. Turn on Obscura, surf the web privately. Obscura.net, use the code TFTC for 25% off.

B (37:59)

What's up, freaks?

D (38:00)

Been seeing a lot of YouTube comments.

B (38:02)

Marty, your skin looks so good. You're looking fit these days.

D (38:06)

How are you doing it?

B (38:07)

Well, number one, I'm going to the gym more. Trying to get my swell on.

D (38:11)

Trying to be a good example for my young sons.

B (38:14)

A fit, healthy dad.

D (38:16)

But part of that is having a.

B (38:18)

Good regimen, particularly staying hydrated, making sure.

D (38:20)

I have the right electrolytes and salts in my body. That is why I use salt of the earths. I drink probably three of these A day with one packet of salt of the earth. I'm liking the pink lemonade right now. It's my flavor of choice. This is their creatine. I've added this to my regimen. They have it in these packets as well. Makes it extremely convenient if you're traveling. You want to work out while you're.

B (38:42)

Traveling, but you don't want to be.

D (38:43)

Carrying a white bag of powder going through tsa. It's very, very nerve wracking at times. You have to explain hates. It's not what you think it is. It's creatine. I'm trying to get my swell on. Make sure you're staying hydrated. I have become addicted to these. It's made my life a lot better. I can supplement this for coffee in the morning and be energized right away. I can supplement. I can bring the creatine wherever I need to. Just put a couple packets in here.

B (39:12)

Before I head to the gym. Bring this to the gym. Drinking out of a glass bottle.

D (39:15)

Make sure I'm not injecting any microplastics into my body. Go to drinksote.com use the code TFTC and you'll get 15% off anything in the store. That's drinksotay.com, code TFTC.

B (39:28)

Well, that was going to be my next question. Obviously this research paper was focused on hash based signature schemes. Do you guys plan on doing more research on different signature schemes moving forward?

A (39:41)

Yes. So what I current plan is also to look at lettuce based schemes. As exactly Jonas mentioned is although the lattice base they introduce extra assumptions. This is called lattice based. They're based on lattices and the structure and with certain hat problems. But they can potentially offer these upsides in terms of hardware, wallets, public key derivation, multi signatures and stuff like this. So for now I think it's a little bit early to talk in details about that. But this is the fallout that we're currently working at.

C (40:28)

Yeah. And I also think it's important to note that this entire post quantum story for Bitcoin is a spectrum from what do we do in an emergency if it happens now, let's say might not even be a quantum computer. Could be just our curve is broken classically that's a scenario that some people bring up. And how can bitcoin really work in a post quantum future? And those are different questions I think because when we want Bitcoin to work in a post quantum future, we need to make sure that people can just can still make transactions and they are not just like a few transactions that can make it into the chain because the blocks are so small compared to the signature sizes. So those are different questions. And then there's a spectrum in between where we look at, okay, maybe this won't be the perfect solution, but at least it doesn't rely on these crazy assumptions. And I think this hash based signature schemes is more on the sort of emergency, something we could get consensus on relatively easily, whereas the lattice based stuff is a little bit further away on that spectrum.

B (41:48)

Yeah, there would be a lot of reshuffling if we had to do if and potentially when we have to do this transition. So being prepared for it.

C (41:57)

Also, it's also possible to add multiple signature schemes to Bitcoin. And even the hash based, even just looking at hash based signatures, this might be a viable path forward because there are just so many different types of signers. There are these, I don't know, pleb hardware wallets and there are pleb lightning nodes and there are also big exchanges and they have different requirements. And even just for hash based signature schemes this might mean that it makes sense to add hash based signature schemes with different parameters. This has downsides as well. Of course it increases the complexity of the Bitcoin protocol which we want to keep relatively small because this might result in chain splits or other vulnerabilities in bugs if we have, if there are actually is something that goes wrong. Another downside would be that it reduces privacy. One of the big advantages of introducing Taproot, right was that every transaction should look like every other transaction, even at least in the best case and to improve privacy. And if we introduce these many different signature schemes now this might be a problem because now you can look at the blockchain and just follow certain paths of transactions and maybe certain wallets, they have identifiable fingerprints and so on. So these are the downsides if you add multiple signature schemes, but it's certainly possible.

B (43:50)

So you get degradation and privacy via process of elimination of different people using different signature schemes.

C (43:59)

Yes.

B (44:00)

Yeah, that makes sense. Well, I guess this all comes back to how real is this threat? How imminent is it or far away is it? How much time do we have to prepare? Obviously Jonas, you mentioned there is a potential for classical means. You don't even need a quantum computer just to break the curve. But I think a lot of the discussion is on quantum specifically and obviously earlier this year you had Google's Willow chip made a lot of headlines. I think the sort of advancement there was 105 qubits computations that would take supercomputers 10 septillion years to perform. And is that advancement enough to make bitcoiners wary? And then another thing, which is I'm trying to wrap my head around reading people's reactions to the, the quantum discussion this week is like how, how much signal is in these advancements? Whether it's Willow or other quantum advancements that have been made recently, I've, I've read people explaining that some of these advancements have sort of hard coded variables or assumptions in them, which are sort of cheating in a way. And even if Willow got to 105 qubits and it was legitimate, I think there's a very good case to be made that it was. Bitcoin's cryptography would require around 13 million qubits working in parallel to break the curve. And so how viable is that? How realistic is that in a timeline of 5, 10, 15 years?

C (45:41)

So I'm not a quantum engineer and I think there is no consensus, at least among the experts, when this will happen. My angle on this is that I told you, we, we write these theorems, they rely on the elliptic curve. We know the elliptic curve is broken. This makes me uneasy. I want Bitcoin to be secure, and that includes my own little stash. I want it to be secure against very, very powerful adversaries. And I don't want it to only remain secure if some random guy on Twitter turns out to be right. So I think the bitcoin community should certainly look at this problem and this is why we are working on it right now. I wouldn't lose my sleep over it for sure as well. But on the other hand, 10 years in Bitcoin even is not such a long time if we need to prepare for an upgrade like that. You said it yourself, the HD wallet stuff, for example, that would completely be broken. So we would need to have an ecosystem update for that. Maybe that doesn't take 10 years, but people migrating their coins, the more time they have, the better. Yeah.

A (47:08)

It'S very hard to just say, okay, this will be 5 years, 10 years or whatever years, because the advancement goes from every possible direction, as you said, for example, counting the number of cubics. There is a very interesting point in terms of it's a little bit different from how the classical computers work in terms of we need several physical qubits to encode a one logical means. One logical is that we actually, actually performs like we expected it to perform because there is a lot of noise in the quantum computations and One need to eliminate that noise to actually do proper computations. One can increase the number of those qubits, one can improve the, this noise cancellation algorithms. Then it's also very important in terms of the quantum algorithms that actually solving the problem. And for example, there was a recent advancement that reduced I think by 20 times the number of qubits that require the algorithms there. So the advancement go from different directions. I would agree with Jonas in terms of I wouldn't lose sleep today, but we have to work towards the solutions to be ready. If we just delay, delay, delay, then we never come there. But now we have to work and progress and see what possible solutions we have and prepare for the downsides and changes that these solutions bring.

B (48:56)

How would you two describe your. What's the word I'm looking for? Are you, are you happy with the amount of focus on this? Obviously bip360 has been talked about for, for the last, I mean, before it was bip360 even people have been talking about this Hunter and his work. People have been looking at that and discussing it seems like over a year now at this point. Obviously you two have done a ton of research. We had the quantum meeting at Presidio Bitcoin in July. Is there enough discussion in your opinion on this topic right now? Are enough people focused on it and taking it seriously?

C (49:42)

And of course it would always be better if there was more quality discussions, but I think the type of discussions that we have right now is pretty good and has also increased quite a bit, especially over, over the last year. So on Twitter there was not only noise, I think there was also a bunch of signal. And it was good that even the wider bitcoin community also talked about this and talked this through. And on the bitcoin mailing list there's always a bunch of discussions. Of course there's always this kind of bitcoin thing that might happen where just there is some discussion and then there's. There's no follow up. Nothing ever happens. Right. This is pretty standard thing that happens in bitcoin. But I'm also not too worried about that to be honest, because I think if it really, if it was really, if, if the quantum computer was imminent, then I think the bitcoin community would find consensus on some sort of upgrade. What is of course going to be really, really painful, and there's no way to sugarcoat it, is what happens with the coins that don't migrate. And I think this will be extremely painful. But that's not something that cryptography can Solve, unfortunately.

B (51:10)

What's your take there? I'm a don't do anything with them. Let the treasure hunts begin. I think that's my stance because you always have to think of the man in the coma, right? Which is if you were to change or make their coins unspendable and the guy wakes up and he's like, hey, I have five bitcoin here that I can't move anymore because you did something and quantum computers haven't stolen it yet. You're sort of screwing that guy over.

C (51:43)

I think there are reasonable arguments for both positions. That's what makes it painful. And I don't know, I guess my opinion right now is that if I look at it extremely selfishly, what code would I run on my node? And I think it would be the one that freezes the coins. Because at least I think in the mid to long term it would probably result in a better outcome for the bitcoin network. But you could find counter arguments to that, I'm sure.

B (52:17)

Yeah, I thought I followed the discussion on the mailing list. I've been following it, I thought earlier this year. I think there's still a lot of assumptions baked into this. But I thought Ethan Hailman's post on this was interesting. How you could essentially throttle the transition and only make a certain amount of transactions from quantum exposed signatures possible per block.

C (52:47)

Is this, this hourglass idea?

B (52:50)

I think so, I'm pretty sure. Let me see, it goes all the way up. I think it is. He also said it was a way to solve the, the JPEG spam as well. But this idea that that's the other thing. Maybe we should just dive into the trade offs that exist with what you do with the coins that, that haven't, haven't transitioned. What are the solutions that are being thrown out there right now or the trade offs that exist?

C (53:25)

I mean I personally haven't looked too much into this. I know that there is a discussion on the mailing list and there probably should be more discussion, I don't know. But as I said, there's no easy answer to this. I wouldn't be able to reproduce all the pros and cons there.

B (53:47)

All right, well then taking it in a different direction, obviously you guys are doing research. There's a lot of discussion about this. In terms of a first step beyond research and having the discussions, what would a transition to a post quantum signature scheme look like? How do you prep the market? How do you begin moving? How do you set up the node software to make this stuff viable.

C (54:18)

As for the next steps that we envision after this paper. So one thing that is a contribution of this paper is that we have this script, a python script where you can explore the parameter space or you can say okay, I want to support that many signatures and the tree to look like this. And then it's spits out the signature size, verification time, etc. And we also have tables in the paper that do show some of these values already for the parameters that we pick. So explore the parameter space. And then next, the next step there is implementations benchmarking. Yes, implementations and actual benchmarks. We just estimate through some crude proxy what the performance would be, but we haven't really measured actual performance. And at least from my experience, implementations usually they inform specifications quite a bit because you find things that you wouldn't notice just going from the, from the.

A (55:32)

Research direction and it's nice that actually there are people actively participating in that regard. And also on the mailing list there were several posts of people trying to implement hash based schemes, either Sphinx plus or Sphinx plus with lower number of signatures. Now they're also looking at possible modifications that we also discussed in this paper and I think this will significantly help with the decision that we will have to make.

C (56:08)

So yeah, I think that's very good to point out because they have really specifically I want to give a shout out to Conduition. He wrote this awesome blog post where he optimized hash based signatures like crazy. It's certainly worth a read. But for the bigger discussion, how do we actually migrate now that this research exists or even before that just with the standardized NIST schemes. So one thing that could happen, that is I think a relatively reasonable upgrade path that unfortunately does not have a catchy name, I think so Matt Corello, he was the first one to popularize it on the mailing list. But others I think have discussed it before, which is let's say we just introduce a hash based signature opcode like check sig, verify that we have or for our curve elliptic curve based signatures we just introduce one for hash based signatures. Doesn't matter how it looks like something like that. And what people could do today already wallets could do, generate a post quantum public key, a hash based public key and then add this public key along with this new opcode in a Taproot Merkle tree that already exists. So this would be a soft fork. So we add this opcode and there's no cost for a wallet except implementation complexity to add this additional spending path. If they already use Taproot to The taproot tree. And so they do that. And of course taproot itself is not secure, so the full taproot not secure against a break of the elliptic curve. Because we have these key spins as well, which just require an elliptic curve shore signature for the public key that is directly in the output. So that's a keypad, but there's also the taproot tree. Now what our colleague Tim Roofing at Blockstream proved is that the taproot script spans. So the merkle trees inside the taproot they are still secure even if a quantum computer arrives, a cryptographically relevant quantum computer. So what you can do is at a certain point you disable the key spins from taproot and then you still hopefully many wallets have done that. They have these additional post quantum public keys in the tree so they will be able to spend those coins with a hash based signature. And the advantage of this is you can use taproot as you do right now. You have these very official key spins, you have the taproot path, you have Music, Frost, whatever. Only once the bitcoin community does this upgrade to disable keyspans, hypothetically then you need to use these new script paths in the merkle tree, in the tabor tree. This will be one variant.

A (59:54)

Actually a very important benefit of bitcoin system in that regard is that for example, other systems that we're looking like, I don't know, TLS or whatever, a lot of time we want encryption. And people that are also scared of quantum computers today they're also worried about this attack called store now, decrypt later. So they also urge in the migrating in terms of encryption. So for example now the post quantum is called encapsulation mechanism that help you to actually encrypt your messages and encrypt your communications are already getting deployed while the signatures can wait a little bit later. Because for most use cases you are scared of your signatures broken. Now you don't care if they, I don't know, they see your public key that you don't use anymore 10 years later. And so this scripting parts that you have described exactly, we can migrate closer when we see the actual thread while the solution is already there. You just want to use the solution when we are actually needed.

B (61:15)

And this may be a dumb question, but Jonas, you mentioned like Music and Frost, is there a way to just leverage those on top of.

D (61:26)

Your private.

B (61:26)

Public key pair to harden that private key even more from a quantum attack? Does that make sense? You mean obscure the spending Conditions that.

C (61:37)

Can make it harder without introducing hash based signatures or any post quantum assumption. Just no. The problem is that whenever the adversary sees a public key, they can run their quantum computer and compute the private key that's corresponding to it. So music or Frost or any obfuscation attempts like this will fail.

B (62:07)

Okay, that's good to know. Fascinating stuff.

A (62:11)

So.

B (62:14)

What are the dangers if we move too fast on this? I mean you mentioned them earlier with like if we. Because that's what I worry about is the most disheartening thing about the conversation last week. I think it's good that the conversation's happening but the idea that the community of developers working on Bitcoin haven't been thinking about this. Obviously you two spend a lot of time on your research. Blockstream does a ton of research and there's plenty of others outside of your organization working on this stuff. What I worry about most as I agree I think we should want Bitcoin to be as secure as possible and if the threat of quantum computing or even classical elliptic curve breaking computers are to manifest, we should prepare for this. But what could be just as dangerous as moving too fast? Right? So trying to have a level headed discussion about what to do and obviously you can't use the fear of moving too fast forever because then you're complacent. But there's this sort of trade off between urgency and complacency. How do you view it?

C (63:23)

I think it's. I mean first of all, yeah, there's a lot of value in the Bitcoin protocol being as simple as possible. Because yeah we, we want Bitcoin to be secure and that requires a relatively simple protocol. Whenever we add something to Bitcoin there is a risk. I think adding a hash based signature scheme to Bitcoin think that risk is manageable but still it will require resources to maintain it to make sure that it's that the versions are all compatible with each other and there are no consensus relevant issues which is a problem that is specific to Bitcoin. It doesn't exist in non consensus systems. So there's a risk in that. And then if you add something and no one uses it, I think that's just a lot of wasted effort. But I also don't think right now looking at the discussion on the mailing list and people had in person, even on Twitter, I don't really think that it is realistic that we will have a post quantum upgrade very soon in Bitcoin is at least my impression.

A (64:45)

And as you said we want to Explore in full what are our options. And as we said before, the next topic would be to look at lettuce based how they affect what are the assumptions, what are the benefits. And doing a proper comparison of what. What are the options gives us, I guess, the best, the best outcome here. So crushing it also like this was the figure in the ice is also not the best way to go. No.

B (65:24)

Again, who knows? That's the thing about this quantum risk is it's hard to know. It's like a big unknown. It's like climate change almost, where it's like it's just around the corner. But it's been said for some time and obviously there are some advancements. But again, as a layman, it's not easy to understand where the signal in these advancements are. Talked to some quantum physicists, they say to your point, like this doesn't scale literally. You need more physical qubits to create logical qubits. And if you need thousands of logical qubits to attack Bitcoin, it's an exponential amount of physical qubits. This is the way I understand it. I'm speaking out of my ass, but.

C (66:05)

Yeah, I mean, if I may, if I'm allowed to tell a personal anecdote, I actually, I studied cognitive science for my bachelor, which is right at the intersection of. Of AI and human intelligence. And for my master's I studied computer science with a focus on artificial intelligence. If I had told anyone that I believe we would have chatgpt free by 2022, they would have ridiculed me forever. At that time, people, they, not only that, they thought maybe, I think one of the. Or a lot of people thought that something like ChatGPT3 would never be possible. It's just so much intelligence coming from a machine. And look at where we are now. I actually sort of thought when I studied this, I thought this AI stuff is going nowhere. It's not going to be a breakthrough. I'm focusing all my time on Bitcoin back when I was a student. Right. So I am just very skeptical of people. First of all, I want to say, of course this analogy fails in many ways. Quantum computing, very different to AI, of course. But I am skeptical of people saying or confidently claiming there's no clear path towards a cryptographically relevant quantum computer. Maybe there's not one right now, but I think there could be one anytime.

A (67:41)

Yeah. And you have to prepare. If you don't prepare and then suddenly you find out you were wrong.

C (67:50)

Yep.

B (67:50)

Yeah, no, that's. It goes back to like measuring and balancing complacency versus urgency. Because again, to my point, like, I think this is a discussion that's been taken seriously for many years now. In this like rush to fix it right now it's like, whoa, hey, there's good conversations going on, there's good research being done. Let's make sure we get this right because it's critically important. And on that note, I want to thank you gentlemen not only for joining me, but for doing the research on the subject and coming to explain it to everybody. It's been incredibly illuminating for me. And again, like I said earlier, a lot of people take for granted the technical details of the Bitcoin protocol. It just works for them at the end of the day due to the work research that individuals like yourself and other developers have done. And it's pretty insane. Sci fi tech, once you look under the hood and trying to upgrade that tech, is not an easy feat, especially when you have a distributed protocol and you need coordination between all those individual actors within the system.

C (69:09)

Yes. But one thing I want to add there is that what we're doing is also not rocket science in the sense that it's impossible to understand or anything like that. Because there's also this impression that I see sometimes on Bitcoin that there is this closed group of perhaps bitcoin core people, high priests or whatever. If this is the case, then that is very bad. And I think everyone in the bitcoin community agrees that will be very bad. Well, we want to have a system based on merit and there's no secret knowledge that needs to be obtained to be part of any sort of group. At least this is the system we want to have and we want to have the best people working on Bitcoin.

A (69:59)

And this was also our intention writing this paper. We tried to give a good introduction into this hash based solution and slowly building up from very basic from lamper signatures which probably will not use but just to build the intuition. So go take a look at the paper. We're trying to introduce the stuff slowly there and moving on and on and showing what are the solutions, what are the trade offs, what can be done and yeah, let's have a discussion and.

B (70:37)

If I could read your research, have a conversation with you and know enough to understand what's happening in the background, like verification, signature verification, its effect on the protocol, anybody can do it. That's to say the least. But gentlemen, any parting notes, anything that you want to leave the audience with right before we wrap up here?

A (71:05)

I think I would Encourage further discussions, more technical discussions, reading to what we done, doing your own stuff, suggest and let's have it with a good pace, not rushing, but also not putting it away and saying like, this will never happen.

C (71:31)

Yeah, I agree. I mean there's still a lot of feedback that would be interesting for us in particular from wallet developers that, that is sort of an open question how if maybe there are wallet developers, for example, that can deal with a state issue. And we have a, we have a scheme that we describe which is very efficient if you can hold state securely. So that will be interesting feedback. Then there is this, this benchmarking question, especially with respect to signing on low power devices. And yeah, I think those were the main open questions. And the big question is, what is the most interesting parameter set to choose from, the set that we provide? And then there's also the question, I think some people would also argue that just using the standard versus our optimized thing would be preferable because then it would be supported by the secure element on your iPhone or whatever. So that is I think also one of the big open questions with respect to hash based signatures.

B (72:59)

Specifically, could you propose a new standard and get it.

A (73:07)

I mean, we could propose, but would.

B (73:10)

It be accepted as the bigger question?

C (73:14)

We make our own standards, right? We have the BIPS process and maybe we can get Apple to adopt our standards. That would of course be the most preferable path.

A (73:26)

Yeah.

B (73:27)

Well, gentlemen, thank you. This was again incredibly illuminating. Thank you for your work and hopefully we can do this again. Maybe when you finish your research on lattice based signatures, we can catch up then. Or maybe not. Maybe we won't have to wait that long. But thank you and I hope you guys enjoy the end of the year here. Thank you for joining me so close to Christmas and the holidays. So this was awesome.

C (73:56)

Yeah, thank you very much. It was fun.

B (73:58)

All right, Peace of love, freaks.