
Brandon
You've had a dynamic where money's become freer than free.
Host 1
If you talk about a Fed just gone nuts, all.
Brandon
All the central banks going nuts. So it's all acting like safe haven. I believe that in a world where central bankers are tripping over themselves to devalue their currency, Bitcoin wins. In the world of fiat currencies, Bitcoin is the victor. I mean, that's part of the bull case for Bitcoin. If you're not paying attention, you probably should be. Probably should be. Probably should be.
Host 1
Brandon, welcome to the show, sir.
Brandon
Thanks. Good to see you, man.
Host 1
Good to see you. Very happy to get you on to talk about quantum. The risk, the perceived risk, the perceived reality. What is the reality? Maybe that's.
Host 2
That's where we'll start.
Host 1
And I'll reiterate what I was saying right before I hit record, which is it's hard as somebody who's not a quantum physicist, who's not a cryptographer, to really get a grasp of what the true reality with advances at quantum computing are and specifically how they relate to Bitcoin's security in the short, medium, and long term. And I've watched you on the front lines of sort of debating the merits of the advancements in quantum physics over the last year. I actually listened to your podcast that you did with Gurdy last year. I thought that was really good. And that helped me get a better understanding of your perspective. But I think, starting with this question of how can you be confident on one side or the other? How can you be confident that it's not as big of a risk quantum computing is to Bitcoin today? And then conversely, why do you think people are saying we need to rush to become quantum resistant or as confident as they are right now?
Brandon
Yeah, I think the thing that gives me confidence and I said on Guardian, I think I still stand by it. I have an emotional confidence that we're 50 to 100 to forever years from a quantum computer breaking a meaningful cryptographic system. But that's not scientific. That's a gut feeling. Looking more kind of in a scientific lens at it, we live in a world constrained by the reality of physically building things, and it's hard to physically build things. That doesn't make any particular physical building challenge impossible. But I think the quantum field is full of these, call it, "if this is possible, then all we have to do is build it" kind of perspectives, and they totally just deny the realities of the difficulty in building physical things that manipulate tiny subatomic particles, or in the case of neutral atoms, individual atoms being manipulated by laser tweezers I think they're called, or optical tweezers. These are incredibly difficult things to build and especially difficult to scale. Right. Let's say you can build the first optical tweezer and manipulate one atom. Okay. Now you want to build a grid of thousands of atoms and manipulate all of them with different tweezers at the same time. Think about how that difficulty scales. And so maybe it's possible, which is the thing I have to acknowledge when I'm being reasonable as opposed to emotional about this. But the difficulties are dramatically underplayed. And that's what the evidence shows. I think that's what people kind of don't acknowledge as the reality when they look at quantum, they're like, oh, all we have to do now is scale it up. But we've been working on quantum as a, call it a species for 40 years or something as long as I've been alive. And every time they go to scale it up, they hit new difficulties that they weren't expecting. That's the evidence we have is it's been over and over and over and over for decades that scaling up is hard. That doesn't mean it's impossible, but the hardness is.
What gives me that confidence is that based on the evidence we have seen for decades, repeatedly and consistently, they may find a way to scale it up, but it's going to be clawed out by individual small improvements over years and years and years. And at some point they might hit on a technology that will work. And when they do, we'll see that technology go from five logical qubits in coherence for a while to 10 in coherence for a similar length of time to 20 to 40, et cetera. We'll see doublings like we saw with transistors of the same technology progressing through a scaling roadmap. And then we'll be able to say, oh, now it's doubled three times. It took 2.5 years each time to double the number of logical qubits in this technology. Okay, so at that rate, we'll get to a cryptographically relevant computer in Y years. But until we see a roadmap like that, that's the successful scaling in one technology. The evidence is it's going to be just hard fought, tiny wins, new technologies. There's just no evidence that it's going to come anytime in the next decade or really any time in the next 20 years. So that's where my confidence comes from. On the flip side, can you ask the other side of the question, too? I think the other side gets their confidence from the, let's say, the impressiveness of the wins they do get. These are incredibly difficult, mathematically challenging algorithms and designs, and the folks working on them are some of the most brilliant people in the world. And they go through the fundamental physics of our world. They go down to the very smallest subatomic particles, they figure out how things work, and then they say, oh, my God, I figured out that we can do this in this easier way or in this faster way, or this new method of manipulating subatomic particles. And those discoveries are absolutely amazing. And they're the cutting edge of humans understanding our own world. There's nothing more impressive than that.
And so it's a reality that these are the most brilliant people doing incredible work to understand our world. And people get really excited about that. And so that's where they get their confidence, is that the most brilliant people are working on that problem. But that doesn't change. Like, there's still this separation between. It's probably literally possible, which is their perspective. I don't think it is, but in their world, it's probably possible. And these fundamental understandings of the universe give them confidence that it's going to be solved in the real world, in physical devices.
Host 1
And that's the. So the way I understand it, and let me know if I'm wrong, because I did see you retweet my understanding of it the other day, which is like, hey, I think it's very obvious that in the theoretical realm of, like, what is possible, they are making advancements. And the biggest sort of chasm that exists in reality, which I think you just described, but trying to distill it down for an ELI5 for people listening, is that, yes, we're making these theoretical advancements of what we can do. However, there is a chasm between what we can do and the physical reality of building machines that can actually sustain an uptime and persistence to make that theoretical advancement an applicable reality.
Brandon
Yeah, exactly. And I think that in quantum, there's this extra. Well, there's extra detail to it, which is it's often possible to build. Call it the toy example of something where we've seen superconducting qubits, we've seen neutral atom qubits, we've seen. Shoot, I'm forgetting the other technology that's kind of commonly pushed right now, but there's a bunch of different technologies where they've built a few useful qubits and done something interesting with it. But again, the specific thing that happens is that taking that and going to the next step and building twice as many qubits or four times as many qubits and they keep running into problems there. I think that's also where they get their confidence is, oh, we built that thing. The physics described it, we built it. But then they tried to build a slightly bigger one and they hit a brick wall. And we even saw the way these things are published. The Majorana paper from Microsoft kind of glossed over that. And when you dig deeper, the physical device that they were publishing about had a single, I think a single physical qubit or something of that tiny, tiny nature. It's like, oh, they built the first qubit of this type. Usually that's the tech I wanted to mention using a Majorana particle. Okay, super cool. You got one bit of that. Now, what happens when trying to scale up and why has it now been almost a year since that result with no one building a 2 Majorana qubit device? What's the deal?
Host 1
Well, I think this is an important detail to dive into too, is the difference between a logical qubit and a physical qubit and the relationship between the two. Because from what I understand, logical comes down to the math and what you can do. And then physical is like, all right, how do you organize all that and make it a computer, an operating software, whatever it may be.
Brandon
Yeah, you're right. And it's a complicated thing where depending what your physical underlying technology is, that affects the relationship between the physical and the logical qubits. So there's different avenues of research happening in quantum. There's the mathematical research, which is, assuming we have logical qubits mathematically, how do we apply that to solving real world problems? That's what Google published about this week. They published a paper that says, here's some new mathematics we could apply to running Shor's algorithm on logical qubits. That makes it take fewer logical qubits to execute Shor's algorithm. And in this case, also fewer steps of computation. That's the math side. But that all runs on logical qubits. And then the question is, how do you organize some physical device into logical qubits on which you can run math? And that's where the physical qubits come in. So the other paper that came out this week on neutral atoms was a new way of error correcting physical qubits to make useful mathematical logical qubits. Within the context of this neutral atoms architecture that uses the optical tweezers to move atoms around, because they can physically move the qubits around. They can grab a physical atom that's a qubit and has been entangled in some way with some other qubit and they can move it to another part of the chip or the device. That's the cool thing about it. Because of that, they can do what's called non local error correction. And the theory described in this paper is that because they can do non local error correction, because the physical qubits can be moved by optical tweezers, they can do what they call high rate error correction, where rather than having to have a dedicated cluster of error correction qubits, call it for each logical qubit, you've got a bunch of physical qubits error correcting each other to get one logical qubit.
Instead, in this neutral atom architecture, with the optical tweezers, they can in theory have one cluster of error correcting qubits that correct a whole bunch of kind of active computing qubits. And that's why they got that remarkable result in the paper of basically, if this high rate non local error correction works, we can go down from 500,000 to 10,000 physical qubits needed to implement Shor's algorithm. And that's basically my summary of a lot of these quantum papers is if this thing that hasn't ever been done works, then we can do this easy thing. That's where the relationship is. And why you see these radically different relationships between number of physical qubits and logical is because it depends dramatically on what types of error correction you can do on this physical architecture and whether those work.
Host 1
And you need to do the error correction. Because these physical qubits are beholden to entropy, right?
Brandon
Yeah, they're notoriously flaky.
Host 1
Yeah. And so that on the physical qubit side, we're still trying to figure out a way how to make it so they don't deteriorate in real time.
Brandon
And then also in this neutral atom architecture, again because they can physically move qubits, they have in the paper, they accept that physical qubits will deteriorate, and they design a theoretical neutral atom quantum computer that has a reservoir of pre coherent backup qubits that they can grab with the optical tweezers and stuff into the circuit to replace one that deteriorates. So exactly as you said, these physical qubits, they tend to break down. And so the big question is how do we stabilize them and make it so that we can kind of continue doing computation on them and different researchers in different parts of the quantum field have different methods of kind of holding that shit together for longer.
Host 1
And how much energy does all that take?
Brandon
Yeah, I mean that's the other big question that I think Bob McElrath and I were talking about on X this morning, right before this. Even if you linearly scale up the energy needed, it's still huge. He was saying it's something like 100 megawatts. Based on his calculations, you need to cram into whatever device if you linearly scale up the energy needed per qubit based on current technologies. But my point that I think is a valid point. If you think about the complexity of moving around more and more qubits in the neutral atom architecture or in cooling more and more qubits, it's not going to be a linear scaling. And we've seen this even with classical computers that the more dense you make devices, the more leakage you have and therefore the more energy it takes per bit to keep it cool for supercomputer architecture. And so even let's say it's linear, it's still a ton of energy to cram into a device. And if it's non linear, it may become completely intractable to power a device that can do meaningful quantum computing.
Host 1
Again, going back to the confidence of the other, of the other side, like what do you, what do you think's, what do you think's driving? Because that's, I mean, I guess the whole conversation as it pertains to bitcoin is this perceived urgency that is being thrust on the developer community specifically to, to upgrade to a quantum resistant cryptographic primitive that would, that would secure private keys so that they're, they wouldn't succumb to an attack via quantum computer. And that, that's been like the confounding, not confounding, but that's been sort of the thing that's really perturbed me. It's like you have this very confident and somewhat manic. I think manic is a good way to describe it. Group of people are saying we need to fix this, devs, do something right now. And it's frustrating for two reasons. Number one, quantum has been thought about within Bitcoin since Satoshi was around. I mean, he mentioned it. If you've been really mail, if you've been reading the mailing list and looking at some of the research being done, like there are people trying to figure out like, okay, if quantum computers do come, what's the best way to transition to a quantum resistant address structure? And there are a ton of not only coordination issues, but standardization issues that exist. There's a ton of, for lack of a better term, tech debt that exists. Like if you are going to transition to a quantum resistant address structure that is going to disrupt a lot of the, a lot of the infrastructure that's been built today. So you talk about the Lightning Network, PSBTs, multisig, all this stuff. Like, you need to think through, like, how do we transition to this address structure without disrupting all that if possible? And if that is going to be disrupted, like what do we do?
And my biggest worry is that you rush a change and it just not only disrupts all of that standardization, that infrastructure that's been built to date, but you haphazardly rush to a change that has been well thought through, well tested, and leads to a bigger fallout in terms of disruption to the network than having done nothing. Because quantum potentially doesn't manifest on the timescale that these people are saying it will.
Brandon
Yeah, I mean, I think it's a legitimate risk and frankly, it's one of the reasons I try to stay on top of all of this because we should be realistic here. The most likely outcome is that at some point secp256k1 or elliptic curve cryptography in general will fail. Like that's the most likely outcome. I don't think personally that it's quantum that's going to break it. But you know, crypto systems have failed over the years. We've seen it and it seems likely that at some point it will. So what do we, what do we do about that? And so I try to stay up on what the other kind of new cryptographic research is so that when there's something suitable for Bitcoin that can support all the infrastructure, we have wallets and Lightning and everything that you mentioned, we should actually add it to Bitcoin and we should maybe even do that before there's a real threat, so that people have options. And that's fine, that's good. There was a whole discussion on the mailing list about the benefits and downsides of having options. And I think Pieter Wuille is a bit concerned about people having options because there could be fighting over what the correct option to use is. I'm less concerned about that because we already have that essentially where some custodians use MPC, that's kind of cross crypto, I think Coinbase does and others. But some custodians use on chain multisig. Right, that's fine. It's okay for different people to choose different trade offs and how they secure their coins. So yeah, if we have suitable cryptography we should totally put it in bitcoin. And there's a decent argument to say that we're getting very close to having something suitable to add at least as a backup in the work that Jonas Nick and Blockstream Research and others are doing. So I'm not out here saying we shouldn't do anything about the potential break of secp256k1. And I think that's where kind of to your point, these confident, almost manic people in the quantum side are like, devs do something.
Well, the devs are doing something. Even people like me that don't believe in quantum at all are out there doing research and evaluating research on what we could use as another cryptosystem for bitcoin. And so, so chill out, I guess.
Host 1
Well it's not only that. It's like they're treating bitcoin core, like any bitcoin developer as a monolith, like go do something. And it's like, well there's only so many people are qualified to understand quantum physics and the cryptography secp256k1, that's like a very niche part of the bitcoin development process. Obviously you have the P2P layer, you have the wallet layer, you have the GUI, you have many different facets of the protocol that make up bitcoin and like finger wagging at the whole dev community, like do something. It's like, well not everybody within the developer community is going to be able to do anything about this because they're not, like, their core competency isn't the cryptography. And taking it further, like making the cryptography quantum resistant, like there's very few people that are equipped to work on this particular problem. And to your point, and what I've been saying for the last six months since this, this has become a huge meme is like the people who are equipped and able to do this work seem to be working on it. Maybe it's not the pace that you want, but you can't pull out a whip and make them work faster, nor would you want to.
Brandon
Like yeah, there's a great post Stu Txo out there. Since this post, it was December, there have been five new post quantum cryptographic algorithms published and zero new numbers factored by an actual quantum computer. And I just thought that was so great. So really we're upset about the rate of progress when month to month to month we're seeing new algorithms that are kind of progressing the state of the art for post quantum cryptography in Bitcoin. And no new physical quantum devices being built that run real algorithms that could maybe even someday break Bitcoin? No, I think the progress is at a good pace. We might even be over investing if you ask my honest opinion.
Host 1
Yeah, well, I think I saw something yesterday where somebody is saying like you could do the factoring of these numbers by hand faster than the quantum computers could right now.
Brandon
Yeah, I checked with my 6 year old and he's 7 now anyway, and he can factor more numbers than a quantum computer for sure.
Host 1
I actually just set my six year old up with Synthesis Math tutoring, that app, and he's been playing with it. So I actually did see him factor some numbers this morning that were faster than a quantum computer. But again, so the Google paper specifically, I think it's another thing to touch on is the fact that they didn't actually release the results. They released the zero knowledge proof that they had done something and said basically framed as like we didn't want to release the results of this because we don't want black hat quantum developers to get access to this and to, to go build a computer that disrupts the world. And then the advocates for this paper were saying, well now this, this is the warning. Like they're, they're not going to tell us the, the advancements that they're making because they're worried about releasing them to the public because it'll be used against us by nefarious actors. Is this a marketing scheme, a way to develop a budget? Or do you think there's some legitimacy here that the smartest people in the world working on this problem are truly worried that we're hitting an inflection point, a tipping point that could accelerate the progress being made within quantum computing?
Brandon
So it's a really interesting problem to think about. I had that moment of pause as well when I read the Google paper. The thing about the Google paper though is that there is no fundamental physical change that they're publishing, like I said, they published a mathematical change which reduces the number of. Sorry, reduces the complexity of the physical device you need to build in order to run this algorithm. But no one actually made a more complex physical device. So Alex Pruden, who I'll be debating at Bitcoin in a couple of weeks, I think actually looked pretty cogently about this. Of the pro quantum guys, he's one of the more pleasant to talk to. So I'm glad I'll be talking to him at Bitcoin. And he was pointing out that let's say right now we're at 5ish logical qubits have been demonstrated in a very short microsecond duration coherence. Okay, well what if through the mathematical improvements we get to the point where it only takes just 256 logical qubits, in coherence for only 5 milliseconds in order to run Shor's algorithm on a Bitcoin and private key or public key to get that private key. If they on the mathematical side compress the time and the number of qubits so much, then we could see a situation where it's very much in reach of the physical progress. So if physical progress is zero, but the mathematical progress is extreme, we could see it break kind of in that direction where the mathematical progress brings it down to the point where the physical guys have a very short step to take. And that's a great point. Now that said, the Google paper puts us about six orders of magnitude away from the needed coherence time and about three orders of magnitude away in the number of qubits that need to be in a physical device. So I don't know how you want to look at those two different dimensions of orders of magnitude, but we're somewhere between six and nine orders of magnitude of improvement on the physical side away from implementing Google's paper.
So we need to be really realistic that yes, eventually the mathematical progress could bring it into reach of the physical, but we're still very far away from that.
Host 1
I guess that begs the question, what are the advancements from an order of magnitude perspective on the physical side been like in recent years? Is that a big leap? Obviously it is. But have the advancements over the last 10 years, was it 100 orders of magnitude away five years ago? Was it 1,000? And are we now getting to the point where six to nine may seem big, but it's not that big?
Brandon
We haven't. I mean even the best kind of longest held stable devices have up to a couple thousand physical qubits, which is maybe one or two orders of magnitude improvement in the last 10 years. But I hesitate to even say that because I think it paints it a little bit too rosily for the physical quantum guys because the biggest improvements have come by implementing whole new architectures. And so there's no evidence right now that any single architecture can increase the number of physical qubits. And that's where I think the pro quantum manic folks get way over their skis. They're like, all we have to do is scale up. But you can't just scale up when every scale up that you're doing so far for the last many decades has been because you developed a whole new architecture. Right. You're just discovering whole new sets of problem spaces because you're developing whole new architectures still. And so I made it very clear when would I start to think we need to take action in Bitcoin? And that's when we see a single quantum architecture increase the number of qubits you can hold in coherence for a longer time over several cycles, at least two. We need to start seeing a trend in one architecture scaling up. And then maybe it becomes just a scaling problem where we just have to do the decades long industrialization to go order of magnitude, order of magnitude, order of magnitude. Now we need to start taking action. But until you see that they're like, oh, okay, maybe this one is going to be the one. But until there's evidence that it actually scales, why would you take any action? We don't have the evidence to say, to justify action.
Host 1
Yeah, and that's where it gets very confusing. I think that's been the most disconcerting thing observing this over the last year is the narrative around the quantum threat to Bitcoin has hit the market is again, I'm not a quantum physicist, I'm not a cryptographer. I know enough to understand like I can explain like a logical qubit does, like the theoretical algorithm, the physical qubit sort of creates the space where that stuff is, is, is computed for lack of a better term. And I understand that there is a coordination on the physical side and energy needed. And it seems clear to me that it's not where it needs to be and not anywhere close to where it needs to be to effectively run this stuff persistently to wage the necessary attacks. But then again, going back to the confidence game, and I hate to say like the sky is falling perspective that is very reminiscent of like climate change and things that I'm just using like psyop pattern recognition. And it feels like that to me. It could be wrong using heuristics here. Again, don't understand the math and not a physicist by any means studied economics, but yeah, I think that's the narrative side of things. It's very, very easy to socially attack people. And it feels, I'm not saying that I do believe the other side is earnest in their beliefs. And that's like the interesting part of this whole discussion in observing it over the last year is like they're so ardent on their beliefs and people who are just skeptical, like, hey, I believe that you're genuine, but I'm not seeing it. And there's this like narrative leverage, this asymmetric leverage they have because they can project fear onto the market. And if you're not afraid, you're not doing enough and you're actually stupid.
Brandon
Yeah, I think it's the classic FUD game and it does make it hard to still, again, I didn't want to be. I'm not a quantum physicist, by the way. I'm just a person with engineering background and with a lot of experience for many decades of reading research papers. So I come at it not as an expert in the particular field, but as someone experienced in reading papers and kind of understanding the real implications of what some new publication means. I think one thing I want to say from what you were just saying is that I recommend really that everyone go read the papers because in many cases the papers that underlie the big manic posts about quantum the sky is falling, the papers are much more conservative in what they claim. Now this Google one is kind of an exception to that, but I think that's also a good way to gauge the progress in quantum computing is look at what the actual results in the papers are that justify these very high excitement posts in social media and in kind of science journalism, let's call it. And what you'll find is that the real results being published in the academic papers are small, little nuanced improvements in things. And again, this Google paper is kind of an exception to that. But the vast majority are, especially on the physical side. Actually, I think exclusively that's true. On the physical side there are these small progressive improvements. And so you can kind of tell where we are in quantum computing by the fact that what gets the hype in the social media and science journalism side are these tiny little improvements on the physical side. Okay, so if that's what gets the hype, then we are a long way from getting all the way there. Because when we're getting close. You're going to see the Majorana particle architecture scaled up again and now went from X logical qubits to Y for the third time in three years. We're going to see like, oh, these are big improvements. 
They're building devices that can run Shor's algorithm on bigger and bigger, even if they don't really run it. To be fair, they don't have to run the actual algorithm, but the physical device is capable of running it on a key this big, on a key that big. You'll see, I guess, bigger results actually being published with less hype. And now we're seeing tiny results published with huge hype. And that's one of the ways to kind of tell how far we are and how much it is just hype.
Host 1
Yeah, and again, I think really nailing down the risk of trying to rush a change to Bitcoin to appease the people who think that this is coming faster than others believe it is. What are the risks of upgrading to something in haste because you're worried about this and alternatively not altern. But on top of that, like, is there a line in the sand we can draw? It's like, hey, we hear your concerns, we'll take this seriously. We'll begin, we'll continue the research that we've been doing and make sure that we advance that. But if we get to 2030 and we're at this state of quantum research, we're not going to take you seriously anymore. Like, what is the line in your sand?
Brandon
Oh, that's a good question. I haven't really thought about it from that angle of, yeah, when do we stop paying attention?
Host 1
It's like Greta was like Greta Thunberg again for the good, using the climate change analogy was in 2015. She was like, by 2022, Miami's going to be underwater. It's like 2022 came and went. Miami's not underwater. It's like, okay, we can't take you seriously anymore. What is that line in this conversation?
Brandon
Yeah, I think with quantum, it's really hard because the reality is, again, I think quantum's not physically possible, but that's an emotional thing. So we can't really do that because there could always be a new architecture developed that makes it possible, something we haven't thought of before. But I think the good news is that, as I said, something's eventually most likely going to break our existing crypto. And so we need to keep doing this research and building new crypto systems for Bitcoin regardless of quantum, and we should keep doing it at the right pace. And so one of the ways to I think almost ease the tension here is to say, look, Bitcoin actually is developing towards quantum resistance. Regardless of your level of concern or my level of concern. I'm not concerned. You are. It doesn't matter. Bitcoin is developing towards quantum resistance. BIP360 Merkle root is advancing. I think it's fairly likely to get activated on the network, which opens up the door to building quantum resistant new crypto into Bitcoin. So that's like step one is actively happening. And why is it happening? Because it's actually a good change for Bitcoin. And pretty much everyone in the Bitcoin developer community, there's a couple of very tiny exceptions, but really pretty much everyone's on board with that change. And it does move in the direction of quantum resistance. Does it matter that it's quantum resistant? Not to me, but it does to some people and that's okay. And we'll see that continue. Right. As other cryptographic research is done and as we get to the point where some alternative cryptographic primitive is appropriate for Bitcoin, I think it's absolutely a good thing. And I think almost everyone agrees to give people different ways to secure their coins depending on their goals. Right?
So someone who's trying to secure their Bitcoin for some kind of dynasty trust, let's say, they might want to put it in a way where it's secured by both elliptic curves and let's say hash based signatures, because they don't care about the signing cost when they go to spend that Bitcoin, they care that it is almost 100% secure for 100 years. And you really can't get 100 year security from one cryptographic assumption. You need a couple of. And so I think Bitcoin is going to go that direction. I think like that's my take is just let's do the right thing for Bitcoin. And in the long term the right thing for Bitcoin is also going to happen to make quantum resistance an option. We just don't need to rush. And as you said, there's a big risk to rushing. You know, Satoshi notoriously chose an elliptic curve specifically that wasn't published by NIST to help mitigate the risk of kind of a backdoored crypto going into Bitcoin. And right now people are like, no, let's push this NIST published post quantum architecture into Bitcoin. And everyone who knows what Satoshi did is kind of, no, let's not put the NIST thing in. Let's develop something from our own first principles that's appropriate for Bitcoin. And when we have something good, we'll put it in. Yeah.
Host 1
And that seems to be what Jonas and Mikhail are doing with SPHINCS+. Yeah, Jonas published Shrimps last week, which is sort of an advancement of SPHINCS+, because the way I understand it, Shrimps, if you were just doing pure SPHINCS+ private key, transferring a private key or recovering a private key on another physical device would be quite burdensome. But Shrimps makes it so you can begin recovering seeds on multiple devices using the same seed phrase. In a way.
Brandon
Yeah, exactly. I actually wrote it up for Optech, so check out Optech tomorrow morning. And I summarized Shrimps and also some other work on post quantum crypto by conduition about isogeny based crypto for Optech. And that'll come out tomorrow morning. So there's two new post quantum systems detailed in Optech tomorrow by me. I'm the anti quantum guy, but I'm out there actively doing the work to publicize the post quantum stuff because like I said, we need it eventually, regardless of quantum.
Host 1
And so what are your thoughts on SPHINCS+ and Shrimps? Is it a solution or is it a step towards a solution?
Brandon
They're like, okay, it would significantly impair the development of things like Lightning and payjoin and Taproot and all the cryptographic primitives that we rely on, FROST and MuSig and even the MPCs that are kind of non Bitcoin specific for multisignature and threshold signature. Any of these would still significantly impair those. So I think Jonas's work and Blockstream Research and Mikhail is exceptional and it's definitely moving the state of the art forward. But as of now, I would be hesitant to put any of these in Bitcoin because of the combination of their size, which would impair the number of transactions we could do if we were to use them and the fact that they're not really compatible with our existing wallet infrastructure that people are depending on. I wouldn't be upset if other people in the developer community thought they were a good thing to add, especially if we're thinking about, as I said, a world where we do have multiple cryptosystems available in Bitcoin and people can choose whether they secure their coins with one, the other or both potentially. I'm not going to be mad if they go in in that context. I think Shrimps in particular shows a lot of promise in that it. I guess the way I would put it is that it's close to compatible. It works decently well with, as you said, being able to restore seeds on multiple devices and the ways we use Bitcoin for real while still being not so huge that it completely destroys the usability of the chain or requires massive block size increases or something. So I love the direction that Jonas and crew are working there and I hope that it just continues and we kind of take our time getting something better than these before I put it in. That's my hope.
Host 2
Yeah.
Host 1
And then there's the whole discussion around hash based and lattice based. I know Jonas and Mikhail are working on a lattice based research paper right now. I guess what's the consensus, or lack of consensus around which direction to go in when given those two directions when given those two options?
Brandon
I think the consensus right now is if for some reason we decide to or need to do something in the near term, let's say the next five years, it would probably be something hash based because it doesn't require any new cryptographic assumptions. It relies on things we already trust and know in Bitcoin with the downside that hash based has certain downsides in terms of calculating keys that make it harder to use with our existing infrastructure in various ways. So yeah, so hash based would be the thing to do soon. Lattice based requires some new cryptographic assumptions, but has definitely certain benefits in terms of the flexibility of the math. I don't understand it as well, if I'm being honest. I haven't read deeply about it. And then the other piece, actually the Optech tomorrow is about isogeny based crypto, which is a whole different kind of crypto that also is quantum resistant but also requires a new cryptographic assumption. But it works on elliptic curves still, but using a different kind of key that's not vulnerable to quantum. So I think if it's not hash based, we don't know what it would be. It could be lattice, it could be isogeny, it could be something else. And research should continue and is continuing to kind of get to the point where we could do something other than hash based. And again, my hope is that we have much more time than the quantum doomsayers are predicting and we can get to a really good alternative cryptosystem that broadly works within the Bitcoin ecosystem and supports all the stuff we want, whether it be signature aggregation or silent payments or HD wallets, whatever the stuff we want is, we want a crypto system that supports that. And I think the research is going quite rapidly towards having some options there in the next, let's say, maybe 10 years. Yeah.
Host 1
This seems very reasonable. This seems like a very reasonable approach to upgrading Bitcoin. And again, that's been the most frustrating thing. It's like devs do something. Bitcoiners aren't focused on this. It's like the research is being done. I can't speak for them, but that's what I've been trying to figure out is what pace would be sufficient for you guys, what changes do you want to see? And then there's a circular logic where it's like, hey, we're working on this. Give us feedback on the work that we're doing, whether or not you think it's sufficient for the security that you deem necessary for these quantum advancements that are being made. And if you don't agree, do you have a solution? And if so, will you propose it? And they're like, we can't propose it because Bitcoin Core is controlled by a cabal of five or six developers. So we'd never even propose it because we get rejected immediately. It's like, well, is this productive at all? What is going on here?
Brandon
Yeah, and I think what they're actually saying and what they're reflecting when they say that is that they know their crypto proposal would be rejected for good technical reasons. And so it's not, oh, Core is this cabal. It's really Bitcoin Core holds the line on the quality of technical contributions accepted so high that nothing right now, no new crypto system for Bitcoin right now meets the bar. And that bar, of course, can move if the threats to Bitcoin's existing crypto system get closer. And so that's, I think, where the disconnect is, let's say, is that no one in the Bitcoin kind of Core maintainership has yet come out and said, the sky is falling. Quantum is in three years. We have to do something now. And if we had to do something right now, then some of these existing cryptosystems would be accepted by Core, but the cabal won't accept them because they're not really good enough, and they'd only be accepted if it was an imminent threat.
Host 1
Well, what is good enough in the eyes of people who do believe it's an imminent threat? Do they have solutions? Because that's the one I haven't seen.
Brandon
Yeah, they've said basically that we should just take SPHINCS+ into Bitcoin, even though the signatures and keys would be combined like 10 kilobytes per spend or something like that. And that's not a completely unreasonable argument if the thing really was around the corner. Now, SPHINCS is a NIST standard under the name SLH-DSA. I think it is. So the question is, is the sky falling enough that we would accept an unmodified NIST standard into Bitcoin with these significant trade offs in having 100x the key signature size versus our current cryptosystem? And I think as we've discussed at length here, the sky is not falling nearly enough to accept that kind of a trade off.
Host 1
Okay, so it's not. That's one thing I've been wondering. I thought you mentioned Alex Pruden. He's with Project 11. They're helping blockchain systems transition to post quantum, I believe, working with Solana and Ethereum. I was curious if they had a specific solution that they're putting forth for Bitcoin that.
Brandon
I don't know if they specifically have one. Yeah, that's targeting Bitcoin directly. They published a paper on some improvements they've worked out. I think it was lattice based where it does support a lot of the Bitcoin wallet infrastructure. Like I said, lattice has more key math ability than hash based stuff. So yeah, I think if they were to propose something for Bitcoin, it would be probably lattice based and the Bitcoin folks would currently say the lattice stuff is too new and we don't yet fully trust the cryptographic assumptions it makes for Bitcoin. We'd want to see more time,
Host 1
more
Brandon
threat modeling, more proofs, more different systems based on these same assumptions that all are shown to work. That's the kind of thing we want to see for Bitcoin. We don't want to put a new system in that's vulnerable to some classical attack in the attempt to defend against a quantum attack.
Host 1
Yeah, and this was similar to what would happen. I mean, you mentioned ECDSA was chosen for a certain reason. Schnorr was on the table, but I believe it was patented at that point. And I think Satoshi even said, hey, it probably needs more time to be in the wild before we adopt something like Schnorr. And then what was it, 13, 14 years into the protocol Schnorr is included into. Including into Bitcoin.
Brandon
Yeah, exactly. There's a track record here that Bitcoin. It's so strange when they're like Bitcoin should this that other thing. And demonstrably Bitcoin has a conservatism that is appropriate and will adopt new cryptographic primitives or assumptions as appropriate to the protocol. One thing that relates here is it's interesting to see the difference between centralized things and decentralized. Right. So centralized systems can just upgrade their crypto, they can take a new assumption and if it goes bad they can turn it off. And that's a low cost thing when you're a centralized system. And so they have a different math here where if it's easy to change because you're a centralized system, then the risk of taking a bad assumption is much lower because you can just change again. But Bitcoin isn't like that. Bitcoin is a massive global, distributed, decentralized network. And so the costs of taking a bad crypto system into Bitcoin are much higher than for something like Solana or for Google internally or some web server. Some web server turns on SLH-DSA today, they can turn it off tomorrow and that's okay for them. We can't do that in Bitcoin.
Host 1
No, we can't. And that's again the more frustrating. And Bitcoin gets picked on. That's like being honest. I'm happy you said that because that's one thing that I think bitcoiners who don't believe it's a big risk, like the whole line of, and I used to say this too, hand up of if quantum comes like Bitcoin's not the only thing at risk. Yes, that's true. But to your point, all these centralized systems can trivially incorporate and rip out these cryptographic systems rather trivially because they're centralized. Bitcoin does have a big unique problem in the sense that it's this distributed system. We need to get consensus. Once we put something in, it's hard to take it out. The risk factors to Bitcoin are certainly unique and arguably higher than they are to other systems.
Brandon
Yeah. So we have to pay attention and we have to move at the appropriate time. For sure.
Host 1
Yeah. And to your point about lattice based, I just wanted to bring this up. That's why I'm looking at my other screen over here because we wrote about it yesterday. But going back to lattice based schemes and the fact that they're not as battle tested as some hash based solutions. So lattice based schemes offer advantages of verification speed and signature aggregation. But they carry a trade-off: they rely on newer mathematical assumptions that haven't been battle tested as long as hash functions. In fact, NIST tested 69 post quantum candidate algorithms during its standardization process and two of them, Rainbow and SIKE, were broken with classical computers during testing. And so that's four. What would that be? That would be like five, four, four and a half percent or less than that, like three and a half percent of these or maybe like yeah, three and a half percent of these post quantum lattice based systems were proven to be insecure. And so like that's. If you're going to incorporate a lattice based system into Bitcoin and you have a 3 1/2% risk of it being insecure, that's pretty high for a trillion dollar network as well.
Brandon
Yeah, for sure.
Host 1
And that's, and I mean this gets back to what I was saying earlier, like what's the line in the sand? Like how do we have a more level headed conversation about all this with the people who are convinced that this is coming faster than we are?
Brandon
Yeah, I mean my best way is to rely on evidence based decision making and that's why I keep posting kind of every few months. I guess I probably post something about I'll worry about quantum when I see here's a list of things and I think it's scaling over two generations, less than exponential scaling in the time needed to solve progressively larger keys on the same quantum system, and beating classical in any cryptographically relevant, even small size problem. And to date none of those three things have happened in any quantum architecture. And so there has to be evidence. I joke about it being unicorn fart based engineering, but the reality is that anybody can FUD anything about Bitcoin and if we can be caused to make a change to the protocol based on claims and not evidence, then Bitcoin is vulnerable to the most obvious of attacks. Right. Bitcoin can't be subject to change without evidence that it needs to. That simply doesn't make sense. So we can set a pretty clear evidentiary standard for when a quantum architecture shows these three or maybe four people can argue about exactly what the criteria are, but we can set pretty darn clear standards for the evidence required to start taking immediate action. And of course in the meantime we're going to take progressive action anyway. So it's not like this is a, oh, we're going to do nothing until it's just we're going to take a slow and steady approach until there's this level of evidence that we have to move faster.
Host 1
Yeah. And do you think we have to think of opportunity costs too? Right. Like what else could we be working on in Bitcoin that is necessary and a low hanging fruit that undeserved attention to the quantum question could take away from?
Brandon
Yeah, that's a really important point. And I think even more than not working on the right things, it's essentially fudding the amazing innovations that are still kind of nascent, not widely deployed in FROST and silent payments and MuSig and even DLCs. All of these things are classical elliptic curve based protocols that are really valuable for Bitcoin. Craig Raw is working on getting silent payments at Sparrow Wallet. Recently Coldcard just shipped MuSig2 support. And these things strictly depend on the existing elliptic curve cryptography and they're great. There are huge improvements in the usability of Bitcoin in a couple of different ways. I'm not going to get into them because it's not important right now, but when you're saying we need post quantum tomorrow, people just say, well then why would I bother developing silent payments or MuSig when we're going to replace the existing crypto in a year? You shouldn't if that was true. And so I think it is very important that we push back on this quantum FUD and say, look, as of now, there's no evidence that we'll be kind of replacing the basic elliptic curve cryptography in the next decade. So we should keep building silent payments and MuSig and FROST and DLCs and everything based on the existing cryptography. It's going to be around for a long time, so keep building.
Host 1
Yeah. Oh, it's also tiresome. Do you think this is a social attack or. Man, I don't know, an intentional social attack? I guess if you believe that quantum is not coming as quickly as they believe it is a social attack. But I guess the question is intent.
Brandon
I tend to be optimistic on people's motivations, so I don't think so. I think it's more just that people love to panic. And I mean, we've seen that in the real world in so many ways in recent years. The need to panic, I think it relates to the fact that life is too soft. People don't do hard things and so they need to find things to be worried about to, to satisfy their natural evolutionary need to be worried about something. And so we just get prone to panic and it's easy to rile people up with this stuff.
Host 1
Yeah. Any parting notes here? Anything we didn't touch on that we should probably mention as it relates to this quantum discussion?
Brandon
Oh, I already shilled it once, but I'll shill again. Read Optech. I write the Changing consensus section of Optech every month and I think it'll actually put you more at ease about quantum, because we cover quantum a lot in there and you'll see the kind of remarkable progress being made, which very likely means that long before, because possibly never, but long before even a realistic timeframe for quantum, assuming it started scaling today, I think long before it gets to a production relevant quantum computer, we'll have a better system in Bitcoin. It's happening actively.
Host 1
Well, this will be published the day after Optech's published, so you're not spoiling anything. Are there any specifics you want to expand on there?
Brandon
Oh, sure. So I read this. Developer conduition has been posting a lot about cryptography to the Bitcoin mailing list recently and to Delving Bitcoin. And he did this big write up earlier this month or last month I guess, about isogeny based crypto that I mentioned earlier. And he basically made the argument that Bitcoin developers should be paying attention to it. And so I read his whole thing and wrote a summary for Optech about it. And isogeny based crypto is very interesting because unlike hash based or lattice based crypto, it's only about twice the size on chain of using elliptic curve stuff. And part of that is because it's also elliptic curve based, but unlike our existing stuff, it doesn't depend on the hardness of reversing points to keys, to secret keys in order to be secure. It has a totally different security assumption. It's just based on the same shapes of curves on a graph. Right? And so I think that is very promising. And I think people should read conduition's whole post if they're kind of even technically interested in this kind of stuff, because he does a great job of bringing it down to a place where Bitcoiners who kind of understand elliptic curve cryptography, the classical kind, can also understand isogeny based cryptography. And because it also works on elliptic curves, some of the machinery we already have in Bitcoin could be applicable to it. So we kind of take a new cryptographic assumption for the hardness, but we can use some of the same optimized elliptic curve math that we have already to work on these systems. And so that might be promising for Bitcoin. If I'm being totally honest about it, I would guess that if isogeny based crypto were to come to Bitcoin, we would probably still want to do something that's not elliptic curve based, as well as a backup. So that if there's a fundamental break in elliptic curves themselves, which there hasn't been any evidence of it yet, we'd have a fallback.
But it's just promising to see a totally different avenue that's not lattice, not hash also being brought to the fore. And I'm glad I got to write about it.
Host 1
Hell yeah. Do you think there's enough
Host 2
top tier
Host 1
cryptographers well versed on these subjects focused on Bitcoin? Do we need more?
Brandon
Not on isogeny based crypto yet. And that's exactly what conduition writes about, is that more Bitcoin folks should be looking at this and seeing if it's suitable. Because if it's suitable, it would have a lot of really good properties that apply to Bitcoin and let us keep using Bitcoin the way we want to.
Host 1
Yeah, it's great to know. Thank you for all your work on the front lines of having the conversation and helping add context. Because again, as somebody who's not well versed in quantum physics and knows enough to be dangerous when it comes to cryptography, it is. I don't want to say it's easy to get bamboozled, but it's easy to begin questioning and you should always question. But getting a well rounded perspective on both sides of this quantum debate as it pertains to Bitcoin, I think it's important. You've been doing an incredible job of providing much needed context.
Brandon
Thank you. Yeah, I love FUD busting. It's been a hobby for a long time. So glad to be out there doing it on a new topic.
Host 1
Awesome.
Host 2
Where can people find out more about
Host 1
what you're working on?
Brandon
Yeah, check me out on X usually Erdencode. I sometimes post on the mailing list as well. And if you're building a wallet, I offer consulting reviews and stuff for Bitcoin wallets and similar kind of on chain Bitcoin stuff. And you can just hit me up on X about that. My DMs are always open.
Host 1
All right, awesome. Brandon, hope you enjoy your day and hopefully we can do this again.
Brandon
You too, man. Great talking.
Host 1
We'll draw a line in the sand. We'll say if quantum hasn't progressed in six months.
Brandon
Six months?
Host 1
Yeah. I'm kidding.
Host 2
Peace and love, freaks.
Episode #733: The Truth About The Quantum Threat with Brandon Black
Host: Marty Bent
Guest: Brandon Black
Date: April 4, 2026
In this episode, Marty Bent sits down with Bitcoin engineer and FUD-buster Brandon Black to demystify the real and perceived threats posed by advances in quantum computing to Bitcoin’s cryptography. The conversation dives into the technical challenges facing quantum computers, the distinction between mathematical breakthroughs and physical implementation, and the current state of post-quantum cryptography research within the Bitcoin ecosystem.
Perception vs. Reality:
Quote:
“I have an emotional confidence that we're 50 to 100 to forever years from a quantum computer breaking a meaningful cryptographic system. But that's not scientific. ... The evidence is it's going to be just hard fought, tiny wins, new technologies. There's just no evidence that it's going to come anytime in the next decade or really any time in the next 20 years.”
— Brandon, [02:02]
Key Distinction:
Quote:
“There is a chasm between what we can do and the physical reality of building machines that can actually sustain an uptime and persistence to make that theoretical advancement an applicable reality.”
— Marty Bent, [06:47]
Logical Qubits:
Physical Qubits:
Quote:
“These physical qubits, they tend to break down. ... The big question is how do we stabilize them and make it so that we can kind of continue doing computation on them and different researchers in different parts of the quantum field have different methods of kind of holding that shit together for longer.”
— Brandon, [12:30]
Orders of Magnitude Away:
Quote:
“He was saying it's something like 100 megawatts ... if you linearly scale up the energy needed per qubit based on current technologies. ... If it's non linear, it may become completely intractable to power a device that can do meaningful quantum computing.”
— Brandon, [13:17]
No Rushed Changes:
Quote:
“My biggest worry is that you rush a change and it just not only disrupts all of that standardization, that infrastructure that's been built to date, but you haphazardly rush to a change that has [not] been well thought through, well tested, and leads to a bigger fallout in terms of disruption to the network than having done nothing.”
— Marty Bent, [16:34]
Ongoing Work:
FUD & Panic:
Quote:
“I think it's the classic FUD game ... recommend that everyone go read the papers ... the real results being published in the academic papers are small, little nuanced improvements ... now we're seeing tiny results published with huge hype.”
— Brandon, [31:45]
Evidence-Based Triggers:
Quote:
“Bitcoin can't be subject to change without evidence that it needs to. ... So we can set a pretty clear evidentiary standard for when a quantum architecture shows these three or maybe four people can argue about exactly what the criteria are, but we can set pretty darn clear standards for the evidence required to start taking immediate action.”
— Brandon, [55:11]
Hash-Based, Lattice-Based, & Isogeny-Based Options:
Quote:
“If it's not hash based, we don't know what it would be. It could be lattice, it could be isogeny, it could be something else. And research should continue and is continuing to kind of get to the point where we could do something other than hash based.”
— Brandon, [44:22]
On Adding New Cryptosystems:
Brandon’s “ELI5” Summary:
“The evidence is it's going to be just hard fought, tiny wins, new technologies. There's just no evidence that it's going to come anytime in the next decade or really any time in the next 20 years.” [02:02]
On Pace of Physical Progress:
“The biggest improvements have come by implementing whole new architectures. And so there's no evidence right now that any single architecture can increase the number of physical qubits.” [27:53]
Social Media Hype vs. Reality:
“When we're getting close. You're going to see the Majorana particle architecture scaled up again ... You're going to see, like, oh, these are big improvements. ... Now we're seeing tiny results published with huge hype. And that's one of the ways to kind of tell how far we are and how much it is just hype.” [31:45]
On Opportunity Cost:
“It's essentially fudding the amazing innovations that are still kind of nascent, not widely deployed in FROST and silent payments and MuSig and even DLCs. All of these things are classical elliptic curve based protocols that are really valuable for Bitcoin.” [57:15]
On Social Attacks:
“I tend to be optimistic on people's motivations, so I don't think so. I think it's more just that people love to panic... it's easy to rile people up with this stuff.” [58:57]
Both the threat of quantum computers and the urgency to overhaul Bitcoin’s cryptography are often overstated. Practical, scalable quantum attacks remain far off, and Bitcoin development continues to monitor, research, and prepare—at a pace befitting the network’s enormous responsibility and unique risks. There is significant active research and cautious progress toward post-quantum solutions, with a broad consensus that evidence, not hype, will dictate the timeline for Bitcoin's quantum-resistance transition.