Chris
We face of this very uncertain timeline of when and if quantum computers will emerge to the point where they can break our crypto is a very, you know, interesting kind of at an intellectual level, right? How do you apportion your resources? How do you measure the risk? How do you predict? Well, we've got a long migration ahead of us. Where? When do we start?
Justin
If you have the fast flow flavor. So for example, you have Google working on the superconducting stuff. The estimate for the time it takes to crack a key is on the order of minutes, like roughly 10 minutes. And so what you could imagine is that Satoshi's coins would actually be stolen at the same rate at which they were mined in the early days.
Laura Shin
Hi everyone. Welcome to Unchained, your no-hype resource for all things crypto. I'm your host Laura Shin. Thanks for joining this live stream. Before we get started, a quick reminder. Nothing you hear on Unchained is investment advice. This show is for informational and entertainment purposes only, and my guest and I may hold assets discussed in the show. For more disclosures, visit unchainedcrypto.com. Today's topic is the quantum threat to crypto. Welcome, Justin and Chris.
Justin
Hi, Laura. Thanks for having us.
Chris
It's great to be with you, Laura and Justin.
Laura Shin
So, everyone, I know we're a bit late to this topic in the sense that others have been talking about this for a while. But we're also quite early because the threat to crypto that quantum poses is going to happen at some indeterminate point in the future. And however, this threat is already influencing investment. And it is the kind of threat that will take a lot of coordination and planning to overcome, which is why we are discussing it now. So let's just start by laying the groundwork. Justin, why don't you start by explaining what quantum computing is and what threat it poses to crypto.
Justin
Sure. So quantum computing is a form of computing that leverages microscopic physics, if you will, that is hidden to the day to day world that we live in, but is very much present. And using this hidden structure, you can run computation theoretically faster for certain classes of algorithms, including algorithms that break the cryptography that we have right now in terms of elliptic curves. And the major threat for crypto is that it breaks the current cryptography that we have. So for Ethereum specifically, there's three pieces of cryptography that are vulnerable. The first one for user transactions is called ECDSA. The second one is at the consensus layer we have something called BLS signatures. And then finally at the data layer for the blobs, we have something called KZG. And the common thread for all these three layers is elliptic curve cryptography, which would get broken by quantum computers.
Laura Shin
And Chris, how would you describe quantum computing and the threat that it poses to crypto?
Chris
Yeah, I think Justin said it perfectly. You know, this is technology that is still in somewhat early and even speculative stages, but there's been a lot of progress in building these quantum computers by efforts that have invested billions of dollars toward engineering these devices. At a theoretical level, and also at an engineering level, we know and have known for several decades now that quantum computers, if they are built at large enough scale, can and would break all of the cryptography that we've been using heavily on the Internet and in blockchain applications and all around the world for several decades now.
Laura Shin
And so I know timelines can be difficult to project. But I was curious when you both personally thought that quantum computing would pose a threat to crypto. You know, how many years from now and either of you can answer?
Justin
Sure.
Chris
Well, I started kind of going all in on quantum resistant cryptography research about 21 years ago. So at the time I thought, you know, this is going to matter, this is going to be important someday. You know, in those 21 years, we still haven't seen a quantum computer, but the level of effort and investment that's gone in has, has really skyrocketed in recent years. And so most people who are experts in this domain, I, I'm not sure I consider myself one of them in terms of actually building quantum computers. But most people who are experts in this domain do believe that we will have them at some point in time. And those timelines range from, well, how likely do you think a quantum computer is to emerge within a certain amount of time? So I think most people believe that, you know, in the next three to five years, very unlikely, but perhaps at the 10 year, 15 years out from now, it starts to become more of a significant probability. And then predicting the future, even 20 years out, is a fool's game. I don't think anybody can do that.
Laura Shin
Justin, what do you think of the timeline?
Justin
Yeah, so at the Ethereum Foundation, we've been thinking about this since 2018. We actually gave a large grant, several millions of dollars to StarkWare back then to start building this technology. And with all of the progress that we've seen recently, both on the quantum computing side of things, but also on the algorithmic side of things, my personal date is now 2032, and I've partially stolen this from a friend in Cambridge who happens to be the founder and CEO of Riverlane, one of the top error correction companies in the world. And we both have sons who are in the same class, which is how I met him. And he's been in the space for 15 years. And his date 15 years ago was 2032. So I'm feeling pretty good about it. And going back to what Chris said, very few people believe that we're going to have so called cryptographically relevant quantum computers by the end of this decade. So we're talking 2000s. But I think there's a reasonable chance, for example, that in 2031, maybe a 1% chance, 2% chance, maybe more, that we'll have a relevant computer. And then it really increases steeply the probability of having a cryptographically relevant quantum computer. And one of the things that I can share is that there's been this really big improvement on the algorithmic side of things. So if you rewind the clock two, three years ago, the best known algorithm for breaking Ethereum cryptography required about 10 million physical qubits. And then about a year ago so last year in 2025, we had a paper bringing that down to 1 million qubits. And in 2026, we're going to have another paper that brings it down even further. And so I wouldn't be surprised if the end game is much closer to 100,000 qubits. And so we have these two curves, eventually we'll cross. And because of the time it takes to migrate to new cryptography, we have to be thinking about this several years in advance. And if indeed I'm right that 2032 is the date, then today is when we really need to get started and.
Laura Shin
Explain what a qubit is.
Justin
So a qubit is the fundamental quantum building block, which is the equivalent of the bit. So a bit can take two values. A qubit can be in a superposition of states, and it can also be entangled with other qubits. This is what gives it its power. And when we talk about qubits, there's two flavors. There's the logically perfect qubit, which we call a logical qubit. And this is what the theoretical quantum algorithm designers will be using. And then you have what's called the physical qubit, which is the physical instantiation using atoms or photons or whatever it is. And because of the noise involved, you have to do so called error correction. So you have to take a collection of physical qubits in order to form one perfect logical one. And this ratio between physical and logical is very important. And it might be on the order of 1000 or 100 or maybe 10,000. This is very much in the engineering stage. But one thing that we should expect in addition to the algorithms improving is that the error correction will improve so that the ratio will improve. And of course, we should see more and more physical qubits in the same way that we have Moore's Law, that increases the number of bits and transistors that we have on a single chip.
Laura Shin
Okay, so as you said in the beginning, the threat that quantum computing poses to crypto is, is kind of limited to a certain area. Just explain what that means in practical terms. Like what are the actual dangers that everyday users would perceive, that businesses would perceive, you know, what are the things that could happen if the crypto industry and all these different chains don't, you know, come up with ways to, you know, protect themselves against the quantum threat in advance.
Justin
Long story short, with a cryptographically relevant quantum computer, you can take a public key and rederive, recompute the private key from that. So normally you're meant to keep your seed phrase secret and your private keys safe, and you only expose the public key. But if we have a cryptographically relevant computer, it's basically game over. It's systemically bad for the whole industry where the notion of property rights starts to crumble.
Chris
Yeah, I would add that cryptocurrency is built on the foundation of secure cryptography. And there's all kinds of cryptographic primitives and tools of, by various names, digital signatures and hash functions and encryption, and all these different kinds of tools and primitives that we use so that we can build a secure cryptocurrency. And when that foundation crumbles and becomes completely insecure, well, everything built atop of it also collapses. So it is, as Justin said, a completely systemic risk, as well as a particular risk to specific protocols that are out there, whether they be Ethereum or Bitcoin or, or any of the many other kinds of blockchains that are out there.
Laura Shin
And so essentially like, it's something like whoever creates the first quantum computer could steal as many coins as they want from pretty much any chain. Is that sort of the, the doomsday scenario?
Chris
That's a fair description of, of what would happen. Right. If you can take any public key off of the blockchain, you could empty its account. Right. And just forge a transaction that transfers all the assets from this account to the account of your choice. Those are some of the very simple to imagine consequences of having a cryptographically relevant quantum computer. There are other sort of more subtle or nuanced situations. Like one could potentially use a quantum computer to break consensus or cause some kind of fork in certain types of blockchains that are protected by digital signatures that are vulnerable to quantum computers. So Justin also mentioned this at the beginning. The actual consensus layer of many blockchains is protected by cryptography that would be broken by quantum computers. So, you know, whether an attacker would actually want to do this and destroy the entire consensus of the network or not is an open question. But it's at least something that in principle could be done. And so that would be a systemic destruction of maybe all the value in that blockchain.
Justin
I do want to kind of share some of the nitty gritty details of quantum computers. So there's several so called modalities which are different flavors of quantum computing. There's for example, trapped ion and neutral atoms, and those involve moving particles around, and they tend to be relatively slow in terms of their clock cycles. And so if you were to run the algorithm to break our cryptography known as Grover's algorithm. It might actually take several hours or several days. And so if you only have a limited number of quantum computers at the very beginning, then you should only expect a small number of keys to break. If these are the modalities that are going to win. There's other modalities, for example, superconducting and photonics, that are much faster because there's no moving parts. And here you could expect a key to break in a matter of minutes. But again, if there's a limited number of sufficiently powerful quantum computers, most addresses will actually be safe. Because, for example, Satoshi has a very large number of addresses, each with 50 Bitcoin in the early days of mining bitcoin. And so one very easy mitigation, actually, is to just make sure that in your wallet you have less than 50 bitcoins worth of value, because then the attacker will target Satoshi's coins first and will have a bunch of lead time seeing Satoshi's coins being drained before everyone else's.
Laura Shin
Wow. Okay. Yeah. I mean, the, the one thing of course, is if Satoshi's coins get drained, then that would cause like a systemic panic. And so the price of bitcoin might, might go south. But let's say that now it was 2032, we would wake up one morning and like that, all of Binance's wallets got drained, even like cold storage. Same with Coinbase. Is that kind of how to think about it?
Justin
So a lot of the large exchanges for their cold wallet actually implement a very easy mitigation, or at least they should implement a very easy mitigation, which is to not reveal the public key. So on most blockchains like Bitcoin and Ethereum, you have the address which is the hash of the public key, and then you have the public key which needs to be revealed the very first time you spend from that address. But if you have a cold storage address for which you've never made any spends, then the public key has not been revealed, and that's actually secure against quantum computers. So the very easy mitigation is to make sure that you're hiding your public key behind the hash, which is your address. Now, there is a company called Project 11 that has this tracker website that will tell you what percentage of keys are protected behind the hash and those that are not, and I believe we're talking roughly 30%. Don't quote me on this, just check the website. And some of the top addresses are indeed exchanges. So if you are a security officer at one of these exchanges or you're part of management, do consider this very simple mitigation of putting all your cold storage in an address that has never made a single spend.
Laura Shin
Okay. Okay. Yeah, I guess from what I understand, you know, the way these exchanges work, they have cold storage, they'll have like a lukewarm storage, I forget what it's called, and then the hot wallet. So presumably there are times when certain cold storage wallets might need to transact with the lukewarm wallets or whatever they're called. But yeah, it's probably pretty infrequent. Okay, so now let's talk about something that Chris kind of alluded to. He said, you know, if whoever develops the first computer wants to go after these coins, I'm so curious, there must be a race to develop this type of computer first. So who are sort of the different players and are any of them ones that, yeah, might be motivated to. To attack crypto?
Chris
Sure. Well, we know of many of the public players at least. So Google has a serious high dollar investment in building various types of quantum computers, engineering them. And as Justin mentioned before about error correction, just last year Google had a major breakthrough in the quality of error correction that it was able to attain. That's one of the most important ingredients in ultimately building a large scale quantum computer. You also have IBM and a large number of, moderate number of startups of various names that are all trying different engineering approaches. And then you have the not so public players. We know that governments around the world of various large countries are very interested in this kind of technology. They don't report out their progress to a large degree. And so we don't really know where they lie. And whether the private sector that's making public announcements is ahead of them or catching up, it's very hard to say. But you know, naturally the US government, the Chinese government, all kinds of rich countries are almost certainly investing a lot of effort into building quantum computers.
Justin
Yeah. And in the public quantum computing industry, there's a bunch of companies that have gone public and there's been a little bit of speculation around those. So some names that Chris didn't mention, there's like PsiQuantum and Quantinuum and Rigetti. Now I was talking to the Google team recently and one thing they mentioned is that in China, instead of having many different commercial companies working on this, it's mostly centralized at the government level and they're extremely quiet. So I would say those are the two primary poles. The public companies and the Microsofts, the IBMs and the Googles versus a government like China.
Laura Shin
Yeah, I, I feel like, I mean, this is sort of something that's been said a lot in crypto, but you know, a government like China is probably one of the few players that would be very motivated to try to attack blockchains in this way. So yeah, I could see that being a threat. Okay, well, I'm so curious and I know you guys are kind of affiliated with certain chains, but you probably have made an assessment of which chains are maybe more vulnerable than others and which ones are least vulnerable. So I'm just curious to hear the lay of the land, like what your opinion is on if there are any particular coins that you think probably, you know, are better positioned and which ones need to, you know, up their game.
Justin
So when migrating to post quantum cryptography, there's really two challenges. One is a technical one and the other one is a social one. In my opinion, the major technical challenge is what's known as the size problem. For post quantum cryptography, we're dealing with signatures that are at least 10 times larger than ECDSA. So ECDSA has 64-byte signatures and the smallest NIST standardized scheme is called Falcon 512 and it has signature sizes of 666 bytes. And then there's all sorts of other schemes that have even larger signatures. And so if you maintain the block size, which for, you know, pretty much any blockchain is like the scarcest resource that you have, your throughput, and you increase your size of your transactions by a factor of 10, then your TPS, your throughput is going to go down by a factor of 10. So imagine Bitcoin going from 3 TPS to 0.3 TPS, or Ethereum going from 25 to 2.5, or Solana going from 1000 to 100. In my personal opinion, this is just a non starter. Just from a commercial standpoint, it would just be way too disruptive. And so what the Ethereum Foundation has been investing in to solve this technical size problem is what's known as signature aggregation. So the idea is to take all of the signatures corresponding to all of the transactions in the block and to snarkify them into a single proof that would get published alongside the block. And this is something that we've been working on for a while now. We have something called LeanVM and we have variants of the NIST standardized signatures that are much more friendly to this aggregation. Now, putting aside the technical problem, which is real, for some other blockchains, there's an even more real problem, which is the social one. First of all, they need to recognize that indeed there is a problem. And then even once they've recognized, they need to put in place all of the coordination infrastructure. And the top blockchain that I have in mind here is Bitcoin. 
You have leaders like Adam Back that are in complete denial that quantum computers could be coming in the early 2030s. He's talking about, at minimum, decades until cryptographically relevant quantum computers come. And Nick Carter wrote this report recently where he went through the whole list of bitcoin high priests. And of the 10 that he identified, only one of them, Jonas Nick, was worried about quantum computers, and the nine others didn't seem too worried. And bitcoin is a chain that only makes upgrades extremely infrequently. You know, in the last 10 years, it's only made two upgrades. And it's plausible that it would take them at least five years to upgrade to post quantum cryptography and that quantum computers could come within that timeframe. Now, one of the things that I'm hoping will happen, ironically, is that there's a collaboration between Ethereum and Bitcoin, because what happened in 2009 when Satoshi launched Bitcoin is that he created a de facto standard for signatures. So he went with ECDSA, he picked a specific curve, secp256k1. And then most of the chains just copied this. And this was really good because it meant that you have the same key derivation standards across all of the chains. You have the same wallet infrastructure, the same hardware wallets, you have the same MPC protocols, et cetera, et cetera. And it would be pretty catastrophic, in my opinion, if every chain were to come up with its own solution. And so the strategy that we're taking at the Ethereum Foundation is actually to try and pill the bitcoiners to reuse whatever we have, so that if Bitcoin and Ethereum together have the exact same solution, that all of the other chains most likely will just copy it. And so the LeanVM that I mentioned is built with bitcoiner security in mind. We're trying to be as conservative as possible and not cutting any corners. And we're also collaborating with bitcoin researchers. So there's Mihal Kudinov, for example. 
We wrote four different papers, academic papers with him in 2025 and early 2026. These are papers on post quantum cryptography. And last year we organized a workshop in Cambridge in October. This was a three day post quantum Workshop, which he came to. He's a great guy. And I'm basically hoping that Michal can single handedly be the bridge between the Bitcoin world and the Ethereum world. And I forgot to mention that Michal works at Blockstream, the primary company that has soft power over Bitcoin upgrades. Yeah.
Laura Shin
And that is run by Adam Back, who actually you mentioned earlier was not yet.
Justin
But yeah, Jonas Nick is also at Blockstream, so maybe Adam Back could be convinced if Michal and Jonas joined forces.
Laura Shin
Okay. And I'm curious, Chris, what you think of that idea about if Bitcoin and Ethereum are using the same strategy or the same solution, if that would be something that other chains would naturally do? Because I don't know if it is even an issue, but in my head I'm like, oh, but does that reduce resiliency for the industry if everybody's using the same model that potentially could later on become vulnerable? I don't, I don't know.
Chris
Yeah. In terms of cryptography and the, you know, the standards that are underlying the technologies themselves, I think it's a very good thing to have broad industry standards that are well understood, that have been well vetted. And as Justin mentioned, you know, the Falcon signature scheme is one which has been selected by the U.S. National Institute of Standards and Technology now through a many year post quantum cryptography process. So that started back in 2017 or so and is just coming to the conclusion of its main activities in the past year and upcoming year. And so it's very good if the industry can all agree on one standard so that things are interoperable. You get many fewer cryptographic disasters or unexpected incompatibilities or security issues. Now, speaking of some of the other projects out there that have taken post quantum cryptography seriously, for example, I've been connected to Algorand since 2021 through Algorand Technologies. That's a company that works on the cryptographic research and protocol security. And one of the reasons I got excited to do that at the time was they specifically wanted to understand the post quantum cryptography landscape and to bring their chain up to date and understand what it would take to build in post quantum resiliency. So through those years we developed something very similar to what Justin was talking about to address this size problem. It was called State Proofs and it uses the Falcon signature scheme and it basically offers a fairly frequent but periodic checkpoint, a post quantum secure checkpoint about the state of the Algorand chain, for example. So it allows you to say, you know, every 256 blocks, which is every few minutes on Algorand, you can get signatures, Falcon signatures, from many, many different validators and accounts that attest to the state of the chain. 
And then there's a thing called a state proof that kind of condenses these Falcon signatures down to a small number of them that together prove that a large percentage of the stake in the Algorand system has attested to. Yes, this is the state of the blockchain at this point in time. And that's a post quantum secure attestation or proof. And so it allows one to, for example, interact with other chains or have a long term, post quantum secure kind of snapshot of what the chain actually looked like. And that keeps it secure even in the ultimate future when quantum computers emerge and might try to, you know, fork the chain through a historical path or try to convince a light client that the chain looks like this when it actually looks like that. So light clients and other users can look at these state proofs and determine, yes, this is the actual state of the chain at this point in time. And then recently Algorand also added these post quantum secured wallets. So you can actually give post quantum secure transactions for using the same Falcon signature scheme.
Laura Shin
Okay. And for the transaction, that just means like that the transaction wouldn't be vulnerable to a quantum computer or.
Chris
Exactly. Yeah. The transaction, the signature transaction has a signature. It's a Falcon signature. That's a post quantum secure signature. And those. The idea is that a quantum computer would not even be able to forge such a signature. It would not be able to, you know, empty your wallet if you've got this feature enabled that requires post quantum signatures on its transactions.
Laura Shin
Oh, got it. Okay.
Chris
Okay, so these are addressing sort of the two layers that that Justin mentioned at the top of the show where you have, you know, there's, there's protection for individual accounts and wallets and then there's protection at the base layer of the blockchain itself and the consensus layer. And you know, does everybody agree that the same thing is happening?
Laura Shin
Okay, got it. That, that makes sense. All right, so in a moment, we're going to talk a little bit more about some of the other efforts that are being made. But first, a quick word from the sponsors who make this show possible. Back to my conversation with Justin and Chris. So are those all the different types of, you know, problems that could happen with quantum cryptography, sorry, quantum computing, or are there any others that, you know, might affect blockchains?
Chris
There's another type of attack that we haven't really mentioned so far, and it's of lesser significance to the blockchain space, but still can have some important implications. And that is what's known as a store now, decrypt later attack. This primarily affects encryption. So if you have data that you want to keep secret, let's say your account balance is private, or you're using a chain that offers some privacy to the transactions that usually uses a technology called encryption. And just like with ECDSA signatures that Justin mentioned earlier, all of the predominant encryption methods of the past several decades are also vulnerable to quantum computing attacks.
Laura Shin
And so would that affect like pretty much all the privacy coins and all the privacy chains is that it might.
Chris
It would depend on what kind of level of privacy that they provide. But what it would allow is if there's some encrypted data that is stored on the blockchain, for example, and is meant to remain secret for a long time. When a quantum computer ultimately emerges, it can look at that encrypted data, break the key and decrypt the data and learn what was supposed to remain private. And so you have this problem where if you're encrypting things today with cryptography that would be vulnerable to quantum computers, you have a problem. Because if you're trying to keep it secret for 10 years, for example, and quantum computers emerge in six, or as whatever the prediction is, you can't, you're going to lose, right? You're not going to be able to keep it secret for that long. So it means that if you want to keep secrets for a longer term period, then you need to start using quantum, quantum secure cryptography right now.
Justin
Laura, you were asking about the privacy chains. So I have a piece of good news and a piece of bad news. The piece of good news is that quantum computers will break the soundness of these private privacy schemes like Zcash, but they will not break privacy. So someone can spend coins that are not theirs, but at least the whole history of past transactions will not be magically decrypted. So that's the good news. The bad news is that I think privacy coins like Zcash are going to be the very first target of a quantum computer. And the reason is that you can steal funds without anyone noticing. So within the privacy pool, you can just empty the privacy pool and no one will know. And so you mentioned, Laura, that there would be kind of mass panic if Satoshi's coins were to move. Well, there wouldn't be any mass panic if the Zcash coins were to move because no one would really notice.
Laura Shin
Oh my gosh. Yeah, that, that is, that, that's really scary. And, and would this also affect, because there's, you know, as, as I'm sure you know, there's a bunch of layer twos that have privacy on Ethereum. You know, I just interviewed Aztec back at DefConnect when they launched like that, you know, there's a bunch. So would those also be affected?
Justin
Yes, unfortunately they would be affected. And really the solution here is to try and migrate as quickly as possible to post quantum snarks, because a lot of these are based on snarks. And hash based snarks are basically the only solution that is production grade today. Now, in addition to deploying new technology, one of the social problems is trying to force the community to exit one system and move to another one. So for example, in the, in the context of zcash, they have these multiple shielded pools. I think one is called sapling and they have various names. And one thing that you can do is basically keep track of the total amount of funds that have been deposited in the privacy pool and the total amount of funds that have left. And so what you could potentially do is have a policy that says by this date we need to have this specific vulnerable privacy pool be emptied, otherwise all of the coins might, might be deemed, might be destroyed as a policy decision by the community. And one of the things that I want to highlight going back to Bitcoin is that they have this big issue around what do you do with the Satoshi coins, which is about a million btc, which is tens of billions of dollars. And there's basically potentially going to be a contentious fork here with one side wanting to burn them and the other side saying no, no, no, privacy rights are sacred, we definitely cannot burn them. The good news for Ethereum is that there's roughly speaking 0.1% of the ETH circulating supply which is known to be lost or believed to be lost. And so that's essentially a rounding error. And I don't think we'll have this consensus fork in Ethereum land and wait.
Laura Shin
So I'm sorry, just to understand, are you saying for something like Bitcoin that in order for any coins to be saved, all the owners have to voluntarily move? No.
Justin
For any chain we need to have the owners perform an action where they spend their coins from a quantum insecure wallet and migrate them to a post quantum secure wallet. There is this like one exception which is that it is possible to basically have a proof of knowledge of the seed phrase as opposed to a proof of knowledge of the private key. And that would allow you to migrate without any user action. But this is not something that many chains are considering as the default path. They are considering it, for example, as an emergency path. So if, let's say tomorrow we had a quantum computer that was able to crack Ethereum addresses at will, what would probably happen is that we would just shut down the chain and then we would have a mechanism for people to prove that they own the seed phrase, which is a post quantum secure thing, as opposed to proving that they know their private key, because that's something that the attacker would know. And then we would have this reboot mechanism that would take several weeks, potentially several months. So. So yeah, it is being considered right now as a, an emergency backup, but it's not the default path.
Laura Shin
Wait, and I'm sorry, like to quote unquote, shut down the chain. You have to get all the individual miners all or stakers I get like. But I, I guess because there's a lot of. So you'd have to get all the solo stakers and all the, you know, kind of like places like Lido and whatever that are doing it for, for individuals. Like, you'd have to get them all to do that. Right?
Justin
Or so there's two separate problems. There's the users and the validators. For the users, we'd basically, the community, more likely than not, would say, hey, like, any transaction that has been made from this point onwards is just considered null and void. What we're going to do in order to prove your ownership of a specific address is we're going to ask you to prove that you know your seed phrase. So just to back up a little bit, the way that you go from the seed phrase to the private key involves some hashing and hashing is quantum secure. So that step here is quantum secure and it can be leveraged to do an emergency reboot for the users. You could also do a similar thing for the stakers. So ethereum has roughly $100 billion of, of stake and each validator can have a zero knowledge proof that they know the corresponding seed phrase and then use that to basically send the ETH to a new post quantum secure address. But this is a process that would take many weeks, potentially many months. And so for a period of time the Ethereum chain would go down. But having said all this, the plan right now is to upgrade every single piece of Ethereum cryptography to be post Quantum secure by 2029. And so hopefully this should not be an issue if indeed 2022 is 2032 is the correct date.
Laura Shin
Okay, yeah, yeah, yeah. Obviously you want to do it ahead of time because what you just described sounds like chaos. But Ethereum has done similar things in the past. Like if I think about the DAO hard fork, there are messy situations that it's come across. And yeah, okay, maybe the solution was messy in its own way, but like it, it worked, you know, basically. So, okay, that, that is, that's really interesting. So Chris. Well, yeah, so, okay, so now Justin just briefly gave us a little bit of a glimpse of like, how, how Ethereum is thinking about trying to tackle this. Like, does Algorand have any plans or do you know of any other chains that have like certain plans around, you know, how to kind of transition before the threat arrives?
Chris
Yeah, there are, you know, several chains that are thinking, I think, seriously, or to some degree of seriousness about how to do these kinds of upgrades and transitions. I think it's absolutely important to do it very deliberatively and iteratively. So the approach at Algorand, for example, has been let's deploy this state proofs, right, for the, for the underlying consensus and chain and the long term viability and accuracy of the chain. And then let's learn from that and let's iterate. And then they moved it to post quantum transactions, post quantum protected transactions. We'll learn from that and discover new techniques, new ideas that allow to move forward to other pieces of the picture. And so I think another reason to start early, in addition to the ones that Justin has mentioned about the uncertain timeline of when are we going to be at Q Day, right, when are we going to hit the qpocalypse is you have to learn and you have to iterate and you have to try some things that might not work and adjust your approach. Because the performance profiles of these post quantum schemes is very, very different from what people are used to with the current classical cryptography. So, you know, the sizes are much larger. There's, you know, on the plus side, verifying signatures is much faster in post quantum schemes like Falcon. And so, you know, for blockchain applications, fast verification is a very useful fact. You want to be able to verify a lot of signatures very quickly because there are so many of them on the chain. There are going to be a lot of tricky implementation issues with a lot of these cryptographic primitives. They work completely differently from what we're used to. 
And so all the lessons of the past actual, you know, few decades in terms of sticky points and trip ups that people have made with insecure implementations and things of that nature, we might have to relearn some of these lessons or at least pay close attention to the mistakes that were made in the past and make sure we don't make versions of those mistakes again with the new cryptography. So, you know, it takes a long time. All of these things are slow and deliberative and one needs to start early because the, it's a, it's a marathon, right? It's not a sprint. You don't want to be sprinting for 26 miles. You're going to fall over dead at the end. If you do, you'd rather have a nice, you know, well, my pace would be four miles an hour if I were running the marathon, maybe less. But you know, you want to be able to be going carefully and deliberately. And that means starting very early and going piece by piece.
Laura Shin
And so Justin, as you mentioned, the Ethereum foundation just announced this post quantum team and you know, you kind of already gave a little bit of a glimpse into what you guys were thinking, but just like tell us a little bit more about your plan and, you know, what goals you have.
Justin
Right. I guess before that. One thing that I want to share as a prediction is that I think the blockchain industry is going to suck in a lot of post quantum talent in the months and years to come. One thing that might not be clear to your audience is that Chris is one of the very top experts in the world on lattice based cryptography and it's fantastic that he is in blockchain land working with Algorand and Blockstream. Very recently hired Michal and we at the Ethereum Foundation, we had already a team of cryptographers and we're increasing that. For example, recently we hired Emil to work on LeanVM full time. Now the specific plan that we have is to solve this size problem via hash based cryptography. So specifically we're hoping to have hash based signatures that are unaggregated and then use hash based snarks to aggregate the hash based signatures. Now why hash based? The reason is that one of the primary reasons is that there's uncompromising security. One of the goals of blockchains is that they're going to be securing hundreds of trillions of dollars over centuries. And hash based cryptography is believed to stand the test of time and is by far the most conservative and minimal assumption that you could hope for. And hashes in some sense are a sunk cost for blockchains. We have them everywhere with our Merkle trees, even in signature schemes like Falcon, which are called hash and sign, you have the hashing that's part of the signing process. So we're going with absolute uncompromising security. And again, that's part of the strategy to try and appeal to the Bitcoiners. Now if you were to ask a person on the street or a cryptographer of the street, is using hash based cryptography a wise choice for blockchains? They might actually say no. And the reason is that hash based signatures are larger than the other flavor, which is called lattice based signatures. So it seems paradoxical, why would you choose the hash based signatures?
And the way that I think about this is that it's what I call the hash gambit. So where we have these larger signatures, but then we're solving the size problem with this other tool, which is the hash based snarks. And what you end up with is a very small and fast to verify snark proof that you post with every single block. And the only place where the larger signatures show up is off chain in the mempools. So there's a solution there which is called sharded mempools. So instead of having one mega mempool for all of Ethereum, we might have 64 mempools each with 1/64 of the transactions flowing through. And that's perfectly fine, it's an easy design. But really the scarce resource that we want to be preserving is the on chain data availability throughput. And for that we would take all of the signatures and snarkify them. And ironically when we do that, it's actually a scalability boost relative to what we have today. And the reason is that today we are consuming 64 bytes of ECDSA data availability per transaction, whereas in the future we wouldn't be having this fixed cost per transaction. And so if you look at a blockchain like Bitcoin, the total amount of signature data that goes per block is actually larger than a single proof, which is on the order of 200 kilobytes. So that is a strategy to take the hash gambit, have slightly larger signatures, but then aggregate them. And by going with hash based signatures, in addition to the uncompromising security, we also have very elegant designs. So hash based signatures are some of the simplest things that you could imagine. They were actually invented close to half a century ago. So a small historical fact is that Ralph Merkle invented Merkle trees in 19 and what was the context of that? It was Merkle signatures, which are hash based signatures. And what we're hoping to put in production at the consensus layer is basically a small variant over these Merkle signatures.
So we've been taking the Merkle tree part of his invention that's almost 50 years old in blockchains. And now we're kind of going back to the roots and also using it for signatures, which is a fun anecdote. And in addition to the security and the elegance, there's a third advantage of hash based cryptography, which is that it's been heavily deployed in production. Hash based snarks, sometimes known as STARKs, are the common now the de facto standard for snarks for rollups, for example, and they're extremely performant and certainly performant enough to be able to aggregate the signatures for all blockchains.
Laura Shin
Okay. And yeah, I mean what you just explained sounds so interesting, but I'm sure Chris, being an expert in a different type of, I guess, post quantum computing, I'm curious Chris, what your thoughts are on that and if you can explain what, like, you know, what a different way to approach it might be and not just for Ethereum, but like for any chain.
Chris
Sure, yeah, it's, it's a really exciting time because there's such a wide spectrum of possible solutions to these problems we face and there's a lot of different trade offs that emerge and that in one context may make a great deal of sense and in another context, you know, don't make any sense at all. Right. So I think the thing, the system that Justin just described sounds really cool. These hash based signatures are, as he said, one of the oldest and most classical things you teach in crypto 101. And often things in crypto 101 that we teach, we say, oh, this is a completely theoretical thing because it's so inefficient. But then with a bunch of engineering and a lot of hard work and very clever systems work, it turns out, hey, this is completely practical and you can do it in reality. So, you know, that's what's one of the exciting parts of this post quantum cryptography field for me and many others I think is, you know, there's like a thousand flowers blooming all over the place and oh, look at this one, it looks completely different from this one and it has its own like cool advantages and you can do these kinds of things with it, which, well, we could never do that before, or oh, but like, oh, it's got a very fragile stem. Well, okay, we can like shore up the stem and make it much more strong with this other tool.
Justin
Right.
Chris
So all these combinations of really cool, almost magical cryptography allow you to do these sort of miraculous things. The work, you know, the area that I work in is called lattice based cryptography. And in addition to hash based cryptography, those are the two kind of two categories that of schemes that NIST did ultimately select for its standards, its post quantum cryptography standards. So both areas are old ish. Lattice based cryptography goes back to the mid-1990s. So it's kind of getting long in the tooth as well, which in cryptography is a good thing. When something's been around a long time, that generally means it's stood the test of time and can be considered to have, you know, good security. People have looked at it for a good deal of time, which is necessary before you start putting, you know, billions and trillions of dollars of assets at work secured by such cryptography. So the other thing I love about lattice based cryptography is maybe some things we'll be talking about in five or 10 or maybe even three years. It has these amazing other features you can do with respect to privacy and what's called fully homomorphic computation, fully homomorphic encryption that enables all kinds of miraculous applications. It's still in the relatively early days of being practical enough to deploy, but there's been a great deal of effort on it at the scientific side and the engineering side over the past 15 years, or even getting a little bit more than that. And I think in, you know, five and 10 years, we will be pretty amazed by what we can do with. With those kinds of technologies as well.
Laura Shin
All right, so now let's talk about bitcoin, because that's really the chain that kind of kicked out this conversation, as Justin alluded to. Nick Carter of Castle Island Ventures a few months ago, released, you know, a bunch of different essays, and he talked about how he had done a bunch of interviews and he felt like the bitcoin core devs were not really taking the quantum threat seriously. And he found that concerning because it's the most decentralized chain with the. I guess what you could say is least codified governmental infrastructure or, or practices for decision making and group action. And obviously bitcoin is easily the. The most important asset in crypto. And I just wondered if you, you know, had thoughts on what he was saying. You know, Justin, as you mentioned, some of the people who are very prominent bitcoin are a little bit dismissive of. Of this threat. And. And I wondered, you know, if he felt that, you know, Nick maybe kind of was making a stronger point or if he felt like you agreed more with the bitcoin devs or. Yeah, how. And either of you, you know, can answer, but I'm just curious for you to describe what you think are the quantum threats to bitcoin.
Justin
I think Nick is directionally correct on pretty much all of the points. I guess I would add two caveats. The first one is that there's this weird game theory where maybe the bitcoin developers don't have an incentive to talk about the risk, even though they themselves kind of personally, privately appreciate the risk. And I think there might be something similar going on with the security budget. I know with very high confidence that bitcoin is not going to stand the test of time because of the security budget and the halvings. And there's some very smart people that probably understand that, but don't have an incentive to speak about it. And maybe we see something similar with quantum. The other thing that I want to kind of push back on a little bit with Nick is that there are a couple of very smart people that are taking it seriously and especially Mikhail and Jonas. And at the technical level you don't need an army of researchers necessarily. A small group of people, especially with the advance of AI, can do a lot. And I think there is a reasonable path here where in parallel to mainnet there's some testnets or some devnets that are led by people like Michal and Jonas and that thanks to companies like Project 11, there is a reasonably swift migration. Now one of the data points worth sharing is that if you're going to cycle through, every single UTXO on bitcoin is going to take about three months if the chain is dedicated to doing nothing other than cycling through these UTXOs. And so realistically, maybe we're talking more like a whole year to do the migration. But yeah, I think the bigger issue is going to be how are they going to solve this aggregation problem. There's the technically naive way of solving it, which is just increase the block size 20x to kind of counterbalance the fact that the pub keys and the signatures are that much larger. But there was a whole holy war that was fought on bitcoin block sizes and the small blockers won.
And I think it would be not super palatable to increase the block size by 20x. And so the solution that I'm presenting to the table for bitcoiners is maximum security with hash based signatures. A solution which gives them a scalability boost over what they have today and doesn't require them to increase the block size. So my hope is that in the three day post quantum workshop that we're organizing again this year, we're going to have more than just one bitcoiner, hopefully a handful of them. And if you'd like to come, my DMs are open and I'd be more happy to host you.
Laura Shin
Chris, what do you think?
Chris
Yeah, I mean I would say at sort of higher level, just backing away from the specific situation of bitcoin in the issue that we face of this very uncertain timeline of when and if quantum computers will emerge to the point where they can break our crypto is a very, you know, interesting kind of at an intellectual level. Right? How, how do you apportion your resources? How do you measure the risk? How do you predict? Well, we've got a long migration ahead of us. Where, when do we start? That is, is really a challenging, a challenging thing and so know reasonable people can come to, to different conclusions about that in their own context and projects. But I think overall, you know, I would say there does not seem to be any intrinsic blocker to quantum computers eventually scaling up to break cryptography. I think more and more people are coming around to the idea that, you know, it's a matter of engineering. It's a matter of are people going to put in enough budget to actually engineer these devices? And the directional that seems to be going is yes, it's going to happen sooner or later. And technology is very hard to predict. We have many examples in history where technology came on much faster than it was maybe expected to. And we have many instances where certain technologies took a lot longer to come out than than some of maybe the reasonable predictions had made.
Laura Shin
So I, I, I did want to ask about the issue about Satoshi's coins, which we brought up earlier because Satoshi has such a large number of coins. And from what I understand, the coins that Satoshi mined have a public key structure that is more susceptible to the quantum threat. And obviously because of the high dollar value on that, that number of coins that, you know, would be something that maybe somebody who developed quantum computing early could be motivated to attack first.
Chris
So could be the canary in the coal mine. Yeah.
Laura Shin
So I'm curious, like, do you feel like satoshi's coins in particular pose sort of a unique threat that bitcoin, out of all the blockchains has? Or, or do you, I don't know. What? Yeah. What do you think about that?
Justin
Yeah, I would say it is unique. It's, it's 5% of the Bitcoin supply. And I don't know of many chains that have like such a large amount of believed to be lost coins for which the public key is exposed. You know, as I mentioned previously in the show, the equivalent number for Ethereum is 0.1%, so about 50 times less of a problem from a quantitative standpoint. But because the delta is so big, it has qualitative different consequences. So in the case of bitcoin, it's going to be a whole debate. It's going to be a contentious fork. In the case of Ethereum is going to be a rounding error. No one's going to care that 0.1% of the coins are going to get stolen.
Laura Shin
Okay. So even though we've kind of been arguing that like bitcoin maybe has a little bit more of a threat, 21 shares just came out with an essay that I wouldn't say they're like minimizing the threat, but they are saying at least that they feel the way that it's been portrayed has been overstated. And so they did an analysis and they are actually saying that they believe only 10,000 to 20,000 bitcoins are actually going to be vulnerable and that. Only that they said so about 10,000 would be able to be suddenly, quote, suddenly and unexpectedly brought to market from compromised private keys. And the remaining coins sit in 24,000 individual Bitcoin addresses that hold about 50 bitcoins, and that it would take decades to steal those quote, even with the most wildly optimistic technological breakthroughs. So, so in that regard, then it sort of felt like, oh, maybe the threat has been overstated.
Justin
I don't know.
Laura Shin
What did you think of their analysis?
Justin
I haven't read their reports, but I can imagine what they're saying. And this goes back to what I was saying previously in the show, that there's different quantum computing modalities. There's the fast computers, the superconducting and photonics, and then the slow ones, the, the trapped ions and the neutral atoms, if you have the fast flavor. So, for example, you have Google working on the superconducting stuff. The estimate for the time it takes to crack a key is on the order of minutes, like roughly 10 minutes. And so what you could imagine is that Satoshi's coins would actually be stolen at the same rate as at which they were mined in the early days. And Satoshi only mined for a period of two years or something like that. I need to check. Exactly. And so it would take roughly two years to empty Satoshi's 1 million coins. But that's with a single computer. But of course, you could just have multiple quantum computers. You could have 10 of them, in which case the timeline shrink by, by a factor of 10x. So this, this conclusion from, you know, 21 shares doesn't make sense to me.
Laura Shin
Chris, what did you think?
Chris
Yeah, I mean, putting aside the specific numbers here, I think it's important to realize that when, when a technology kind of achieves liftoff, it, it grows very quickly. Right? So the time to go from one quantum computer that can break a, a key in a few minutes to the time where there are a hundred such computers is going to be a very short period of time. And once you're in that window, it's far too late to act, and you certainly don't want to be staring that down. So, you know, it's sort of a zero to one type of situation, right, where you, for a long time do not have the technology to do a task and then all of a sudden it's there. And then very soon after it's ubiquitous.
Justin
There's also a little bit of game theory where if you do have a quantum computer, maybe your best move is not to attack addresses immediately. What you could do is kind of scale it up to 10 computers and then kind of attack those in private and then all in one go, kind of steal steals first satoshi's coins.
Chris
It is, yeah, I should, we should probably mention, right, that for the situation where you have a public key that's actually public, you can run the attack in your, you know, basement not telling anybody, and you can discover the secret key and you can accumulate all the secret keys that you need quietly without taking any external action. And then now when you have all the secret keys, you use them to make the transactions that empty the wallets. So it's not a matter of, oh, the quantum computer has to be out there actively making itself known while it's, it's doing these cryptographic attacks. It's, it's a quiet attack. And then when you're ready, you, you take your action.
Laura Shin
Oh wow. This reminds me of the Bitfinex hack where the hacker knew what all the account balances were and drained the biggest ones in, you know, in order going down to the, the ones that had fewer coins. So basically the, the upshot is that any chains that want to prevent this type of attack have to act before quantum computing poses a threat to, to blockchains is that the basic takeaway, that's the bottom line.
Chris
And, and really that action, that, that action to upgrade things is a long slow one that's going to take a matter of years.
Justin
One kind of tangent, but I still think it's intellectually interesting is that the current elliptic curves that we have used the so called discrete log assumption and it is possible that a non quantum computer, a so called classical computer, could break these things. And the reason is that there's a lot of structure in these elliptic curves and you could imagine some sort of a mathematical breakthrough to happen. Now traditionally these mathematical breakthroughs have happened by humans, by mathematicians over periods of decades. But what we're seeing with AI is that time is shrinking and we're starting to potentially see AI is being much better than humans at mathematics. And so maybe they can find these kind of clever breakthroughs that leverage the structure of elliptic curves within a similar timeline or a shorter timeline than that of quantum computers. So this migration to post quantum cryptography is also a migration to post AI cryptography and is one that in My opinion should be done relatively quickly. And Chris mentioned the amazing world that would be available to us with lattices. So, for example, there's this technology called FHE fully homomorphic encryption that uses lattices. There's even more fancy stuff like witness encryption and obfuscation. And these are all things that we want. But there is a possibility that lattices get broken by an AI, partly because lattices involves these very structured mathematical objects, and it is at least plausible that there will be a breakthrough there. And so my personal thought here is that at the very foundations of blockchains, we should be avoiding these structured assumptions. So we should be going with maximally unstructured things like hash based cryptography. And the vast majority of assets, let's say 90% of them, should be conservatively secured. And then there's kind of the more exotic stuff that leverages the fancier assumptions that can be done on top. 
And if and when there is a break, it's actually not catastrophic and systemic to the whole industry.
Chris
Yeah, as my PhD advisor said, cryptographers seldom sleep well at night because there's always this prospect that, you know, your baseline mathematical assumptions about what is and isn't secure turn out to be wrong. Right. And we have to make the best bets we can with the information we have available. But, you know, as with quantum computers, the ground can shift under you quite quickly.
Justin
One final thought. Historically, the way that we've been thinking about post quantum cryptography is as a defensive technology against quantum computers. But in recent weeks and months at the Ethereum Foundation, we've actually changed our mindset. We now think of post quantum cryptography as being an aggressive strategy in order to attract, you know, institutional capital, for example. And we're now hoping to be the very first global financial piece of infrastructure that is post quantum secure and that could potentially be used as a way to attract capital from tradfi into Ethereum.
Laura Shin
Yeah, you've probably seen some people on Twitter making that point that Ethereum as an asset is looking very good from an investable standpoint, partly because you guys are being so proactive about the quantum threat. So, yeah, I think your strategy is a good one there. All right, everyone, this, this has been just fabulous. Thank you so much.
Chris
It's great talking with you.
Justin
Thanks, Laura.
Episode: Why Bitcoin Developers Are Not Incentivized to Talk About the Quantum Threat
Host: Laura Shin
Date: February 12, 2026
Guests: Justin (Ethereum Foundation), Chris (Algorand Technologies / Lattice-Based Cryptography Expert)
This episode delves deeply into the looming threat that quantum computing poses to the cryptography underpinning blockchains, especially Bitcoin. Laura Shin guides experts Justin and Chris through a discussion of what quantum computing is, its timelines, practical risks for crypto, technical and social challenges of migrating to post-quantum cryptography, and why the Bitcoin developer community seems slow to prioritize the threat. The conversation is technical yet engaging, with notable attention to the game theory, social dynamics, and possible solutions around the “quantum threat.”
"Maybe the bitcoin developers don't have an incentive to talk about the risk, even though they themselves kind of personally, privately appreciate the risk. ...I know with very high confidence that bitcoin is not going to stand the test of time because of the security budget and the happenings."
Chris [71:33]:
"Really that action, that... to upgrade things is a long slow one that's going to take a matter of years."
Justin [71:45]:
"Migration to post quantum cryptography is also a migration to post AI cryptography... We should be going with maximally unstructured things like hash based cryptography."
Chris [74:22]:
"Cryptographers seldom sleep well at night because there's always this prospect that your baseline mathematical assumptions ... turn out to be wrong."
Justin [74:47]:
"Historically, we've been thinking about post quantum cryptography as a defensive technology against quantum computers. But in recent weeks and months... we now think of post quantum cryptography as being an aggressive strategy in order to attract institutional capital..."
The future of blockchain security hangs in the balance of unpredictable quantum progress, social coordination, and technical innovation. Chains that procrastinate—especially Bitcoin with its exposed coins and conservative upgrade cycle—risk catastrophic theft and loss of trust. The race is on to develop, standardize, and coordinate post-quantum cryptography solutions before the “Q-Day” arrives, with Ethereum and Algorand proactively leading the charge. The threat is not just about defense—Justin suggests post-quantum cryptography may become an “aggressive” market differentiator to attract institutional capital as much as to ward off quantum threats.
Chris: “Really, that action… to upgrade things is a long slow one that’s going to take a matter of years.”
Updating cryptography before quantum computers reach liftoff is not just prudent—it is essential.
For full technical detail, practical migration strategies, and further updates, follow ongoing coverage and post-quantum workshops by guests and their teams.