# Post-Quantum Cryptography For Bitcoin | DAN BONEH

https://www.youtube.com/watch?v=F-HG87VJj_k

[00:00] If you try to aggressively move to a post-quantum architecture, like for example by 2029, I think that would be a mistake for the blockchain.
[00:08] I think we need to take our time.
[00:10] And the reason is that a hasty transition to post-quantum, in my mind, is more likely to cause a catastrophic bug than we'll be attacked by a quantum computer.
[00:20] Dan, welcome.
[00:20] Thank you.
[00:20] Thank you so much for being here.
[00:25] This is such a treat to have you here.
[00:26] You don't do interviews very often.
[00:28] Likewise, I'm looking forward to the next hour.
[00:30] It's going to be very exciting.
[00:32] You are, of course, one of the most prolific and influential cryptographers in the world, not just in the blockchain space, which we'll be focusing on today, but industry-sector-wide, so I'm very honored to have you here.
[00:47] And you were also co-author of the Google paper on securing elliptic curve cryptography from advancements in quantum computers, which I think we'll probably spend a good portion of this interview drilling down
[01:00] So, I'm very excited to get your thoughts, and I think it's been well over a year since you did an interview on that topic in particular.
[01:06] And my understanding is that your thoughts have changed and evolved since then.
[01:13] Indeed, lots to say about that.
[01:17] So, we will get into it.
[01:20] I'd love to just start, because I ask everyone this question.
[01:24] This is one of my common early interview questions.
[01:28] If you would, just to contextualize you in the space, share a little bit about your history, and specifically the Bitcoin and blockchain world.
[01:34] How did you get into Bitcoin?
[01:36] How did this come up for you?
[01:38] Sure.
[01:40] Let's see.
[01:42] Maybe I'll just take one second to say how I got into cryptography in general.
[01:44] So, I guess when I was growing up, I fell in love with computers at a pretty young age.
[01:49] I also loved math, math competitions, and all that.
[01:53] And when I took a cryptography course in college, I realized, "Oh my god, I can have my love of computers and love of number theory and algebra combined into cryptography," and that was very clear after I took that course.
[02:03] It was clear this is what I want to do for the rest of my life, and that's what I studied in my PhD, and that's what I did after graduating and becoming a professor at Stanford.
[02:15] So cryptography is my passion, that's all I work on, and it's just such an amazing field.
[02:20] There's constantly new problems to think about, new application areas.
[02:27] It's just an incredible field that combines both deep mathematics and practice.
[02:32] So what more can you ask for from a research area?
[02:35] And then the way I got into blockchains, and Bitcoin in particular: I have to say, like everything else, I got into it through my students.
[02:43] So what happened is my students started asking me, this Bitcoin thing came out, what is that?
[02:50] Can you explain that to us?
[02:52] So I went to look at what Bitcoin is, and then I said, oh, this is just another digital payment system.
[02:59] We've seen digital payment systems before; they never took off.
[03:05] They've been around for quite a while.
[03:07] So let's wait and see.
[03:10] And so initially, to be honest, I ignored it.
[03:13] But then of course it started growing, and more and more students started asking me, what is this Bitcoin?
[03:19] Is this going to change the world?
[03:20] And this was actually, by the way, fairly early on.
[03:23] Yeah, when was this, about?
[03:24] Like, what's the timeline here?
[03:27] I don't remember exactly, but it seems like maybe 2012-13.
[03:31] So around.
[03:31] Okay.
[03:31] So pretty early.
[03:34] Around that era.
[03:35] Yeah.
[03:37] And so then I have to say I started looking more deeply into what it's about.
[03:45] Turned out to be pretty interesting, actually, when you start to dig into it.
[03:48] There's a lot going on, and really interesting technical questions.
[03:52] And the thing that really hooked me is we wrote some papers about cryptography for Bitcoin.
[03:57] And one of the things that really drew me into the space is the fact that we wrote a paper, and within six months a blockchain actually deployed it.
[04:09] Hm.
[04:12] And that is something that simply does not happen on the internet.
[04:14] Hm.
[04:17] You know, it is so difficult to get new cryptosystems adopted on the internet.
[04:18] Whereas in the blockchain space, people are hungry for new ideas, and they're very excited to actually go and experiment and deploy new ideas.
[04:27] And the minute that happened I was hooked.
[04:28] That, to me, was like a transition.
[04:31] I said, "My god, this is such a cool space."
[04:33] And I switched all my research to basically doing what I call cryptography for blockchains.
[04:41] And I'll say over the years it has turned out remarkable that the blockchain just keeps on generating new, beautiful questions in cryptography.
[04:50] Yeah?
[04:52] So as cryptographers we're always looking for new research challenges.
[04:57] And the blockchain just provides it; it's like a kid in a toy store.
[04:59] There's so many interesting basic cryptography questions that the blockchain brings out that it'll just keep us busy as researchers for many, many years to come.
[05:11] And that's why I love the space so much.
[05:13] Would you say that it's fair, I mean, is it a fair assumption to say that you really became seriously hooked by this when there started to be all of these new blockchains developed post-Bitcoin, right?
[05:24] Because Bitcoin's cryptography is relatively, I don't want to use the word straightforward, but it certainly doesn't change much.
[05:34] Would you say that's a fair assumption, that once these other blockchains, once Ethereum and all of these other chains came about, you had more to grip into on the crypto
[05:45] First of all, I want to push back on your premise.
[05:46] Bitcoin itself is super interesting from a cryptography point of view.
[05:50] Okay.
[05:51] I think, in fact, one of my earlier papers, this was with Joe Bonneau and Benedikt Bünz, was on proof of solvency.
[05:56] Okay.
[05:58] How do you prove in zero knowledge that an exchange is solvent?
[06:00] That's a purely Bitcoin question.
[06:01] Interesting.
[06:03] And it turns out you had to develop new zero-knowledge mechanisms to do all that.
[06:07] That's a Bitcoin-motivated question.
[06:12] Even within Bitcoin, how do you do what's now called MPC, protecting secret keys by splitting them up, either for ECDSA or for Schnorr.
[06:21] Those are fantastic, interesting questions to think about.
[06:25] And so even within Bitcoin there's still lots and lots of interesting cryptography questions to think about.
[06:30] Now, it is true that one of the strengths of Bitcoin is that it doesn't change, right?
[06:37] And other blockchains are more amenable to change.
[06:39] And in fact, yes, other blockchains like Ethereum, Solana, and so on have actually raised more interesting problems for cryptographers to work on.
[06:47] So, you know, I view myself as someone who just loves technical challenges.
[06:54] I'm neutral about the blockchains.
[06:57] I love technical challenges.
[06:59] And so any blockchain that has an interesting cryptography problem, please come talk to me.
[07:03] Because that's what I love to work on.
[07:04] And my group, we're here for you.
[07:08] You originally, I mean, I think many people view your influence as starting with the co-creation of pairing-based cryptography specifically, which has enormous implications for various blockchain-related applications, including the development of zero-knowledge proofs.
[07:25] Generally most SNARKs use pairing-based cryptography.
[07:31] I'm wondering, what were the primary applications for pairing-based cryptography before blockchains and Bitcoin and zero-knowledge proofs came to be?
[07:40] Like what were you working on pre-Bitcoin and blockchains?
[07:43] Oh, I see. Yes, yes, of course.
[07:45] So, pairing-based cryptography was developed long before the blockchain came about.
[07:49] The reason I loved it so much is because all of a sudden there's this new algebraic tool called a pairing that was developed for some very deep questions in algebraic geometry that have nothing to do with cryptography or, to be honest, nothing to do with the real world.
[08:08] It's like very beautiful mathematical questions, and as a result these pairings had to be developed.
[08:16] And then it turned out that all of a sudden pairings are useful for building crypto systems.
[08:19] Yeah?
[08:21] But were they not super useful before that?
[08:23] I mean, like super useful.
[08:25] Oh, yeah.
[08:25] Oh, they were.
[08:27] They had like true applications before.
[08:29] Yeah, yeah, yeah.
[08:29] In fact, one of the very first papers we wrote on pairings was to solve this long-standing open problem called identity-based encryption, which is a particular form of encryption.
[08:40] And then things took off from there.
[08:42] Then we came up with the BLS signature and the fact that it's aggregatable, which is something that we hadn't seen from a signature scheme before.
[08:48] So, all of a sudden pairings enabled a whole new generation of cryptosystems that had properties that we never had before.
[08:58] So, in some sense, when we were forced to just use RSA and discrete log systems, there's only so much we can do.
[09:06] All of a sudden this tool fell on us from the sky that enabled us to do so many new things that we simply couldn't do before.
[09:13] And I would say that ushered in a golden age; this was in the early 2000s, the first and second decade of the 2000s, that basically all of a sudden let us build cryptosystems that we couldn't even dream of building before.
[09:27] They had properties that were both efficient and sounded like they couldn't be done any other way.
[09:35] And so that was the remarkable thing about pairings.
[09:39] I should say that this is why, again, the field of cryptography is so exciting.
[09:42] Every time a new tool comes along, we use it to build new things.
[09:46] So another tool that came along, I guess also mid-2000s, is this tool called lattices in cryptography.
[09:54] And lattices all of a sudden enabled us to do a bunch of other stuff.
[09:57] So in particular, the most exciting thing we can do from lattices is something that was developed by one of my former students, Craig Gentry, called fully homomorphic encryption.
[10:05] Which was an age-old problem in cryptography that we couldn't solve.
[10:10] And all of a sudden, using this new tool, we could build fully homomorphic encryption.
[10:15] And I think this is never going to end.
[10:16] Every time a new tool comes from algebra or mathematics, we're able to use it to build new cryptosystems that we couldn't build before.
[10:25] Maybe I'll just say here, since I can't skip over this, that one of the big open problems that we're facing today, that actually Bitcoiners need as well, is what's called cryptographic obfuscation.
[10:35] Yeah?
[10:35] So sometimes related problems to that are called witness encryption or functional encryption.
[10:43] These are all problems that are related to one another in one way or another.
[10:46] The best constructions we have for that today are not, let's say, practical.
[10:51] Yeah?
[10:51] They're inefficient.
[10:54] And so we're in a waiting pattern.
[10:55] Clearly the tools we have today are not powerful enough to build efficient obfuscation, efficient witness encryption, efficient functional encryption for general functionalities.
[11:05] We're waiting for a new tool to appear that would let us solve these things much more efficiently.
[11:11] And this is why this space is so exciting, right?
[11:13] I mean, all it takes is some new tool that falls on us from algebraic geometry, and poof, all of a sudden we'd be able to do things that we haven't been able to do before.
[11:22] Yeah?
[11:24] Well, it's certainly interesting that you bring up lattice-based cryptography, because I think we're going to be getting a lot deeper into lattices in a few moments.
[11:30] Very relevant for the quantum conversation in particular.
[11:35] Lattices are of course generally considered quantum resistant broadly, or does it just depend?
[11:42] Believed to be quantum resistant.
[11:45] Before we dive deeper into the quantum question, and speaking of history, you've been in the space long enough to remember when Shor's was developed.
[11:54] Yeah, yeah.
[11:55] Of course, being the algorithm that could potentially break elliptic curve cryptography, the signatures that protect Bitcoin private keys.
[12:00] Can you share a little bit about that and what that moment was like?
[12:04] Oh yeah.
[12:05] Oh my god, that was an exciting time.
[12:08] So yeah, Peter Shor's paper came out back in 1994.
[12:11] It was a beautiful work.
[12:14] So at the time, actually, maybe I could go back one step further.
[12:17] So you probably know the original idea for quantum computers is attributed to Richard Feynman.
[12:24] So Feynman, what he realized is that when you try to simulate a quantum experiment on a classical computer, it's really slow.
[12:28] It's really hard.
[12:31] Yeah?
[12:33] And so he had this observation, or this insight, that maybe a quantum experiment can perform a computation that's really hard for a classical computer.
[12:44] That's why we're having so much trouble simulating these things on a classical computer.
[12:48] And boy, was he right.
[12:51] Yeah?
[12:51] So it took some time, but people first of all defined what a quantum computation looks like.
[13:00] And so that model has been defined.
[13:02] It's now called BQP, basically, effectively, quantum polynomial time.
[13:12] Yeah.
[13:15] And so we have an understanding of what a quantum algorithm actually looks like.
[13:20] And then the next question is, well, what can we use it for?
[13:23] And so there were some initial ideas for what we can use a quantum algorithm for.
[13:28] And I have to say that there've been a couple of insights there, but to keep the story short, I can say that Shor's algorithm came as a bombshell to say, "Wait a minute, this new model that you guys just defined enables us to do something that we don't think is possible on a classical computer, namely factor large integers and compute discrete log in an arbitrary group, any group."
[13:49] We can break discrete log.
[13:53] The paper itself was really quite pretty, I think.
[13:57] I'd like to talk a little bit about the mechanics of Shor's algorithm in just a second.
[14:01] So, the paper itself is quite pretty.
[14:03] You know, it came out.
[14:05] I guess I was really excited about that.
[14:06] I actually wrote some papers myself, trying to generalize the algorithm, right after it came out.
[14:13] And so, maybe I can tell you a little bit of my personal view of quantum computing.
[14:18] So, initially I was very excited.
[14:20] It seems like the reality is, if you believe the axioms, the postulates of quantum mechanics, then quantum computation is possible.
[14:28] It's just an engineering problem.
[14:30] Just an engineering problem of building a quantum computer.
[14:33] So, I was quite excited.
[14:35] Actually, like I said, I even wrote some papers shortly after.
[14:38] When?
[14:38] Just again, to contextualize the time, because there's been this evolution of thought here.
[14:41] So, like, when was this? This was like mid-1990s.
[14:45] Okay.
[14:45] Yeah, so fairly early on then.
[14:47] Okay.
[14:47] But then, early rumblings of quantum computers even potentially being something we could build.
[14:53] Exactly.
[14:54] Okay.
[14:54] Exactly.
[14:54] Exactly.
[14:54] Yeah, and then I have to say there was an explosion in quantum algorithms, of various things we can do with a quantum computer.
[15:03] In fact, there's a beautiful site.
[15:05] It's called the Quantum Algorithm Zoo.
[15:06] You can Google it, and there's a list of all the beautiful quantum algorithms that have been developed.
[15:12] It's really quite an active area.
[15:16] There's whole conferences devoted to quantum algorithms.
[15:18] So, there's a lot we can do beyond factoring and discrete log, mostly algebraic questions, but yes, there are quite a few problems that we can solve using a quantum computer.
[15:28] But then the question is, can we build it?
[15:29] Yeah?
[15:32] And so now the problem is on the physicists, not the computer scientists.
[15:35] Yeah?
[15:37] So initially the attempts to build a quantum computer were these NMR techniques, and with these NMR techniques it was pretty clear they're not going to scale.
[15:45] Yeah?
[15:45] But that was the method that people were quoting for quite a while, and that was a little disappointing, because that's clearly not going to get us to where we need to go.
[15:53] So in some sense I got a little bit... you know, "just an engineering problem" is maybe a harder problem than we thought.
[16:04] I used to say to myself, "Oh my god, I wish I would flip on the TV and a Star Trek episode would come on screen, and Spock would say, 'We intercepted an encrypted message from the 20th century, but that's okay, we have a quantum computer, we can break it.'"
[16:20] Yeah? So in a sense quantum computers would only be built in Star Trek times.
[16:25] Yeah?
[16:25] Because the engineering problem seems to be really hard.
[16:30] So that was the feeling, that the field is not making progress.
[16:33] But then a couple of things changed.
[16:36] Okay.
[16:37] Yeah?
[16:39] [laughter] I was just going to ask you how bullish you are that these theoretical advancements will actually translate into real, practical hardware able to run Shor's, essentially.
[16:53] Yeah, yeah.
[16:53] No, of course, that's a great question.
[16:55] So like I said, there's two big ideas that came about, physical ideas, that changed the development of the space.
[17:03] So one is what are called superconducting qubits.
[17:05] And so the groups at IBM, at Google, at Rigetti, and some other companies...
[17:11] These are like the most promising directions?
[17:15] Right, okay.
[17:15] Yeah, there's a couple of avenues that people are exploring.
[17:22] The ones that seem the most advanced are basically the superconducting qubit methods.
[17:27] This is basically using VLSI techniques.
[17:29] I'll say that those experiments are not that easy to build, which is why it takes IBM and Google and well-funded startups, because you have to cool everything down to almost absolute zero.
[17:41] So, these experiments, you probably remember these pictures of a quantum computer?
[17:45] They're all running inside of these big fridges.
[17:47] Everything has to be cooled down.
[17:48] So, they're kind of expensive experiments to do.
[17:50] How long do you think it takes to build?
[17:52] Let's just say that in theory we could figure out, just on paper, how to get to breaking a 256-bit elliptic curve.
[18:00] How long would it take to then build something that could potentially run Shor's?
[18:06] Yeah, okay.
[18:07] Actually, you know, that's a great question.
[18:09] But let me finish the story, and then we can talk about timelines.
[18:13] Because those are very relevant.
[18:15] So, one approach that seems very promising is the superconducting qubits.
[18:19] But these are experiments that are kind of... there's a lot of hardware involved in doing the experiments.
[18:26] Meaning, and the implication of that is that there's advancements theoretically that then can't be proven physically, because it's so difficult to build these things in practice.
[18:34] You can't test things in the physical real world.
[18:36] You can.
[18:38] And there have been many tests, actually.
[18:38] But it's difficult.
[18:40] It's challenging to.
[18:41] Yeah, the apparatus takes some work to build.
[18:46] The other direction... by the way, these are all physical experiments that have been done.
[18:49] Yeah.
[18:49] The other direction that's very promising is what are called neutral atoms.
[18:55] So that technique is much easier for people to experiment with.
[19:00] And in fact, there's an explosion of startups actually building quantum computers using neutral atoms.
[19:06] And they're easier to build?
[19:08] Like, it's easier to build computers using neutral atoms?
[19:10] Yeah, yeah.
[19:11] I'll talk about the distinctions between the two in a second, but as a mental model, let me explain how a neutral atom computer works.
[19:21] I'll definitely be imprecise, and what I'll say is not quite correct,
[19:26] but I think it's a good mental model for how to think about a neutral atom computer.
[19:32] And so the way it works is basically you have this one laser that creates these traps.
[19:38] So you take one laser, you split it up into 10,000, 50,000 beams, which is technology that exists today.
[19:47] For example, lidar in cars: they have one laser that gets split up into a lot of beams.
[19:51] So that's basically mostly dealing with optical hardware, which you can just buy.
[19:58] So you have a laser, you have some optical hardware.
[20:03] And yeah, there are companies that will sell it to you.
[20:06] And then using those isolated beams, you can build what I call traps.
[20:09] So you can trap the atom where it is.
[20:14] So using one laser beam, splitting it up, you can build 3,000, 10,000.
[20:18] There was even some discussion; I saw one paper, one experiment that actually hasn't been done yet, that claims to go even above 100,000 traps.
[20:31] And so potentially you can have a large number of atoms trapped under this laser beam.
[20:37] And then so they're just sitting there.
[20:40] Yeah, the beam traps them, cools them down, so they're just sitting there.
[20:45] So that's what we call the memory zone of the computer.
[20:47] And then when you want to act on these atoms, so this is part of a step of a quantum computer, you have to implement what's called a quantum gate.
[20:54] So you can take two neutral atoms, bring them into the entanglement zone.
[21:02] So just like you have the trap that's holding them fixed, you can also move those atoms together into the entanglement zone, and there's another laser that shines on them that causes them to get entangled, and then you take them back to memory.
[21:17] Then you pick the next two, you bring them to the entanglement zone, entangle them, and you move them back.
[21:20] And in fact, you can even do this on groups of atoms as an optimization.
[21:24] So again, this is not precisely how this works, but it's a good way to think about this.
[21:28] So you have memory, you have effectively a CPU that's operating on these bits.
[21:34] And then, once you're ready to measure, you can actually bring these atoms into a measurement zone and look at them and measure and get the result out.
[21:43] So this is sometimes called a three-zone architecture for a neutral atom computer.
[21:47] Turns out there's a fourth zone, because all this is happening in a vacuum chamber.
[21:50] So you have to build a good vacuum chamber. That's one expensive piece you have to do.
[21:55] But a vacuum chamber is not completely empty.
[21:57] So sometimes you have an atom that's roaming around that hits your trap and knocks the atom that's in the trap out of the trap.
[22:06] So you lose atoms in the trap once in a while.
[22:11] So there's another zone that's used to replenish atoms into the trap.
[22:12] Yeah. And these styles of quantum computers, these builds of quantum computers, these have been in development for many, many years.
[22:22] Not that many years, actually.
[22:27] You know, neutral atoms, I guess they're about a decade old.
[22:30] Okay.
[22:31] >> But the actual experiments, if you look at the exciting experiments, they're just in the last two or three years.
[22:37] Okay.
[22:38] >> This is like a relatively new development.
[22:41] >> Okay. So you would say in the last two or three years, that's when your maybe previous skepticism started to be turned. I mean, is that fair?
[22:49] >> Yeah. Yeah. So maybe it's worthwhile also saying, maybe we're going too much into the physics here, but let me also say one more thing.
[22:53] So we have these two approaches, superconducting qubits and neutral atom approaches. There are others, like ion traps and photonics, that I won't talk about here.
[23:06] But there's kind of core differences between them.
[23:08] In superconducting qubits, the bits don't move. Because of that, they can only talk to their direct neighbors.
[23:13] So the connectivity graph is not very big. You can only talk to your neighbors, and that limits the type of computations you can do.
[23:22] However, superconducting qubits, because of this, they're quite fast. You can implement a gate in about 10 microseconds.
[23:32] Yeah, 10 microseconds. Yeah. With the neutral atoms, because you have to move things back and forth, things are actually slower. So there you can implement a gate in about 10 milliseconds. So it's about 100 to 1,000 times slower.
[23:45] Yeah, so superconducting, remember, is fast. Neutral atoms is slow. Okay.
[23:49] Superconducting, limited connectivity. Neutral atoms, arbitrary connectivity.
[23:54] So you can implement computation more efficiently. Okay. Those are the tradeoffs.
[23:57] I think, like everything I say here, by the way, is greatly simplified and not entirely accurate. Mhm. But I think as a mental model, this is a good way to think about these architectures.
[24:10] >> Is one or the other just simply, from a net perspective, more promising?
[24:16] >> Yes. Okay. Okay. So now it's looking like the neutral atom approach actually might be the one to scale first.
[24:23] >> Which is new, which is not previously believed to be the case.
[24:26] >> And yeah, and I can say we can even see that: just about three or four weeks ago, Google made an announcement. Google was very heavily invested in the superconducting approach. And just three or four weeks ago, they said that they're now going to continue with the superconducting effort, but they're going to start a new effort on neutral atoms.
[24:45] Yeah. So you take that as a low-key endorsement of the neutral atoms perspective.
[24:49] Yeah, so they hired a bunch of people to now work on neutral atoms. And so they're going to pursue both approaches in parallel.
[24:57] But also, yeah, so the neutral atoms approach, A, because it's simpler to build, there are more companies, more groups actually doing it.
[25:06] In fact, there's a new lab at Stanford that's actually building a neutral atom computer, which I'm pretty excited about.
[25:11] So it's just to show you that it's simple enough that actually labs in universities can get involved and build these experiments.
[25:21] >> And is it these physics-related advancements that tipped you more into the conservative, we-should-get-prepped-for-this mode?
[25:32] Yeah, you know,
[25:34] it's interesting. So,
[25:37] when this when should we worry about
[25:39] quantum? I'm a little surprised. It's a
[25:41] very divisive topic. Very divisive in
[25:44] the in the Well, the implications are
[25:46] pretty significant.
[25:47] It's true. Yeah. So, I'll say this. I
[25:50] would say kind of things fall into two
[25:51] groups, right? So, there's one group of
[25:54] people that says,
[25:55] you know, it's plausible that we'll have
[25:58] a working computer before 20 2035, let's
[26:01] say. Yeah, to be to be generous.
[26:04] Which you previously I have heard you on
[26:06] record saying that you thought it was
[26:07] like probably pretty A year ago, I think
[26:10] you said on a podcast you thought it was
[26:11] unrealistic that we would have a working
[26:13] a cryptographically relevant quantum
[26:14] computer for before 2035.
[26:17] Do you still feel that way? Honestly,
[26:18] when you look at the number of
[26:20] challenges that that remain to be solved
[26:22] to scale these computers, I still think
[26:24] it's going to take a fair number of
[26:25] years. Well beyond 2035?
[26:27] >> I don't know if well beyond, but But you
[26:29] think you would put the over/under on
[26:31] 2035 at like So, let's just say there's
[26:33] one group that's really
[26:36] uh
[26:36] Their their their point is Some people
[26:39] say even it's it's potentially possible,
[26:41] maybe unlikely, but potentially possible
[26:43] that one will be built even by the end
[26:45] of the decade. That seems to be very
[26:47] aggressive to me.
[26:49] Uh
[26:49] I think it It's one of these things that
[26:51] might be possible if this became like a
[26:54] Manhattan-sized project, right?
[26:56] You know, in the when when the Apollo
[26:58] program was running the you know, the
[26:59] the moonshot was happening. That was
[27:01] like two to three percent of the US GDP.
[27:03] Right, I think you described it in a
[27:05] previous interview as a national
[27:06] priority versus a business interest.
[27:09] >> exactly.
[27:09] >> Right, if it becomes a national priority
[27:11] then and we're all activated to solve
[27:14] this.
[27:14] >> If humanity is devoted to building a
[27:16] quantum computer, then maybe we can get
[27:18] it we can get it done. There's still
[27:20] lots of hurdles to solve. You know,
[27:22] maybe we can get it done sooner than
[27:24] what one one might expect.
[27:26] But that's not happening. Yeah, right
[27:28] now it's right now it is
[27:30] basically VC funded efforts, startups
[27:33] that are running towards this. I guess
[27:35] Google and IBM
[27:36] are running towards this. The Google and
[27:37] IBM groups are not huge. It's not a huge
[27:41] investment Okay.
[27:42] >> that Google and IBM are making.
[27:43] >> But it's still like billions of dollars
[27:44] though. I mean, it's significant.
[27:47] >> They're They're definitely investing,
[27:49] but it's not like It's not like
[27:51] let's say Google is investing in AI
[27:54] and Google investing in quantum. Totally
[27:56] different.
[27:56] >> Totally different scales. Completely
[27:57] different scales.
[27:58] >> Fair. Not even in the same ballpark.
[28:00] Right, right, right. You know, if
[28:01] Google put the efforts that they're
[28:03] putting into AI into building quantum,
[28:05] we would be having a very different
[28:06] conversation.
[28:06] >> We'd be more scared.
[28:07] >> Yeah, we would be having a different
[28:08] conversation. So, the question is at the
[28:10] current level of funding, how long do we
[28:13] think it's going to take? Again, nobody
[28:15] knows. I can tell you that
[28:18] from speaking to the physicists and kind
[28:20] of reading the physics papers on this
[28:21] stuff, there are a lot of technical
[28:24] challenges that have to be solved to
[28:26] scale superconducting qubits and neutral
[28:28] atoms. We're not there. Yeah, there are
[28:30] a lot of technical challenges. The main
[28:32] one or one of Well, there's many. One of
[28:35] the issues that you always have to
[28:37] harp on is always about the quantum
[28:38] error correcting code. How complicated
[28:40] is it to run to implement the quantum
[28:42] error correcting code? Um and we'll talk
[28:44] about more more about that in just a
[28:46] second. Uh but given that
[28:49] it's it seems like So, yeah. So, it
[28:51] seems like anything between 2035 and
[28:53] again, this is my opinion given the
[28:55] current level of funding
[28:58] seems
[28:59] I think
[29:00] it's reasonable to assume that it's
[29:01] going to happen after 2035. So, you
[29:03] would put it in the category of possible
[29:05] but unlikely. But before 2035. Depending
[29:08] on the level of investments.
[29:09] >> because of possibility but unlikely.
[29:12] >> Exactly. Exactly. Yeah, exactly. So, I
[29:14] mean the message I would like to make
[29:16] kind of get across is you don't need to
[29:18] panic about this about the
[29:20] the effect of quantum computing, but at
[29:22] the same time we shouldn't be ignoring
[29:23] it. And the reason we shouldn't be
[29:25] ignoring it because because the
[29:27] transition is going to be very painful.
[29:28] And we'll talk about the transition in
[29:30] just a little bit. And that transition
[29:31] is going to take a long time. And we
[29:34] need to start early enough to give us
[29:36] enough time to do it. We are definitely
[29:38] going to get into this very lengthy and
[29:40] probably painful transition. I have many
[29:42] many questions about that. But really
[29:44] quickly Sorry. There's one more thing I
[29:46] want to say. There's another group. So,
[29:48] there's one group that says, you know,
[29:50] we should be worried right now before
[29:51] 2035 Yeah, and so on and so forth.
[29:54] There's another group of people that
[29:55] basically says, "Oh, this is not going
[29:57] to happen in our lifetime. This is Star
[29:59] Trek technology. We don't need to worry
[30:01] about this at all."
[30:03] You know, that seems to be also not
[30:07] quite the right thing to to to say to be
[30:10] honest. And I like to kind of draw this
[30:12] analogy. So, the analogy I would bring
[30:15] up is the the development of human
[30:18] flight. Yeah? I think it's useful to
[30:21] remember that throughout the 1800s
[30:24] people kind of knew that how lift works.
[30:27] People knew that if, you know, a wing
[30:29] moves fast enough, you can generate
[30:31] enough lift to lift to lift a human.
[30:34] So, the theory of flight was kind of
[30:35] understood for many many years for many
[30:37] decades. But no it was just an
[30:39] engineering problem. Kind of like what
[30:41] we're facing now.
[30:42] >> Mhm. In fact In fact, there were many
[30:43] failed attempts at building a plane that
[30:46] just didn't fly. To the point where it's
[30:48] really interesting to remember uh in
[30:50] 1903, the New York Times ran an article
[30:54] saying human flight
[30:57] heavier-than-air human
[30:58] flight is not possible and it will not
[31:00] be possible for a million years. Yeah,
[31:02] there was literally an article in the
[31:04] New York Times
[31:05] 10 weeks later Kitty Hawk, the Wright
[31:08] brothers happened. Just 10 weeks later.
[31:10] So, I think this is And by the way, once
[31:12] Kitty Hawk happened and they you know,
[31:14] in Kitty Hawk 1903, the Wright brothers,
[31:16] they only flew for like what is 300 ft
[31:18] or so? They They was a small flight.
[31:21] Yeah?
[31:21] Once they did that, things really took
[31:23] off quickly. Yeah, like within a year or
[31:26] two or just a small number of years,
[31:27] they were already flying all all over
[31:28] the place. By 1919, there were already
[31:31] transatlantic flights. Um so, I just The
[31:34] reason I'm bring I'm bringing this
[31:35] analogy up is people who say this is
[31:38] Star Trek technology just you know, need
[31:40] to think a little bit about what
[31:41] happened with human flight. All it took
[31:43] is like one step, one physical
[31:45] experiment, and everything happened.
[31:47] Everything kind of took off from there.
[31:49] Personally to me
[31:51] um I think we've already had the Kitty
[31:53] Hawk moment of quantum computing. And
[31:55] that is uh what's called the Willow
[31:56] experiment back in 2024. So, Google was
[32:00] able to actually show that they can
[32:02] implement quantum error correcting codes
[32:04] using 105 physical qubits. Yeah, so they
[32:07] did a superconducting experiment. They
[32:09] showed that we can actually build a
[32:10] logical qubit using physical qubits and
[32:13] they can actually run the logical qubit
[32:15] uh corrector and it actually corrects
[32:17] the errors.
[32:18] Since then, so that's was 2024.
[32:21] In June 2025, there was a paper that
[32:23] appeared. This is a paper by Dolev who's
[32:24] currently at Caltech.
[32:26] They did an experiment using neutral
[32:28] atoms on 448 atoms, 448 atoms.
[32:32] They demonstrated a quantum error
[32:34] correction works, that it actually
[32:35] corrects errors across I think they did
[32:38] uh 27 gates. So, they were able to run a
[32:41] circuit of depth 27. Already that
[32:43] generates a lot of errors. Right? You
[32:45] remember you you remember if you bring
[32:46] these atoms together, bring them back,
[32:48] bring more atoms together, bring them
[32:49] back. So, you're moving them back and
[32:50] forth. So, uh that generates a lot of
[32:52] errors and and that experiment
[32:54] demonstrated that error correction
[32:55] actually is able uh to correct errors uh
[32:58] in that experiment. Um so, 27 gates,
[33:01] quantum error correction.
[33:03] That's literally June 2025. It's like
[33:05] I'll just under it less than a year ago
[33:07] that that that that was done. And so, I
[33:09] think we're kind of at a moment now
[33:11] where where things are going to start
[33:12] scaling, you know,
[33:14] um you know, human flight took off
[33:16] really quickly.
[33:17] Uh things are going to start scaling
[33:18] now. Now, that's not to say that this is
[33:21] happening tomorrow. No, this is not at
[33:23] all what's happening. This is there are
[33:24] still lots You have to understand
[33:26] there's a lot of technical challenges
[33:28] that have to be solved before we can
[33:30] scale a quantum computer to um to what's
[33:32] needed to run Shor's.
[33:34] Um but kind of the components are there.
[33:36] The components are there. They're like
[33:37] in different papers now. The components
[33:39] are there. Somebody needs to bring it
[33:41] together and uh build a large enough
[33:43] experiment. And there are many startups
[33:45] and companies that are trying to do just
[33:46] that.
[33:47] >> Can Can you give some examples of the
[33:49] unsolved problems that you're
[33:51] referencing when you say there are many
[33:52] problems that need to be solved? Like
[33:54] what are those specifically? And and is
[33:57] there a reason to believe that those are
[33:59] problems that could be solved suddenly
[34:01] um rather than, you know, incrementally
[34:03] over time? Uh no, I'm I'm pretty sure
[34:06] they will be solved incrementally over
[34:07] time. There's no sudden Okay. So,
[34:10] I I would say that uh before
[34:12] >> Because that's that's the concern,
[34:13] right? Like I think that there's
[34:14] broadly, you know, this concern that um
[34:17] you know, all of the sudden these things
[34:19] that are currently not possible will
[34:20] just like magically become possible and
[34:22] the timeline will compress, right?
[34:24] That's sort of like the fear narrative.
[34:26] And then I think like the opposing kind
[34:27] of more skeptical narrative is that no
[34:29] no no, we're going to have tons of
[34:32] runway on this because actually it's
[34:35] exponentially more difficult to scale as
[34:38] you put more qubits together. And you
[34:40] know, so I kind of want to drill down
[34:41] into that and and sort of where you lie
[34:44] in that argument specifically.
[34:47] Look, the reality is we we we don't
[34:48] know. Yeah, to be realistic, it's poss-
[34:51] it's possible that quantum computers
[34:53] will never be built. Yeah, it's
[34:55] possible.
[34:56] >> Is it poss- well, is that possibly
[34:58] provable? Like could something come up
[35:00] that could prove that this is just not
[35:01] physically possible or is it just Yeah,
[35:04] of course. So, you know, quantum
[35:06] mechanics has never been
[35:07] tested at the scales that are needed for
[35:09] Shor's algorithm. Um, and so, you know,
[35:12] there's a paper that the physics paper
[35:13] that appeared last year.
[35:15] I I don't subscribe to that paper, but
[35:17] that paper says quantum mechanics is
[35:18] wrong. Yeah, we actually
[35:21] >> for that? Like are there is there like
[35:22] an incentive for somebody to prove that
[35:24] Shor's cannot be run by a quantum
[35:25] computer? Well, it could it could be. I
[35:28] don't think that's going to happen, but
[35:29] it could be that we try to scale up
[35:31] these experiments and all of a sudden it
[35:33] turns out we're getting wrong results
[35:35] because our understanding of quantum
[35:37] mechanics is incorrect.
[35:38] I don't think that's going to happen cuz
[35:40] quantum mechanics as far as we know is
[35:41] correct.
[35:41] >> billions of dollars trying to
[35:44] make sure that to to make that to prove
[35:46] the opposite basically that By the way,
[35:48] this is very true, but I would say that
[35:50] even Come on, even if we learn that our
[35:52] understanding of quantum mechanics is
[35:53] incorrect and there's a different
[35:55] physical theory of the universe,
[35:57] that's like a once-in-a-century event.
[35:58] That that is like
[35:59] >> Nobel Prize.
[36:01] Forget no- of course Nobel Prize, but I
[36:02] mean just the implication for what we
[36:04] can do if we have a different
[36:06] understanding of our universe, that
[36:07] would be incredible. Yeah, and so, I
[36:10] think it's kind of a win-win situation.
[36:11] Okay. So, you don't think there's like a
[36:13] situation where we have like misaligned
[36:15] incentives where it's like, you know,
[36:16] there's so much money and run it in
[36:18] potentially running Shor's one day,
[36:20] which even that I'd like to drill down
[36:21] into. Like why are we spending all this
[36:23] money just to break all of our
[36:24] cryptography? Is there other reasons why
[36:26] we want to Yeah, yeah, maybe we should
[36:28] talk about that. Yeah, so so yeah, it's
[36:30] also want to go through the Google paper
[36:32] cuz there's a lot of very cool ideas in
[36:34] the Google paper that that I want to
[36:35] that I I want to get through.
[36:37] Yeah, so you so your question is why
[36:39] build a quantum computer in the first
[36:41] place? Yeah.
[36:42] So it's kind of I don't know it's kind
[36:44] of
[36:46] maybe funny is not the right word but it
[36:47] is funny that the universe is in some
[36:49] sense messing with us. Yeah, the
[36:50] universe gave us this
[36:52] magical ability to compute things that
[36:55] we can't compute classically using a
[36:56] quantum computer. And what is it good
[36:58] for?
[36:59] Causing harm. Right, right, right.
[37:01] >> Breaking cryptography.
[37:02] Right. So
[37:03] is it good for anything else? So first
[37:05] of all I did mention the quantum zoo.
[37:07] There's a whole bunch of algorithms that
[37:08] can be run on a quantum computer.
[37:11] The other application we people always
[37:12] talk about is what's called quantum
[37:14] simulation and that is has to do with
[37:17] solving problems in chemistry
[37:19] computational chemistry. I give you a
[37:20] complicated molecule and I ask you what
[37:23] is the shape of the molecule in the real
[37:25] world. Potentially a quantum computer
[37:27] can actually compute this and so you
[37:29] know we we would potentially have the
[37:31] ability to build to calculate what
[37:33] materials look like without having to do
[37:35] expensive experiments, physical
[37:37] experiments. Yeah. That is that's an
[37:40] area that you know
[37:43] we'll see whether that actually works
[37:45] out
[37:46] but that's a potential other other
[37:48] application area for for quantum
[37:49] computers. Right now the most compelling
[37:53] application sadly is breaking
[37:55] cryptography. Mhm. But you're asking why
[37:57] are people investing so much money in
[37:58] building it? I think it's just grander
[38:00] vision that we'll demonstrate that it
[38:03] works by breaking cryptography but then
[38:05] there'll be other other applications
[38:07] that people people come up with. It's
[38:09] also one of these things that you know
[38:12] once the technology today nobody really
[38:14] is looking or the number of people
[38:16] looking for applications is not that
[38:18] high because the computers don't exist.
[38:20] Once the computers exist you can imagine
[38:21] oh everybody will try to look for new
[38:23] applications for them and you know,
[38:26] human ingenuity is amazing. So, we'll
[38:28] find find new applications that will
[38:30] drive this industry. So, so the argument
[38:32] here is that Shor's is basically like
[38:34] the low-hanging fruit of proving that we
[38:35] can even use quantum computers for any
[38:38] like practical real-world use case. Um
[38:40] but that ultimately like the incentive
[38:42] for building these things is that
[38:43] potentially once we're able to do that,
[38:45] you know, other kind of more profitable
[38:48] well, I don't know, maybe Shor's
[38:49] Bringing Shor's might be maybe very
[38:51] profitable for the right or wrong
[38:52] person. Yeah. Um So, Shor's by the way
[38:55] is a way to prove that there's there's
[38:56] new computing ability here. That it does
[38:59] something that we can't do
[39:01] uh on a classical computer. At least we
[39:02] believe we can't do on a classical
[39:03] computer.
[39:03] >> want to give a little TLDR on how Shor's
[39:05] works?
[39:07] Yeah, yeah, actually yeah, that would be
[39:08] great actually. Um in fact, let's do
[39:10] this. Let's let's kind of quickly walk
[39:11] through the Google paper. I think it's a
[39:13] pretty interesting paper. It's kind of a
[39:15] long paper, so I'm not sure how many
[39:16] people have actually read it.
[39:18] Um so, let's let's kind of walk through
[39:20] quickly uh click it quickly what's
[39:21] there. So, first of all, uh what is fun-
[39:23] fundamentally the result in the paper is
[39:26] an optimization of Shor's algorithm. So,
[39:29] to do that I have to kind of briefly
[39:30] explain how Shor's algorithm works. Uh
[39:32] Shor's is not a complicated algorithm.
[39:34] It's actually quite a simple algorithm.
[39:36] Uh let me describe it the way Shor
[39:38] described it. These days we think of it
[39:39] a think of it a little bit differently,
[39:41] but let me try to explain it the way
[39:43] Shor described it. Um so, really there
[39:45] are four steps to Shor's algorithm.
[39:47] Yeah? Um I'm going to say some words
[39:49] here that hopefully will be clear, but
[39:51] if not, please Google it because or or
[39:54] ChatGPT it because it's uh really
[39:55] interesting. Uh
[39:57] So, the first step in Shor's algorithm
[39:58] is uh you take a uh a classical state.
[40:02] And uh what you do is you can you create
[40:05] a superposition of exponentially many
[40:07] states. The way to think about that is
[40:10] um you literally write down a pair of
[40:12] numbers x, y for all x, y let's say
[40:16] between 0 and 2 to the 256. Yeah? So,
[40:21] classically, we can write not write down
[40:22] such a large list because it's got 2 to
[40:25] the 512 values in it. Yeah, it's two
[40:28] numbers, each one is 256 bits.
[40:31] But, the magic of quantum computing uh
[40:32] or a quantum mechanics is we can create
[40:34] a superposition using, let's say, 1,000
[40:37] atoms, 1,000 qubits, 1,000 logical
[40:40] qubits. We can create a superposition
[40:42] but I'll say using 512 logical qubits,
[40:46] we can create a superposition of 2 to
[40:48] the 512 different states. Okay, so now
[40:51] we have this huge vector of pairs X, Y
[40:56] for all XY. Okay, that's the first step.
[40:58] Turns out that's a really easy step to
[41:00] do. Yeah, that uses just what are called
[41:02] Hadamard gates. That's for a computer,
[41:04] that's easy to do.
[41:05] The next step is actually the hardest
[41:07] part of Shor's algorithm.
[41:08] Now, we have to take every pair XY and
[41:12] we have to apply a classical computation
[41:13] to it. Okay, so we're operating on the
[41:16] superposition, so on all pairs XY, on
[41:19] each pair, we apply a classical
[41:21] computation. What's the computation?
[41:22] Well, if we're trying to compute the
[41:23] discrete log of H base G,
[41:26] what we're computing is the function X *
[41:29] G + Y * H. So, remember we have a table
[41:33] of all XY's. We have our elliptic curve
[41:36] group elements G and H. And then for
[41:39] every XY, we compute X * G + Y * H.
[41:43] Remember that formula, X * G + Y * H.
[41:47] Okay, so we compute that formula. Um and
[41:49] that classical computation turns out to
[41:51] be the hardest part of Shor's algorithm.
[41:54] It's kind of funny that uh
[41:55] all the quantum things are easy, the
[41:57] classical computation is the one that's
[41:58] hard to do on a quantum computer. Yeah?
[42:01] So, now what when we once we have done
[42:02] this calculation, now we have a table
[42:04] that looks like X, Y, X
[42:07] * G + Y * H. Okay, we have a table of
[42:10] triples.
[42:12] Then now now we get into something that
[42:14] maybe is I'll just say the words. We do
[42:15] what's called a quantum Fourier
[42:16] transform. Yeah, that is not so
[42:19] important. I'll just tell you again, for
[42:20] a quantum computer, that step is step is
[42:22] not hard. Yeah? So, we do that, and then
[42:25] we measure.
[42:26] Okay, we measure the result, and it
[42:27] turns out what comes out is something
[42:29] called a period. The function that I
[42:31] just described is a periodic function.
[42:33] What comes out is an approximate period
[42:35] of that function. And I have to say,
[42:37] then there's the the part when I saw
[42:39] this in Shor's paper, I got really
[42:40] excited, cuz that's the most beautiful
[42:42] part of Shor's paper, to show that that
[42:44] approximation is enough to compute the
[42:46] discrete log using a classical
[42:48] computation. So, let's go over it again.
[42:50] So, first step, you create this massive
[42:52] superposition.
[42:53] Then you do a classical computation, x *
[42:56] g + y * h. Then you do a quantum Fourier
[42:58] transform. Then you do a measurement,
[43:00] and then you do a classical computation
[43:02] to recover the discrete log. Yeah, those
[43:04] are the steps of Shor's algorithm. Okay.
[43:06] The hardest step is x * g + y * h, the
[43:10] classical computation. So, you do that
[43:12] using a quantum circuit that implements
[43:15] that classical step.
[43:17] The
[43:17] innovation in Google's paper is
[43:19] basically an optimization for that step.
[43:22] Okay, so we can do the hardest part of
[43:25] Shor's algorithm faster than we thought
[43:27] we could do it before. Okay, so this is
[43:29] the cute optimization that you were
[43:30] referencing earlier. Um,
[43:33] and this is I mean, really the key
[43:34] breakthrough of the Google paper. Like,
[43:36] this is the new thing that really
[43:38] happened. Although there are a couple of
[43:40] other very cute ideas in the paper. So,
[43:42] so so, one thing that happened is um, so
[43:45] Google decided to actually not reveal
[43:48] the actual algorithm for computing x * g
[43:51] + y * h. It literally is just a quantum
[43:53] circuit. So, I'll tell you, they have a
[43:55] quantum circuit simulator, it's called
[43:58] KickMix. You literally write down a
[44:00] program as a quantum circuit, and
[44:02] KickMix will simulate it for you.
[44:04] Remember, this is a classical
[44:05] computation that's written using quantum
[44:08] gates. Yeah, so KickMix can just run
[44:10] this the quan- the classical algorithm
[44:12] and show that it works correctly.
[44:14] They could have just showed the world
[44:16] what their circuit is. Yeah, but they
[44:18] decided to not do that. Yeah, in this
[44:21] >> For a good reason.
[44:23] I mean, would that be not be a security
[44:24] vulnerability? I mean, isn't that the
[44:25] reason why they decided to use a
[44:27] zero-knowledge proof is they didn't
[44:28] >> Personally, I wish they would have
[44:31] revealed the algo- I believe in open
[44:32] research. I'm an academic. I believe
[44:34] that we should share our knowledge with
[44:36] the world. Personally, I would have
[44:37] liked to have that released in the open.
[44:40] Mhm. But let let me just say that they
[44:42] were operating under certain
[44:43] constraints.
[44:45] Their only options were not to tell the
[44:47] world anything
[44:49] or to do a zero-knowledge proof.
[44:50] >> Who was enforcing these constraints?
[44:52] What constraints exactly were you
[44:54] >> that is I'm going to that's up to the
[44:56] that not I don't That's up to the Google
[44:57] people to say. Okay. But
[45:00] uh let me just say that I thought it was
[45:02] pretty cool a pretty cool application of
[45:04] a zero-knowledge proof. What they did is
[45:06] they took the KickMix simulator quantum
[45:08] simulator. They converted it to Rust and
[45:11] then they ran a zero-knowledge prover to
[45:14] prove that their circuit actually
[45:16] computes a point addition correctly. So,
[45:19] this was a fun new application of
[45:20] zero-knowledge proofs on top of
[45:21] everything else. Yeah, that's basically
[45:23] what you're saying.
[45:23] >> a pretty exciting application of
[45:25] zero-knowledge proofs. You know, you you
[45:26] prove that you have an attack without
[45:28] actually revealing what the attack is.
[45:30] Now, I want to walk through actually
[45:31] what actually is being proved in in this
[45:34] in this ZK proof.
[45:35] So, one thing that I I I want to drill
[45:38] down a bit more is when you look at the
[45:40] function that needs to be computed x * g
[45:42] + y * h. Yeah, that you compute using
[45:46] what's called a repeated doubling
[45:47] algorithm.
[45:48] Of course, now I'm going to say a few
[45:50] words that hopefully your audience is
[45:52] familiar with. When you implement
[45:53] repeated doubling, of course, you
[45:55] implement this using what's called a
[45:56] windowing method.
[45:59] And it turns out what you would do is
[46:00] you would they chose to to implement it
[46:02] using a 16-bit window.
[46:04] Uh and then there's a different
[46:06] windowing table at every step of the
[46:07] algorithm.
[46:09] When you do the math, you know, there's
[46:10] 512 uh
[46:12] x * g + y * h. X and y are 256 bits. So,
[46:15] there are 512 elliptic curve additions
[46:17] that are done naively.
[46:19] Using this windowing method, it turns
[46:21] out you only need to do 31 uh additions.
[46:24] 31 additions. It turns out you can save
[46:26] uh uh three additions by some other
[46:29] tricks. And so, overall, Shor's
[46:32] algorithm, it's kind of important to
[46:33] understand, Shor's algorithm, at the end
[46:35] of the day, just boils down to 28
[46:38] elliptic curve additions. Yeah, the only
[46:40] thing the circuit needs to do is 28
[46:43] elliptic curve additions plus some
[46:45] lookup tables.
[46:46] Yeah, that's it. 28. Okay. So, what they
[46:49] proved is that they have an addition
[46:51] circuit that computes an elliptic curve
[46:53] addition in a certain at a certain using
[46:55] a a circuit of a certain size. In
[46:57] particular, I can tell you the the size
[47:00] that they showed is 2.7 million
[47:03] non-Clifford gates, which is what we
[47:05] care about. 2.7 million Toffoli gates.
[47:07] Yeah. So, yes, so they can compute uh
[47:10] one elliptic curve addition using 2.7
[47:11] million Toffoli gates, and they have to
[47:13] do that 28 times, which is roughly where
[47:16] the 90 million Toffoli gate count comes
[47:18] from. Okay, so the whole algorithm takes
[47:20] 90 million Toffoli gates. They proved in
[47:23] zero knowledge they have a circuit that
[47:24] does it in 2.7 million Toffoli gates. I
[47:27] thought that once the paper is
[47:29] published,
[47:30] people are going to think of this as an
[47:32] amazing puzzle.
[47:33] So, we know there's a circuit that
[47:35] implements uh you know, there's a
[47:37] KickMix circuit that does curve addition
[47:39] using 2.7 million Toffoli gates
[47:42] because the proof is correct.
[47:44] We can talk about that, too, too, but
[47:45] the proof is the proof is correct. Um uh
[47:48] and so, now there's an amazing puzzle
[47:50] out there.
[47:51] Can you guys figure out what the circuit
[47:53] is? It's a pretty cool puzzle. I thought
[47:56] it was just This is
[47:57] >> challenge that you're proposing. Yeah.
[47:58] Yeah, it's a challenge for the research
[48:00] community. I thought actually it would
[48:03] but by now people will have already
[48:05] figured it out. I can tell you one of my
[48:07] former students
[48:08] Ilya told me that he just went to
[48:11] Claude Code and said, "Hey Claude, why
[48:12] don't you learn how to use KickMix and
[48:14] can you come up with an addition circuit
[48:16] yourself?" I think he said Claude came
[48:18] up with like a circuit that was 10
[48:20] million Toffoli gates and like 5,000
[48:22] physical qubits, which is much worse
[48:23] than the Google paper.
[48:25] But at least it gives you a scaffold and
[48:26] now you can try to optimize the scaffold
[48:28] manually. Or maybe by interacting with
[48:31] Claude you can you can try to optimize
[48:32] the scaffold.
[48:34] So yeah, so this is a pretty cool
[48:36] challenge out there. Maybe somebody can
[48:37] even find a better gate a better circuit
[48:39] than the Google one. So in the Google
[48:41] paper we have this sort of optimization
[48:43] of Shor's as sort of like the key
[48:45] breakthrough. We have the zero-knowledge
[48:46] proof application of proving the attack
[48:48] without revealing information about the
[48:50] attack, which is pretty cool and kind of
[48:52] potentially lends itself to this
[48:53] challenge. Hey, go go figure this out.
[48:56] Anything else that's cute in the Google
[48:58] paper that you want to make sure we
[49:00] cover before we go into mitigation.
[49:02] >> good good. Yes, yes, of course. Yes,
[49:03] there is a couple other other very cool
[49:05] ideas in the paper.
[49:06] So
[49:08] right, it turns out remember when we
[49:10] compute the function x times g plus y
[49:12] times h.
[49:14] Amazingly,
[49:16] g in the world of ECDSA and Schnorr, g
[49:20] is fixed forever. Everybody uses the
[49:21] same group generator.
[49:23] H kind of depends on the user's public
[49:25] key. Yeah? So really half of the
[49:29] computation
[49:30] in the x times g plus y times h can be
[49:32] done before we even know the user's
[49:34] public key.
[49:35] Yeah? So we call this priming. We can
[49:37] prime the quantum computer with x times
[49:40] g so that when the public key becomes
[49:42] known all you have all you have to do is
[49:45] y times h. So it's a factor of two speed
[49:47] up in in breaking a public key if you
[49:51] don't know the public key ahead of time.
[49:53] When is a When is there a situation
[49:55] where you don't know the public key
[49:56] ahead of time? Well, that's exactly the
[49:58] Bitcoin mempool. Right? So, in the
[50:00] Bitcoin mempool, what happens is uh
[50:02] Satoshi had this incredible idea that
[50:05] Bitcoin addresses are hashes of public
[50:07] keys.
[50:09] So, when somebody wants to spend uh you
[50:11] know, a pay-to-public-key-hash uh UTXO,
[50:14] they publish the public key as part of
[50:16] this of this transaction.
[50:18] And now the attacker has basically 10
[50:20] minutes to try to do the attack.
[50:21] >> so that just like if we were going to
[50:23] TLDR that for folks, it basically means
[50:26] like we now have evidence that the
[50:27] amount of time that it would take to
[50:29] execute an attack is reduced
[50:32] essentially.
[50:33] >> you theoretically reduced. Because you
[50:35] can prime the you can prime the computer
[50:36] so that when the public key becomes
[50:38] known, you can break it twice as fast.
[50:39] >> Which is not relevant to the when
[50:41] quantum question, but is more relevant
[50:43] to the types of attacks that we need to
[50:45] be able to uh mitigate against in the
[50:48] future. Short exposure versus long
[50:49] exposure. Is that fair? Yeah, that's
[50:51] very fair. Yeah, I thought that was a
[50:52] very very cute observation in the in in
[50:54] the paper that is worth highlighting. Um
[50:57] so, the the reason that's important is
[51:00] because the superconducting qubits,
[51:01] remember they are fast. Mhm. Yeah, when
[51:04] you do the math of how long will a
[51:06] superconducting qubits actually take to
[51:08] run this optimized Shor's algorithm, it
[51:10] turns out it is about 20 minutes. Yeah?
[51:13] But, because of this factor of two
[51:14] optimization, you can prime the
[51:15] algorithm and then attack on the fly,
[51:18] the 20 minutes drop to 10 minutes. Yeah,
[51:20] which is kind of interesting.
[51:21] >> Which is a interesting number when
[51:23] you're talking about mempool attacks.
[51:25] It's kind of weird that the numbers
[51:26] literally just line up with the Bitcoin
[51:27] numbers. That that is a again, a bizarre
[51:29] coincidence of the universe.
[51:30] >> Bizarre coincidence of the universe.
[51:32] Okay, fair enough.
[51:33] >> On a neutral atom computer, remember
[51:35] things are much slower. The Caltech
[51:37] paper estimates that on a neutral atom
[51:39] computer, they will need about their
[51:41] estimates are
[51:43] a lot of debate somewhere that their
[51:44] their his are aggressive or not.
[51:47] Their estimates are you will need 26
[51:49] 26,000 atoms, which is
[51:52] within reason, and you you you will need
[51:54] about 10 days of compute. Was there
[51:56] anything in the paper? I thought I had
[51:58] read something and there were a couple
[52:00] people suggested that the paper kind of
[52:02] implied that there may be sort of like a
[52:04] specific tipping point where scaling
[52:06] could become easier rather than
[52:09] exponentially more difficult, right?
[52:11] Like I think I mentioned earlier when we
[52:12] were prepping that, you know, the 32-bit
[52:15] uh number isn't that much easier than
[52:18] breaking a 256-bit number. I mean, is
[52:20] there is there
[52:21] any reason to believe that that's true?
[52:23] Cuz that that could be potentially an
[52:25] argument for, you know, the bears, the
[52:27] quantum bears who are saying, "No, no,
[52:29] no, no, it's going to you know, we're
[52:30] going to have tons of runway on the
[52:33] incremental time." But if it if it if it
[52:35] is true that it you know, it's not
[52:37] necessarily exponentially harder to go
[52:39] from breaking a 32-bit key to a 256-bit
[52:41] key, um like why is that? Is there, you
[52:45] know, evidence to support that idea or
[52:47] is it just who knows?
[52:49] Yeah, so the quantum Star Trek folks
[52:50] that it will only be possible in Star
[52:52] Trek times, the quantum bears, I like
[52:53] the name.
[52:54] Um
[52:55] one of the arguments is, "Well, you have
[52:56] any your factor 21." Right? Um so, why
[52:59] is that? So, um again, I'm
[53:02] uh not sure exactly what the timelines
[53:04] are, but I can say factoring 21 using
[53:07] Shor's algorithm is a circuit that takes
[53:09] um between 100 and 200 gates,
[53:11] non-Toffoli non-Toffoli gates, uh
[53:13] non-Clifford gates.
[53:14] Um and as a result, you already need all
[53:17] the quantum error correction, like even
[53:18] just to factor 21, all the machinery
[53:21] that is preventing quantum computing
[53:23] from happening tomorrow is already
[53:25] needed. Yeah? I see. And so, today it's
[53:29] not clear that we can factor 21 if we if
[53:31] we want to.
[53:32] Uh but the tools the the the tools are
[53:34] coming together. As I said,
[53:36] um quantum error correction has has been
[53:37] demonstrated for 448 physical qubits, 27
[53:41] uh gates.
[53:42] Um so, that needs to be scaled up to a
[53:44] couple hundred gates and then maybe
[53:47] they'll be able to uh to factor 21. And
[53:49] so, my my point is that the the the
[53:53] it's just now that these these tools are
[53:56] coming together. And so, I think now
[53:58] actually we will start to see things uh
[54:00] moving a little bit faster than we saw
[54:01] before. So, I mean, is is the kind of
[54:03] core argument there that there's so much
[54:06] that has to go into building a quantum
[54:08] computer that just factors 21 that once
[54:11] you get there, it's actually really not
[54:13] that much of a jump in terms of like
[54:15] like overarching work to get to freaking
[54:18] 256? Uh okay, so that that okay, that
[54:21] that is over an oversimplification. So,
[54:23] the quantum error correcting code is
[54:24] going to be much harder to do for a
[54:27] large-scale computation. It's very
[54:29] interesting, by the way, that
[54:30] >> Exponentially harder as you increase Not
[54:32] at exponential is a mathematical term.
[54:34] Not exponentially harder.
[54:35] >> Okay, not. Uh harder, not exponentially
[54:37] harder. Not exponentially harder. But,
[54:38] some people do say that, but
[54:40] Maybe that's what I want to clarify.
[54:42] >> Yeah, yeah, yeah. It is harder. But, but
[54:43] it's I wish we had more time because
[54:45] there's so much so much I want to say.
[54:47] And in that one of the bottlenecks, it's
[54:49] interesting, one of the bottlenecks of a
[54:51] quantum computation is the classical
[54:53] work that needs to be done to run the
[54:55] error correcting code. Yeah, and why
[54:58] that's true is super interesting to the
[54:59] point where Nvidia got into this game,
[55:01] which I thought was kind of cool. So,
[55:03] Nvidia realized, "Oh my god, to run a
[55:04] quantum computer, you you need a massive
[55:06] classical computer." And so, they said,
[55:09] "Oh, we have a massive classic classical
[55:11] computer with these GPUs." So, they they
[55:13] put up this uh what is it called? Quan
[55:15] uh CUDA-Q uh library. So, a lot of the
[55:18] physics experiments are hoping that
[55:20] Nvidia will solve the software version
[55:22] of it, the software aspect of it, um and
[55:25] that uh will help scale things up. So,
[55:27] yeah, so things are things are coming
[55:29] together. It takes time, but things are
[55:31] things are coming together. Again, I'm I
[55:34] don't think that I think we have still
[55:35] many years to come. I just the the the
[55:38] number of things that have to be done
[55:40] is quite large. So, we still have uh
[55:42] quite a long runway.
[55:45] In my again, I I could be wrong. Reading
[55:48] the Reading between the lines, to me it
[55:49] sounds like it's it's it's um 2035 and
[55:52] above.
[55:53] Um I'd probably would even
[55:56] >> I I'd probably would guess even further
[55:58] out.
[55:59] But not everybody is as uh Some people
[56:01] are much more bullish than than I am in
[56:03] thinking that it will come sooner. And
[56:05] of course there's the argument that we
[56:07] should be prepared in the unlikely
[56:09] event. Exactly. To just again to drive
[56:11] the point home, you know, the Google
[56:13] security team, not the quantum team, the
[56:15] Google security team made their own
[56:17] assessment, and they decided that they
[56:19] want to move the timelines up to 2029.
[56:22] Yeah, so not because they think there's
[56:24] a computer going to that's going to
[56:25] appear in 20 2029,
[56:27] um it's because they want to be ready.
[56:29] Yeah, so
[56:30] >> case. Just in case Yeah, you don't want
[56:31] to bet the whole world just on on
[56:34] something that's
[56:36] uh on a hunch. Yeah, you want to be
[56:37] ready. So, they they want to finish the
[56:39] transition by 2029. Another interesting
[56:41] thing about that is the transition is
[56:42] quite difficult. Yeah, moving the world
[56:44] to post-quantum is going to be
[56:46] even for the web, it's going to be very
[56:48] uh difficult and slow.
[56:49] They might say 2029, but they could miss
[56:51] by 3 years easily. Right. If they say
[56:54] 2035 and they miss by 3 years, now we're
[56:56] getting into kind of a dangerous danger
[56:57] zone. And so, saying 2029 and missing by
[57:00] 3 years, we're still probably okay.
[57:02] All right, guys. Taking a quick moment
[57:04] to thank my new sponsors of the show.
[57:07] First off, the one and only Layer2 Labs
[57:09] pushing forward research and development
[57:11] of Drivechains.
[57:12] Drivechains were first introduced as a
[57:14] software proposal to Bitcoin, aka BIP
[57:16] 300 BIP 301. These BIPs essentially
[57:20] propose a bridging mechanism between
[57:21] Bitcoin and Layer2s that are incentive
[57:24] aligned with miners, and they've gotten
[57:26] a ton of attention over the last couple
[57:28] of years.
[57:29] If you're curious about how Drivechains
[57:30] could work in practice though? Check out
[57:33] layer2labs.com and download their
[57:35] alternative front end to Bitcoin Core.
[57:37] It lets you play with drivechains and
[57:39] see how they actually work in real life.
[57:42] I'd also like to introduce Hashi,
[57:44] an alternative primitive to traditional
[57:46] L2s that allows users to execute a wide
[57:48] range of Bitcoin DeFi activities without
[57:51] having to trust a federated bridge.
[57:54] With Hashi, Bitcoin is controlled by an
[57:56] MPC wallet that requires a quorum of
[57:59] proof-of-stake validators on the Sui
[58:01] network to execute Bitcoin transactions
[58:04] based on the validity of smart
[58:05] contracts.
[58:06] At least a third of the staking power of
[58:09] the Sui validators network is required
[58:11] to execute these MPC mint and redeem
[58:13] transactions, which is a substantive
[58:16] improvement in trust assumptions
[58:17] relative to other L2s or sidechain
[58:20] bridges.
[58:21] Hashi's commercial team is also stacked,
[58:23] including a crew of former builders from
[58:25] the crypto division of Meta. I think
[58:28] we're going to see a suite of super
[58:30] competitive Bitcoin DeFi products built
[58:31] with this protocol, so definitely check
[58:33] out the Hashi page on sui.io if you're
[58:36] curious.
[58:38] Last but not least, shout-out to BitBox.
[58:41] BitBox is one of the easiest and most
[58:43] simple-to-use Bitcoin hardware wallets
[58:45] on the market right now. If you have
[58:47] friends or family members that you want
[58:48] to make sure stay safe and use cold
[58:51] storage, but maybe they're not
[58:52] the most Bitcoin native people in the
[58:54] world, I highly recommend checking out
[58:57] BitBox. They're completely open source,
[59:00] no compromises on security, but they're
[59:02] also super easy to use, really intuitive
[59:05] UX. Plus, you can use them with
[59:07] concierge multi-sig services like
[59:09] Unchained, which I'm personally a big
[59:11] fan of. If you want to check out their
[59:13] hardware wallets, go to bitbox.swiss
[59:16] and use code bitcoinrails to get a
[59:18] discount. All right, back to the show.
[59:21] So, let's talk about mitigation. Yeah.
[59:23] Um for Bitcoin specifically, which is,
[59:26] you know, kind of most of my audience uh
[59:27] listening to this.
[59:29] Do you have a point of view about
[59:32] signature schemes and sort of how we
[59:34] should be I mean, we could even just
[59:35] zoom out from there, you know, what we
[59:37] should how we should be addressing this
[59:38] broadly if you have like a big picture
[59:40] that you'd like to share for Bitcoin,
[59:41] but certainly I want to kind of ask you
[59:43] about your point of view about
[59:45] post-quantum signature schemes for
[59:46] Bitcoin if you have a favorite. Yes.
[59:48] Okay, good. Good. Good. So, the question
[59:49] is what to do about about the
[59:51] transition, yeah?
[59:53] The answer is there's really no good
[59:55] answer. It's kind of sad, actually.
[59:56] There's really There's really no no no
[59:58] good answer. So, but we have to do
[59:59] something.
[01:00:00] Yeah, so how we have to prepare, right?
[01:00:03] So, what what what do we do? Again,
[01:00:05] don't panic,
[01:00:07] but we can't ignore this problem,
[01:00:08] either. And we need to start to start
[01:00:11] the transition. So, what So, what do we
[01:00:12] do?
[01:00:13] So, let me actually zoom out just a
[01:00:15] little bit. I would say first of all,
[01:00:17] for new blockchains, you know, there are
[01:00:18] new blockchains created once in a while.
[01:00:21] For new blockchains, it seems like
[01:00:24] a cautious thing to do is to have every
[01:00:27] user choose their seed phrase, but from
[01:00:29] the seed phrase, you can generate both
[01:00:31] ECDSA and ECDSA or Schnorr key.
[01:00:34] And in a post-quantum key, and have both
[01:00:37] keys committed on chain.
[01:00:39] So, that before Q-Day, everybody just
[01:00:40] uses the pre-quantum key and the world
[01:00:42] is happy. After Q-Day, at least users
[01:00:45] are protected cuz they already have a
[01:00:46] post-quantum key that's registered on
[01:00:48] chain.
[01:00:49] >> And this is happening at the wallet
[01:00:50] level, or is the or this would be like
[01:00:51] consensus? This is just wallet level.
[01:00:53] >> This is just wallets.
[01:00:54] >> For the non-Bitcoin chains, you can do
[01:00:55] this wallet level, which is maybe points
[01:00:57] for them. Yeah, well, this is also for
[01:01:00] Yeah, for new chains for Yeah, for the
[01:01:02] existing chains, unfortunately, the the
[01:01:04] reason this is so problematic is that
[01:01:06] everybody is going to have to transition
[01:01:09] They have to revoke their old
[01:01:10] pre-quantum key and transition to to
[01:01:13] post-quantum key.
[01:01:13] >> And some will inevitably not, which is a
[01:01:15] question that we'll get into.
[01:01:17] >> assets, and so on.
[01:01:18] >> Abandoned assets, yeah. Yeah, so what
[01:01:20] So, what do we do? So,
[01:01:21] uh yeah, so look, we can go through
[01:01:23] through the different the different
[01:01:25] schemes. Maybe to zoom out at a high
[01:01:27] level, I'll say there are kind of two
[01:01:29] contenders, right? And I think your
[01:01:31] audience knows this. So, there are
[01:01:32] hash-based schemes that people are
[01:01:34] considering, and then there are
[01:01:36] lattice-based schemes. Yeah? Is isogeny
[01:01:38] in the mix at all or not really?
[01:01:40] So, it's interesting you say this. So,
[01:01:42] isogeny is in the mix, and in fact, NIST
[01:01:44] has a running
[01:01:47] additional signature scheme competition,
[01:01:49] and SQIsign is actually one of the round
[01:01:52] two signature schemes in the NIST
[01:01:54] competition. So, they made it to round
[01:01:56] two.
[01:01:57] So, isogenies are in the mix, but
[01:01:58] isogenies are a little problematic. Um
[01:02:03] maybe do you want to talk about
[01:02:04] isogenies or
[01:02:05] >> really quickly, why are they
[01:02:06] problematic? Uh so, isogenies, as you
[01:02:08] probably know, they suffered a pretty
[01:02:09] significant attack recently. The key
[01:02:12] exchange mechanism turned out to be to
[01:02:14] be insecure, and it kind of shows and
[01:02:16] and the attack is basically not using
[01:02:19] kind of new math. It was like old math
[01:02:21] that just people didn't know about.
[01:02:22] Yeah? And it just shows this area uses
[01:02:25] such sophisticated tools that
[01:02:29] it's a little
[01:02:30] hard for for
[01:02:32] you know, maybe there's a theory theorem
[01:02:34] that we don't know about that that would
[01:02:36] impact
[01:02:37] >> hardened enough is sort of the argument,
[01:02:39] right?
[01:02:39] >> we we need to wait. Isogenies are great,
[01:02:42] fantastic, but we need to wait a bit
[01:02:44] more to make sure
[01:02:46] things really they're as secure as
[01:02:47] claimed before we start to use them.
[01:02:49] >> an argument that lattice-based also
[01:02:51] could potentially
[01:02:53] experience those kinds of
[01:02:54] vulnerabilities that like maybe it's
[01:02:56] more like theoretical and like you know,
[01:02:58] like again, less hardened than hashes or
[01:03:00] SPHINCS?
[01:03:01] Yeah, it is so it is possible. So, of
[01:03:03] course, you know, it's possible that
[01:03:04] SHA-256 is not secure. It's possible
[01:03:06] that ECDSA is not secure. Anything is
[01:03:08] possible. Relatively speaking though, I
[01:03:10] mean like how would you compare just the
[01:03:11] security properties of lattice versus
[01:03:13] hashes?
[01:03:14] >> Okay, I'll I'll I'll say it this this
[01:03:16] Uh you know, so the the Bitcoin folks,
[01:03:18] they love SHA-256 and they love they
[01:03:20] love ECDSA, yeah? Cuz we're we're used
[01:03:22] to them. Right. Yeah, we we love yeah, I
[01:03:25] should say.
[01:03:26] Um
[01:03:26] well, used to them and also Satoshi kind
[01:03:28] of blessed them, right?
[01:03:29] >> Right, right.
[01:03:29] >> I guess it took forever for Pieter Wuille
[01:03:31] to even convince folks to use Schnorr
[01:03:33] signatures, right?
[01:03:33] >> True. At least we had we adopted Schnorr
[01:03:36] signatures.
[01:03:37] Where you know, SHA-256 and and and
[01:03:39] ECDSA and Schnorr, they didn't come from
[01:03:41] God. They came from NIST, right? They
[01:03:44] came from NIST. NIST said this is okay.
[01:03:45] Mhm. Well, now NIST is telling us
[01:03:48] lattice is all okay to use for
[01:03:49] post-quantum crypto. Okay. You know, if
[01:03:51] Satoshi was alive today, well, I don't
[01:03:53] know. If Satoshi was around
[01:03:54] >> approved isogenies. Is that Not yet.
[01:03:56] Okay, okay. So, lattice okay. Has NIST
[01:03:58] approved all guys?
[01:03:59] >> They have approved lattice schemes. They
[01:04:01] have approved hash-based lattice
[01:04:02] signatures, hash-based signatures. Uh
[01:04:04] it's quite possible if Satoshi was
[01:04:06] designing Bitcoin today, he would have
[01:04:08] just used one of the post-quantum NIST
[01:04:09] standards, yeah? So, I think it's a it's
[01:04:12] it's it's good to remember. Now, at the
[01:04:13] same time, I also understand the
[01:04:15] caution. I mean, of course you need to
[01:04:16] be you need to be cautious. Uh
[01:04:18] lattice-based schemes are not as old as
[01:04:20] elliptic curve-based schemes.
[01:04:22] >> Mhm. Or hash-based schemes. Well, or
[01:04:24] hashes period, yeah. It's true, but they
[01:04:26] have been around for quite a while,
[01:04:27] yeah? So, lattice-based schemes are over
[01:04:29] 20 years old.
[01:04:30] Uh they have been around for quite a
[01:04:31] while. They have nice randomness of
[01:04:33] reduction properties uh to them.
[01:04:36] You know, could there be a quantum
[01:04:38] algorithm that that gives you polynomial
[01:04:40] approximations for shortest vector?
[01:04:43] Could be. In fact, last What was it?
[01:04:44] Last year I mean, I forget
[01:04:46] last year or 2 years ago, I don't
[01:04:47] remember. Uh there was actually a paper
[01:04:48] that claimed to have to have solved
[01:04:50] that. Uh turned out to be wrong, but um
[01:04:53] uh that that scared quite a few people
[01:04:57] uh for quite a while. So, I would say
[01:04:59] that um
[01:05:00] um
[01:05:01] when you move to a new signature scheme,
[01:05:03] there is not you can do what the web is
[01:05:06] doing. So, the web, if you look, the web
[01:05:07] has already transitioned to post-quantum
[01:05:09] encryption, post-quantum key exchange
[01:05:11] rather. If you connect to Amazon, if you
[01:05:13] connect to uh GitHub, if you connect to
[01:05:16] any of your favorite sites on Chrome,
[01:05:19] you can look at the key exchange method
[01:05:20] that the browser is using. It's using
[01:05:22] what's called a hybrid encryption
[01:05:23] scheme. Yeah, it's using
[01:05:25] effectively 25519, which is an elliptic
[01:05:28] curve scheme, combined with ML-KEM-768,
[01:05:31] which is a lattice based scheme. Yeah?
[01:05:33] So, we necessarily don't make security
[01:05:36] worse.
[01:05:37] We still have elliptic curves to fall
[01:05:38] back to if something happens with
[01:05:41] lattices, but if somebody builds a
[01:05:42] quantum computer, at least we have
[01:05:45] lattices to protect us.
[01:05:46] >> This was going to be one of my other key
[01:05:47] questions because I've heard differing
[01:05:48] points of view on this is do you think
[01:05:50] that we should have redundancies of
[01:05:51] signature types in Bitcoin? Absolutely.
[01:05:54] Absolutely. When you move to a new
[01:05:55] signature scheme, you should always move
[01:05:57] to a hybrid signature scheme.
[01:05:58] >> you think is the
[01:05:59] you know, optimal number of signature
[01:06:00] scheme options to have in Bitcoin?
[01:06:03] Uh okay, so to me it's not options.
[01:06:06] So,
[01:06:07] what I hope will happen, I'm I'm not
[01:06:09] sure if that will actually happen, but
[01:06:11] what I hope will happen is that the new
[01:06:14] post quantum so
[01:06:15] Okay, there are many solutions for
[01:06:17] Bitcoin, but let's suppose for a minute
[01:06:18] that Bitcoin adopts a post quantum
[01:06:20] signature scheme. What I hope will
[01:06:22] happen is that what will be adopted is
[01:06:24] actually
[01:06:25] one signature scheme that actually
[01:06:27] implements two.
[01:06:28] Okay. In particular, it will do Schnorr
[01:06:31] plus let's say ML let's say I'll say
[01:06:34] Hawk. But but it specifically will do
[01:06:36] something PQ and something elliptic
[01:06:38] curve based. Is that
[01:06:40] >> Exactly. Exactly.
[01:06:41] >> Okay. And it will be one signature,
[01:06:43] but the signature will be kind of two
[01:06:45] signatures smooshed together.
[01:06:47] Yeah? Cool. And the reason I say that
[01:06:48] that actually
[01:06:49] >> to be able to do that? No, no,
[01:06:51] [laughter] no. It's actually quite It's
[01:06:52] just an engineering just
[01:06:54] >> engineering problem. You know, be
[01:06:55] careful when when somebody tells you
[01:06:57] just engineering.
[01:06:58] But it's from a mathematical point of
[01:07:00] view, we actually know how to do it. Now
[01:07:02] it's just a matter of of of implementing
[01:07:03] it. And I would say say is even true for
[01:07:06] the hash-based signature schemes. The
[01:07:08] reason is ECDSA libraries are
[01:07:11] battle-tested. They've been with us
[01:07:12] forever. They've been optimized. We
[01:07:14] trust them. These uh hash-based
[01:07:16] signatures, you know, maybe there are
[01:07:17] bugs in the implementation, right? If
[01:07:20] you combine a pre-quantum signature with
[01:07:22] a hash-based signature, you are not harm
[01:07:24] You are by provably you are not harming
[01:07:26] security.
[01:07:27] >> But so you get the the separate benefits
[01:07:30] of each signature type even if you
[01:07:31] smoosh them together into one signature.
[01:07:34] >> provably you're not harming security.
[01:07:35] You're only can only make things better.
[01:07:37] Now, the the interesting thing is the
[01:07:39] post-quantum signatures are much longer
[01:07:41] than the pre-quantum signatures, sadly,
[01:07:44] which means that actually moving to a
[01:07:45] hybrid model is actually from a uh
[01:07:48] signature size point of view is not that
[01:07:50] expensive, right? When you take a big
[01:07:52] number and you add a small number to it,
[01:07:54] it doesn't change the big number by too
[01:07:56] much.
[01:07:57] Um and so it's not a unreasonable
[01:07:59] engineering requirement to do that. But
[01:08:01] I see the world not going in that
[01:08:02] direction, which I think is all I think
[01:08:05] deserves more discussion.
[01:08:07] >> You you see instead people just being
[01:08:09] like, "Okay, now we're just going to
[01:08:10] switch out of ECC entirely and just go
[01:08:12] straight into some like hash-based
[01:08:13] scheme?" Or what they'll do is for
[01:08:15] example, they use Taproot, where one
[01:08:17] leaf is is uh
[01:08:19] uh is Schnorr or ECDSA, and the other
[01:08:22] leaf is some post-quantum signature.
[01:08:24] >> would be like the optionality version
[01:08:26] versus what you're saying, which is the
[01:08:28] smooshing together option.
[01:08:29] >> And I what we have learned for over many
[01:08:32] years of uh you know, pain and suffering
[01:08:34] is the minute you start giving users and
[01:08:36] developers options, those are foot guns.
[01:08:39] It's interesting you say that because
[01:08:41] that is the primary argument that I've
[01:08:43] heard for like reducing redundancies is
[01:08:45] don't give people options. Don't let
[01:08:47] people do different things on Bitcoin.
[01:08:48] That actually comes with its own risks,
[01:08:51] essentially. Um you're taking on
[01:08:52] different security vulnerabilities than
[01:08:54] your counterpart. It's not a good idea.
[01:08:56] So my my my point is even more than My
[01:08:57] point is if we're going to implement
[01:08:59] post-quantum using Taproot,
[01:09:01] rather than having a ECDSA leaf and a
[01:09:04] ML-DSA leaf, say, or a Hawk leaf or
[01:09:07] whatever, let's let's make the Hawk, by
[01:09:10] the way, is a is a post-quantum lattice
[01:09:12] signature. Yeah. Which I would love to
[01:09:14] talk about.
[01:09:14] >> Okay, we can talk about Hawk.
[01:09:15] >> What I'm saying is, uh, rather than just
[01:09:18] having a Hawk leaf, make the Hawk leaf
[01:09:20] be a concatenation of a Hawk Hawk
[01:09:22] signature and Schnorr, for example.
[01:09:24] >> even heard of this idea. Have you put
[01:09:26] posited this on the mailing list? Like
[01:09:28] you said, no one's talking about this.
[01:09:29] >> I I I It's kind of obvious. What what is
[01:09:30] there to say? Well, you said no one is
[01:09:32] talking about this.
[01:09:33] >> Well, we're talking about it.
[01:09:34] >> we're talking about it. Okay, so now
[01:09:35] we're popularizing this idea. Hey, you
[01:09:37] don't need to give people the option.
[01:09:38] You can smash them together and just
[01:09:40] kind of I guess 2 + 2 Uh but it's even
[01:09:42] more than that. This This is literally
[01:09:43] what the web decided to do. The web
[01:09:45] didn't just move to ML-KEM. The web
[01:09:47] moved to a hybrid scheme. Why would the
[01:09:49] blockchain do it something different?
[01:09:51] Right? Fair question. What do you think
[01:09:53] of Oh, sorry, one more point. In the In
[01:09:55] the web, we didn't give people the
[01:09:56] option, "Oh, you know, you can choose
[01:09:58] whichever pair you want pairs you want."
[01:10:00] No, no. The name of the cipher spec that
[01:10:03] is post-quantum is 25519 ML-KEM. Like,
[01:10:07] that is one atom. It's not like the two
[01:10:09] are separate. That's one atom that does
[01:10:11] both at the same time.
[01:10:12] >> This is an important distinction, cuz I
[01:10:13] think a lot of people are not thinking
[01:10:15] about it this way. I think most people
[01:10:17] are thinking of it in the merklized way,
[01:10:19] where you have options of signatures,
[01:10:20] and that's problematic.
[01:10:21] >> minute you give options, people are
[01:10:23] going to start misusing the options and
[01:10:25] maybe not implementing the option, and
[01:10:27] basically we're just giving people a
[01:10:29] foot gun. Okay. My opinion. My opinion.
[01:10:31] >> What do you think I mean it So
[01:10:34] I have lots of follow-up questions
[01:10:35] there, but I was going to ask you about
[01:10:37] some of the hash-based signatures that
[01:10:40] folks are putting forth in Bitcoin.
[01:10:41] Right now, it seems like the popular
[01:10:43] frontrunner is Jonas Nick's
[01:10:46] Shrinks Shrimps
[01:10:48] kind of hash-based optimization. Would
[01:10:50] it even be possible to I mean, could you
[01:10:53] do this kind of smushing technique with
[01:10:56] something like that? With like shrinks
[01:10:57] and shrimps potentially?
[01:10:59] >> of course. So that is not a problem.
[01:11:01] >> That is not a problem. Okay, so
[01:11:03] man, okay.
[01:11:04] Uh
[01:11:05] Right.
[01:11:06] A lot to say here.
[01:11:08] So I I think what you're asking me is
[01:11:10] forget the forget the hybrid method.
[01:11:12] Just let's core let's talk about the
[01:11:13] core post-quantum signature. Should we
[01:11:15] use a hash-based signature or should we
[01:11:17] use a lattice-based signature?
[01:11:18] >> Mhm. So I I would like to say that
[01:11:22] um
[01:11:23] it the current
[01:11:26] is we're going to move in the direction
[01:11:27] of hash-based purely hash-based
[01:11:29] signatures.
[01:11:30] Ethereum, by the way, is is more general
[01:11:32] than that. It's very interesting. For
[01:11:33] Ethereum transactions, Ethereum is
[01:11:35] saying we're just going to move to smart
[01:11:37] contract wallets.
[01:11:38] >> Right. And then users can implement
[01:11:39] whatever signature scheme they want in
[01:11:41] their in their wallet.
[01:11:42] >> think that's a good plan for them? It's
[01:11:44] a very interesting plan. I actually I
[01:11:45] kind of like that. That's a very
[01:11:46] interesting
[01:11:47] >> So optionality works for Ethereum in a
[01:11:49] way that it doesn't work at the
[01:11:50] transaction level. Yeah, yeah. For
[01:11:51] consensus, they're thinking of doing
[01:11:53] something different. But let's talk
[01:11:54] about Bitcoin. So again, the question is
[01:11:56] hash-based signatures or lattice-based
[01:11:58] signatures?
[01:11:59] I I I I would like to actually push for
[01:12:02] lattice-based signatures. Let me explain
[01:12:03] why.
[01:12:04] So
[01:12:06] um Hot take. Hot Well, okay. Is it? All
[01:12:09] right.
[01:12:09] >> [laughter]
[01:12:09] >> Well, I would like to push for
[01:12:10] lattice-based signatures. So my my
[01:12:12] reasoning is this.
[01:12:13] Um
[01:12:14] Hash-based signatures are kind of
[01:12:15] combinatorial in nature and that limits
[01:12:18] a lot of what we a lot a lot of the
[01:12:21] clever things we can do with them.
[01:12:23] So what do we want to do with
[01:12:24] signatures? So for example, we'd like to
[01:12:25] implement threshold signatures. Yeah, so
[01:12:27] what's a threshold signature? You take
[01:12:29] your secret key, you break it up into
[01:12:30] multiple shares, and so that even if a
[01:12:32] few shares are compromised, the key is
[01:12:34] not is not revealed.
[01:12:36] It turns out with lattice-based
[01:12:37] signatures, it's actually
[01:12:39] it's not as easy as BLS, but it's not
[01:12:42] that difficult to actually thresholdize
[01:12:44] lattice-based signatures.
[01:12:45] When it comes to hash-based signatures,
[01:12:47] there are a couple of proposals for
[01:12:49] doing it, but it's a a harder. Yeah. And
[01:12:51] here we can go into how hash-based
[01:12:54] signatures uh work. There's actually a
[01:12:56] proposal called Haystack for
[01:12:58] threshold-based hash-based signatures.
[01:13:00] Um and just to give you an idea for why
[01:13:02] already you can see why it's
[01:13:03] complicated. In Haystack, um
[01:13:06] for example, the threshold and the the
[01:13:10] so T and N, the threshold and the number
[01:13:11] of parties is somewhat is sort of
[01:13:13] revealed by the public key. Yeah, but
[01:13:16] the public key and the signatures.
[01:13:17] Whereas when you use threshold
[01:13:18] signatures, there's often a desire to
[01:13:21] not reveal what the threshold is. You
[01:13:22] know, if I'm using
[01:13:24] threshold signatures to protect my my my
[01:13:26] secret key, I don't want to tell the
[01:13:28] attacker how many people they have to
[01:13:29] compromise in order to to steal my keys.
[01:13:31] I want the threshold to remain secret.
[01:13:34] Uh in a fresh and for example, and if
[01:13:36] you use a combinatorial threshold
[01:13:38] signature scheme, it's much harder to
[01:13:39] keep the not impossible, but much harder
[01:13:41] to keep the threshold uh secret. So, one
[01:13:44] approach to threshold signatures from
[01:13:46] hash-based signatures is actually using
[01:13:48] a SNARK. Yeah? So, everybody will
[01:13:50] generate their own key, public key.
[01:13:53] T people will sign to prove that to to
[01:13:56] indicate that T have signed, and then
[01:13:58] we'll use a SNARK to compress those T
[01:14:01] signatures into a single proof. So, some
[01:14:03] combination of SNARKs plus lattice-based
[01:14:06] signatures Hash-based. This will be
[01:14:07] hash-based.
[01:14:08] >> Oh, this is for hash-based. You have to
[01:14:09] use SNARKs, but with you had lattices,
[01:14:11] you would not. Uh okay.
[01:14:13] Let's be precise here.
[01:14:14] >> Okay. In the hash-based world,
[01:14:17] uh there are combinatorial methods to do
[01:14:18] threshold signatures. Mhm. Uh they are
[01:14:21] somewhat problematic uh be for various
[01:14:24] reasons. One of them is that the
[01:14:26] the simple constructions reveal the
[01:14:28] threshold.
[01:14:29] The other way to do threshold signatures
[01:14:31] from from hash-based methods is using a
[01:14:33] SNARK.
[01:14:34] But now you have to use a SNARK for
[01:14:36] every signature. Every signature
[01:14:37] basically involves a SNARK proof with
[01:14:40] all the baggage
[01:14:41] >> and complexity
[01:14:42] >> the baggage that goes with it. By the
[01:14:43] way, I'll say one thing when you're
[01:14:44] using a SNARK, you have to be a little
[01:14:46] careful. The SNARK by default will
[01:14:48] reveal the threshold. So, when you're
[01:14:50] implementing a SNARK-based threshold
[01:14:52] signature, it's kind of important that
[01:14:54] the threshold is committed and not
[01:14:55] available in the clear. So, the SNARK
[01:14:57] proof would have to be relative to a
[01:14:58] commitment to the threshold, not on the
[01:15:01] threshold itself. Okay, so there's a bit
[01:15:02] of a nuance in implementing the SNARK,
[01:15:04] but I want people to keep that in mind.
[01:15:06] Yeah, hiding the threshold is very
[01:15:08] important in a threshold signature for
[01:15:10] for some applications. While we're on
[01:15:12] the topic of snarks really quickly, do
[01:15:14] you have a point of view about quantum
[01:15:16] resistant snarks and what we should be
[01:15:17] doing there?
>> Yeah. That's that's actually not a
[01:15:19] problem. In fact, most of the deployed
[01:15:21] SNARKs are quantum resistant.
[01:15:22] >> Oh, okay. So, so actually that's that's
[01:15:24] not a problem. Okay. Okay. How are they
[01:15:26] quantum resistant?
[01:15:27] >> They're hash-based, basically.
>> Oh, they are? Most You're saying most
[01:15:29] SNARKs are hash-based?
[01:15:30] >> Yeah, the deployed ones not the ones
[01:15:32] that go on chain, but the deployed ones
[01:15:34] for other purposes are are are are
[01:15:36] hash-based.
[01:15:36] >> Okay. So, for that we have I would say
[01:15:39] that is not a controversial topic.
[01:15:41] >> issue. Okay. Sadly, of course,
[01:15:44] they're not as compact as the as the
[01:15:47] pre-quantum ones, but they are they are
[01:15:50] they are
[01:15:52] post-quantum because they're only based
[01:15:53] on hashes. But, let's go back to your
[01:15:55] question of hash-based signatures versus
[01:15:57] lattice-based signatures.
[01:15:58] >> [snorts]
[01:15:58] >> So, my point my first point is with
[01:16:00] lattice-based signatures, threshold a
[01:16:02] threshold mechanism is much easier than
[01:16:04] a than in a hash-based mechanism. Okay?
[01:16:07] Point number one. Okay. Point number two
[01:16:09] is lattice-based signatures have
[01:16:11] algebraic an algebraic structure, and we
[01:16:13] know that algebraic structures allow us
[01:16:16] to innovate. And even with Schnorr
[01:16:18] signatures, you know, we have adapter
[01:16:20] signatures, and we have, you know, the
[01:16:22] taproot tweaking mechanism. There's all
[01:16:24] these beautiful ideas even in a Bitcoin
[01:16:26] world. All these beautiful ideas that
[01:16:28] are based on the algebraic structure of
[01:16:31] of
[01:16:32] well, of Schnorr signatures, and and it
[01:16:35] translates to a lattice-based
[01:16:36] signatures. There's a new paper on HD
[01:16:38] wallets for lattice-based schemes. Yeah,
[01:16:41] and so the algebraic structure lets us
[01:16:43] do things that are much harder or even
[01:16:45] impossible to do with hash-based
[01:16:47] signatures. So, I would um I would say
[01:16:50] that if the community decides to go down
[01:16:53] the path of hash-based signatures, we
[01:16:55] are basically cutting off a lot of
[01:16:56] potential innovation. Yeah, cuz we're
[01:16:59] stuck with combinatorics. So, so my
[01:17:02] again, my sort of take on that, if I was
[01:17:03] going to just summarize what you just
[01:17:04] said, is basically that um
[01:17:07] uh
[01:17:08] lattice-based signatures will allow us
[01:17:10] to be able to continue to do all of
[01:17:11] these interesting technical things that
[01:17:13] we currently do with ECDSA that would
[01:17:15] not be possible if we move to hash-based
[01:17:17] schemes. So, hash-based schemes might
[01:17:19] have like a minor edge is what I'm
[01:17:21] hearing on hardness, but you just give
[01:17:23] up all this functionality, and that
[01:17:25] might be an argument to just move into
[01:17:26] lattice-based from the get.
[01:17:29] Yeah, that's that's that's that's that's
[01:17:30] a fair summary. Okay.
[01:17:31] >> Um yeah, I guess we could go with
[01:17:33] hash-based there's further nuance. If
[01:17:34] you're going to do ZK proofs on
[01:17:36] hash-based schemes,
[01:17:37] there is actually a push towards using
[01:17:40] uh
[01:17:41] hash-friendly hash hash hash functions,
[01:17:44] and that has its own kind of worms.
[01:17:46] I wonder if we're going to see any
[01:17:48] proposals, lattice-based proposals,
[01:17:50] anytime soon. I think that one of the
[01:17:51] challenges with Bitcoin is that it is
[01:17:53] the sort of like new beast. Um Okay,
[01:17:56] good, good, good. I like that you said
[01:17:57] that, so let's let's talk about now the
[01:17:59] lattice-based signatures.
[01:18:00] >> Okay. So, one thing that happened, which
[01:18:03] is really unfortunate, is the NIST
[01:18:05] competition. Well, they don't like
[01:18:06] calling it a competition. The NIST
[01:18:07] process actually happened too early.
[01:18:10] Yeah? So, they standardized
[01:18:12] lattice-based signatures before the
[01:18:14] research community had its say. Yeah?
[01:18:17] And so, as a result, ML-DSA at this
[01:18:19] point is not the best lattice algorithm
[01:18:22] lattice scheme that we have. Yeah? Also
[01:18:23] a hot take, yeah. And and NIST actually
[01:18:25] real recognizes this, and because of
[01:18:26] this, they they reopened the
[01:18:28] competition. They have this thing called
[01:18:30] additional signature schemes. And uh
[01:18:32] like the round two candidates, I can
[01:18:34] tell you there is a
[01:18:35] Well, there's one isogeny-based scheme,
[01:18:37] uh SQISign. Uh There's one lattice based
[01:18:40] scheme called Hawk in the in that
[01:18:42] competition. So, Hawk is kind of
[01:18:44] interesting. It's based on
[01:18:46] an interesting problem. It's called
[01:18:48] the lattice isomorphism problem, which
[01:18:50] is really it's quite a quite a elegant
[01:18:52] problem. I can tell you in one sentence
[01:18:54] what the problem is.
[01:18:56] I give you two isomorphic bilinear forms
[01:18:59] and I ask you find the isomorphism
[01:19:01] between them. Yeah, that's the problem.
[01:19:03] It's quite an elegant problem. It has a
[01:19:05] lot of interesting properties to it and
[01:19:07] it leads to
[01:19:09] signatures that are not even that big.
[01:19:11] Here I even
[01:19:13] >> [snorts]
[01:19:13] >> wrote it down just to make sure I get
[01:19:15] the right the right number. Do I have it
[01:19:17] here somewhere? Let's see. Yeah.
[01:19:20] Oh, yeah. Yeah. So, so yeah. So, Hawk
[01:19:23] it the higher level of security is about
[01:19:25] 1.2 kilobytes, whereas ML-DSA is even
[01:19:28] longer. Yeah, so Hawk is a much shorter
[01:19:30] signature. I love I love that all these
[01:19:32] lattice based schemes are named after
[01:19:34] birds. I think
[01:19:35] >> [laughter]
[01:19:36] >> Yeah. Hawk, Falcon, I mean, yeah. I love
[01:19:38] the bird the bird
[01:19:40] Right. Right. That's good. That's uh
[01:19:42] That's I guess one of the fun things
[01:19:44] about being in the field.
[01:19:45] Um yeah. Okay. So, so
[01:19:47] right. So, we have By the way, 1.2
[01:19:49] kilobytes is not 64 bytes, which is what
[01:19:52] we have in the pre the pre quantum
[01:19:53] world. Still quite expensive. Still
[01:19:55] quite expensive. Um so, yeah. So,
[01:19:58] anyhow, I think that's what I'll say
[01:19:59] about Oh, I'm sorry. There's one more
[01:20:01] thing that I'd like to say. There's even
[01:20:02] a recent result
[01:20:03] from Crypto 25 that shows that even if
[01:20:06] you look at ML-DSA, even ML-DSA itself
[01:20:09] can be improved and the signature size
[01:20:12] can be reduced quite dramatically to
[01:20:13] just over a kilobyte, whereas today it's
[01:20:15] much much more than that. So, just keep
[01:20:17] in mind NIST the NIST process in some
[01:20:19] sense is was done too early. I remember
[01:20:22] in the early version of BIP 360 that you
[01:20:25] are co-author of, you guys suggested
[01:20:27] ML-DSA. That was not the right thing to
[01:20:29] do. Yeah, we have better signature
[01:20:31] schemes now.
[01:20:33] Uh lattice-based signature schemes that
[01:20:34] would be better alternatives.
[01:20:35] >> And the ones that it sounds like the
[01:20:37] Hawk is your favorite.
[01:20:39] Well, Hawk is on like I said, it's
[01:20:41] one it's one of the round two NIST
[01:20:43] candidates. And you know, the Bitcoin
[01:20:45] world seems to be in love with NIST
[01:20:46] standards. And so that one could be on a
[01:20:49] track to become a NIST standard. And so
[01:20:51] Just the Bitcoin world Is it mostly the
[01:20:53] Bitcoin world that loves NIST standards?
[01:20:55] It's not everyone who loves NIST
[01:20:56] standards? Uh
[01:20:58] >> That's not a global point of view? Okay,
[01:21:00] well, fair.
[01:21:01] >> [laughter]
[01:21:01] >> I I I would say the Ethereum world is
[01:21:03] much more open. I mean, Ethereum uses
[01:21:05] BLS. Ethereum uses uh pairings much more
[01:21:08] aggressively. And so I would say other
[01:21:10] blockchains are much more open to to
[01:21:12] more modern systems.
[01:21:13] >> Would you consider like Shrimp Shrinks
[01:21:15] like a modern system? Like a custom
[01:21:17] system? Or Yeah, yeah. You would. Yeah,
[01:21:19] yeah, for sure. That's not a NIST
[01:21:21] standard. So actually, you know what?
[01:21:22] Thank you very much. I guess you just
[01:21:24] you just uh gave me a contrary example.
[01:21:26] >> [laughter]
[01:21:26] >> Well, but Shrinks has not been adopted
[01:21:28] by the Bitcoin community yet. It's just
[01:21:29] a proposal. That's true. So
[01:21:31] >> At the same time, I would say that
[01:21:33] >> are they seem to be leading in the court
[01:21:34] of public opinion at the moment. Yeah.
[01:21:37] And also
[01:21:37] >> of view as far as hash-based schemes go?
[01:21:39] What's your point of view on Shrinks and
[01:21:40] Shrimps? Yeah, yeah, yeah. So with
[01:21:42] hash-based schemes, I guess the the um
[01:21:47] I mean, the at the end of the day, you
[01:21:48] can prove that the scheme is as secure
[01:21:50] as the underlying hash function. Yeah,
[01:21:53] and so as long as you trust SHA-256,
[01:21:55] >> Right. the scheme is secure. There's
[01:21:57] nothing to debate. Right. That's sort of
[01:21:59] what I was thinking is it's like, well,
[01:22:00] it's based on hashes, which I think is
[01:22:01] like the key thing. So that's why people
[01:22:04] are not terribly worried about
[01:22:05] >> So so in some sense, the fact that it
[01:22:07] deviates from the NIST standard is not
[01:22:09] that important because we actually can
[01:22:10] prove it's as secure as the NIST
[01:22:12] standard cuz it's based on it's still
[01:22:14] based on SHA-256.
[01:22:16] Um so from a security point of view, the
[01:22:18] I don't there's not any problem. It's
[01:22:20] perfectly fine. I My my argument is um
[01:22:24] look, sure, if you want to use
[01:22:26] hash-based signatures, use hash-based
[01:22:28] signatures. My argument is it's going to
[01:22:30] stifle a lot of upcoming innovation in
[01:22:33] that um you know, threshold signatures,
[01:22:36] adapter signatures, how do we do
[01:22:38] distributed key generation? I mean, all
[01:22:40] there's like a lot of questions that are
[01:22:42] solvable when we have an algebraic
[01:22:44] structure and are much harder when we
[01:22:46] don't.
[01:22:46] >> And those things actually do have
[01:22:48] security implications. Um like when you
[01:22:50] talk about key management, those kinds
[01:22:52] of things. I mean, these are not um this
[01:22:53] is not just like innovation in the like
[01:22:55] layer two sense or something like that.
[01:22:57] It's like this is critical for like
[01:22:59] custody and issues of that nature.
[01:23:00] >> So, for example for example, if you're
[01:23:02] going to do threshold signatures from
[01:23:03] hash-based schemes using a SNARK,
[01:23:05] well, now all of a sudden the Bitcoin
[01:23:08] network has to be able to verify SNARKs.
[01:23:10] Yeah, so now you've introduced this huge
[01:23:13] complexity into the Bitcoin network.
[01:23:15] Yeah.
[01:23:15] >> Speaking of SNARKs and kind of circling
[01:23:17] back into zero-knowledge proofs, where
[01:23:19] do you see zero-knowledge proofs? I
[01:23:20] mean, you gave one example of how
[01:23:21] zero-knowledge proofs could be useful in
[01:23:23] this sort of quantum hardening process.
[01:23:26] Um they've also obviously come up in the
[01:23:28] conversation about Satoshi's coins and
[01:23:31] quantum vulnerable coins. I think that
[01:23:32] this is a proposal that people are
[01:23:34] thinking about is, you know, again,
[01:23:35] first like burn don't burn, but if we do
[01:23:37] burn, can we do retrieval with
[01:23:39] zero-knowledge proofs? Um I'm curious if
[01:23:42] you could
[01:23:42] >> Oh, yeah, of course.
[01:23:43] Oh, of course.
[01:23:44] >> As usual, there's lots to say.
[01:23:46] >> [snorts]
[01:23:46] >> Um right, so I guess BIP 31 BIP 361 came
[01:23:50] out.
[01:23:51] >> Yep, Jameson Lopp. Yes, exactly. So, I
[01:23:53] mean, let's just review the proposal.
[01:23:54] The proposal is uh disallow transfers
[01:23:58] into non-post-quantum scripts
[01:24:00] >> Mhm. two years after the proposal is
[01:24:03] adopted, uh revoke all uh
[01:24:06] non-post-quantum UTXOs.
[01:24:08] >> So, deprecate all quantum vulnerable
[01:24:10] UTXOs. And then the third phase is if
[01:24:14] somebody complains that they lost their
[01:24:16] funds as a result, then there's a backup
[01:24:19] uh process through a ZK proof of a BIP
[01:24:22] 32 seed phrase.
[01:24:23] >> And this would only be usable, I think
[01:24:25] people often point this out is that that
[01:24:27] would only be possible with addresses
[01:24:29] that that are have seed phrases, right?
[01:24:32] Yeah, I think it's good to remember BIP
[01:24:33] 32 is 2012. Right. So any address before
[01:24:38] 2012 by definition does not is not BIP
[01:24:40] 32. Even after 2012, you know, the
[01:24:43] Bitcoin world is the wild west. So what
[01:24:46] wallets don't have to use BIP 32. What
[01:24:48] wallets can do seed phrase to to secret
[01:24:51] key generation however they want. And so
[01:24:54] people who didn't use BIP 32
[01:24:56] there's an issue.
[01:24:57] There's other issues that I wanted to
[01:24:59] bring up. So
[01:25:00] technically the way seed phrases work is
[01:25:02] they use BIP 39 to hash and then they
[01:25:05] use BIP 32 to do key derivation. Yes?
[01:25:08] I'm with you. Familiar with this.
[01:25:11] BIP 39 is very ZK unfriendly. Yeah, so
[01:25:14] BIP BIP 39 uses PBKDF2. So it if I
[01:25:18] remember correctly, it does 2000
[01:25:20] iterations of SHA-256. So that is very
[01:25:22] ZK unfriendly. Interesting. Cuz now you
[01:25:24] have to do 2000 prove 2000 iterations of
[01:25:27] SHA-256, which is kind of hard for a
[01:25:29] prover to do.
[01:25:30] But fortunately the two are are nicely
[01:25:33] segmented. Yeah, so you do 2000
[01:25:36] iterations to get to somewhere and then
[01:25:39] from that point on you just use HMAC to
[01:25:41] derive your secret keys. So
[01:25:45] the ZK proofs really only need to apply
[01:25:47] to the second step, the one that's only
[01:25:49] using HMAC. So that was actually quite
[01:25:51] lucky that we don't keep using
[01:25:53] PBKDF2 throughout key derivation.
[01:25:56] And so in principle when we talk about
[01:25:59] proving seed knowledge, it's not really
[01:26:02] proof knowledge of the seed phrase. It's
[01:26:03] proof of knowledge of what comes out of
[01:26:05] PBKDF2. So just to be precise. Okay.
[01:26:09] Yeah, and that actually seems like a
[01:26:10] like a
[01:26:12] uh
[01:26:12] a good backup to go. The one thing I
[01:26:15] would be a little worried about is the
[01:26:16] BIP 361 two-year proposal. So,
[01:26:20] effectively, we'll be giving people 2
[01:26:22] years to transition.
[01:26:23] That seems a little short.
[01:26:25] >> That's too tight, in your opinion. What
[01:26:27] would you like to see there? How much
[01:26:29] time would you like to give people
[01:26:30] >> Good, good, good. So, so optimism, for
[01:26:31] example, they announced
[01:26:33] uh 2035 as the deprecation dates. And to
[01:26:36] me, that Way more reasonable.
[01:26:38] >> Yeah, that seems like a gives people a
[01:26:39] lot of time, and so But but that, you
[01:26:41] know, again, there's always this
[01:26:42] argument, like, well, what if the
[01:26:44] quantum computer arises in 2029? Um I
[01:26:47] mean, that seems to be I mean, you hear,
[01:26:49] you know, it depends on sort of like how
[01:26:50] prepared we want to be relative to the
[01:26:52] risk associated. You think 2035 is
[01:26:55] It seems seems seems reasonable. And the
[01:26:57] interesting thing is
[01:26:58] um
[01:26:59] there there are proposals There are some
[01:27:01] other proposals that I find really
[01:27:03] intriguing. So, the one that I, for
[01:27:05] example, really like is this proposal of
[01:27:08] uh you know, commit, delay, reveal.
[01:27:10] Tash. Tash's proposal. I really I forgot
[01:27:12] what that's called, but
[01:27:13] >> Well, he he has a nickname for it called
[01:27:15] lifeboat. I actually had him on the
[01:27:17] show, and he talked about Oh, yeah,
[01:27:18] yeah. Oh, is that right? I see. Yeah,
[01:27:19] yeah. Um Yeah, I think that's a pretty
[01:27:21] interesting proposal. So, basically,
[01:27:22] what happens there is uh we use the fact
[01:27:25] that the hash of your public key is on
[01:27:26] chain, and the actual public key becomes
[01:27:29] the secret. Yeah, and so
[01:27:31] >> you can't move coins quite as quickly,
[01:27:33] but it's like a nice little backup plan,
[01:27:35] and it's relatively unobtrusive.
[01:27:37] Exactly, exactly. So, I thought that
[01:27:39] that was uh that was pretty pretty
[01:27:41] clever. I guess there's now uh a new
[01:27:43] proposal for for uh using Bitcoin script
[01:27:46] to even implement some post-quantum
[01:27:48] schemes, but uh those are a bit more
[01:27:50] painful. Um but the the uh but even
[01:27:53] working out I mean, I wish someone would
[01:27:55] actually literally work out all the
[01:27:57] details of commit, delay, reveal.
[01:27:59] There's a lot of interesting questions
[01:28:01] there. When you You have to post a
[01:28:03] commitment to your transaction on chain
[01:28:06] uh ahead of time. Well, who pays for
[01:28:07] that? How do you pay for that? Right?
[01:28:09] You You don't have any All your UTXOs
[01:28:10] are are locked. So, how do you How do
[01:28:12] you pay for that? Um And so, one one
[01:28:15] proposal is, you know, maybe you go to
[01:28:17] Coinbase and Coinbase creates like a $1
[01:28:19] UTXO for you that you can just pay for
[01:28:22] posting your commitments
[01:28:24] uh is one is one option. Um and so,
[01:28:27] there's a lot of mechanics to go into
[01:28:29] making that work. And so, I wish
[01:28:31] somebody would actually flesh that out
[01:28:33] completely. Just to
[01:28:35] close the loop on the Satoshi's
[01:28:36] conversation, you said we we have, you
[01:28:38] know, a solution to how people can
[01:28:40] retrieve their coins if, you know, coins
[01:28:42] are deprecated, you know, quantum
[01:28:43] vulnerable coins are deprecated as long
[01:28:45] as those addresses were created
[01:28:46] post-2012 and people obviously have
[01:28:48] access to their seed phrases. Um there
[01:28:50] are, I think, almost close to 2 million
[01:28:53] coins in total, but probably not that
[01:28:55] many actually active users or actual key
[01:28:59] holders in the category of, you know,
[01:29:01] the Satoshi's proper Satoshi's coins
[01:29:03] category where we don't have seed
[01:29:05] phrases and that wouldn't be possible.
[01:29:07] Do you have sort of an ethical or sort
[01:29:09] of a philosophical point of view about
[01:29:11] how we should handle, you know,
[01:29:13] potentially depreciating coins where
[01:29:15] retrieval might not be possible? Yeah,
[01:29:17] yeah, I think that's a that's a great
[01:29:19] question. Um
[01:29:20] So, let's let's play this out. I think
[01:29:23] it's pretty clear how things are going
[01:29:24] to go. And so, um
[01:29:27] this question of what to do about
[01:29:28] abandoned assets
[01:29:30] um is one that will probably will cause
[01:29:34] a lot of arguments and contention in the
[01:29:36] community.
[01:29:37] And I don't think there there there's no
[01:29:39] right or wrong. And so, I think there's
[01:29:41] a quite a good possibility that the
[01:29:43] community will not reach agreement. What
[01:29:46] happens in Bitcoin when the community
[01:29:47] does not reach agreements? We've been to
[01:29:49] this movie before.
[01:29:50] Yes. The F-word. The F-word, which we
[01:29:53] which we don't want to say.
[01:29:54] Right. Now, okay, fine. So, let's play
[01:29:57] this out. Suppose Bitcoin forks and in
[01:29:59] one fork they're deprecated and the
[01:30:01] other fork they're not deprecated.
[01:30:03] The question is which fork will survive?
[01:30:06] Well, that depends on the asset holders.
[01:30:09] Which fork did they decide to use? And
[01:30:11] which fork do you think the asset
[01:30:12] holders will end up using? Obviously,
[01:30:14] the one with burned coins.
[01:30:15] >> Obviously, the ones with burned coins
[01:30:17] because then their coins are worth more.
[01:30:19] And so, it's
[01:30:21] Substantively more. Yeah.
[01:30:22] >> [laughter]
[01:30:22] >> Yeah, exactly. So, it's kind of clear
[01:30:24] that the fork that does deprecate is the
[01:30:26] one that will survive.
[01:30:27] >> The economic incentives are just going
[01:30:29] to be what they're going to be. It's
[01:30:29] like, why are we even having this
[01:30:30] discussion? And so, my my my question to
[01:30:33] the community then is if we can kind of
[01:30:35] play this game in our heads, and it's
[01:30:37] pretty clear what the outcome is going
[01:30:38] to be, why do we have to play the game?
[01:30:40] Right. Like, why fork, which will be
[01:30:42] very painful, if the outcome is like
[01:30:45] pretty much, you know, kind of written
[01:30:47] on the wall? Yeah. Right. So, I think
[01:30:49] we're kind of in agreement. [laughter]
[01:30:50] >> We're on the same page. Yeah.
[01:30:52] I'm like, let's do this the easier,
[01:30:54] softer way, guys. Yeah. Um is sort of my
[01:30:56] point of view. Okay, interesting.
[01:30:58] >> Yeah, so that that that's my argument.
[01:30:59] Again, other people can have other
[01:31:00] arguments, uh but that that seems to be
[01:31:04] like how how things will will will play
[01:31:06] out. And so, if we know how they're
[01:31:07] going to play out, why do we need to
[01:31:09] play the game? Fair enough. I'm with
[01:31:12] you.
[01:31:13] Um this has been a super interesting
[01:31:15] conversation. I'm just checking the
[01:31:17] time. No, I think right now, well, we've
[01:31:18] got we had I had a feeling There's, by
[01:31:20] the way, there's a million other things
[01:31:21] I would love to talk about.
[01:31:22] >> So much we could talk about. Um maybe
[01:31:25] we'll do a part two on my next trip.
[01:31:27] But, um is there anything like major
[01:31:30] that you feel like we didn't cover that
[01:31:33] you want to make sure that we cover
[01:31:34] while we have like a few extra minutes
[01:31:35] to spare? Yeah, maybe I can just in 1
[01:31:37] minute I'll say,
[01:31:39] look, there are so many exciting
[01:31:41] cryptographic questions in the
[01:31:42] blockchain space, in Bitcoin, in
[01:31:44] Ethereum, and all these all these uh
[01:31:46] blockchains. Maybe I'll just mention
[01:31:48] things that I'm really interested in
[01:31:49] now, and stuff that we're working on.
[01:31:51] So, one question that I find really
[01:31:54] fascinating is this question of
[01:31:55] encrypted mempools.
[01:31:57] And the reason we want to have an
[01:31:58] encrypted mempool, of course, is to
[01:32:00] prevent MEV, right? So, the point is, I
[01:32:02] submit my transaction encrypted.
[01:32:04] It only gets decrypted after uh after
[01:32:07] it's finalized on chain. So, basically,
[01:32:10] it prevents front running, right? Or
[01:32:11] >> Prevents Oh, not prevents, but makes it
[01:32:13] harder to do front running. It turns out
[01:32:14] with spamming, you can still front run,
[01:32:16] but it's harder. Which is just sort of
[01:32:17] in Ethereum land again, cuz most of my,
[01:32:20] you know, audience are Bitcoiners. In
[01:32:21] Ethereum land, that's just the way
[01:32:22] things are. Future, right? Like, MEV is
[01:32:25] just like a normal part of life, and
[01:32:27] there are just, you know, economics that
[01:32:28] sort of just play out around MEV as an
[01:32:30] inevitable. Bitcoiners are obviously
[01:32:33] terrified of MEV coming to Bitcoin with
[01:32:35] layer twos and and meta protocols, etc.
[01:32:38] By By the way, quantum computers might
[01:32:40] cause MEV to happen because there's an
[01:32:42] incentive
[01:32:44] uh maybe I'll just explain
[01:32:45] >> Like a reorg incentive?
[01:32:46] >> incentive. Once you put Once you your
[01:32:48] transaction is posted, now you revealed
[01:32:50] your public key, and now there's an
[01:32:52] incentive to reorg your to reorg the
[01:32:54] chain so that someone could actually
[01:32:55] exploit your public key. So, it could be
[01:32:57] that it's oddly enough, quantum actually
[01:32:59] might cause MEV MEV to happen. This is
[01:33:02] another big topic that I don't think
[01:33:03] people are talking about enough um and
[01:33:05] that I hope people are talking uh start
[01:33:07] talking about more.
[01:33:08] >> hope is that by the time Q-Day happens,
[01:33:10] Bitcoin will have already transitioned.
[01:33:12] Uh and so, this will not be an issue,
[01:33:13] but if it is if it does come up, then
[01:33:15] then people do need to worry about uh
[01:33:17] the reorg reorg issue. Well, anyway, so
[01:33:20] it's a So, in the question of of
[01:33:21] encrypted mempools,
[01:33:22] it that raises so many beautiful
[01:33:25] cryptography questions. Maybe I'll
[01:33:26] mention just a few very very briefly.
[01:33:28] So, the idea is again, we're going to
[01:33:29] we're going to split the decryption key
[01:33:32] across the validators or miners,
[01:33:34] whatever you want to call them. Um and
[01:33:35] so, we're kind of doing threshold
[01:33:36] decryption now. Threshold decryption is
[01:33:38] an old topic that's been studied, you
[01:33:40] know, I've written many papers on it.
[01:33:41] It's been studied for 40 years now.
[01:33:44] Turns out, because of encrypted mempool,
[01:33:45] all of a sudden, all these new questions
[01:33:47] in this 40-year-old area are coming up
[01:33:50] that nobody has ever asked thought to
[01:33:51] ask before. Yeah? Like, can I For For
[01:33:54] Yeah, for example, there's this uh
[01:33:56] question like, if suppose I have
[01:33:58] [snorts] a block of transactions.
[01:34:00] So I have a bunch of transactions in a
[01:34:02] mempool, a subset of them go into the
[01:34:04] block. I want to decrypt only that
[01:34:06] subset.
[01:34:07] The naive thing to do is to go and
[01:34:09] decrypt them one by one. But that means
[01:34:11] that I have to now post decryption
[01:34:13] shares for each one of those
[01:34:15] transactions and it's a lot of data
[01:34:17] that's going to go on chain. Yeah.
[01:34:19] A much better way to do things is to do
[01:34:21] what's called batch decryption. I have a
[01:34:23] a set of I don't know n transactions and
[01:34:26] I want to decrypt a subset of those
[01:34:28] transactions. That's called a batch
[01:34:30] decryption. What I will do is or what
[01:34:32] the miners or validators will do is
[01:34:34] they'll
[01:34:35] they'll publish
[01:34:37] a secret key that will decrypt a short
[01:34:39] secret key that will decrypt the
[01:34:40] transactions in a block and no no other
[01:34:43] transactions. Yeah.
[01:34:45] So this is now called batch threshold
[01:34:46] decryption. Super active area of
[01:34:49] research that's purely motivated by this
[01:34:51] question of encrypted mempools.
[01:34:53] >> Would you in that example just so that I
[01:34:55] can wrap my brain around this cuz this
[01:34:56] is a totally new idea for me. Would you
[01:34:58] theoretically be choosing what to
[01:35:00] decrypt based on fees?
[01:35:03] No, no, it's based on what's what the
[01:35:04] block proposer proposes. Yeah, so
[01:35:07] whoever builds the block
[01:35:08] >> but in Bitcoin, you're building blocks
[01:35:11] ostensibly based on fees, right? Sure,
[01:35:13] sure, sure.
[01:35:14] Those
[01:35:15] in some sense those things are
[01:35:16] orthogonal. You build your block however
[01:35:18] you want to. Okay.
[01:35:19] >> is they will
[01:35:20] >> would be public information. Like that's
[01:35:22] not something that would be encrypted.
[01:35:24] And you know
[01:35:25] >> Exactly. The reason I'm asking this to
[01:35:26] get to the point is like would you not
[01:35:28] be able to guess the value of the
[01:35:30] underlying transaction based on the fees
[01:35:32] that are being paid to execute them? So
[01:35:34] the fees might actually be public. What
[01:35:36] the what the transactions do is what's
[01:35:39] what's being hidden. Right.
[01:35:41] >> Yeah.
[01:35:41] >> But couldn't you potentially,
[01:35:43] if somebody's paying a huge amount
[01:35:45] of fees to get a transaction in, you might
[01:35:46] think that's a really valuable
[01:35:47] transaction. I bet that's the one
[01:35:49] that I
[01:35:50] >> A great question. What you're
[01:35:51] asking is, do encrypted mempools
[01:35:54] solve the problem completely?
[01:35:56] Right, like you're still going to have, if
[01:35:58] you know what the fees are, you're kind
[01:35:59] of going to be able to guess which
[01:36:00] transactions are more valuable anyway.
[01:36:03] Absolutely. So encrypted mempools
[01:36:04] don't completely solve the MEV problem.
[01:36:06] I'm the first to admit that.
[01:36:08] But they're a step in the right
[01:36:10] direction. This is one of these
[01:36:11] situations where you don't want perfect
[01:36:13] to be the enemy of the good.
[01:36:14] >> Fair enough. Yeah.
[01:36:15] >> [laughter]
[01:36:15] >> So they're a step in the right
[01:36:16] direction. Once we have encrypted
[01:36:18] mempools we can do lots of other things
[01:36:20] to solve other MEV questions.
[01:36:23] Fair enough. But the question is, how
[01:36:24] do we implement these encrypted
[01:36:25] mempools? And I could go on and on. So
[01:36:27] batch decryption is one. Maybe I'll just
[01:36:28] say the words. Batch decryption is a new
[01:36:30] problem that we have to work on. That's
[01:36:32] a pretty thriving area of research.
[01:36:34] It turns out there's something called a
[01:36:35] decryption context that comes up in the
[01:36:37] context of
[01:36:39] encrypted mempools. Something that's
[01:36:41] very natural once you say it but nobody
[01:36:43] thought of saying it until blockchain
[01:36:46] said we want to do encrypted mempools.
[01:36:48] And finally the third one
[01:36:49] that's really fascinating is, well, once
[01:36:52] you have
[01:36:53] an encrypted mempool,
[01:36:55] the searchers, you know, the guys that are
[01:36:56] trying to front-run people, they could
[01:36:59] go to the miners and say, hey, sell
[01:37:01] us your decryption key. We'll pay you
[01:37:03] such and such if you sell us your
[01:37:04] decryption key.
[01:37:06] And the miners could sell the
[01:37:08] decryption key and nobody would ever know
[01:37:09] that that actually happened. Yeah. So
[01:37:11] what we're working on is what's called
[01:37:13] traceable threshold decryption, where if
[01:37:15] you sell your secret key I can actually
[01:37:18] figure out that it's you
[01:37:20] who did it, and then you can
[01:37:21] be slashed in some way.
[01:37:22] >> Who are you working on this with?
[01:37:24] So first of all I should say this
[01:37:26] has now become a pretty active area of
[01:37:28] research in the community.
[01:37:31] Of course I work with my students and my
[01:37:32] collaborators. Okay. So there are several
[01:37:35] people working on this.
[01:37:36] This is a major topic.
[01:37:37] >> There's
[01:37:38] I would say by now there are
[01:37:40] probably a dozen papers on these three
[01:37:41] questions.
[01:37:42] >> And most of the research I presume is
[01:37:43] happening more on the Ethereum front but
[01:37:44] it would have implications for Bitcoin.
[01:37:46] Yes yes absolutely Absolutely.
[01:37:48] Interesting.
[01:37:49] >> So, that's one example in cryptonimals,
[01:37:50] super exciting, super fascinating from
[01:37:52] for a cryptographer like me. This is
[01:37:54] again why I love the space so much.
[01:37:56] >> Always new problems to solve, always new
[01:37:58] areas of research to execute.
[01:38:01] >> In the area of zero-knowledge proofs,
[01:38:03] there's a ton happening, both in better
[01:38:05] proofs
[01:38:07] and new applications. I could go on and
[01:38:08] on and on about applications of zero-
[01:38:10] knowledge proofs. Okay. And finally, I
[01:38:11] will say even in the area of threshold
[01:38:14] Schnorr signatures, there are a lot of
[01:38:16] interesting ideas. I'll just throw out
[01:38:17] one concept, something called an
[01:38:19] exponent VRF, EVRF, which is something
[01:38:22] that we worked on that
[01:38:23] potentially can improve threshold
[01:38:25] Schnorr. Hopefully, people can look it
[01:38:27] up and see what that's
[01:38:28] about.
[01:38:28] >> Awesome. Well, I have one final
[01:38:31] question. This is our final
[01:38:32] question, which will be, um,
[01:38:35] you know, just kind of wrapping up in
[01:38:37] summary the quantum conversation. I
[01:38:38] think, you know, there are some folks
[01:38:40] out there who are just bearish. You've
[01:38:42] mentioned several times that this
[01:38:44] is going to be a painful transition. And
[01:38:45] there are people out there who are just
[01:38:46] bearish that Bitcoin can even survive
[01:38:48] it.
[01:38:49] Are you optimistic that Bitcoin will
[01:38:51] solve it? Why or why not?
[01:38:54] Um, I am totally optimistic that Bitcoin
[01:38:56] will solve it. It's insane to
[01:38:58] say that Bitcoin will not solve the
[01:38:59] quantum problem.
[01:39:00] >> It is? Is that how you feel? That is
[01:39:01] insane. Of course Bitcoin will survive
[01:39:03] it, and of course Bitcoin will
[01:39:05] solve it. Um, okay. So
[01:39:07] that goes without saying.
[01:39:08] >> you that confidence? What do you want to
[01:39:10] give to
[01:39:10] >> We know where to go. We
[01:39:12] need to move to, you know, post-quantum
[01:39:14] addresses, post-quantum signatures. We
[01:39:15] know where to go.
[01:39:16] Uh
[01:39:17] The only, you know, everything we've
[01:39:19] been discussing in this podcast
[01:39:22] is really just kind of technical nuances
[01:39:24] of exactly what you should do. But the
[01:39:27] big picture is very well known. We know
[01:39:29] what to do. So anyone who is worried
[01:39:33] that quantum is going to affect the
[01:39:34] security of blockchains
[01:39:36] is wrong. Overly paranoid, basically, or
[01:39:40] just
[01:39:41] >> The post-quantum technology exists. You
[01:39:43] know, I guess it's
[01:39:45] actually the fact that we're even having
[01:39:46] this conversation says we have many
[01:39:49] solutions and we're just debating which
[01:39:51] path to take in order to solve the
[01:39:53] problem. But this
[01:39:55] will definitely get solved and
[01:39:57] the blockchains will survive.
[01:39:58] >> Do you have a message that you want to
[01:39:59] communicate to the developers and
[01:40:02] builders that are actually trying to
[01:40:04] solve this? Like something you want the
[01:40:05] builders and developers to remember?
[01:40:07] Yes, actually two sentences. Okay. The
[01:40:09] first one I've already said, which is
[01:40:11] don't panic. Okay.
[01:40:12] >> But, don't ignore. Okay. The other one
[01:40:14] is if you try to aggressively move to a
[01:40:17] post-quantum architecture,
[01:40:19] like for example by 2029, I think that
[01:40:22] would be a mistake for the blockchain. I
[01:40:23] think we need to take our time.
[01:40:25] And the reason is that a hasty
[01:40:28] transition to post-quantum, in my mind,
[01:40:30] is more likely to cause a catastrophic
[01:40:34] bug
[01:40:35] than it is to, that is, it's a, you
[01:40:38] know, higher probability that we'll end
[01:40:40] up with a catastrophic bug than that we'll be
[01:40:42] attacked by a quantum computer. On that
[01:40:44] note, would you support a BIP 361 that
[01:40:47] just had longer timelines for migration?
[01:40:49] Like, is your primary criticism of BIP
[01:40:51] 361 that the timeline's just too
[01:40:53] compressed for migration?
[01:40:55] Yeah, I think there are
[01:40:58] a bunch of elements missing from BIP 361
[01:41:00] because BIP 361 doesn't specify
[01:41:04] post-quantum signatures. So there are a
[01:41:06] bunch of elements missing from BIP 361.
[01:41:07] I wish it was a more complete proposal.
[01:41:10] Well, I I think that the proposals will
[01:41:11] ultimately, and we kind of talked about
[01:41:13] this earlier, will be more modular,
[01:41:14] right? Like BIP 361's kind of addressing
[01:41:16] the Satoshi's coins issues specifically
[01:41:18] and I think there will be like separate
[01:41:20] BIPs for, you know, signature schemes
[01:41:22] and P2 BIP 361 paid and work or root,
[01:41:25] etc. I mean, do you, yeah, that's
[01:41:27] the right path. You think that is the
[01:41:28] right path? The modular approach? Yes,
[01:41:31] yes, of course. And we need to be, like
[01:41:32] I said, we should take our time. We
[01:41:34] shouldn't rush.
[01:41:35] Um, uh, we should debate these
[01:41:37] things, and again my opinion is we have
[01:41:39] time.
[01:41:40] Uh, not forever, but we have
[01:41:43] the time.
[01:41:44] Uh, we should decide on a plan
[01:41:46] of action. We should
[01:41:48] agree
[01:41:49] by a reasonable point on what to do and
[01:41:51] then it's just a matter of executing and
[01:41:53] then waiting for people to transition
[01:41:55] and then deprecating.
[01:41:56] >> When would you like to see a plan
[01:41:59] given how much time you assume it will
[01:42:01] take to actually execute that kind of
[01:42:03] plan? Oh my god.
[01:42:04] >> [laughter]
[01:42:05] >> Like what's the timeline to just have a
[01:42:06] plan?
[01:42:06] >> Oh, I see. I see.
[01:42:08] Um, you know, uh, you know, I'm going to
[01:42:11] play the academic card
[01:42:13] here. I don't know.
[01:42:15] Uh, um, that is really up to the
[01:42:17] community. The one thing that worries me
[01:42:19] a little bit is there's some quantum
[01:42:22] fatigue among Bitcoin Core. It's been
[01:42:25] discussed so much that people are a
[01:42:28] little bit tired of talking about it.
[01:42:30] >> Mhm. Yeah.
[01:42:32] And I don't think that's the right
[01:42:33] attitude. Yeah, we do need to kind of
[01:42:36] decide on a plan.
[01:42:37] Um, [snorts]
[01:42:38] look, hopefully the community can come
[01:42:40] together on a plan. Let's, you
[01:42:42] know, more BIPs. Let's put things in
[01:42:45] writing, right? Let's kind of,
[01:42:47] instead of it just being informal
[01:42:48] conversations and blog posts, let's put
[01:42:50] things in writing. I thought BIP 360 was
[01:42:52] a step in the right direction.
[01:42:54] Uh, I thought BIP 361, the fact that
[01:42:57] they even wrote that, is a step in the
[01:42:59] right direction.
[01:43:00] Let's have more of that. Um,
[01:43:03] you know, then the question of whether
[01:43:04] to deploy or not, hopefully, you know,
[01:43:06] that can be resolved by the end of the
[01:43:08] decade.
[01:43:09] And then we'll have the time, then we'll
[01:43:11] allocate the time to transition. Sounds
[01:43:12] like you're saying by end of the decade
[01:43:14] we should have a pretty clear plan and
[01:43:15] execution should be underway by 2030. At
[01:43:19] the latest. Yeah.
[01:43:22] Fair enough.
[01:43:23] Dan, thank you so much for coming on.
[01:43:24] This was great. I know there are so many
[01:43:26] people who are curious to hear your
[01:43:27] thoughts on this very topic. So I
[01:43:29] really, really appreciate you sharing all
[01:43:31] of this with us, and
[01:43:33] yeah, anything in particular? I know you
[01:43:35] had mentioned a couple of things you want
[01:43:36] to make sure people Google or ChatGPT
[01:43:38] afterwards.
[01:43:39] Anything in particular you want to make
[01:43:41] sure people, or that you want to
[01:43:42] encourage people to just take a look at?
[01:43:44] Yeah, I think we covered it during
[01:43:46] the hour.
[01:43:47] I would say again, thank you so much
[01:43:49] for running this podcast. I think it's a
[01:43:51] great service for the Bitcoin community.
[01:43:53] Thank you, and yeah, it's fun to have
[01:43:54] this technical conversation. Awesome,
[01:43:56] thank you. Thanks, Dan. Yeah, my pleasure.
