Read_913 - The Quantum Threat to Bitcoin

November 08, 2025 00:57:30
Bitcoin Audible

Hosted By

Guy Swann

Show Notes

I dive into the Human Rights Foundation's look at Bitcoin's quantum vulnerability: what's real, what's hype, and what it would take to truly secure the network. Then I unpack the social and technical chaos such a shift would demand, from wallet redesigns to the moral question of whether "fixing" the past would break Bitcoin's principles.

Links Mentioned

Check out the original article, The Quantum Threat to Bitcoin by HRF (Link: https://hrf.org/latest/the-quantum-threat-to-bitcoin/)


Episode Transcript

[00:00:00] At the outset of the summit, 25% of attendees were unsure whether quantum computers would ever pose a meaningful threat, according to an event poll. But after two days of intensive discussion, the share of attendees who remained uncertain dropped to just 8%. The share of respondents who believed quantum computers would arrive in the next five to 20 years jumped by 20%, from 49 to 69%. [00:00:27] These shifting perspectives reflect a growing consensus that while the timing and feasibility of quantum attacks remains uncertain, the threat deserves proactive and serious consideration today. The best in Bitcoin, made audible. I am Guy Swann, and this is Bitcoin Audible. What is up, guys? Welcome back to Bitcoin Audible. I am Guy Swann, the guy who has read more about Bitcoin than anybody else you know. This show is brought to you by Ledn, Ledn IO. They do bitcoin backed loans. It is a great option for getting fiat out of your bitcoin without actually having to sell it. Look into the details, check them out. There's a special link for you down in the show notes for the discount and to let them know that I sent you. We are also brought to you by Pubky and the team over at Synonym and the incredible tools that they are building: Pkarr and Pkdns, a literal stack for re-decentralizing the web. And I still wish I could log into every website exactly like Pubky Ring. I don't know why this isn't the norm yet, because it just makes so much sense. Also we have Chroma. These guys make light designed for humans. I've got a Skylight Mini. I use this thing both as a bright white studio light and as an amber night light for when I'm reading a book and putting my son to bed, because it works on a battery. So I can just kind of take it off and take it with me and do stuff and go set it back up. It is a really cool little light. Chroma does light designed for human health. 10% discount with code Bitcoin Audible.
And lastly, the Human Rights Foundation. They've got tickets for the Oslo Freedom Forum, June 1st to 3rd next year. And they also have the Financial Freedom Report, which is a fantastic newsletter. And also, just in general, they have... actually, this episode, today's episode, is a piece by the HRF. So this is about the quantum threat to Bitcoin, but a shout out to the HRF for their awesome work. Okay, so this is about quantum again, and they had the Presidio Quantum Summit, and anybody who's been following the show on this one, I keep going back and forth, but I still think this is such an important thing to keep revisiting. And I talk about this a lot at the end, but the asymmetric... and maybe I'll write an article about this to really kind of get my thoughts out on it. But the asymmetry of this problem is too great to ignore, because if I'm wrong about kind of where I am on the level of concern right now about it, the cost is literally the destruction of Bitcoin. Like, we're talking about something that would fully undermine everything about why and how Bitcoin works and all of our tools and hardware for interacting with it. And this is actually something that was... there's a whole part of the perspective that the Human Rights Foundation, whoever the specific author of this piece was, brought up in the article that I had not quite thought about, which is that this isn't really just about the signatures. This isn't just about the tech. [00:03:57] There's so many other things. In fact, that's probably one of the easiest parts about making this transition. And when I got to that point, I was just like, we should probably cover this on the show because I don't think this part of the discussion has been focused on enough. So that'll be enough of a lead in and we will go ahead and get into today's article, and it's titled The Quantum Threat to Bitcoin by the Human Rights Foundation.
[00:04:28] Bitcoin is a financial lifeline for dissidents resisting authoritarian regimes. [00:04:35] The rise of cryptographically relevant quantum computers, or CRQCs, with the ability to crack Bitcoin's underlying cryptography could threaten the network's security foundations. [00:04:48] This month, a team of Google researchers published findings that represent a quantum computing breakthrough. An algorithm enabled a quantum computer to carry out operations 13,000 times faster than a classical supercomputer. [00:05:04] While quantum computing remains largely theoretical, experts suggest that CRQCs could emerge within the next five years. [00:05:13] CRQCs could put millions of Bitcoin stored in early address formats at risk and could endanger the wider trust that underpins Bitcoin. [00:05:23] Quantum attacks could target new Bitcoin transactions or seize funds contained in older or reused addresses. If CRQCs are developed, they could easily plunder the estimated millions of Bitcoin held in some of the earliest address formats. [00:05:40] Preparing Bitcoin for a post quantum world is a human rights imperative. If we don't, then dissidents and activists would no longer be able to safely use the freedom money that they are increasingly relying on. [00:05:55] Post quantum cryptography offers solutions to help protect active Bitcoin users, but migration to quantum attack resistant addresses will require years of technical research, coordination and global consensus in a decentralized and ideologically divided ecosystem. [00:06:15] The threat of these quantum attacks has sparked technical, political and moral debates. One is the burn or steal dilemma: whether to (a) do nothing and allow attackers to steal funds sitting in early address formats that fail to upgrade to quantum safe addresses, or (b) burn these funds and make them unspendable.
[00:06:37] Drawing on six months of discussions with experts in the Bitcoin field, this report explores the risks of CRQCs for dissidents and others using Bitcoin for financial freedom. This effort would not have been possible without the insights shared by presenters at the Presidio Bitcoin Quantum Summit and by a recent paper on the topic from Chaincode Labs. [00:06:59] Many thanks to HRF Bitcoin technical lead Alex Lee, who drove the primary research in this report. [00:07:07] Six key takeaways.
1. 1.72 million Bitcoin, about $188 billion, in very early address types thought to be potentially dormant or lost will be highly vulnerable to long range quantum attacks.
[00:07:26] 2. An additional 4.49 million Bitcoin, or $495 billion, are vulnerable to long range quantum attacks, but owners would be able to secure them by moving them to quantum secure address types.
[00:07:41] 3. Short range quantum attacks could enable theft of Bitcoin during transactions while public keys are exposed.
[00:07:49] 4. Researchers are working to solve for both short and long range attack risks, but solutions could take years to implement.
[00:07:58] 5. One proposed solution is to upgrade Bitcoin to include a quantum secure address type, which would protect anyone able to move their coins. [00:08:07] Another proposal addresses what to do with the coins that no one can or is willing to move: burn them so that thieves cannot plunder them, but sacrifice Bitcoin's neutrality in the process.
[00:08:20] 6. Quantum resistant transactions would be significantly larger in data size than existing ones. This could dramatically increase the size of the Bitcoin blockchain, which is already facing scaling challenges.
[00:08:35] Background. Bitcoin is a powerful tool for safeguarding human rights, promoting financial freedom, and resisting authoritarian control.
[00:08:45] Tyrannical governments frequently manipulate and surveil their currencies, and they seek to silence their critics by confiscating property and freezing bank accounts. Dissidents, human rights defenders, journalists, and nonprofit organizations operating under dictatorship face enormous obstacles just to receive donations and pay their bills. [00:09:07] HRF's Financial Freedom Program supports the expansion of Bitcoin as a tool for activists facing financial repression, money that dictators can't stop. [00:09:18] Quantum threats to Bitcoin's classical cryptography are still years away. However, if CRQCs emerge before Bitcoin's cryptographic foundations are upgraded, activists who rely on Bitcoin for secure donations, private savings, and uncensored transactions would find their privacy and safety compromised, and dictators might find ways to steal or stop their money. [00:09:43] Making Bitcoin use quantum proof poses political and social challenges. Bitcoin is not like a standard software system. Its decentralization means that any upgrade requires coordination and consensus among a diverse and divided user base. After undergoing scientific peer review and extensive testing, any change to Bitcoin's cryptographic signature schemes will also require widespread education for users, developers, node operators, and miners. [00:10:13] The Bitcoin community must also consider the 1.72 million bitcoin held in early addresses that will be most vulnerable to attacks from CRQCs. Proposed changes to the base protocol have already sparked huge debates in Bitcoin's history over trade offs between performance, privacy, and backward compatibility. [00:10:35] The current state of quantum computing. Quantum computers exist today, but they remain years away from achieving the scale, stability and precision required to threaten Bitcoin's cryptography.
Even with recent breakthroughs in quantum computing, experts remain divided over whether CRQCs with the capabilities to break Bitcoin's security will ever emerge. While some Bitcoin experts emphasize that incremental quantum breakthroughs on the road to CRQCs will provide time to implement solutions, some quantum computing pioneers have cautioned that sudden advances could accelerate the timeline to make necessary upgrades to Bitcoin. [00:11:16] At this year's Presidio Bitcoin Quantum Summit, a convening of quantum physicists, Bitcoin Core developers, cryptographers, wallet engineers, miners, and open source educators provided insight into the evolving views on CRQCs among experts throughout the community. [00:11:37] "Quantum computing is real, but there are so many things to do. You don't need to worry too much about it. But at the same time, probably it's not a good idea to ignore it. Five to 10 years is not a crazy number." [00:11:48] Sho Suigara, CEO of Block. "Someone is going to transition through this phase. Transition, and it's going to come just as fast as AI came and hit people in the face." [00:12:01] Terry Rudolph. "Sufficiently powerful quantum computers and other ECDLP breaks are hypothetical, and if they happen, there will likely be a long series of incremental breakthroughs that give us some time for fundamental solutions." [00:12:17] Peter Wuille, Bitcoin Core contributor. At the outset of the summit, 25% of attendees were unsure whether CRQCs would ever pose a meaningful threat, according to an event poll. But after two days of intensive discussion, the share of attendees who remained uncertain dropped to just 8%. [00:12:38] The share of respondents who believed CRQCs would arrive in the next five to 20 years jumped by 20%, from 49 to 69%. [00:12:49] These shifting perspectives reflect a growing consensus that while the timing and feasibility of quantum attacks remains uncertain, the threat deserves proactive and serious consideration today.
[00:13:02] Bitcoin's quantum threat vectors. Not all Bitcoin will be equally vulnerable to quantum attacks from a CRQC. Quantum threats to Bitcoin fall into two main categories, long range and short range attacks, which each exploit different weaknesses in the exposure of public keys. [00:13:25] Long range attacks. In a long range attack, a quantum adversary targets Bitcoin whose public keys are stored in older address types or in reused addresses. This would include any user who has continued to use an address from which they have previously sent Bitcoin, or anyone who has received coins at a taproot address, also known as pay to Taproot or P2TR, an address type that increases privacy for complex bitcoin transactions. Approximately 6.51 million bitcoin, worth more than $718 billion, representing almost a third of the total current bitcoin supply, is vulnerable to long range attacks. [00:14:08] Because long range quantum attacks exploit already revealed public keys, the only way to secure vulnerable coins is to proactively move them to quantum safe addresses. [00:14:21] Active users with funds in older or reused addresses can move their Bitcoin to a new quantum safe address and protect their funds by never sharing or reusing that public key. [00:14:32] While this migration will necessitate extensive technical development and user education, the solution is technically feasible and will secure the majority, 4.49 million, of the estimated Bitcoin at risk. [00:14:47] But for the remaining 1.72 million bitcoin ($188 billion), for which owners' private keys are thought to be no longer accessible, no such migration would occur. [00:14:59] These dormant coins, many dating back to Bitcoin's earliest days, would be left exposed in a post quantum world. Satoshi's estimated 1.1 million bitcoin, worth over $130 billion, for example, would reside in pay to public key addresses with exposed public keys. [00:15:20] This has raised profound political questions.
Should Bitcoin users take steps to burn these coins, which would prevent anyone, including thieves, from using them, or leave the funds untouched and unprotected from quantum attackers? [00:15:36] This burn or steal debate cuts to the heart of Bitcoin's values, raising concerns around decentralization, individual sovereignty, immutability and property rights. [00:15:49] Short range attacks. Short range quantum attacks would exploit Bitcoin transactions rather than addresses containing old or dormant coins. Attackers would exploit the brief window between the broadcast and confirmation of a Bitcoin transaction. [00:16:08] When a user spends Bitcoin, the transaction reveals the public key associated with the address. [00:16:14] Under classical cryptographic assumptions this is safe, but in a quantum world a CRQC could intercept an unconfirmed transaction, derive the corresponding private key from the exposed public key in real time, and broadcast a conflicting transaction that redirects the funds to an address controlled by the attacker. [00:16:37] All Bitcoin will be vulnerable to short range attacks during transactions until Bitcoin introduces a post quantum cryptographic signature scheme. Attackers will likely prioritize long range attacks due to the quantity of vulnerable Bitcoin, the higher likelihood of long range attack success, and the lower chances of public discovery of long range attacks. [00:16:59] Infrastructural risks. Modern Bitcoin infrastructure introduces another underappreciated quantum vulnerability. [00:17:08] Most popular self custodial and multi signature Bitcoin wallets, wallet companion software, and accounting and portfolio trackers store a user's public keys to be able to calculate balances and to generate and recover a user's wallets. [00:17:25] Many users rely on third party apps to view their balances, but if these companies are hacked, attackers could potentially steal users' funds in a CRQC world.
[00:17:35] As such, developers have proposed a number of upgrades to protect users against quantum attacks, preparing Bitcoin for the quantum era. [00:17:47] Quantum resistant signature schemes. Integrating quantum resistant signature schemes represents the only durable solution to CRQC attacks on Bitcoin. [00:18:00] There are two distinct proven quantum resistant signature families: lattice based signature schemes, including CRYSTALS-Dilithium 44 and Falcon 512, and hash based signature schemes, including SPHINCS+, XMSS and Lamport. [00:18:19] Lattice based signatures are more compact than hash based signatures, more easily supporting features useful to human rights defenders like multisig, key aggregation and deterministic key derivation. [00:18:31] However, they introduce new cryptographic assumptions that must be carefully vetted. [00:18:36] Hash based signatures, on the other hand, are the most mature post quantum option. However, their larger signature sizes introduce technical challenges and make features like key aggregation and standard multisig more complex to implement. [00:18:51] The smallest lattice based signatures are roughly 10 times larger than current standard signatures, while the most compact hash based signatures are 38 times larger. [00:19:04] Dramatic size increases in quantum resistant signatures would significantly reduce the number of transactions per block, decreasing Bitcoin's throughput and increasing the storage and bandwidth demands on full nodes, in addition to imposing a substantial technical burden on node runners. [00:19:22] Any effort to increase block size or adjust the witness discount to accommodate larger signatures is likely to divide the Bitcoin community. [00:19:31] Introducing larger quantum resistant signatures will not just be an engineering task; it will require navigating intense debates over decentralization, security, and the limits of protocol change.
[00:19:44] Bitcoin Improvement Proposal 360, or BIP360, a current quantum resistant proposal, is signature scheme agnostic. It makes taproot addresses more quantum resistant and provides a flexible framework to accommodate a variety of post quantum algorithms. Other quantum resistant BIPs are sure to come. [00:20:05] There's a table in the article comparing Schnorr, ECDSA, Lamport, XMSS, SPHINCS+, CRYSTALS, Falcon, all of these different types, and comparing them versus the public key size, the signature size, the cost to sign them, and the cost to verify them. It's a pretty useful chart to compare the various trade offs of each proposed signature scheme. Don't forget to check out the link in the show notes if you want to see the table. Upgrades to Bitcoin: education and design. Upgrading Bitcoin to withstand quantum threats is as much a human challenge as a cryptographic one. [00:20:45] Any successful soft fork integrating quantum resistant signature schemes will necessitate user education, thoughtful user interface design, and coordination across a global ecosystem that includes users, developers, hardware manufacturers, node operators, and civil society. [00:21:04] For Bitcoin to remain a reliable tool for human rights and financial freedom in the quantum era, its upgrades must be inclusive, accessible and resilient. [00:21:15] Wallets and user interfaces are tightly bound to the current elliptic curve cryptographic model and may not be compatible with post quantum schemes. Quantum resistant algorithms would likely introduce much larger signature sizes, slower signing speeds, and more complex verification paths. These are not minor tweaks; they fundamentally change how Bitcoin wallets must operate, significantly increasing the technical burden for existing wallets and nodes. [00:21:44] Hardware wallets must adapt to slower computations and bulkier keys while preserving the seamless and secure experience users expect.
[00:21:53] This necessitates an entirely new approach to hierarchical key derivation, backups and recovery. Accounting platforms, custody providers and financial institutions will need to retool their systems. [00:22:07] Multisig coordination, watch only setups, and automated transaction workflows will also need to be reevaluated in light of new signature semantics. [00:22:17] Developers will also face the difficult task of balancing system complexity and security with usability. [00:22:25] The need for education about quantum threats to Bitcoin is even more pressing. Many Bitcoin users remain unaware that their coins may eventually be vulnerable to long range quantum attacks due to public key exposure. [00:22:39] This includes coins protected by legacy pay to public key, or P2PK, scripts and coins at reused addresses. Encouraging users to migrate to quantum safe outputs, especially when the threat remains abstract, will be difficult. Because Bitcoin has no central authority to enforce upgrades, every soft fork depends on voluntary adoption, consensus and grassroots coordination. [00:23:05] Introducing signature schemes that increase transaction sizes by 10 times or more will trigger debates about block space, throughput and scalability. [00:23:14] Proposals to increase block size or adjust the witness discount to accommodate quantum resistant signatures will likely be met with resistance on both technical and ideological grounds. [00:23:27] Previous improvements to the Bitcoin network have taken years to reach widespread adoption, even for upgrades like SegWit that decreased transaction fees. Convincing a diverse global user base to take coordinated action to prepare for a still hypothetical quantum future will be even harder. To succeed, a quantum resilient soft fork must be socially durable as well as technically correct.
[00:23:52] Upgrades must provide clear benefits, usable defaults and migration tools that reduce the cognitive and operational burden on everyday users. [00:24:02] Changes must be designed with the understanding that consensus is slow, fragile and precious. Above all, a soft fork must remain faithful to Bitcoin's underlying privacy, decentralization and freedom from coercion. [00:24:18] Anything less risks the financial freedom of the dissidents and human rights defenders who need Bitcoin the most. [00:24:27] Burn, steal, hourglass. To protect the quantum vulnerable 1.72 million dormant Bitcoin from long range attack, [00:24:38] some in the Bitcoin community advocate for a burn, a proactive intervention to preserve Bitcoin's legitimacy. [00:24:47] These proposals would render quantum vulnerable Bitcoin unspendable after a migration window. [00:24:53] Advocates for this approach argue that such action would protect Bitcoin's monetary integrity, prevent destabilizing wealth redistribution, and reinforce the principle that possession through cryptographic theft is not valid ownership. [00:25:07] Some express concerns that the theft of millions of Bitcoin could undermine the value of the currency, affecting all holders of the currency, not only those whose Bitcoin is stolen. [00:25:18] On the other side, critics of the burn position warn that freezing funds would undermine one of Bitcoin's foundational guarantees: that no one can arbitrarily prevent others from spending their funds. For opponents of the burn proposal, censorship resistance is paramount. Hunter Beast, author of the quantum resistance proposal BIP360, argued that a lot of these coins, these lost coins, are unclaimed property. [00:25:44] Lightning developer Laolu Osuntokun said such a proposal breaks a fundamental tenet of Bitcoin: "We must resist groups trying to coordinate to effectively redistribute wealth." [00:25:56] A middle ground has emerged between these polarized positions.
Rather than immediately burning vulnerable Bitcoin or allowing them to be swept by the first actor to develop a CRQC, an hourglass proposal suggests introducing a protocol rule that limits how fast Bitcoin can be spent. This mechanism could slow the bleeding, offer miners incentives in the form of high fees from competing CRQCs bidding to steal the same coins, and buy the network time in the event of a real long range attack. [00:26:29] Yet even this compromise is controversial. Its critics argue that the hourglass approach normalizes theft and redistribution of stolen coins to miners via fees, runs counter to Bitcoin's stateless model, and opens the door to future governance intrusions. [00:26:46] At the Presidio Bitcoin Quantum Summit, attendees' views on what to do with quantum vulnerable coins remained split even after days of rigorous expert discussions. As shown in the post summit poll results, support for the burn approach declined from 45% to 38%, while the percentage of participants preferring to do nothing rose from 22% to 29%. Support for the hourglass mechanism remained static at 33%. [00:27:14] Speakers' closing remarks also acknowledged the difficult choices ahead. As Lightning Network pioneer Tadge Dryja put it, "Who wants to be the person to push the button to merge the code to steal Satoshi's coins?" [00:27:27] Maintaining financial freedom in a quantum world. If Bitcoin is to remain a tool for freedom, it must remain secure in the face of emerging challenges. Addressing any quantum threat to Bitcoin will require years of sustained research, development, coordination and public education. [00:27:48] HRF, the Human Rights Foundation, through its Bitcoin Development Fund and Financial Freedom Program, is uniquely positioned to support efforts to ensure that Bitcoin remains a tool for dissidents, human rights defenders and individuals facing financial repression.
The HRF will explore funding research into quantum resistant cryptographic signature schemes suitable for Bitcoin. [00:28:12] This includes research evaluating trade offs between scalability, UX and network impact; experimental implementations of lattice and hash based schemes; development of migration tooling and testnets; and new BIPs. There are no easy answers to the burn or steal debate, hourglass style proposals or quantum proof signature schemes. What the HRF can do is explore funding research into making Bitcoin quantum safe for human rights activists and others. [00:28:44] Moving forward, we will be accepting proposals in this area at the Bitcoin Development Fund and seeking to cover the topic in our newsletters, events and future research pieces. [00:28:56] Bitcoin is currently in a dip. And I know exactly what it feels like to have to sell at the worst possible time. And sometimes you can make it through, but sometimes things just come up and there's no alternative. [00:29:10] There actually is. You can take out a loan against your bitcoin without actually selling it. Now, this does come with risk. It's leverage. You're looking at custodians, which is why you want to use a very safe and boring company. And there's only a couple that I would ever even entertain. The experience is hard to beat at Ledn IO. They do proof of reserves. They have open books, they've made it through a hell of a bear market. They've cut all their other features. They've just done a ton of things that made me far more comfortable with it. And I just really like their product and service. Now again, this is a form of leverage. You've got to be very careful with this. But they've got all of the details, exactly at what point you need to think about adding more collateral and all of that sort of stuff, those various risks. But when you're in a tight spot, a bitcoin backed loan is a tool that a bitcoiner needs to have in his arsenal.
I've got a link for you right down in the show notes. They'll know that I sent you and there's a little bit of a discount. So check them out. Ledn IO. All right, so this is a great piece from the Human Rights Foundation, and I'm also... [00:30:19] I want to talk about a couple of different things in respect to this topic. The first few things are on the debate about which path you would take. [00:30:28] I want to talk a little bit about the quantum summit that happened recently. I saw some clips and a couple of pieces of video from it, but I never actually got to really dig into all of the various content around it. Then one thing that I really think the HRF brings up here, that is one of the most important things to recognize because it is very undervalued. I think a lot of people are all thinking, oh, we just need to get a quantum safe signature scheme and then we upgrade and we do a soft fork. And that's all gonna be difficult. You know, soft forks are tough, but we'll get there and it'll be fine. But that is not the problem. Well, that is the beginning of the problem, and recognizing that is really what this piece brought out. When I was running through it, I was like, okay, we've covered quantum before, but recognizing the scope of the social and infrastructure change... and I think they could have even stressed it a little bit harder, because we're just talking about a herculean task, like years and years. Look at how much taproot adoption there actually is right now. Look at segwit adoption even still to this day. [00:31:45] We're talking about five to 10 years just to adjust the infrastructure for the fact that we have a new signature scheme, especially one that changes the dynamic so much that old tools, old hardware wallets like ColdCard or Trezor or BitBox, like all the hardware wallets that I use, probably don't even have the capacity to sign, or will take so long to actually produce a signature.
And then you've also got the various schemes in which they actually transmit, that communicate, the transaction data. You're talking about signature schemes that are so large that if you use the QR code scheme where it just cycles through QR codes, you're probably talking about like 50 QR codes literally. And if you miss any of them, you miss the data. Like, who wants to sit there and scroll through QR codes? QR codes suddenly don't have enough information density to even transmit the information. [00:32:41] And those are just very simple practical problems, let alone the shifting over of all the hardware and firmware. And like, we've spent 15 years building this out and this would basically be a start from zero. It would take less time to revamp everything, but probably not a lot less time. [00:33:06] Like I said, we're probably still looking at five to 10 years to even really be talking about a broad and widely usable and non user ridiculous implementation of a quantum proof signature scheme. And it might seem like there are obvious options, like, you know, if multisig and signature aggregation, these things are better with lattice based signatures, then okay, and of course they're smaller. [00:33:41] Well then of course we would go that route, right? Like that seems like the obvious choice. But then you also have to deal with cost to sign, cost to verify, their size, specifically the size of the public key versus the size of, you know, the proof of the key, of the underlying signature. And all of these different considerations, like almost every one of them has some sort of a trade off where they're better in one way but then worse in another. [00:34:12] Like for instance, and this is actually, I encourage you to actually go look at the table that they've got in this article, because that's where I'm pulling this information from.
But like the SPHINCS+ based things, they're some of the worst when it comes to the signature, the actual size of the signature. But then the public key size is actually only 32 bytes. But the cost to sign is incredibly worse. Like the cost, like the amount of time, the compute it takes to sign the transaction is huge. Whereas if you're looking at something like Lamport, the cost to sign and the cost to verify are actually both pretty reasonably close. It's not... they're not totally... they're definitely... I mean, in the chart they actually show them very visually simply. You've got a bunch of stuff in red, a bunch of stuff in yellow and a bunch of stuff in green. So obviously green would be the things that are very close to the current Schnorr signatures and ECDSA signatures, whereas the yellow and the red are comparatively further and further away from just the sheer compute or simplicity of doing this with the current signature scheme. And so when you look at CRYSTALS or Falcon, these actually have pretty significant costs comparatively for signing. But then for verifying they're actually pretty close. And then you've got this one down at the bottom that was apparently invented in 2023 called SQL. [00:35:44] I guess it's SQI, because those are capitalized, SQIsign one, and it looks green all the way across the board, except for one. Its public key size is 64 bytes. The public key versus Schnorr is just twice the size. Signature size is 177 bytes. The signature size versus Schnorr is 2.8 times. [00:36:05] But the cost to sign versus an ECDSA signature, the compute needed to sign a transaction, is 135,000 times what it currently takes. So you're talking about needing an ASIC just to sign transactions. Granted, it actually says a... I wonder, I wonder what kind of... [00:36:28] This might be the same thing in the cost to verify. The cost to verify is green on the chart, but I think it's supposed to be red.
It says 830 times more. And unless that's supposed to be like 8.3 or something, it doesn't make sense that that's green. That might actually be the worst of all when it comes to the compute to sign and verify. Well that's kind of what I mean. The, the different trade offs. Like let's say you could do something that actually like SQIsign, okay this is actually more compatible with current bitcoin limits, right? Even though, however, it's an isogeny cryptography. And that's the other thing is that hash based cryptography, okay, maybe we have a much better understanding of its relative security. [00:37:10] But then lattice and isogeny, which I don't even know what the hell that is like. Cryptography usually has a shelf life and I don't even mean it like ECDSA or whatever, but sometimes like it's just found to be unsafe and it's usually just a matter of time. Like it's, it's just okay, this has existed for 20 years in real settings with real people trying to actually break it. And so we can kind of consider it safe. Something developed in 2023. [00:37:39] And with isogeny, like, I don't like the cryptographic assumptions, they're probably really at the edge of anything that we would want to consider conservative. [00:37:48] So the argument I mean to make with this is simply that a fundamental cryptographic and major signature change like this isn't even as simple as something like Taproot, which Taproot was not a simple thing. Like a massive amount went into developing Schnorr signatures. And this was also not a. [00:38:15] There were no major new cryptographic assumptions that had to be taken into account for this. It was purely an implementation problem. [00:38:27] And look at how utilized Taproot is today versus, I mean, when was this, how many years ago now was this implemented? 
[00:38:36] Making a change like this to quantum proof signatures and a quantum proof cryptographic scheme would basically be rebuilding everything that we have built in Bitcoin from scratch on entirely new cryptographic primitives and resetting or restarting all of the various risks and potential bugs and potential weaknesses for the entire, for that entire history of SHA256 and ECDSA and all of this stuff, basically mirroring that entire problem back on top of this new lattice signature scheme or whatever it is. [00:39:22] That is not a small deal. [00:39:25] That's an enormous, enormous hurdle. [00:39:30] This is exactly why I think it's crucial that even though, and I've talked, we talked about this on the show, we talked about this on the roundtable and Steve doesn't even believe, doesn't even see genuine evidence that quantum computing is actually scaling. And I almost, I kind of tend to mirror that thought the deeper I dig into it. And I didn't go to or really watch much of the Presidio quantum summit, but you know, it would tend to, you know, if you just spend a couple of days talking about quantum computing, breaking cryptography, the cryptography of Bitcoin, as if it's a legitimate and real thing regardless of kind of the, even the general sentiment, if you're just kind of talking about it like it's a thing, I think at the end of those two to three days you're going to have more people believe, believing that this is a real threat that is coming sooner rather than later. So I kind of take that shift in mentality of those who went, the poll or survey of those who were present, with a bit of a grain of salt. [00:40:39] I haven't quite read through it, but I would really like the or I haven't read through every bit of it. I think I'm about halfway through it. But who wrote this piece? 
[00:40:48] "Replication of Quantum Factorisation Records with an 8-bit Home Computer, an Abacus, and a Dog" by Peter Gutmann, University of Auckland, and Stephan Neuhaus, Zürcher Hochschule für Angewandte Wissenschaften. But this was basically towards the end of September 2025 that this was released and they've basically identified first, they've tried to go and actually find the explicit attempts of factorization. [00:41:30] What actual open direct factorization of a number has been done with a quote unquote general quantum computer whose purpose was to run the algorithm of Grover's or Shor's or I can't remember, confusing names, but whatever the algorithm is to explicitly factor a number into two primes. And the only cases of that, there are three. [00:41:59] In 2001, IBM tried to factorize the number 15. [00:42:05] Eleven years later they tried to do the number 21 and they were successful in both of those. And then another seven years later they tried 35, but it failed. And on this explicit issue, on actual factorization of a number blindly by a quantum computer, this is the farthest they've gone. [00:42:28] Everything else that sounds way more impressive and sounds a lot bigger has been done by essentially setting up a physics experiment that allows the quantum computer to. To factorize something that seems really, really big, but essentially tricking it into only having an extremely small. I think, as the paper was, or at least to the point that I've made it through the paper, that there were only ever 2 bits of entropy to factorize even in the largest seeming numbers relevant to this task. And here's the problem. [00:43:05] There is so much noise like this is worse than crypto. Quantum is such a convoluted and misrepresented thing because nobody understands it. [00:43:22] And as Steve says on the roundtable is just factor something is just, just like there's. This is, this is simple. This is like Satoshi's keys, right? 
You Just sign something with the key, then boom, you are at least in the running of being Satoshi because you have the relevant keys that only Satoshi would have. And in this case, just factor something. Build a quantum computer that can factor something bigger than the number 35. In fact, build one that can just factor 35, because the last time that was attempted, it appears to have failed. [00:43:58] However, at the same time, I don't want to completely. [00:44:04] I'm not. I don't want to completely dismiss. I think there's still a very like the risk is way, way larger than the potential reward of doing nothing. It's like insurance against your house burning down. There's a very small likelihood that your house is going to burn down. But a relatively inexpensive insurance policy against that one particular case also isn't that big of a deal considering the asymmetric loss that would occur if that risk actually did manifest. [00:44:37] This is currently how I feel about quantum computers. I do think that there is a lot more talk about how dangerous quantum computers are than actual risk to that quantum computers seem to represent in a real sense. [00:44:56] But if I could buy insurance right now against Bitcoin being having the cryptography destroyed by a quantum computer, I would do it because the asymmetric loss is way, way, way bigger than the benefit of just having zero cost whatever, because you're just dismissing it and, you know, sticking your head in the sand. [00:45:20] But I do have to say something about the debate between burning the coins like, like freezing all of those, the quantum vulnerable coins versus letting a quote unquote thief, a quantum thief, to steal all of them, is that I think this pretty game theory, both basic logic and game theory come down really hard on the fact that we're not going to be able to burn the coins and that that's the wrong route. 
[00:45:50] Simple fact of the matter is, unless somebody literally publicly shows like they just broadcast it and prove that they have the private key and that they got it from a quantum computer breaking the key. [00:46:05] It's going to be a completely subjective claim that this even occurred or not. Like we start seeing addresses move that, you know, were thought of as being frozen or being, you know, lost keys. Well, how do you know then? In addition is, I thought the. Was it. Was it Taj quote. I can't remember. I didn't save it, unfortunately. But somebody was saying that, you know, who wants to press the button to merge the code that's going to freeze Satoshi's coins. So not only is that just going to be difficult from the context of just trying to get the person that you want to execute it, the developer who's going to take on that responsibility and be like, yeah, I'm the one who did this and I'm the one who's responsible for all of these burned coins. [00:46:57] And then also is that the. [00:47:01] There is this subjective layer of like, oh, we don't want someone with a quantum computer to just get a bunch of coins because then we're rewarding a thief, but quote, unquote, allowing that to happen as if it's our responsibility to prevent that from happening, from. [00:47:19] From something that is undoable, like the past. That is undoable. [00:47:24] But that does not undermine any of Bitcoin's principles. [00:47:29] Like, it's obviously not a good outcome because lots of people would either lose coins or someone who is just undermining the security and the trust and the cryptography of the system, somebody who is literally exploiting the nature of the code is going to be rewarded extraordinarily. Granted, if somebody is just widespread breaking keys of all these people's coins, the question is, what's your system worth anyway? Bitcoins probably aren't going to be worth a whole lot during that event. 
[00:48:03] But what I find most important is that nobody's. There's no guarantee in Bitcoin that you're not going to lose your coins, that the cryptography is perfect and that like, like there are best practices, but people lose their keys all the time. I've lost keys. I know numerous people who have been hacked and have had their coins stolen from them. Now, in no way, shape or form is this a good thing. Would I want this to happen to more people? [00:48:32] But it is perfectly natural that all cryptography to some degree appears to have a shelf life. So here's the, here's the analogy that came to mind when I was digging into this because we read Lopp's piece about the Berm proposal and I was definitely a lot more on the fence about it when I first got into it. That article definitely changed my opinion a little bit. But I have since kind of come back to where I originally started. And here's the thing that got me is there there was a handful of like, really popular, like really big wallets that created a bunch of keys sometime ages ago. And since all the coins that have been found to be created with this bad random number generator have basically been swept at some point now, obviously this is a big difference from all the transaction types we've ever used were considered unsafe. But we could have easily found out the indication of which one of those coins or which one of those historical coins was in fact vulnerable to this random number generator. And we could have frozen those coins, but we didn't. Hackers and exploiters got a ton of old Bitcoin. [00:49:44] Bitcoin didn't die. [00:49:46] Nobody is unsure about the promises or the principles of the Bitcoin system because an old type of generating private keys was exploited, was found to be vulnerable, and those coins were then taken. Now, a quantum breaking of the cryptography would be a very, a much, much larger example of this, but I think it's of the same kind. 
[00:50:14] If it were pushed by a bunch of large stakeholders or a large portion of the network to burn those old coins, I think this would absolutely be a kind of like Ethereum's DAO moment. And Eth 2.0 versus Ethereum classic is they chose to steal the funds back from the hacker who exploited their, their bad code, essentially. And it completely undermined the security, the principles, anything about what ETH claimed to be changed fundamentally when that happened. [00:50:48] This would be. Trying to burn the coins would be so unbelievably contentious, there's zero chance it actually happens. And I know that because it's already contentious just talking about it. There's already a debate and there's already tons of people who would hold the line and be like, no, we're just not burning the coins. This undermines fundamentally what Bitcoin is meant to be. Not some technicality, not some, you know, one wallet or one key or one address type or something. Sure, this would be one of the worst exploits of a bug, one of the largest underminings of a major security of the Bitcoin system. [00:51:30] But today there are no nodes that you can run from. [00:51:34] 10 years ago that would actually accept a transaction or a block that would be detrimental to your node. And if you ran it and you had your keys on it and somehow it destroyed your keys or your Bitcoin, that would be on you. I think it is on us to upgrade, to prepare for when that day comes. And if there are dormant keys that get taken, I think that is the cost of having a system that is truly decentralized and where there is no subjective decision being made about who can own what and which coins are real and which aren't. There are way, way too many unknowns, way too many gray areas. [00:52:16] I would user-activated-soft-fork hold the line on: we're not burning the coins at this point. I think it's a Thomas Jefferson quote that says, or Benjamin Franklin, I don't remember. 
One of the founding fathers says something like crime is rampant. It is universal. Tons of people commit crimes, tons of evil is not punished. And there's no system that can actually punish or stop all evil. But if innocence is prosecuted unjustly in the name of trying to stop more evil, then it defeats the whole purpose. Because if being innocent isn't enough to preserve your freedom, then even the good and the innocent will just say, why should I bother? And if any of our potential solutions to the quantum breaking of Bitcoin's cryptography means that there's going to be old coins that get burned, there will be people who did not have their coins stolen from them from a quantum computer and may never even have had their coins at risk. And maybe they would have been aware or have found out about it as coins started getting stolen. And they will lose their coins because they were burned and not because they were stolen. And I don't quite see how that's really a whole lot better than what the quantum thief is doing. [00:53:39] So that's my thoughts on that. [00:53:41] And then there's also this. I'm purely a five year old child at heart and I like the idea of all 21 million Bitcoin coming back into circulation. So there's actually 21 million Bitcoin. Could not be more arbitrary and pointless, but it makes me happy. [00:54:02] Shout out to Leden IO for supporting the show. They do bitcoin backed loans so that you can get some fiat out of your bitcoin without actually selling. You can still hold for the long term. To Synonym and Pub Key. They have built a protocol stack to re decentralize the web. You've got to check it out. If you haven't, get Chroma co for Light Made for Humans. And the HRF. The amazing work that they do, this article that they wrote, the development that they do, their fundamentals, their grants, the work they do, the Oslo Freedom Forum, the Financial Freedom Report, you name it. They do incredible work and they have a lot of my respect. 
Links and details to all of this right down in the show notes. [00:54:43] All right, so I think I'm going to do a guy's take on the replication and factorization of or the paper with a dog and an abacus and 8-bit computer or something like that. [00:54:55] Because it's a really good paper and I do think this or topic is worthy of coming back to and I don't want to dismiss it outright. It's like one of those things where there are certain topics or perspectives on like custodians and stuff that I think are completely overblown or kind of miss the fundamental point. But it's also hard for me to argue with them because they're correct in spirit and direction. And I don't want to undermine the more important principle being displayed that you should not trust custodians and. Or you should think of custodians as very trusted entities and you should go into it with a very high degree of scrutiny. So, like, I want to correct the argument because it's not exactly right, but it's right in the. Or it's wrong in the right direction, and I don't want to undermine the direction. And so when I think about or when I'm talking about the whole corporation quantum stuff, and I don't think it's actually a strong threat right now. I also don't want under. Want to undermine the point that I do believe we should still be building an insurance policy for it, because if there's a 0.5% probability that we lose everything, it makes sense to put a tiny portion of the wealth, no more than 0.5% probably, but a tiny portion of it, twice the defense against that outcome. It's a very asymmetrical loss, and I think it would be stupid to be blindsided by it, regardless of how long it takes us to get there. So we will keep covering it. I'll keep investigating, and all you have to do is subscribe to Bitcoin Audible. I will catch you guys on the next episode. And until then, everybody, that's my two sats. [00:56:56] It is more important that innocence be protected than it is that guilt be punished. 
For guilt and crimes are so frequent in this world that they cannot all be punished. But if innocence itself is brought to the bar and condemned perhaps to die, then the citizen will say, whether I do good or whether I do evil is immaterial. For innocence itself is no protection. And if such an idea as that were to take hold in the mind of the citizenry, that would be the end of security whatsoever. [00:57:27] John Adams.