In this episode, Stephan Livera and Matt Corallo discuss the implications of quantum computing on Bitcoin’s security. They explore expert opinions on the timelines for quantum threats, the current stance of Bitcoin developers, and potential solutions for quantum resistance. Matt introduces his proposed plan for integrating quantum-resistant features into Bitcoin wallets, emphasizing the need for gradual adoption and community consensus. The conversation also touches on market dynamics, the role of seed phrases, and the importance of preparing for a future where quantum computing could pose a significant risk to Bitcoin.

Takeaways:

🔸Quantum computers are not an immediate threat to Bitcoin.

🔸Experts suggest a timeline of 10 to 25 years for quantum threats.

🔸Bitcoin developers have historically underestimated quantum risks.

🔸There is ongoing research into quantum-resistant solutions.

🔸Wallet adoption of new technologies is slow and challenging.

🔸The future Bitcoin community will make decisions on quantum security.

🔸Market dynamics will influence the value of quantum-vulnerable coins.

🔸Seed phrases provide a layer of security against quantum threats.

🔸The proposed quantum plan aims for minimal disruption to users.

🔸Preparation for quantum threats should start now, even if the risk is distant.

Timestamps:

(00:00) – Intro

(00:51) – Quantum computer’s breakthrough timelines

(03:38) – Are Bitcoin developers taking the quantum threat seriously?

(07:41) – Evaluating the quantum threat

(10:00) – The Matt Corallo Quantum Plan

(17:48) – Future community decisions on quantum security

(20:12) – Will Bitcoin need a soft fork? 

(23:30) – Market’s response to quantum threat 

(28:15) – The role of seed phrases in quantum security

(33:40) – Post quantum cryptographic schemes

(37:23) – Patoshi miner adapting to Q-Day

(43:25) – Which public cryptography scheme is most vulnerable? 

(50:20) – Closing thoughts 

Transcript:

Stephan Livera (00:00)
Hi everyone, welcome back to the Stephan Livera podcast. Today rejoining me on the show is Matt Corallo. Matt is full-time open source Bitcoin and Lightning over at Spiral and, for people who don’t know, a long time Bitcoin developer, and obviously has a lot of insight and input around various things happening in the ecosystem. Today I wanted to chat with Matt kind of mainly about the quantum stuff, but we’ll see whatever else is relevant. You know, first off, welcome back to the show, Matt, and let’s get your thoughts. Do you…

What’s your updated view on whether we see a so-called cryptographically relevant quantum computer anytime soon?

Matt (00:37)
Yeah, yeah, thanks for having me. Yeah, I mean, I’m no expert on quantum. Obviously, there’s a lot of just engineering challenges they have, cooling, scaling these things up, you know, they need to be running at absolute zero, there’s building a large enough refrigerator to fit a lot of qubits, it’s kind of hard, we don’t really have technologies for a lot of these things. They have a long ways to go.

I think what some people are worried about rightfully or wrongfully that’s actually driving some of the narrative is more fear that there’s gonna be some kind of sudden breakthrough. So if you imagine a, you know, there’s some lab that’s using an LLM and the LLM gets some super creative idea, which, you know, things are not gonna happen with today’s LLMs, but you know, maybe in a few years.

And they come up with some massive breakthrough in refrigeration technology that we haven’t figured out in the last 200 years, or some massive material science breakthrough on, you know, room temperature superconductors or something. And then that might unlock quantum faster. And I think that’s what some people are worried about, you know, with current LLMs, it’s probably not a huge risk. But I think that’s the bigger fear versus just the slow progress of

improving the technology over time is still going to take years and years and decade or two or whatever.

Stephan Livera (02:12)
And do you have any thoughts on the, I guess people talking about the different timelines, like as you were kind of touching on, maybe the fear is this sudden breakthrough, but outside of that, do you have any thought on where, like what are some of the experts saying on this? Like at least the experts I’m seeing are saying it’s more, they see it’s more like, you know, like a 20 year thing.

Matt (02:36)
Yeah, I think that lines up with what I’ve seen. Obviously I’m no quantum material science physicist expert. But yeah, I think that the experts that I’ve seen who aren’t really just trying to pump a bag are talking about 10, 15, 20, 25 years kind of timelines. That’s not to say that we shouldn’t worry about doing things to prepare for that in 10, 15, 20, 25 years, but

It’s still a long ways off.

Stephan Livera (03:07)
Yeah, now the other big point of contention, let’s say, is, I don’t know, you’ve had some back and forth with Nic Carter on this, is this point of, are the Bitcoin developers taking quantum seriously? So what do you think about that?

Matt (03:23)
Yeah, I mean, I think there’s, it’s definitely the case that historically, say, 10 years ago, Bitcoin developers largely wrote off quantum. I think that lines up with where the mainstream cryptographic community was at the time as well. I think there are a lot of members of the Bitcoin community who aren’t necessarily influential developers or aren’t necessarily contributing actively to Bitcoin who have either

concluded that quantum will never happen, which I don’t think is very common among kind of influential Bitcoin developers, or spend a lot of time talking about how far away it is because there’s this conversation like, Bitcoin’s terrible. We need to sell our Bitcoin because quantum is going to destroy it. And so people respond with

guys, the like real experts are saying 10, 15, 20, 25 years away, like you don’t need to worry, whatever, and that then gets read as, these people think that we shouldn’t do anything, we don’t need to worry about this, or that they think we don’t need to worry about this, that we shouldn’t do anything, and I don’t think that’s necessarily the right conclusion to draw from their words, it’s just…

that they’re also not talking about, well, here’s what we’re doing. And I think it is true that people aren’t talking necessarily about what work is being done, but there is work going on, right? So if you actually go look at, you know, I think that a comment that I made is, you know, if you want to look at what quote unquote influential Bitcoin developers think or what, you know, is what the thinking is, go look at

top organizations that fund Bitcoin developers, organizations like Brink, Chaincode, Blockstream Research, there’s a few others, but, and then look at the organization as a whole and look at what different people within that organization are doing. And so if you look at Chaincode, well, Chaincode’s crypto folks came out with a research paper talking about Bitcoin and quantum and…

the timelines for different things and different approaches and how it could be solved, et cetera. So clearly they’re thinking about it and taking it seriously, at least approaching the problem as like, what are the constraints? What should we do? What can we do, et cetera. You look at Blockstream Research, well, two of the cryptographers there have been working on Bitcoin post-quantum cryptographic research, both Tim Ruffing and Jonas Nick. Brink a little less so, but Brink focuses more on day to day

maintenance of Bitcoin Core. So I don’t think you can reasonably conclude that because the organizations that hire some of the top Bitcoin developers are working on this, clearly Bitcoin developers aren’t working on this. I don’t think that’s a reasonable conclusion.

Stephan Livera (06:23)
Right. And I know there was also the Presidio Bitcoin Quantum Summit and that was, I think it was May of last year around there. So there was a lot of, you know, well-known Bitcoin, you know, developer researcher types who were there along with some quantum people. So certainly I think maybe the concern from the, let’s say the people who think quantum is coming really soon. Maybe they see it like, that’s not fast enough. Or there’s this concern of

the Bitcoin community doesn’t have a plan in place. But I think it’s also maybe a bit tricky to have a plan in place because we’re trying to, and I think this is a point Pieter Wuille made on the Bitcoin Optech podcast, which was how do you bind a future community to this plan? Like we could put a plan and say, this is what we think right now as of February, 2026, but what do Bitcoin people think five years from now, 10 years from now?

Matt (07:19)
Yeah, I think that’s true. It does get very complicated to talk about what should happen in a quantum, in some scenario where a quantum computer becomes a realistic threat to Bitcoin because there’s so much nuance to exactly what the scenario is. Did we have years of slow technological progress and then we started to get to that point?

which I think is by far the most likely scenario to be clear. But then also how many wallets have migrated to some kind of post quantum scheme? How long ago did they migrate? Was it in the last two years? Was it 10 years before? You know, was it right before? Have they not migrated at all? Which types of wallets? What groups of Bitcoiners are there? It’s so much depends on the exact scenario that happens that I don’t think

Not only can we not bind the community to some decision we make, the future community to some decision we make now, but it’s kind of hard to predict exactly what they’ll do because there are a lot of things that are going to go into that decision that we can guess at, and I think we have some reasonable guesses, but it’s not clear.

Stephan Livera (08:42)
Yeah, so now talking in the realm of what could we Bitcoiners do in terms of, okay, having a soft fork or multiple soft forks that do something about this. Obviously a big one people are talking about is BIP-360 by Hunter Beast and I think Ethan Heilman and I think one other person, I forgot the name right now. And then I guess the general approach is like this idea of, okay, what if you had

a special output type that was quantum resistant and, you know, pick some flavor of post quantum cryptography, and that might be that idea. Now I know you’ve also put out an idea yourself. I don’t know if there’s a name for it, so in my episode with Jonas Nick we were kind of calling it the Matt Corallo plan, let’s say, but do you have a name for the Matt Corallo quantum plan, or what is it?

Matt (09:31)
No, I think it’s, there’s, so to set the stage maybe a little bit, historically in Bitcoin, it’s been the case that wallets adopt new technology at a glacial pace. In fact, in most cases, wallets simply don’t adopt new technology and the only way new technologies get adopted are when wallets kind of cease being popular, go out of business, stop being maintained and new wallets get built instead. So.

Talking about doing a new output type that is quantum resistant has massive ecosystem cost, right? As we’ve seen, adopting new output types, new address formats, new output types is really, really glacially slow. Now, Bech32m, the Taproot output type encoding, as well as Bech32 before it, are designed to be a little forward compatible, so you should be able to send to a new type of output, even if you don’t understand it today, but who knows whether all wallets actually do that.

More importantly, I think any output type where spending it has a material cost, which all of the post-quantum schemes are much slower, generally much larger than existing secp signatures. And so that’s gonna be higher fees. If you want to use a wallet that transacts with these things, you’re gonna have higher fees and really materially higher fees, not just…

you know, 10 % higher or something, we’re talking double, triple, quadruple the fees, and all of a sudden that’s kind of material. And so these, I don’t really buy that these wallets are going to, that these schemes are going to be adopted in any time horizon that makes it relevant, right? The only reason to add post-quantum signatures to Bitcoin today would be for very, very long-term wallets.

adopt it, right? So we’re talking cold storage wallets, people who might just start to use Bitcoin and not think about it and then forget about it and come back to it five, ten, twenty years later. And any scheme that wallets aren’t going to jump to adopt because it has 4x, 5x higher fees just doesn’t accomplish that goal. It doesn’t really move the needle materially. Now that’s something

we’re gonna need eventually. So it’s good that people are working on this, you know, when, you know, in 10, 15 years, when a cryptographically relevant quantum computer is kind of more imminent, then okay, yeah, we’re gonna need a scheme like this. We’re gonna need to start migrating everyone over to this, because it doesn’t even make sense to have secp signatures for anything anymore, because they’re just not helpful, they’re not secure. So I’m happy people are working on it, but I don’t think it’s relevant today. So what can we do today?

that moves the needle on getting wallets ready so that there’s no questions. Basically so that the future Bitcoin community, when a cryptographically relevant quantum computer is an imminent threat, has more options. Our goal is to get wallets migrated so that that community has more options on what they can do to address the problem. And the only thing that I think makes sense today that…

really wallets might adopt is something that has no additional cost. And so Tim Ruffing actually did a more formal paper analyzing taproot output and concluded, look, if we have a taproot output with a post-quantum signature in one of the script leaves and the script path spends, and there’s a soft fork to disable the key path spends, then that’s quantum secure.

So the quantum computer can’t somehow unwrap the taproot into a different script path or something like that. This was actually a design goal of taproot. This was a deliberate decision, but Tim Ruffing wrote a more formal paper analyzing this, concluding that it was done correctly. So we could do that, right? We could say, okay, we’re gonna add a very expensive hash based signature scheme in a taproot leaf. And…

As a result, the future community could decide to disable that keypath spend and now these wallets are fine. They’re upgraded. They’re done. So they’ve been hiding this thing in the taproot leaf this whole time. They never revealed it. They never used it. It had zero additional cost because they just use the keypath spends today. And then at some point in the future, the Bitcoin community can say, okay, now it’s a risk.

We’re going to disable that key path spend. Now you have to use this other thing, which is more expensive, you know, larger, whatever, but it’s still fine. You still have your money. It’s no big deal.

Stephan Livera (14:26)
Gotcha,

yeah. So let’s just take a second, just to make sure we haven’t lost anyone. So when we go to spend in Bitcoin today, right, in the Taproot context, if you’re using a P2TR Taproot output, you have, as you mentioned, this key path, which is like, as I understand, that’s like just the, you know, it’s like a smart, like public key and signature.

And then you also have this opportunity of using a script path. And then the way they’re sort of designing their protocols and things is that you want to use that. In most cases, you want to use the key path, but you can put in a lot of other conditions and things into some kind of script path spending pathway.

And what you’re talking about is this idea of, what if we just use the existing taproot, but with special like quantum resistant script path spending pathways that are not shown until you actually need it, until you actually go to spend that pathway. Have I got you? Have I got that right?

Matt (15:24)
Exactly. Yeah. So it just, it’s totally transparent while it’s, do it, don’t even think about it. You know, it’s just a slightly different format for how they create the address. The address looks the same, functions the same. And then at some point, if they need it, then they can switch to using it. And until then it’s totally transparent, zero additional cost.

Stephan Livera (15:45)
Okay, and so then while wallets would obviously need to do an uplift on building out that special script pathway that has a quantum resistant cryptography built into it somehow, like SPHINCS+ or SPHINCS or whatever these different ones are, but the actual taproot output part of it…

does not have to change and in terms of exchange support and like exchanges sending and receiving and things like that, that part is easy and it’s maybe a bit of a gradual transition because then people can just like keep using the same setup that they already have.

without having to kind of go into an entirely new paradigm where if we’re going to like fully quantum outputs and maybe we eventually are going to go there, I mean who knows, but we’re going to need like special hardware wallets for that and special software for that and like it’s going to be a different user flow isn’t it?

Matt (16:39)
Yeah, yeah, so it does keep things simpler. Now, it’s still not free. You might, you know, a hardware wallet needs to be aware of how this new address type is derived, right? Because the hardware wallet has to be able to identify which address, you know, is that change output mine? Is this input address mine? So there is still a non-trivial lift across the Bitcoin community, but it’s much simpler, especially for just a simple wallet, right? If you’re just a normal wallet that’s not doing hardware

wallet support, not doing anything like that, you’re just a wallet, it’s really easy. And so that at least enables some of the simpler cases to really start moving.

Stephan Livera (17:19)
Okay, so I’m just trying to think this through. And then I guess the other thing is because these quantum resistant or the post quantum cryptography is generally much bigger in terms of the size going on chain and things like this, but as I understand, you would not have to show that until you’re spending that particular…

pathway, right? You’re spending that particular, like if you’re just doing, you know, standard taproot, you know, pub key spend, you are not having to pay that extra price right now. It’s only in the future post quantum. Yeah. Yeah.

Matt (17:55)
Right, so it wouldn’t even appear on chain. No one even knows

that you’re doing this. And I think that’s one open question with this approach is, is it better that people know that you’re doing this? So there’s this whole debate around when or if a quantum computer becomes an imminent threat to Bitcoin, should Bitcoin disable insecure spend paths, right? So seize or burn

Stephan Livera (18:07)
Right.

Matt (18:24)
money that doesn’t have some quantum secure pathway to spending. And if people have no idea whether wallets have upgraded by looking at the chain, they can’t see whether wallets are post-quantum secure or anything, that limits the knowledge the Bitcoin community has at that point to make that decision.

And so there is a question of like, well, do you actually want to tag it on change? You want to have a different taproot version or something just so that, or require that the, you know, an extra bit in the public key be even or odd or something, just so that people could statistically determine whether this upgrade path has completed. And so there’s some question there. I think that’s an open question that needs to be resolved. But in terms of

Stephan Livera (18:55)
Like, yeah.

Matt (19:19)
this approach, I think it’s relatively straightforward in terms of like, yeah, we can just do this. It’s not a lot of complexity. It’s, we’ll get some wallets off zero. We’ll give people a path and, you know, clean things up so that if, if a problem becomes urgent, we have this as an option. And so it seems relatively straightforward that we should kind of just do this, but timeline and, and, and focus.

Stephan Livera (19:49)
I see. So just help us compare the number of soft forks required, right? So in the, let’s say in the BIP-360 style, you’d need a soft fork to give you that new type of output. And maybe it depends on if they also include

like the specific type of post-quantum cryptography. And then maybe there might even be another one to like, they’re gonna do like hourglass or a burn, et cetera. In the, let’s say in your proposed idea of using a taproot script path that is quantum resistant, I presume you don’t need, we don’t actually need a soft fork to even, do the first part of that. It’s just that you might, you wouldn’t have a soft fork to like burn the key path.

or to, sorry, to, let’s say, disable the key path, spend, on Taproot.

Matt (20:32)
Yeah.

Yeah, I mean, in theory wallets could start doing this now. They could say, okay, I’m gonna pick, I’m gonna go implement SPHINCS. I’m gonna start embedding it as a leaf on the taproot script tree. I’m never gonna reveal it. So no one can ever use it. And it would be totally fine. This wouldn’t break your wallet. Probably it makes sense to do a soft fork to actually provide consensus meaning to that,

to go ahead and kind of enshrine that definition so that wallets don’t have this weird risk of like, well, if this other part of your script tree leaks, then someone could steal your money. So probably good to just do that, but you’re right, technically we don’t need it. What we do need then is some soft fork in the future to disable the key path spends. And I think that is where you get into this question of does the future Bitcoin community want to

burn insecure coins, because if they do we don’t need a different script version, we don’t need a different taproot version, you just disable the keypath spend and you’re done. Whereas if the Bitcoin community in the future says strongly no, we don’t want to burn insecure coins, then there needs to be a way to more explicitly opt in, right? There would need to be a different taproot version so that you can say hey yes, I’m upgraded, please disable keypath spend when it’s a concern.

I think.

In my view the Bitcoin community is kind of almost without question going to burn insecure coins. But that’s a, it’s a very different

Stephan Livera (22:14)
I’m curious why you say that because it’s kind of like,

I mean, let’s talk about that because if I kind of, you know, finger in the air, just kind of read the vibe. Look, maybe it’s a loud minority, but the sense I get is that actually most Bitcoin people seem to side more on the idea of like, it’s maybe in their mind

it’s sort of, they don’t want to do like the ETH DAO thing where it’s like, quote unquote, rolling back the chain, or they had some fancy word for it where they kind of did a, you know, specific thing to that, to the ETH DAO, you know, hack. And so there’s a perception that…

Matt (22:45)
Yeah.

Stephan Livera (22:49)
You know, if you’re burning these quantum vulnerable coins, then that somehow is cutting against the property rights notion that we treasure inside of Bitcoin. So that seems to be the main opposition. I’m sort of, my gut feel is towards that direction also. So I’m curious where you’re at on that. Why do you think most Bitcoiners are actually going to be pro-burning?

Matt (23:12)
Yeah, look, the reality is the winning, like there will be a fork, right? So in the face of some quantum, high quantum risk in the medium term, someone’s gonna write the code to define a soft fork, right? So there will be two coins, right? And it’s at that point, as is always the case, it’s up to the market. So the market is gonna look at those two coins, evaluate which they care more about, which they wanna hold and which one they wanna sell.

And I think as we’ve seen pretty robustly, the market has a very, very strong incentive to converge quickly to say, oh no, there’s only value if there’s one Bitcoin. And so once the market starts moving, everyone’s gonna jump on that and there will be one Bitcoin. So the question is, which one is the market gonna value more? And it’s true, it’s complicated because it gets into

how many different scenarios there are, all of the different pieces that might go into a scenario, all of the different facts of how much Bitcoin has been upgraded, how much Bitcoin is vulnerable, how much time actually is there, do we discover this in advance or slowly or really rapidly, is there some rapid breakthrough? All of these are going to obviously influence that decision, but I think

first and foremost, the law of supply and demand is pretty king. I think in all likelihood, we’ve seen wallets move slowly, adapt very, very slowly. And as a result, I think no matter when and how a quantum computer becomes a threat to Bitcoin, quote unquote, the…

number of coins available for that quantum computer to steal will be huge. Even if we roll out a soft fork today and progress is really slow and gradual and public, both of which I think are likely, and it takes 20 years before we get a quantum computer, which also seems very possible, very plausible. Even in that case, I think wallets are gonna start moving for 17 years.

Right? And so you’re going to see a lot of quantum vulnerable.

The other consideration is that quantum is not a risk for, depending on how the Bitcoin community approaches it, quantum is potentially not a risk for any wallet that uses a seed phrase. So if the Bitcoin community says, if the market around Bitcoin, not just the community, but the market around Bitcoin says, look, there’s 10, five, seven million

Stephan Livera (25:54)
Right.

Matt (26:07)
Bitcoin that are going to be stolen by this quantum computer that are going to enter the market. And I don’t just mean, you know, that’s some portion of Bitcoin’s total supply. I mean, those are coins that are going to be actively sold on the market, not coins that are lost, you know, coins that were lost that are now on the sell side of the market, coins that were held by long-term holders who aren’t willing to sell that are now on the sell side of the market, you know, that’s a massive increase, even if it’s only 1 million Bitcoin.

It’s not a 5 % increase in supply. It’s a 10, 20, 30, 40 % increase in supply active on the market. And so I think that’s gonna be a huge pressure for the market to pick one side. And that’s gonna be the burning insecure coin side. Maybe I’m wrong, but I think that’s very likely.

Stephan Livera (26:52)
Yeah, well, I think it kind of matters. It kind of matters

if the, I mean, like, as you said, there’s so many moving parts here, we can’t exactly isolate everything. But it could also be that, I mean, imagine if it’s 20 years in the future, and Bitcoin is like, I don’t know, $10 million a coin or something crazy. Maybe the hackers are just going to hodl it, right? Maybe they would actually just want to hold it and not sell it all. So I don’t know.

Matt (27:12)
Maybe,

but the market has to evaluate that. And obviously, if a quantum computer has been built slowly over last 20 years, they have investors who want their many billions of dollars of investment back. And this is about the only way they can get their investment back. There’s not a lot of other interesting value for a quantum computer. So I think there’s gonna be a lot of pressure to sell some of it and to sell probably quite a bit of it at market.

Stephan Livera (27:26)
Well, yeah, that depends what they do, yeah.

Matt (27:42)
as fast as they can. Or the market has to evaluate that risk in any case. But I think the important part is, the other important factor is if they decide this, if the market says no, we’re gonna allow the quantum computer to steal all the coins and sell them. Then there’s not a lot you can do, like you just have to have already upgraded to a quantum secure output type, which

Stephan Livera (27:46)
Yeah, and I guess people on the… Yeah, go on.

Matt (28:09)
I don’t think is even going to be available for many, many years. So I think that’s going to cause more chaos versus if the market says, okay, no, we’re going to burn insecure coins, that does not apply to wallets that have a seed phrase. So you can disable insecure spend paths and say, okay, actually what isn’t insecure is a zero knowledge proof that you knew the seed phrase that derived this private key. So wallets

go from a seed phrase, write this 12 or 24 words, then they use a hash scheme to go to a private key, which then they use to sign transactions and the public key using the blockchain sees the public key which it used to verify the signature. The quantum computer can go from the public key, which is on the blockchain, to the private key, but it can’t go from the private key to the seed phrase, because it’s a hash function and not standard EC math.

So if we disable insecure spend paths, we can say, okay, actually, if you have a seed phrase, you can do a zero knowledge proof that you know the seed phrase, and then that will count as a signature. So the actual number of coins that are burned, especially if we’re talking 10, 20 years in the future, is basically only lost coins at that point, right? It’s basically coins that haven’t moved for 10 or 20 years or…

are using the current Bitcoin Core wallet. That’s about the only wallet out there at this point that doesn’t use seed phrase derivation. And so hopefully, we can do this kind of a soft fork to enable SPHINCS in taproot leaves, and then we can put that in the Bitcoin Core wallet. And then there’s not really any wallets left. So at that point, it’s true that all wallets today, if we…

We do this soft fork and we enable it for this long tail of kind of specialty wallets, Bitcoin Core, some of these large custodians, whatever. And don’t use seed phrases.

and those wallets adopt this scheme, then it’s basically the case that all wallets today already are quantum secure in a world where the future Bitcoin community disables insecure spend paths. And especially if that’s a long way off.

Stephan Livera (30:21)
Interesting, that’s a lot more interesting, a lot more,

a lot more compelling. So I think that is, that’s a good point actually. I hadn’t considered that idea that if

we use that scheme when they’ve got the seed phrase, the ZK-proof thing that then allows them to recover. It could be more plausible then to actually do the burn in that scenario because if, like let’s say right now, the number of vulnerable coins is, I think people have thrown around numbers like five or six million BTC that are potentially vulnerable. in, let’s say we did this scheme.

and you had the ZK kind of whatever quantum recovery, whatever that scheme is called, I’m not sure. The actual number of coins that are vulnerable would drop dramatically. And then we’re pretty much talking about like the Satoshi coins and like a few other bits and pieces.

Matt (31:13)
Yeah.

Yeah, and really like specialty wallets, like large custodians maybe have more unique setups that might not use a seed phrase, but also Coinbase can adapt. Like Coinbase will move quickly, right? That’s not a concern.

Stephan Livera (31:26)
Right, but the large custodians

can pay professionals to do like fancy things so that like we don’t have to really worry as much about them. Yeah. So that’s not as much of a concern, I guess. Yeah. Yeah, that’s interesting. So the thing is with the ZK kind of recovery thing, do you know if that would require like really big signatures on chain? Like would that be like a big process? Like imagine that happens. Is it going to be like, you know, a few years worth of transactions to get everyone over to the new scheme?

Matt (31:31)
And they can move in an hour. Yeah, you know, so it's... Yeah, so, yeah, the, I mean, you know, obviously in a case where we're talking about soft forking out insecure spend paths and we're making these kinds of decisions, probably there's going to be discussion around whether the block size should increase as a consequence of the increased size of signatures. And so I'm not really worried about that. Like I imagine the block size will be adjusted appropriately for the signatures that are core.

Stephan Livera (32:21)
Yeah. And what would that look like? Would that be like some kind of quantum witness discount, or like what would that be?

Matt (32:27)
Potentially, potentially, yeah, especially if we're talking about some of these ZK schemes. You know, obviously the availability of high quality ZK schemes will improve over the next 10 years, 15 years, maybe they'll be super, super cheap. You know, hash based ones probably still won't be tiny, but they'll be reasonably cost efficient. And so, yeah, I mean, maybe there'll be a quantum witness and you'll say, okay, well, to spend coins, you have to have both the traditional insecure secp signature in normal Bitcoin and then also there's some segwit v2 that also requires a ZK proof or something, and we can figure out what that looks like at that time.

Stephan Livera (33:10)
Okay, yeah, interesting. And so when it comes to the specific, I guess, I don't know if you have any thought on the specific quantum, post-quantum crypto, like whether it's hash-based or lattice-based or some of these other forms. Have you looked into those or do you have any thought on that?

Matt (33:33)
Yeah, I mean, doing something right now, it seems clear that it should be hash-based, like when we're talking about adding something as a taproot leaf so that wallets can start to have this as an option. It seems that hash-based is the only good answer there. Lattice has matured a lot over the last number of years, but still relies on relatively novel cryptographic assumptions. And when we're really talking about things for wallets to do where we anticipate them not, hopefully not, needing to use this at all, we can make really conservative cryptographic assumptions, like just taking on, just using hashes, SHA-256 hashes, and not worrying too much about the extra cost of doing that versus a lattice scheme. So we should, it seems fairly straightforward to me that for that kind of use case, hash-based just makes a lot more sense right now. Whether, you know, in the future when quantum becomes more urgent, kind of more on the short-term horizon, then we, the Bitcoin community that exists at the time, will presumably reevaluate what the post-quantum cryptography landscape looks like and then make a decision at that point to add something more efficient for people as an option. But hash-based isn't terrible, I mean, you know, 10x more cost or something. So it's expensive, but not impractically expensive.

Stephan Livera (35:12)
Okay. And now another question. I just thought of this as well. And I was just wondering if, okay, so let's say we do the, I don't know the name of the Matt Corallo scheme, right? The, you know, the tapscript quantum thing. Let's, let's say you pick a specific thing, like whether it's SHRINCS. Is there a risk that let's say like a bunch of people just kind of do this now and there's no soft fork for this, let's say, and they use world set encoded into that, but is there a risk that the future community could rug them and say, oh no, no, we don't want to use SHRINCS, we want to do lattice-based or some other thing? Is there a risk that you could think you're doing the right thing by doing this scheme, but actually the future community doesn't want to go that way, or is it not gonna matter because you would have already, you know...

Matt (36:02)
Yeah, I mean, sure, potentially, right? You can never predict what the future community might do, but of course if there is a material number of coins that have opted into post-quantum security via some scheme that is standard and well understood, I can't imagine the Bitcoin community will say, we're going to try to argue that. That would be very antithetical to the value proposition of Bitcoin. But I do think just enshrining the scheme and making clear this is exactly the scheme and everyone should use exactly this and here's how it works, by going ahead and doing a soft fork in the short to medium term, makes sense. Not because I'm worried about people getting rugged, but just, it makes clearer that this is exactly what we're doing. This is the thing. At least for now.

Stephan Livera (36:50)
Right, that this is the pathway that at least, you know, the community... Okay. Yeah. And so, go on.

Matt (36:57)
I think there's one last part of the picture that I see in terms of getting that, I imagine the Bitcoin community will want, in a post-quantum world. So in the short term, I think we should add a tap leaf and then the Bitcoin community in the future will simply disable the key path and many wallets will be upgraded. I imagine the Bitcoin community will disable insecure spend paths, but allow those who have seed phrases to continue to access their funds, which is going to basically reduce the number of coins at risk of being burned to a very, very low number. But then lastly, I imagine, and I think the Bitcoin community will probably also enable a quantum commitment scheme, right? So if you are this Patoshi miner, these coins that people assume are Satoshi's, this early miner. And the Bitcoin community doesn't want to burn your coins, but also doesn't want to kind of flush you out, right? We don't want to necessarily force this early miner to reveal whether they have the private keys or not by making them spend the coins. We could also say, okay, look, here's Q-day. So here's the day at which Bitcoin is going to disable insecure spend paths, the day at which we're worried that after this a quantum computer might exist. If at any point prior to this, you put anywhere on the blockchain, in an OP_RETURN, in a witness, whatever, a hash commitment to your private key and your hash based public key. So I just literally hash, here's the private key that I have, here's a hash based public key. I hash that, I put it on the blockchain. If at any point prior to Q-day you do that, then at any point after Q-day, even though insecure spend paths are disabled and you can't just spend these outputs with a normal signature, you're allowed to spend it because you committed to a new public key. So you can go on the chain and you can say, actually, I'm going to go spend that output. Here's proof that I committed to it at the time, years ago, I knew the private key before quantum computers existed, and also I committed to the new public key which is post-quantum, and now I'm gonna sign with that new post-quantum public key. This would avoid the risk of kind of flushing out these early users or forcing them to go on chain and spend things, and that way, you know, it enables these people to still have their coins without wrecking their privacy.

Stephan Livera (39:27)
Interesting. Interesting, in the case of, well, Patoshi out there, I hope you're listening, but joking, but more seriously, if Patoshi, this hypothetical miner, because those coins aren't just like in one fat output, right? It's like many, many, many, many outputs of like 50 BTC or whatever, is Patoshi and whoever else is in a similar boat, are they gonna have to do that hash commitment per UTXO that they control, or is there a way to like batch it into an OP_RETURN, or how are they gonna do that?

Matt (40:15)
Yeah, you could enable a hash tree, right? So you could allow them to do all of these commitments in a Merkle tree and then hash all the way up to the root of the Merkle tree and just commit to the root of the Merkle tree, and then they could spend by revealing the Merkle tree path. So you could allow them to do it in one big commitment. Of course, that would force them to kind of, when they do go to spend their coins, they would be forced to reveal that like they had all these coins, that they were all owned by one person.

Stephan Livera (40:42)
Right, it would be like one big consolidation on the post Q-day thing, but at least they still got their coins, they didn't lose them. So that's the key point.

Matt (40:45)
Yeah. Right, right, so you could do it in one 32-byte commitment if you wanted.

Stephan Livera (40:53)
Okay, so yeah, so that doesn't kind of become impractical for Patoshi or some other early miners to kind of have to like put in like 200,000 whatever commitments or whatever. It can be kind of batched into one, let's say. Interesting, okay. And so I guess now you spoke earlier saying that theoretically to do this plan, this tap leaf plan, the quantum tap leaf plan, let's say, you don't need a soft fork today. But you said it might be a good thing if the community were to agree on that, just for the sake of formalizing and committing to it, let's say publicly, and all of us together saying this is our current plan, or at least one current plan for quantum mitigation.

Matt (41:40)
Yeah, I think that makes sense. I think, you know, there's still more work to be done. I think probably it makes sense to do it based on SHRINCS, this new work by Jonas Nick, I think this year, I think it actually was in January. That is...

Stephan Livera (41:52)
Yeah. Yeah. Listeners, you can check out my recent episode with Jonas, we covered that a little bit there.

Matt (41:57)
Right, right. SHRINCS is great. I think it's cool to have this option to be stateful or stateless and get smaller signatures or larger ones and kind of give people the option. But SHRINCS also has more to go. It needs to be concretized. SHRINCS is kind of a high level, here's what we can do and here's a few different options and here's the kind of sizes for those options, but we have to concretize it and say, no, here is SHRINCS for Bitcoin, the way it's gonna be done. I think Jonas is working somewhat on that. And then from there, I mean, it's straightforward. You just add it to a tap leaf. You take one of the OP_SUCCESS opcodes, you make it OP_SHRINCS_VERIFY or just OP_SHRINCS, and you're done. But yeah, I mean, I think we should do that. I think there's some work left to be done to get there. There's progress going into it. Jonas is making progress. I think Tim might start helping soon, is what I'm told.

Stephan Livera (42:57)
Okay, yeah. So in terms of things that would break today, do you have any thoughts on that? Like, whether it's things that rely on elliptic curve cryptography today, even I think off the top of my head things like silent payments and even some of these adapter signature style things that rely on adapter signatures. Even as we talked about before, hardware wallets are gonna have to change. Our software that we use is going to have to change. It's a wholesale, it's a big lift. It's not just kind of, because I think there's like a perception of like, hey, why haven't the devs just done this already? And it's like, nah, there's like all these bits and pieces that have to get fixed all around the ecosystem. So do you have any thought there or any comments there just on like what needs to be fixed or changed?

Matt (43:49)
Yeah, I mean, you're right, it is a lot of pieces. You know, I think, again, if we assume that a future Bitcoin community disables insecure spend paths, which again, I'm pretty confident in for many reasons, just because the market's gonna be the one to decide and the market cares about supply and demand. But if we assume that, then it's really just about these kinds of more unique wallets that don't use seed phrases that need to adapt. So that's Bitcoin Core, that's some of these large custodians, that's software designed for some of these large custodians. There's maybe some other wallets that I'm not really thinking of. Most wallets use seed phrases, so it's not really as much an immediate concern for them. And so it's really just getting those wallets to move. Bitcoin Core has some hardware wallet support, but, you know, we have to adapt Bitcoin Core. Bitcoin Core is often used just as a straightforward wallet without hardware wallet use. So, you know, in those cases, it would be relatively simple. But yeah, I mean, there's quite a bit of work. Descriptors have to be updated to include this derivation scheme, to include these public keys. But yeah, I think it's not as crazy an amount of work because we don't necessarily need every type of wallet to update immediately. Of course we'd like them to update because in all likelihood this will be cheaper. If you are a wallet and you have both this SHRINCS embedded pubkey and also your key is derived from a seed phrase, so you could do the ZK proof approach, the ZK proof approach is probably going to be slower. It's going to be larger on chain. It's going to be more costly, higher fees. So you still want to migrate so that if Q-day happens you aren't 50Xing your fees, I'm guessing at a number, I don't really know what the number would be, instead of 50Xing your fees, you're only 10Xing your fees, that would be good. So we do want wallets to upgrade over time, but they've got time, they've got a lot of time to do it. It's more about getting that process started, getting off zero, starting moving, because it just takes a lot of time, as you mentioned.

Stephan Livera (46:11)
Interesting. And so there's also this notion of, you know, this famous like meme of like Linus saying, don't break user space, right? And I think today, the way many people use Bitcoin is they might have shared their xpub around with different services. And that is a problem, right? If you have shared your xpub, like the quantum computer will get you hypothetically, right? Like, so that's like another thing where, or this concept where people have like watching wallets, right? So they might have the private key in the hardware wallet, but they might have a watching wallet on their computer or on their phone. Like that concept has to shift. I mean, there might be like equivalents in a quantum world, but like some of these aspects have to shift, and I guess that's just going to be also part of this managing a transition into a post-quantum.

Matt (47:01)
Yeah, I mean, as new address types have been added, descriptors have changed, right? So when Taproot wallets started to become a thing, you still had to adapt the ecosystem of watch-only wallets, like you mentioned, hardware wallets, whatever, to support these new forms of descriptors that support Taproot. And the same is true here, right? We're gonna have to have a new form of descriptor to support this specific Taproot leaf, so that wallets can verify it and identify the output as theirs and properly derive the keys. Yeah, I mean, it takes time. It's a very slow burn. It's just a question of getting that process moving. And no matter what we do, if quantum happens tomorrow, right? Like tomorrow there's some huge breakthrough in refrigerant technology and all of a sudden,

Stephan Livera (47:45)
Yeah.

Matt (47:58)
You know, someone comes up with the best refrigeration design in 200 years, and now, you know, you can build a large quantum computer fairly easily and more qubits is doable. These things are gonna have to happen, right? You can't, on quantum day, whether Bitcoin burns old coins, disables insecure spend paths or not, you can't transact with secp, right? Either you transact with some post-quantum scheme or you try to transact with secp and you lose your money. So like either way, these technologies, in, you know, most likely in 10, 15, 20, 25 years, we'll have to adapt anyway. So it's good to just start getting that ball moving, give them an option that's hash based so that the ecosystem can start to adopt that, start to support that over five, 10 years. So that, okay, maybe in 20 years we add lattice based crypto, but at least, okay, if you haven't updated your wallet, if wallet software is slow to adapt, which again, it tends to be, then you can just use the hash based stuff and maybe you pay a little higher fee, but that's okay. Stuff still works.

Stephan Livera (49:16)
Got it, okay. So yeah, so there's different things that, let's say, the community and Bitcoiners have to think about and understand, okay, what path, what direction is it gonna be? Is it gonna be like a specific quantum output from the get-go, out of the gate, or is it gonna be this, I don't know, we don't have a name for it. Quantum tap leaf, the Matt Corallo plan, let's say, the Matt Corallo plan. So we'll have to decide that. And then there'll be other things too of like, okay, are we doing the block size increase or not, like to compensate, or just like leave it as is. And maybe that's gonna help the people who think there's a security budget issue or whatever. So there's probably lots of things people have to sort of think about there. But I guess, yeah, we'll leave it there. Any final things you wanna mention?

Matt (50:00)
Yeah, I think for the most part, you know, these decisions don't need to be made today and can't be made today because it's up to the future Bitcoin community to decide these things. And we can't decide that in advance for them. The only thing we can do now is provide an option that we think is likely to be adopted, that we think wallets can start using today, that prepares them for the future in the best way possible. And I don't really see anything that's better than putting in the tap leaf, maybe indicating that at the consensus level, so that wallets can adopt it, start using it, but aren't paying a high fee today and aren't just screwing their users into a really high fee today.

Stephan Livera (50:47)
Yeah, what do we do about quantum? Let's leave that for the listeners. Listeners, check out Matt Corallo's work. We'll put all the links in the show notes. Matt, thank you for joining me today and helping discuss your ideas.

Matt (51:01)
Yeah, of course.
