
Experts warn quantum computing could threaten Bitcoin within years, prompting urgent debate over upgrades, timelines, and how to handle vulnerable coins.
Estimates for when quantum computers could break Bitcoin’s elliptic curve cryptography vary widely, from a few years to decades. Several companies target 2027–2028 for machines capable of breaking 256-bit elliptic curves, though delays are considered likely. Despite uncertainty, the growing number of firms and rapid investment suggest risk is increasing rather than hypothetical.
The U.S. National Institute of Standards and Technology (NIST) requires quantum-resistant systems by 2029 and full transition by 2035. Government standards and classified research raise the possibility that state actors may already be ahead of public capabilities. Some experts compare the race to a “Manhattan Project” for computing power.
Roughly 7 million BTC, about one-third of supply, are considered vulnerable. This includes early P2PK addresses with exposed public keys, reused addresses, and Taproot outputs that reveal keys during spending. If quantum systems emerge, attackers could potentially derive private keys and move funds without detection.
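The exposure classes listed above can be checked for a wallet's own outputs. The following is an added example, not code from the panel or from any BIP: it matches the standard scriptPubKey templates and totals value by when the public key becomes visible on-chain. The sample scripts, amounts and the `spent_before` set are constructed; in practice they would come from your own node or wallet history.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Utxo:
    script_hex: str  # scriptPubKey, hex-encoded
    sats: int        # value in satoshis


def is_pubkey(b: bytes) -> bool:
    """SEC-encoded secp256k1 key: 33 bytes (02/03 prefix) or 65 bytes (04 prefix)."""
    return (len(b) == 33 and b[0] in (2, 3)) or (len(b) == 65 and b[0] == 4)


def script_type(script_hex: str) -> str:
    """Match the standard output templates byte for byte."""
    s = bytes.fromhex(script_hex)
    n = len(s)
    # <push 33|65> <pubkey> OP_CHECKSIG
    if n in (35, 67) and s[0] == n - 2 and s[-1] == 0xAC and is_pubkey(s[1:-1]):
        return "p2pk"
    # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    if n == 25 and s[:3] == b"\x76\xa9\x14" and s[23:] == b"\x88\xac":
        return "p2pkh"
    # OP_HASH160 <20> OP_EQUAL
    if n == 23 and s[:2] == b"\xa9\x14" and s[22] == 0x87:
        return "p2sh"
    # OP_0 <20>  /  OP_0 <32>  /  OP_1 <32>
    if n == 22 and s[:2] == b"\x00\x14":
        return "p2wpkh"
    if n == 34 and s[:2] == b"\x00\x20":
        return "p2wsh"
    if n == 34 and s[:2] == b"\x51\x20":
        return "p2tr"
    return "other"


KEY_IN_OUTPUT = {"p2pk", "p2tr"}                     # key sits in the output itself
KEY_BEHIND_HASH = {"p2pkh", "p2wpkh", "p2sh", "p2wsh"}  # key shown only when spending


def exposure(utxo: Utxo, spent_before: set) -> str:
    """Classify one output; spent_before holds scripts already spent from once."""
    kind = script_type(utxo.script_hex)
    if kind in KEY_IN_OUTPUT:
        return "exposed_at_rest"
    if kind in KEY_BEHIND_HASH:
        # An earlier spend from the same script already published the key
        # (or the script containing it), so a reused address is exposed too.
        reused = utxo.script_hex.lower() in spent_before
        return "exposed_by_reuse" if reused else "hidden_until_spend"
    # Anything else (bare multisig, non-standard scripts) is not parsed here.
    return "needs_manual_review"


def audit(utxos, spent_before) -> dict:
    """Total satoshis per exposure class."""
    seen = {s.lower() for s in spent_before}
    totals = Counter()
    for u in utxos:
        totals[exposure(u, seen)] += u.sats
    return dict(totals)


# Constructed sample data: filler bytes, not real keys or hashes.
P2PK_SCRIPT = "21" + "02" + "11" * 32 + "ac"
P2PKH_SCRIPT = "76a914" + "33" * 20 + "88ac"
P2WPKH_SCRIPT = "0014" + "44" * 20
P2TR_SCRIPT = "5120" + "55" * 32
MULTISIG_SCRIPT = "51" + "21" + "02" + "11" * 32 + "51" + "ae"  # bare 1-of-1

SAMPLE_UTXOS = [
    Utxo(P2PK_SCRIPT, 5_000_000_000),  # 50 BTC early-style output
    Utxo(P2PKH_SCRIPT, 1_000_000),     # address that was spent from, then funded again
    Utxo(P2WPKH_SCRIPT, 2_000_000),    # never spent from
    Utxo(P2TR_SCRIPT, 3_000_000),
    Utxo(MULTISIG_SCRIPT, 1_000),
]
SAMPLE_SPENT_BEFORE = {P2PKH_SCRIPT}

if __name__ == "__main__":
    for label, sats in sorted(audit(SAMPLE_UTXOS, SAMPLE_SPENT_BEFORE).items()):
        print(f"{label:22s} {sats / 1e8:.8f} BTC")
```

Outputs reported as hidden_until_spend still reveal their key in the spending transaction itself, so the classification describes exposure while the coins are at rest only.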
A quantum attack would appear on-chain as ordinary transactions. Observers would only see coins moving, with no way to distinguish legitimate owners from attackers. This creates a risk of sudden, large-scale fund movements without warning.
A leading proposal, BIP 360 (Pay-to-Merkle-Root), would remove key exposure risks and prepare Bitcoin for post-quantum signatures. It preserves some functionality of Taproot but sacrifices certain privacy features. Additional upgrades would be needed to introduce fully quantum-safe signature schemes.
Two main approaches are debated: hash-based signatures, which are well-tested but large and state-dependent, and lattice-based schemes, which are faster but less battle-tested. No consensus exists yet on which should be adopted for Bitcoin.
A proposed roadmap includes multiple phases: first discouraging use of vulnerable addresses, then restricting them, and eventually requiring quantum-safe outputs. Critics argue these timelines may be too slow if quantum breakthroughs arrive sooner than expected.
One controversial idea is preventing old, vulnerable coins from being spent after a deadline. Critics argue this could unfairly lock funds, including Satoshi-era holdings, while supporters say it protects the network from mass theft.
The “Hourglass” proposal would limit withdrawals of vulnerable coins to 1 BTC per block, stretching potential exploitation over decades instead of hours. This approach aims to reduce systemic shock while preserving access for legitimate owners.
Experts broadly agree that quantum-safe solutions already exist in theory or practice. The key challenge lies in achieving agreement within the Bitcoin community and deploying upgrades in time to mitigate risk.
Quantum computing presents a credible long-term threat to Bitcoin, but uncertainty over timelines complicates action. The outcome will depend less on technical feasibility than on whether the network can coordinate upgrades before the risk materializes.
Hello. Hello. My name is Anafam. Uh I'm a Bitcoin journalist for over 10 years and author of the Genesis book. I'm not a cryptographer, let alone a quantum researcher. I know next to nothing about this. I know a little bit more about, you know, how Bitcoin can handle it or not. Uh but fortunately, I have a very well-informed panel with me and I'm gonna try to guide you all through uh their thinking. So, I'll I'll let the panelists introduce themselves. Let's start here with Ian.
>> I started off with cryptocurrency and learned about Shor's algorithm in 2002. Um, but I did not publish the research that I had. I should have because it was it was bad and maybe people would have learned some of the mistakes that they're making today still. The uh Shor's algorithm is something that I've followed up with every few years and I've just tried to keep up on on quantum. In 2024, I read more papers, freaked out and switched full-time to quantum safety.
>> I'm Chris Papathanu. Uh background cyber security 20 odd years and about two years ago I was thinking about how do I hedge the quantum risk? Well, what can I do to secure Bitcoin? What are the biggest threat scenarios that would absolutely kill Bitcoin? And one of those that stood out was quantum. So, I started going down that rabbit hole and learning as much as I can. Ultimately, I created a a side chain which I call QBTC which uh implements post-quantum cryptography in order to secure uh Bitcoin.
>> Uh Mike Casey, I am formerly with MEA uh where I headed up the enduro group. We spent the last year working on quantum initiatives including incubating uh BIP 360 or P2MR uh and um co-author on Hourglass.
>> Um hi I'm Jonathan Bier. I published a book called The Blocksize War which is about like a kind of battle in Bitcoin from 2015 to 2017. Uh like Aaron I really had no idea about quantum computers. 
I I've read on uh some papers, but I really don't really understand what they are, when they might happen, but I am interested in kind of upgrading Bitcoin. So, I can talk about that side of it.
>> Okay. Well, let's start with that last point. Let's start there because there's a lot of disagreement, it would appear. I don't know if there's going to be a lot of disagreement on this panel. We'll see. But that's about how how imminent is this threat really? I've seen estimates ranging from this could become a real problem within a year or two to this is at this point pure science fiction and it's nowhere near like even talking about it is kind of a super primitive. Ian, where do you stand on this?
>> Um, so first off, the people who make the quantum computers are saying they're going to have sufficiently sized computers available in 2027 and 2028 depending on the manufacturer. In 2024.
>> Just to be clear, this would be sufficiently sized to
>> break elliptical curves at 256 bits.
>> So that's a year from or something like that.
>> 2027 is what they've said on their roadmaps.
>> Uh I don't necessarily believe the companies, but I think that's a good point at which we should say this is where the risk begins because if they haven't built it yet, then there's no risk. Uh if they when they say that they can build it and they're destined to have it built on their roadmap, that's when we should at least begin the clock for you know a very low risk percentage. Uh and then each month that proceeds after that the risk goes up. There was over 45 companies making these machines in 2024 and of those 45 companies only three had roadmaps targeting 2027 and then they moved two of them to 2028. Uh in 2028 you're looking at like 10 companies uh that are targeting the same sized quantum computers. However, there's now 4,000 companies making parts of these machines or these machines. 
So, my concern is that they might just start gobbling each other up, do a bunch of mergers, and then bring some innovations in-house that they didn't have and be able to release quantum computers uh sooner rather than later. Again, targeting 2027 if that's when the, you know, if the mergers start this year. Uh the idea that people are just going to sit around and not make anything for three or 10 years is uh a bit awkward.
>> Okay. I I one quick follow-up question and then we'll move on. It sounds like your assessment is mostly based on their assessment, but they do you have a reason to like isn't it possible that they're just exaggerating to get investments or for whatever reason they might have?
>> Uh IonQ often exaggerates. They claimed that they were going to have income from Shor's algorithm in 2027 which would be elliptic curves at 256 bits. Uh I don't believe them even though they released a paper last month saying you know all sorts of innovations. Uh the thing that uh I think is more plausible are the the companies that continue to deliver the systems are targeting 2028 and that is I think the more likely date. So, if I were to, you know, bet on one three-month period, I would bet on delays and those delays would put them in, you know, somewhere between August and November of 2028. Um, I think the risk is, you know, they could possibly succeed before then, but I think that the risk is very high when a lot of companies are saying we're going to deliver by then.
>> Okay, Chris, where do you stand on this?
>> I'm not a physicist. Um and as as Ian rightly said, we we have to go by what we hear in the market. Now when I've been to multiple conferences where these vendors are also present, uh some of those conferences are for example um government conferences where where they're presenting to closed audiences. 
Um and when they are directly questioned on these types of topics, you know, how soon and of course these stakeholders are very worried because it's not only Bitcoin that's affected by this, but it's all our communications as well and things that secure our financial system. Um so the so so the audience asks very pointed questions and their answer is always we are publicly listed companies. Whatever we put to the market uh needs to be validated by science and we cannot make false statements uh as a publicly listed company. Now that you know you have to take them up on that and hold them against that and you know we are seeing a lot of consolidation. So, for example, I think I think they were called Oxford Ionics just joined IonQ. Um, IonQ seems to be the more bullish, the one that's making mo the most noise if you will in the market. But then as well, you have PsiQuantum who who is also uh extremely bullish and providing almost similar timelines. Uh what people have to appreciate is not so much, you know, forget about the timelines for a second. You're ultimately talking about the computational power, the equivalent of an atomic bomb. And this is kind of like the Manhattan Project, right, of computing. That that is ultimately what we're talking about. And you have lots of little Manhattan Projects right now that are creating little atomic bombs of computation that can that are dual purpose and dual use. They can be used for incredibly beneficial things for society. Uh finding drugs and protein folding and all sorts of beautiful things, but they can also be used for um other purposes, military and and of course attacking ECC uh encryption. So, we don't know what the timelines are. What we do know is there's when there's lots of smoke, there's fire and we as an industry need to prepare against that.
>> Okay. So, so far we have Ian, you're saying two years is plausible.
>> No estimates.
>> No estimates. Okay, Mike.
>> Okay. 
Well, I don't think I can give an estimate, but the way that I look at it, um, NIST, the National Institutes of Standard Technology, they've said, and this has been for a couple of years now, um, there's been some increase uh, in activity in a couple academic papers saying it could accelerate. Don't know. But NIST guidelines say that you have to have post-quantum cryptography ready for government interacting systems. They have to be present by 2029 and by 2035 you have to have sunsetted any non-post-quantum system. This is per standards. Right? So that's their timeline. And you know when I think about quantum research you have to think the NSA is likely ahead of any private actors at this point. So they should the the the government may have knowledge of a state that quantum computing's at that isn't available to the general public. That may very well be the case. They may not. I don't know. Um but as to concrete I you know I don't know if it is even possible.
>> Can I real quick is there a concrete reason to think that is the case that NSA is further ahead than the Googles of this world?
>> The funding
>> fun. So, uh, PsiQuantum was originally they've built four quantum computers. They have not released any specifications on any of them. Uh, they were going to create their fifth quantum computer in Brisbane, Australia. They were courted by the NSA and they agreed to create a building inside Chicago. The Chicago construction needed uh the land sale, the permits to build permits for liquid hydrogen or excuse me, liquid helium 2, which is the common kind. Uh they needed permits to begin the construction. They needed all the contractors and approval and they got everything done in four weeks and began construction. They're like, "Oh, our construction is going slowly." And the NSA pushed them, I think, because suddenly they have three shifts working in Chicago, which is completely unheard of. Who has three shifts of contractors working in Chicago? 
Now, the thing is that the NSA is like apparently wielding influence on behalf of PsiQuantum. Uh, PsiQuantum has been doing mass production for two years. These are horizontally scaling two-qubit devices. They plug them into these giant uh solid steel fridges. They cool it down to 2 Kelvin with liquid helium and then they measure just the cold part and they measure the photons with 99.1% accuracy according to their 2023 spec. It's their algorithms that scared me in 2024 because they didn't need 7 million or 10 million or 50 million qubits. They can reuse the qubits and cycle them through these these systems that are able to generate uh photonic pairs uh perform calculations on a a switch and then measure the results reliably and that was their their 2024 papers. So the the question here is just a matter of scale and they're anticipating a 1 million qubit system by 2028. They could possibly break ECC 256 with um around a 100,000 qubits without having to do enormous, you know, reuse to make that happen. Uh, the reason that I think that they're ahead of the curve and kind of the the darling of of the NSA at this point is that they've been leading all of these things and they were the first to win most of these awards and most companies have not been able to get any kind of, you know, DARPA funding. It's very rare to get DARPA funding. IonQ recently got DARPA funding whereas PsiQuantum got it years ago. So yeah, I think they're ahead and the only thing that they had to do differently is have those uh these photonic switches perform faster and that was their main bottleneck. But they've been mass-producing those for months also. So they have everything that they need except the building. We're just waiting on the building.
>> Okay, Mike, sorry you were interrupted there. Please finish your point.
>> Yeah. 
Well, it's important to note PsiQuantum like he was talking about is just actually one of five different flavors of quantum computing being pursued right now by various different factions that have different trade-offs. So, if any one of them hits in a substantial scalable way, you know, we could see an exponential increase in the ability to chain these qubits together. Uh, and on top of that, there's been breakthroughs or perceived breakthroughs in error correction. So, I mean, all suffice it to say is it really is anybody's guess. It there's a chance it could never happen at all, but the math says it will, and there's more and more engineering dollars going into it every day.
>> Okay. Do do you feel comfortable putting any sort of timeline on this or also not really?
>> I have asked,
>> but that was still a question for Mike. Oh, for for me I mean
>> we have two unclear and
>> yeah it's it's unclear but my my time frame would you know as early probably as a few years from now but I mean we could hit unknown roadblocks that could make it not a thing for 15 20 years. It's it's very you know it's it's a very very long window. Johnny.
>> Um,
>> yeah, I have absolutely no idea on the timeline, but I do think it's a very interesting problem and it is worth thinking about how to upgrade Bitcoin to at least give people the optionality of spending Bitcoin in a quantum safe way. And then the people that are worried about the timeline and are concerned can prepare and then another set of people who aren't that concerned can carry on using Bitcoin in a the same quantum vulnerable way. Um, and I actually think a key part of the plan should be Taproot because I think Taproot was an upgrade to Bitcoin in 2021. And it's pretty neat because you can use a Tapscript path where you can have multiple ways to spend Bitcoin and you can hide different ways behind a hash. Uh, and a hash is pretty much quantum safe. 
Uh no Taproot itself is quantum vulnerable because the the public key and the key path spend is Schnorr public key is posted directly to the blockchain as address. So without a soft fork of any kind Taproot is completely quantum vulnerable.
>> Yeah. So you'd need two kinds of soft forks. One to
>> let's get more into this in one minute or I have one quick follow-up question on on this topic and then we get into how to upgrade Bitcoin to it. So to what extent would we actually see it coming? Is it one of those fears where it's like now it's here and we're all all vulnerable coins are gone or is it is it more reasonable to assume we're going to see papers and progress and you know we're going to have a better idea how long it's actually going to take before it's too late basically
>> on the network it's indistinguishable. So, um, all you would see as as a common person observing the blockchain would be a sudden movement of coins, nothing else. And you wouldn't know who did that. Was it the genuine owner of that wallet or was it uh a quantum enabled attacker? Coming back to the NSA point, there's a the NSA has released a standard. It's called the CSNA CSN CNSA version 2.0. In that standard they they mention that all traditional communication shall not use uh public key cryptography after I believe 2030. Uh they also stipulate in that standard that uh of the lattice-based post-quantum algorithms only ML-DSA version five is approved for top secret communication. So u yeah.
>> Okay let's move to Bitcoin and upgrading Bitcoin. Johnny already touched on it, but what are currently the most viable or in your opinion best plans to prepare for Q-Day as they call it, right?
>> Where who wants to start? Mike.
>> Um, yeah. So, um, I think the most viable plan forward is
>> Wait, real quick. So, what in what way is Bitcoin actually vulnerable? Maybe that's a good intro to
>> So, yeah. Yeah, the the quantum problem itself. Okay. 
So yeah, the the the quantum problem with Bitcoin, there's there's a couple different exposed output types. Uh the first being the Satoshi era coins, which are the P2PK coins. Notice there's no H on that because it's not hashed. The original 1.7 million bitcoins that were mined that are left over from the old days of the Satoshi era. Uh have the public key exposed on the chain and as such they are vulnerable to quantum attack directly. Uh and they store 50 BTC per. That's one class. Then you have uh P2PKH and the witness variant of it. Uh those for reused coins. So if you have a reused address and by that I mean an address that was spent from not sent to multiple times but spent from and then was sent to again afterward or sent itself its change. Uh any of those addresses because uh in order to spend from it, you have to reveal the public key and the signature. Therefore, they can be reversed as well by a quantum computer. Um so all that represents uh roughly 7 million coins on total. So um a third of the full supply around. Um so that's the total 1.7 million for those. And then the smaller would be Taproot because Taproot natively uh puts the public key on chain or at least the x-only variant of the public keys. Yeah, but still the same thing applies but that's due to the key path spend of Taproot which makes all the tap tweak functionality possible. Um so that those are the vulnerable types. There's also bare multisig but nobody used that. Uh but of those vulnerable types um the uh upgrading Taproot without something being done to it or you know just saying hey we'll throw it on Taproot unless you disable the key path spend um it is insecure because by nature it would always have to do that uh but what what our team proposed uh is BIP 360 which is P2MR Pay-to-Merkle-Root uh which basically it removes the Taproot from Taproot it no longer has tap tweaking or the key path spend the Taproot functionality. Instead, you're just left with MAST tree. 
So, you still get all of the MAST activities of being able to have multiple key paths um or tree, you know, spend paths through through the tree. Um so, you can do most of the Taproot functionality. You just can't play the fancy key tweaking games that are enabled by elliptic curve. Um but what this does is this gives us a solid foundation to implement new opcodes or overrides of CHECKSIG which allow us to instead introduce post-quantum cryptography directly into Bitcoin for use.
>> So will we lose anything by doing this? So for example with Taproot one of the nice things that any spends can look the same right any cooperative spends would that be lost or maybe
>> well you can't you don't have the happy path of the key path spend but anymore it's a MAST tree. Yeah, it does it doesn't it doesn't look like a traditional one if you use the happy path, but you're forced to using the tree, but only the path on the tree that you actually use is revealed. You're unaware of any other paths, right?
>> So, yeah,
>> but we would lose that property then.
>> Yes, you would you would lose the happy path key path spend property where it looks like just a normal non-Taproot transaction. Yes.
>> But but the great thing about that tree is you can of course have one branch that is quantum safe and one branch that is quantum vulnerable.
>> Correct. So you can continue to use with the new address types and maintain all the very uh preferable characteristics of of Schnorr signing uh until such time as there is a quantum event in which time you would switch over to the quantum protective ones which are much heavier.
>> Yeah, exactly. So you're preparing for the quantum risk while still getting all the benefits.
>> Correct. And more.
>> And the big difference between Taproot and this is with Taproot if you implemented all that today you would still have to take another additional step in the future at some point unknown of disabling the key path spend. 
Uh and for some people who
>> but that would be in other software then
>> exactly but that might be confiscatory for some people if they were relying on the key path spend. So then maybe now you can't get the keys out so or the the coins.
>> Yeah. Well, let's get to that topic in a bit. The confiscatory concern and argument. Um, first of all, so with the this you're describing BIP 360, I think, right?
>> Yep.
>> Is there any is anyone on the panel
>> against it or what are there any problems with rolling this out tomorrow? But let's say
>> it's a it's a it's a fantastic proposal 100%. It's it's an immediate solution that we can implement. Um so so there's two parts of course to to migrating to to to implementing quantum security into the Bitcoin protocol. Number one is effectively BIP 360 um BIP 360 doesn't create quantum, uh, address outputs however um so
>> not quantum safe yes
>> quantum safe addresses outputs so that would potentially be in the form of a second BIP that would come that would define how uh quantum safe outputs can be created quantum safe signatures on the Bitcoin protocol potentially using let's say a witness version three um either using hash-based signatures uh SPHINCS or or something like that. There there there's there's a very cool proposal by Jonas Nick from Blockstream right now about SHRINCS. The concern around that is something around uh hash-based signatures. They they have uh a state variable effectively. So if you reuse a hash-based signature, you effectively compromise your entire wallet. Uh sometimes that you know that could work well on hardware wallets but sometimes it doesn't work well on let's say a laptop that you that gets formatted or something. You may end up reusing one of your signatures and then compromise your coins. Of course lattice-based signatures are not as uh tested thoroughly. So that that that's a concern there. There is a big preference towards hash-based. Problem with hash-based is they're so big. 
Lattice-based ML-DSA right now verifies as fast as ECDSA. Um so we're likely going to see a second BIP come out uh that talks about how to add quantum safe spending on Bitcoin
>> of just to be clear. So the difference here is there there are coins in addresses and that's that's what 360 solves basically. So three 360 provides an upgrade path to a future soft fork that would introduce or you could combine them in introduce a safe signature type.
>> Yeah. And that is needed for when you do actually spend the coins and while they're in the mempool someone else could
>> but there are there is much debate as to what type that will be but yes.
>> Right. I see. So my concern is that it's basically three BIPs and it's takes a long time to get BIPs passed. So, I'm concerned that it may just be too late. Uh, there are other alternatives that are available now. They're expensive and slow. Uh for example the uh quantum safe bitcoin which requires $150 worth of GPU time to create a Bitcoin script that has certain properties and every single path inside that script needs to have a DER, uh, compatible output which means it has to match the cryptography requirements um and it's expensive to create those outputs they're not available they haven't been completely tested yet no one's actually spent one. Um there are other types of vulnerable Bitcoin addresses and output types. Uh one of them is the pay to uh script. If there is a public key in the script, that public key will may eventually have a balance that can already, you know, be solved by a quantum computer when it arrives. And so if the payment happens later, then they're able to drain the payment as soon as it arrives. Um, another one that is quantum vulnerable is Lightning and there's not really been any BIPs or proposals around Lightning. Uh, our team has talked about methods of making Lightning quantum safe. It needs to be a BIP. 
There needs to be more BIPs involved and we need to pass them faster, implement the code and you know make these things live sooner rather than later. Um, and then the last output type is every time that there is a fork and you spend the fork and say, "Oh, I just got dropped Bitcoin Cash. I'll spend it and I'll that reveals your public key on Bitcoin." So we need to have a method of providing uh the ability to spend or claim coins on forks that does not reveal your public key on you know Bitcoin Core you know or you know Bitcoin um that would probably involve one of the other proposals involving a ZK-STARK on based on the seed which is a long-term proposal there are other proposals for example um where you commit to an output and then you reveal the uh commitment later on. This is like I'm going to have an I'm going to have a receipt that looks like this, but I'm not going to give my credit card until it's time to actually pay for the goods. They approve the receipt in advance and then you show your credit card and then it's charged and there's no vulnerable time for them to like redirect the transaction halfway in between the what we call a short attack. Uh eventually all Bitcoin become vulnerable be if they're using elliptic curves and this is rumored to happen you know years after the first break but um from my studies in I I think that it's closer to the 3 to 9 month mark after the first break um three months if it's photonics or superconductor I don't think superconductor will do it but around like nine months for um trapped ion and neutral atoms. Uh the other quantum computers have not been produced at scale. So I'm just you know ignoring things like uh non-volatile diamond nitrogen excuse me nitrogen vacancy diamonds and things like that. But th those all have these like well-known scaling and well-known networking methods. 
And as soon as you can provide either scaling, just making more onto the same machine or networking, I'll connect four of them together, you've turned an eight hour short a long-term attack into a, you know, 15 or 10 minute short-term attack.
>> Okay. So on this panel at least the general consensus seems you know better safe than sorry like there's no real harm in getting Bitcoin quantum resistance through BIP 360 for example. Johnny do you concur with that? Like do you foresee this to indeed be a smooth upgrade or do you foresee another block size war type of uh future with this stuff?
>> Um I don't know. I mean, yeah, the one argument against doing BIP 360 now is, of course, there's no way that anyone could use BIP 360 today in a quantum safe way. So, the argument is you don't activate BIP 360 yet. You wait till you've decided on some quantum safe signature.
>> BIP 360 would make the MAST attributes of Taproot resistant to uh long exposure attacks. That's the one thing that it does do. It does not protect against, you know, short exposure in-flight. I've broadcast the transaction. But unlike Taproot with has the the public key posted to the blockchain, what it would do currently is allow you to use that Merkle tree functionality without exposing your private key for one.
>> Yeah. So you could use the Merkle tree functionality and have the same security as pay to public key hash.
>> Yes, correct.
>> Yeah.
>> So that's that's the one advantage it would give you without having a post-quantum scheme which does protect you for a little bit longer from a quantum vulnerable world. Um, but yeah, in terms of it, I mean, it is a very controversial topic. Um, but I don't think it should be that controversial just to add a quantum safe way to spend Bitcoin. 
And as I say, if you're not, if you think that quantum stuff is all just FUD and science fiction and it's similar risk to like a time machine going back in time and stealing Bitcoin or whatever, um, you don't need to worry about it. You can just carry on using Bitcoin in a quantum vulnerable way and somebody else using Bitcoin in a quantum safe way shouldn't be your problem. So at least from that perspective hopefully it won't cause a war. And then the other big issue is of course a quantum freeze. Um, but I would say we should not worry about that or argue about that at least until we have got a quantum safe way to spend Bitcoin because what is the point of arguing about a freeze if at the moment everyone who uses Bitcoin and spends it is quantum vulnerable to a certain extent. Only once there's a quantum safe way to spend Bitcoin and people are using it and there's millions of coins that are quantum protected. Uh only at that point is it even worth considering or talking about a freeze in my view and before then we should just ignore that issue and not let it cause an argument or a split.
>> Well, yeah. Okay. So, well that that's that's the next topic I want to get in. So, thanks for getting us started. But that that's the question of what do we do with all these coins that are currently vulnerable if there is a quantum computer and should we freeze them or should we just allow them to be taken by a quantum computer? Whoever builds the first one or like are there other ways of thinking about it or dealing with that? You want to take this first?
>> Chris, you you first?
>> Yeah, sure.
>> Yeah, take take the lead.
>> So, I along with Ian and Jameson Lopp and a few others, we co-authored BIP 361. Uh BIP 361 talks about how do we migrate coins to quantum safety and it proposes three phases. The first phase is let's prevent the problem from getting worse. 
Let's prevent people from sending to old vulnerable addresses and they should start sending to quantum uh quantum outputs. Okay. The second phase
>> hang on that would in itself be a soft fork.
>> Correct.
>> It would in itself it just makes it invalid on the protocol to even send bitcoins to a quantum vulnerable address.
>> Correct.
>> Right. That state
>> it would it would be after BIP. But but you could still
>> uh a previous address like a like a P2PK could send to a quantum address um but it cannot send to a P2PK address effectively. Right.
>> Right. So that okay so first 360 that's that's sort of the roadmap that first 360 and then the next step is
>> only send it to these kinds of addresses. Yeah. Okay. Phase two is um five years after activation, we uh disable effectively uh the the ability to to send to uh sorry that was phase one
>> to send from elliptic
>> send from elliptic curves. You can only send between um quantum outputs,
>> right? So at that point you're really freezing coins for for the people that didn't move their coins like maybe Satoshi or like Right. Am I saying that right?
>> Except there's a ZK-STARK
>> exactly on your
>> This is So when the BIP went out everybody on Twitter went crazy and said uh BIP 361 is freezing is proposing to freeze Satoshi's coins. That was never the intention of any of the authors. Um because in the BIP itself, BIP 361 itself, it talks about uh a ZK proof ability to to uh prove ownership of a seed phrase,
>> but Satoshi doesn't have a seed phrase.
>> I was about to say that you you you caught me. So, however, uh seed phrases, BIP 39, whatever it was, uh only applied uh after a certain point and don't apply to Bitcoin to Satoshi's coins. So for those uh what we were discussing is maybe there's a there's a commit reveal scheme that can happen. 
So we're we're trying to come up with all the ways that even if somebody was not able to migrate in time, they would still have solutions available to them regardless of the output types they have to be able to migrate even after the deadline. That was the intention of the authors. It was never to freeze anybody's coins so long as as they they take the the steps at whichever point they want. However, if if the person's coins have already moved, there's no way for for, uh, technically speaking, for people to know if those coins moved using a quantum computer by the genuine, uh, uh, owner of those coins. So that that's that's, but if you, if your coins have never moved whatsoever on the chain and, uh, then there will be methods to to, uh, to recover them. Actually the one of the co co, there's there's lots of discussion right now on, um, bitco, sorry, on the Bitcoin mailing list. Somebody has actually successfully created a ZK proof for seed phrases, um, and that is a very positive development that that's come much sooner than what we thought, uh, and now it just remains the second part of the equation of how do we migrate Satoshi's coins or how do we give tools to people who have P2PK outputs to migrate them when they so wish.

>> Yeah, I don't think that that's possible for the P2PK set because they're randomly generated. There's

>> it's only possible if they take mitigating action.

>> Yeah, if they take mitigating action before the, effectively. Yes,

>> exactly.

>> That's the only way. Otherwise, once they're frozen, they're frozen forever.

>> There there is another approach.

>> Yes.

>> My my concern is that the freeze will probably include Q-Day in between this like slow period. This this period between the, you know, BIP 360 and the freeze. If Q-Day happens during that time, then they can just drain all of those those coins regardless. Uh, if they have the ability to do a fast attack as well, then, well, then they gain even more of the coins.
So, the time in which the first seed phrases began was 2014. It was 2013 when the P2PK was actually deprecated, saying we shouldn't use this anymore, and it still took, you know, some time before the wallets shifted to P2PKH. Uh, so there there is a lot of, um, catastrophe for old wallets possible if they are unwilling to migrate before Q-Day. If they migrate after Q-Day, it's probably just a quantum computer doing it instead. So, this is what I consider, uh, good trolling. Uh, I did not really think this was going to be a technical proposal. The reason that I I thought it was, um, a bad technical proposal is that all the timelines are just way too, way too long. There is too much time for a quantum computer to just go in there and just yank the coins. They could, then they have quantum-safe coins or they sell them or whatever. The the second reason why I think it was quote unquote good trolling is that at the time it was written, it was a year ago and everyone was still talking about quantum computers doing mining, which thankfully no one is talking about today because it would take about 5% of the output of the sun to do yet last year's, uh, difficulty curve on a quantum computer at six watts per qubit. The other reason why I think it was quote unquote good trolling is it moved the discussion forward. We're now actually talking about it, and I don't think it's as good as a as a proposal as Hourglass.

>> Uh, yeah, thank you. Is it is it okay if I talk about Hourglass?

>> Please.

>> Yeah. Yeah. Yeah. Go for it. Yeah. Hourglass. Yes. We have a couple minutes left. Yeah.

>> All right. Um, yeah, we don't have much time but, uh, um, so the the two schools of thought of what to do with the P2, uh, PK coins which are susceptible, generally speaking, have been, uh, the liquidationist view, which is not your keys, not your coins. If somebody has the coins, they have the right to send those coins.
Uh, and then the confiscationist view, which is primarily typically a soup coiner view, to say, hey, no, we must conserve this and, uh, you know, we we have to freeze Satoshi's coins in order to preserve the sanctity of the Bitcoin value proposition, and these two are, you know, night and day different. Um, but yeah, there is another proposal that Hunter Beast and I put forward called called Hourglass, and the current version of Hourglass is, rather than, uh, letting it run loose or freezing it, uh, confiscationally, it is a restriction, and you restrict it down to a single BTC output per block, which, uh, we ran the math on it. One BTC

>> one

>> or one output

>> one output in the latest version, one output and one BTC from that output, and the rest is sent back to the original address, okay

>> so, you know, you, that way it's only one BTC output per block, so the, uh, if you do nothing, then somebody, if they pre-cracked all the keys, let's say they had an advanced photonic quantum computer and they could pre-crack all of the keys, then they could clear it out by mining it in under three hours' worth of blocks, so it would take them that long to claim 1.7 million bitcoin. 1.7 million bitcoin, um, with, uh, Hourglass in place like that, the same action would take over 32 years. But it's still non-confiscatory because if Satoshi or any one of the early miners found their keys, if in the absence of a quantum attacker who is constantly bidding up the value for these, which is now a new limited scarce supply, um, in the absence of that, they would be able to reclaim their key or their Bitcoin in a reasonable manner. One of these 50, uh, BTC P2PK outputs, uh, given given that frame, you could, uh, clear out nearly three of them in a day. So to somebody who, oh, I found this old wallet, they would be able to access their Bitcoin in a relatively reasonable manner. And of course, you you wouldn't introduce this thing immediately.
You would try to do it with as much warning as possible to give anybody who does want to move their coins prior to a restriction the ability to do so before, plenty of warning,

>> right? But this would also be a soft fork in itself.

>> Yes, that that that of course would be a soft fork,

>> right? Okay. Uh, any final thoughts on this? We have 30 seconds left. Johnny,

>> it's a great proposal. It's a great proposal. Uh, of course, you know, right now there's there's technically, it's technically possible to do quantum security on Bitcoin right now, right? And, uh, there's even ways to do it on an L2 level, and I know Blockstream has done it. We've done it as well. Um, what what people need to take away is that quantum security on Bitcoin has been already solved. It's just a matter of getting consensus on implementing it.

>> Right. Well, Ian, please stop reusing.

>> What's the Hourglass? I think

>> we just need to do the migration sooner rather than later. We need to put all the tools and let people, you know, select what tools they want to use. I don't want to pick any outcome for any coins. What I want to do is just give everyone the tools to make a decision for themselves and make it as safe as possible and make them function as well as possible.

>> Okay. Well, that's our time. Uh, thanks to the panelists. Give him a hand. And I think the next panel is also going to be about quantum but different angle maybe. Thanks guys.