Alex:
Hi Chris, thanks for joining us today. To get us started, would you like to tell us a bit about your background in your time leading up to founding Quantus?
Chris:
In school, I started out studying classical piano, and then I switched into psychology, and then I switched into math and computer science. I was interested in psychology, but that really transformed into an interest in AI, which is what I did my PhD on. I talked my way into a software job at this very small R&D firm, and worked with some really smart people, like an ex-professor from MIT, and we were working on high-performance computing. So if you have a Samsung phone, there's code I wrote running in its bootloader.
Then I got into Bitcoin and started doing crypto startups. We went through a BoostVC hackathon, a startup competition, and we ended up winning, and then they stuffed some money in our hands and said, “start a company,” but I didn't even know the people I was on the team with. It was like a crash course, and I had no idea about how to do business back then.
So I ended up doing a few different tech startups, the most successful of which was Lunyr. It was Wikipedia on the blockchain. It was an early ICO on Ethereum. I'm quite proud of the tech we built, but it didn't get enough traction for it to really take off as a product.
Regarding Bitcoin, Bitcoin is not perfect. It has problems, and I was quite frustrated with the block size wars. It was, to me, as though this is a straightforward engineering decision. Fast forward, we're in this pretty interesting situation where we were expecting all the Wall Street boys and the governments and the sovereign wealth funds to be buying Bitcoin. And now, they all seem to be quietly backing away from it for some reason.
Alex:
So we're already talking about Bitcoin here. Let's just dive in and talk about Bitcoin's quantum threat model and its risk. What post-quantum cryptography capabilities do you think matter the most for Bitcoin?
Chris:
Well, I think there's definitely a red herring flying around crypto Twitter where they're worried about quantum miners, or they talk about SHA-256 and whether it's quantum-secure or not.
But mining is not the soft target. It's a distraction, whether intentional or accidental. Really, the elliptic curve signatures are the weak point. And unfortunately, digital signatures are probably the most critical piece of a blockchain.
I mean, blockchains are all about digital ownership. How do you prove you own something? It's with a digital signature. So if the signatures are faulty or broken, there's really no more critical failure of a blockchain.
Bitcoin doesn't have a built-in upgrade mechanism, and everyone owns their own keys, which is great, but then if you have to update or if you have to migrate to a new key system, everybody has to do it individually. It’s quite difficult to get people to do anything, much less in Bitcoin, where you don't have an email list of everybody to say like, “hey, guys, it's time to upgrade your keys.”
It's actually much easier for banks to just say, “no, actually, we control the database. Now we're upgrading the cryptography.”
So I think we're rediscovering the advantages and disadvantages of decentralization. People in America, I think, have realized that, “OK, actually, the centralization of China's government does give it some advantages.” They can snap their fingers and do things that would take face clawing to do in a democracy or whatever this country's form of government is.
The thing that I'm most worried about is the Bitcoin devs. People hear "Bitcoin devs" and they think these are the people who invented Bitcoin, which is not true. That was Satoshi. He handed the keys off to Gavin. Gavin was pushed out by Craig Wright and the Blockstream guys.
So it's a different crew. And I feel like they don't want to upgrade Bitcoin [even though] the tech is relatively easy.
Alex:
They could add a new address type. Bitcoin has account abstraction already built in.
Chris:
Yes! They can add a new address type with a different key system and let people opt into it, but there's this very challenging question of “what do you do with the old keys?” They can't be migrated, like Satoshi's coins and, in this respect, Bitcoin's maybe more vulnerable than the other blockchains.
Basically all the big blockchains are using elliptic curves somewhere in their system, and they need to change that and then migrate the keys. Most blockchains have that problem, but most blockchains don't have a dead founder with a huge portion. With Satoshi, I think we should assume that he won't move his keys. If they do move, it's probably because somebody cracked them.
I think there's complacency. We work in this environment where it's open collaboration, everything's open source. You're on GitHub and you dig through other people's code and you learn from other people and you can comment. It's like this infinite garden thing that Ethereum talks about and it's beautiful, but not everybody lives in that world.
In fact, most of the business universe does not live in that world; they're obsessed with intellectual property. This idea of waiting until a giant corporation tells you they can crack your key, before you start upgrading, seems like a very short-sighted, a myopic strategy. It's a bad idea.
To play the devil's advocate, there's good reason for people to be skeptical about quantum computing because there have been a lot of companies that are like, yeah, we're going to do all this stuff, and then it didn't really materialize. So it's an interesting needle to thread.
The criticisms I hear from the Bitcoin devs or all the Bitcoin influencers who mysteriously became quantum computing experts overnight, don't actually align with how the experts on the topic, physicists and mathematicians, talk about it. There are quantum computing experts who are relatively skeptical [on quantum computing], like Scott Aaronson was known to be a skeptic for a long time, despite being an expert in the topic. And he recently flipped to be a quantum-bull, saying it could happen before the next election.
And really, I think that the big breakthrough that has brought it into the news is the Google Willow chip that shows that you can do error correction. Before you could add qubits and then the error rate would blow up. Willow showed that, okay, under certain circumstances, you could add qubits and the error rate goes down. So error correction is possible; it doesn't answer all the engineering questions, but it showed that there was at least maybe a path forward.
I understand people want to protect their bags and they want to keep the vibes high; I guess that's the role of an influencer or something, but that particular fact has not been addressed by the Bitcoiners broadly.
I think it's a very valid, important point. That's what changed Scott Aaronson's mind about the timeline. I think that we're in a soul-searching moment for Bitcoin. We got really exuberant with all this fast money and leverage and laughing about buying a meme coin and making money on it and then getting robbed.
But that was a distraction from the mission of permissionless finance for planet Earth.
Alex:
Really, it was just something that got tacked on there, not necessarily related to that mission. If there's a venue for speculation, capital desires to speculate, at least until it leads to you getting rug pulled 100% of the time, right?
Chris:
Right, right. No one goes to the casino if you always lose.
Alex:
Exactly, you need to have some chance of delivering outperformance.
You mentioned this a little bit with what you were saying about Scott Aaronson, but in terms of the quantum computing threat timeline to Bitcoin or to crypto more generally, what milestones would you say would make you upgrade that threat from being something to monitor and work to guard to something that is the house is burning down?
Do you think that point is close? If not, how far away are we? Why?
Chris:
People talk about Q Day, and I suspect it's not going to focus down into one point, and then that'll be the day. It's a useful fiction, but it's not going to be a single day. It's going to be a variety of breakthroughs that happen, and not all of them will be made public or maybe made public but not immediately. I really think every single one of these breakthroughs is cause for concern.
I'd say every time the maximum number of logical qubits goes up, that's one of my metrics. IBM claims that they have something in the 54 range, 54 logical qubits. It's dependent on what's an acceptable error rate, which has to do with how big of a computation you are trying to do. Every company has their own acceptable error rate, their own definitions, essentially, of what a logical qubit is. It makes it hard for non-experts to look into to say “okay, how far along are we, actually?”
The big bottleneck here is really the error rate: if the error rate gets squeezed down enough, then there's other things, too, like actually packing a bunch of qubits into a space. It's pretty miraculous what's happening here because you have to get these guys entangled with each other, make sure they're not entangled with anything else, and then very precisely manipulate them with laser pulses or other physical manipulations.
So there's tons of challenges, but really, the metric to watch is the number of logical qubits.
Shor's algorithm, as stated, takes a certain number of qubits and gates in order to work. Recently, they cut the number of qubits needed to crack Bitcoin keys in half. It's around 1200 now or something. But the tradeoff was tremendous, because now you have like 256 times as many gates.
But it shows that we can hit this from both sides, right? We can bring the number of qubits needed down and we can get the number of logical qubits up.
This is a nonlinear process. I would watch the people who are more likely to hear about quantum computing breakthroughs. The people who are more likely to hear about them first, like say the military or the banks. If they seem to start moving a little bit faster, that's a signal. And they are moving. I mean, at this rate, African banks are going to be quantum secure before Bitcoin is.
They've already made announcements that they're going to do that. Bitcoiners say, “oh, well, you have a four-digit PIN, but we have a 256-bit key.” I'm sorry, guys; that's just not how it works.
Your PIN has a maximum number of retries. A quantum oracle can’t hit the bank’s API. And with Bitcoin, there's no recourse; the ledger is the source of truth. At a bank, there's a guy in the back who has the database. Of course, there's the Federal Reserve who could just press a button, and now there's a trillion more dollars. The ledger is not the final say in the fiat world. And, again, this is an advantage of centralization.
From that perspective, yeah, there's maybe a couple orders of magnitude that need to be broken through. But, that could happen, who knows how fast that's going to happen. That could be just in as little as a few months, or it could be several years.
Alex:
I would think if it's one order of magnitude, if a company puts all of its resources into it, of course, it can be hurdled pretty quickly, maybe a few years.
But when you start to talk about two orders of magnitude, I think probably that's when you think, in my opinion, at least five years before there's enough scaling, and that's under the absolute most pessimistic set of assumptions for security, including that there's a lot of unknown things that turn out unfavorably.
Chris:
Sure, nothing is straightforward in engineering.
Alex:
There's always something that goes wrong that you didn't expect, and rarely something that's engineered such that it goes right when you don't expect it.
But, so on that note, what principles do you think of as being non-negotiable for designing a system that's intended to survive into the post-quantum world whenever that may arrive?
Chris:
One thing we absolutely need is account abstraction or “crypto agility”.
It's spy versus spy; cryptanalysis gets better and then they make the keys larger, but then someone finds a flaw in the algorithm. Cryptographers are finding new, more efficient ways to attack cryptographic algorithms all day long. On average, it doesn't break them.
There's all these different ways you can attack and they all take some excruciatingly long amount of time. Then sometimes one gets pretty close to cracking it altogether and they're like, “OK, we're on the defense, we need to increase the key length.”
But there can be catastrophic failures; with RSA, at the beginning they were like, “well, you take two big numbers, multiply them together, and it's hard to figure out how to factor them.” And then it turns out that it's not just any two numbers; they need to be primes, which reduces the set of actually hard problems in that space, and there's a similar thing with elliptic curves.
I think most people would be terrified if they looked under the hood and just see how messy and squirrely cryptography is, but we built the modern world on it. We built this whole new financial system for the world on it, and it does seem to work most of the time.
Regarding Bitcoin, the Bitcoiners have definitely overstated how impossible a hard fork is, but a hard fork is a big operation. It's pretty messy.
They do these signaling through the blocks. How much of the hash power is behind your fork? And then there's no central forum, and then the forums that are there are heavily censored by somebody.
It's not an ideal decision-making process. I think there's a lot of valid criticisms of Curtis Yarvin, but I think he's right about this whole explicit versus implicit power structures thing. That if you don't have an explicit governance process, you end up inheriting an invisible one. You get a deep state, essentially, if you don't have a clear state.
For upgradeability, Ethereum had it because they had the Ice Age thing where they're going to force everyone to do the hard fork after a certain period because this chain's just going to slow down.
But really, at the bare minimum, the cryptography needs to be updatable. It's never going to be able to just sit still.
Bitcoin needs to just add a new address type. They already have account abstraction in some form. So add a new address type that's post-quantum and let people opt into it. That would be the absolute bare minimum. Give people who are concerned an action to take to protect their money. Don't force them off the chain.
It's just infuriating to see how Blockstream's solution to all of Bitcoin's problems are essentially “don't use Bitcoin, use something else.” No! Users are so hard to acquire! And once they're there, try to keep them!
So for the first version of our chain we actually just forked Bitcoin. It added a new address type, and it took about two weeks.
There's a whole bunch of other aspects that account types don't solve.
It doesn't address Satoshi's coins.
And I would say we need to raise the block size, because those signatures, those post-quantum signatures, are way bigger, so your TPS is going to drop below one, way below one, if you just leave it as is.
So if I get two wishes from the genie, the first one would be to please just add another address type, and give people a safe place where they can put their coins.
Now, here's the thing. In this situation, you have to run faster than the bear, not just faster than your friends. If North Korea gets a Chinese quantum computer, and then they go crack Satoshi's keys, and then they market dump them as part of a terrorist attack, your keys are fine, but the price isn't. So it's still not a complete solution, but I think it would also be a tremendously good signal to all the very risk-averse institutional people who are getting into Bitcoin.
It took them over a decade to finally say that Bitcoin is okay for us to use. These are not fast movers. They have a very low risk tolerance. When they hear about quantum, they don't understand quantum computers. But they have customers with big pockets who care about this topic.
To fix it, just add another address type. And I'm sorry, BIP360 is not enough. I'm glad that it's fixing something that should never have been done with Taproot.
Just add another address type. I don't know why people are acting like this is an impossible thing to do. It took me, by myself, two weeks to do it. I'm not the best dev in the world. There's smarter people out there who could do this faster.
Alex:
That's a really great segue to the next topic that I wanted to discuss, which is the Quantus security model.
You mentioned that essentially it was initially closely related to Bitcoin. But obviously, you've built a huge amount on top of that since then, because you want to make it quantum secure.
So what do you feel like telling us about the wallet architecture, the threat model that you have in mind, or the way the keys are handled.
Chris:
We're all open source, maybe like 99% open source. The issue with post-quantum cryptography from an engineering point of view is that the keys and signatures are bigger, and so then that just means that everything is going to take longer and take up more space.
It's better to be a year too early than one minute too late. So we're using Dilithium, which is a lattice cryptography, and we use the largest key size because it's newer cryptography.
We're trying to be conservative. There's security levels above 256-bit elliptic curves, and there's the same thing with RSA. There's different key sizes and more key means bigger key size, so then more bits of security.
Every digital signature scheme is also a prover verifier scheme; you prove you own the key without revealing the key. So the techniques of ZK generally boil down to a system where the prover does extra work, so the verifier can do less work.
This is how we get scaling. We make everyone's clients do a little bit more work, the mobile wallets or whatever, so that the chain can do less. And now, unfortunately, most ZK systems in the wild are pre-quantum, and they use elliptic curves.
There's only a handful that are post-quantum. Starknet pioneered this stuff. We just took it and applied it. It's similar to Zcash in some ways. We don't have a shielded pool, but we use ZK to authenticate that you actually own the coins that you're spending.
You can think of it in terms of like amortization. You pay this upfront cost, but you can pack as much computation as you want into that.
So that's how we're scaling post-quantum cryptography. To give you an idea of just raw numbers, like a Bitcoin transaction, each additional input that you spend is going to cost you maybe 100 bytes, sometimes more, but that's a reasonable approximation. With ZK and aggregating the transactions, you can amortize it so that it ends up being about 100 bytes again.
In this ZK space, I think we're actually leaders. The privacy system we built is, I'd say, a little bit less private than Zcash's, but in return, it's more scalable. That was the trade-off we made.
Alex:
And so can you tell me a little bit about the privacy model that you're using with Quantus?
Chris:
I like to think of myself as an artist, because I steal like an artist. There's lots of good ideas floating in the space, and I just try to steal all the best ideas.
Our technique is from Vitalik, the ZK wormhole technique; it's basically proof-of-burn. Basically, you send coins to a burn address, but the burn address looks like a normal address. So from a blockchain observer, it looks like some coins just went into an address and stayed there.
But secretly, it's a burn address, and you can prove it to the circuit. You prove it in a ZK circuit, and then you post that proof onchain.
You don't reveal which address the coins were burned at. And then the protocol says “well, okay, you burned some coins, so now I'll let you mint some coins to any address you want (minus a fee).”
Using this wormhole technique, we have outputs only. If you look at the explorer, there's a proof that some inputs were somewhere, but then it just mints new coins, you don’t see which inputs.
The Ethereum guys are discussing how they can possibly do this with Ethereum. There's lots of obstacles. One of which was, they truncated the hashes to make the Ethereum addresses. You only get 160 bits instead of 256 bits, and now that turns out to be a problem with this technique because it's not quite enough bits of security, and it would create an infinite money bug.
ZK is such a rat's nest of complexity. You're implementing another computer inside of the computer. In theory, any computation can be done in a ZK circuit, but in practice, it's extremely opinionated.
In ZK, you want to make it extremely predictable. The circuit is a fixed shape, and if you don't have as much data as another time, you need to fill it with zeros.
It's a different way of thinking.
Alex:
It's very interesting to hear so much about the engineering challenges of implementing ZK, because I feel like that's actually not talked about all that much, even though, obviously, everyone is rolling out the technology to the extent that they can right now.
I feel like the challenges are still greater at this point than you would expect, given how long they've been around.
Chris:
The tooling is definitely better than it used to be. Before, people were hand-coding these circuits. It was like the equivalent of coding in assembly.
Now there are attempts to make programming languages that will take your Rust code and turn it into a ZK circuit. But it's not great, because it's very easy to do something that seems reasonable in Rust that is not reasonable in the underlying circuit.
The abstractions around ZK are not super mature, so they leak a lot. What it means is that to do a toy version of it, you don't have to know much about ZK, but for more complex projects, you do need to know.
I think the tooling will get there eventually, like maybe a smart compiler. But the bugs can also be really subtle. It can be possible that your program works, but there's also another program that fits through there, which is not secure.
There's something almost alien-like about the computation. It's cool.
Alex:
This is a very broad question, but in the realm of post-quantum cryptography, post-quantum cybersecurity, ZK, and the blockchain, what's your prospectus for the next 18 months?
Because we're definitely in a crypto winter right now. Where do you think all these technologies are going in the near term?
Chris:
I think there is a coalescence around the question of what blockchain is for. In the beginning, we thought, Bitcoin's better than banks. And it actually was. It was a better way to send money overseas or to your friends. You can open a bank account instantly. Now, stablecoins have absorbed most of the benefits of blockchain into the dollar.
Ethereum is amazing, but I don't think we need a thousand different smart contracts. I think we need maybe five. We shouldn't be asking users to think about which chain you're on or what bridges to use or if this contract is secure. It's not good for users. I think there's going to be an industry-wide drift towards being opinionated.
It's not that easy because we let the banks just take our tech. We still have some advantages, but ease of use isn't one of them.
Even things like Coinbase seem harder to use than years ago. I'm an expert in crypto, and I get confused about how to use these things.
I'm just so frustrated with a lot of the crypto industry, I feel like we really lost track of why we were here. We were on a divine mission to make a permissionless financial system for planet Earth, and we got distracted with gambling and memecoins.
Alex:
I agree. One last closing thought. Tell us about the new trilemma.
Chris:
Vitalik's very smart. He had that original blockchain trilemma, and it was phrased in a way that people started thinking it was like a mathematical theorem, and it wasn't.
It was a set of engineering tradeoffs and tensions.
I think we should reframe it. Now there's a new trilemma of privacy, scalability, and quantum security, because these things are naturally in tension, but we can and should try to get all three of them.
As we said earlier, privacy is in tension with scalability. Likewise, quantum security makes all the signatures and keys bigger. So that also creates a tension with scalability. And also, the privacy systems we have are all largely pre-quantum. They need to be made post-quantum.
With our chain, I think we've made a pretty good set of trade offs there, and we're going to improve it over time. The goal is to be post-quantum, private, and as fast as Solana. And that's a high bar. There's no chain today that does that.