My question is about security, and I've listened to one of your talks about quantum computing. You had said that we can assume that the NSA has quantum computing currently. So my question is, how can Bitcoin safeguard against quantum computing? Because once that's reached, they'll be able to essentially break into the wallets simultaneously.

That's a very good question. Quantum computing isn't an on-off thing. That's a double pun, actually. It's not like you either have quantum computing or you don't have quantum computing. The question is, how powerful is it? How many qubits of quantum computing do you have? The number of qubits you need to break the encryption that you have in wallets, the current set of encryption you have in most blockchains, is far greater than even the wildest speculation or what might exist in intelligence agencies. That doesn't mean it doesn't exist, but I'm not worried about the NSA having quantum computing. One of the things that is a very basic concept in security is the idea that, if you have a very powerful secret weapon, you do not use it. You wait until you have a very good reason to use it. One way of explaining that is what happened in Coventry when the British had broken Enigma. The most important secret was keeping secret the fact that they had broken Enigma, otherwise they would go change the encryption code. To keep that secret, they had to do parallel construction. If they found out that someone was going to get bombed, they had to capture a German soldier who knew about it, and then say that he told them so that they would have a different reason. When they didn't have a different reason, they let the Germans bomb Coventry. Thousands of people died to protect the secret of Enigma.
All I'm saying is, if the NSA has a quantum computer and people do not know about that quantum computer, which can also break all of the encryption keys on all of the nukes in the world, all of the communication keys, nuclear subs, military intelligence networks, and all of the commercial networks, I don't think they're going to use it to break Bitcoin, if you know what I mean. That's small fish to them. The real problem becomes when you have broad commercial availability of quantum computing, but not broad enough that all of us can use it on our wallets. There's that interim period that's a bit awkward. During that interim period, Bitcoin needs to change its algorithms. One of the interesting things that happens is that, while you can change the algorithms on all of the active wallets, some wallets have lost keys, or the people who had those keys are dead. They can't change the signing algorithm, which means that those wallets will get captured by quantum computers. One of the interesting things that happens is that we will know when quantum computing exists, when Satoshi's coins move. That's one of the reasons they'll move. Eventually, they will move, because someone will be able to break the keys. But for the rest of the ecosystem, we can migrate quite easily to another algorithm. It's not really as big a threat as people think it is.

The next question comes from JJ, about Satoshi's one million coins and quantum computing. If the protocol has to be upgraded to resist quantum computers, will such an upgrade likely require manually moving funds to a new type of address? Would this mean that everyone, including Satoshi with one million coins, would be forced to move their funds? If they can't move them, then the funds might be claimed by a quantum computer, along with all of the funds from lost keys, by essentially cracking those lost keys with a quantum computer.
Does quantum computing mean that at some point all lost coins could be reclaimed, because they can't be moved to an upgraded address?

JJ, yes, that is the case. First of all, we don't know that Satoshi has one million coins. It's difficult to attribute exactly how many were mined directly by Satoshi. That's an estimate, but let's call it one million. There's a lot more bitcoin that's been lost over the years. I've lost keys and lost small amounts of bitcoin, and I'm sure many others have too. What happens with those? Quantum computing would basically mean that the elliptic curve digital signature algorithm would be vulnerable. There are two different categories of algorithms that are used within bitcoin. One is a hashing algorithm, SHA-256, and the other one is a digital signature algorithm, ECDSA elliptic curve. Quantum computing will most likely affect the elliptic curve digital signature algorithm first. Whether you can use a quantum algorithm to shortcut SHA-256, I'm not sure about that. I don't know if there is a quantum algorithm for that, or how easy it is. That's a different class of algorithm, and it might require a different approach to cracking. Let's say that ECDSA is affected. Ironically, if you lost your keys, but you had previously used that address, then a signature, together with a public key, will be visible and available on the blockchain. When you spend from an address, you leave behind a public key and a digital signature. Whereas Satoshi, for example, never spent, never moved any of the initial coins. If Satoshi had a million coins, and if those are sitting on the blockchain, because they haven't been spent, we don't have a signature, and we don't have a public key. What we have is an address, and an address is the result of a double hash, and is not the result of the ECDSA algorithm. Which means that if a quantum computer can crack ECDSA, but it can't crack SHA-256, then Satoshi's coins are safe.
The only coins that are affected are the ones where those addresses had been reused several times. It's one of the reasons why it's a best practice to only use an address once. The first time a signature appears on the blockchain is when those funds have already moved, they're empty, that address never gets used again, that key never gets used again. Even if the public key can be cracked in the future, it results in a private key that doesn't control any funds. You only use it once. Ironically, people who don't follow that best practice may have their keys affected by quantum computing, long before people who do use that practice, and Satoshi, whose one million coins never got moved, and therefore never had signatures attached to them. Quantum computing doesn't necessarily mean immediately that all coins are vulnerable. It's only the case for those where perhaps a digital signature is visible on the blockchain. If SHA is vulnerable, but ECDSA isn't, then you can take the address and reverse it to a public key. That would require a very big vulnerability in SHA. That's not simply finding a collision, that's reversing a hash algorithm, which is a whole different class of problem. In that case, you would still have to figure out from the public key that you have as a result, what the private key is. You'd have to break both SHA-256 and the ECDSA to move funds from an address that has never been reused or spent. It's not as simple, but the bottom line is that if quantum computing causes a problem, yes, we will need to move funds to a new type of address that uses a digital signature algorithm, or something like that, that is quantum secure. Not a problem for the foreseeable future, of course.
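The distinction drawn in the answer above (spending from an address leaves a public key and signature on chain, while an address that has only ever received coins shows nothing but a hash) can be turned into a simple exposure audit. The Python below is an added example, not code from the talk or from any Bitcoin project: it replays a constructed list of transactions, records which addresses have revealed a public key by spending, tracks which still hold coins, and separates the addresses that an ECDSA-only break would threaten (reused, key exposed, still funded) from those that would additionally require reversing the hash. The `address_of` helper is an assumption made for portability: it truncates SHA-256 instead of computing Bitcoin's RIPEMD160(SHA256(pubkey)), so it runs without a RIPEMD-160 provider; the transaction ids, key bytes and values are all constructed.

```python
import hashlib
from dataclasses import dataclass


def address_of(pubkey_hex: str) -> str:
    """Map a public key to the address the chain shows before any spend.

    Assumption/simplification: Bitcoin uses HASH160 = RIPEMD160(SHA256(pubkey));
    a truncated SHA-256 stands in here so the example runs anywhere. The point
    is unchanged: until the key signs, only a hash of it is public."""
    return hashlib.sha256(bytes.fromhex(pubkey_hex)).hexdigest()[:40]


@dataclass
class Tx:
    txid: str
    inputs: list   # (prev_txid, vout, spender_pubkey_hex); empty for a coinbase
    outputs: list  # (address, value) in arbitrary units


def exposure_report(txs):
    """Classify every address that ever received coins.

    exposed_with_funds: public key is on chain AND coins remain -> an ECDSA-only
                        break recovers a key that still controls funds (reuse).
    exposed_empty:      public key is on chain but the address holds nothing ->
                        cracking it yields a key controlling no funds.
    hash_only:          never spent -> an attacker must reverse the hash AND
                        break ECDSA before anything can move."""
    utxo = {}        # (txid, vout) -> (address, value) for unspent outputs
    exposed = set()  # addresses whose public key appeared in a spend
    for tx in txs:
        for prev_txid, vout, pubkey in tx.inputs:
            addr, _ = utxo.pop((prev_txid, vout))
            if address_of(pubkey) != addr:
                raise ValueError(f"{tx.txid}: pubkey does not hash to the spent address")
            exposed.add(addr)  # signature + pubkey now visible on chain
        for vout, (addr, value) in enumerate(tx.outputs):
            utxo[(tx.txid, vout)] = (addr, value)

    balance = {}
    for addr, value in utxo.values():
        balance[addr] = balance.get(addr, 0) + value

    seen = {addr for tx in txs for addr, _ in tx.outputs}
    report = {"exposed_with_funds": {}, "exposed_empty": set(), "hash_only": {}}
    for addr in seen:
        bal = balance.get(addr, 0)
        if addr in exposed and bal > 0:
            report["exposed_with_funds"][addr] = bal
        elif addr in exposed:
            report["exposed_empty"].add(addr)
        else:
            report["hash_only"][addr] = bal
    return report


# Constructed keys: compressed-format prefix with arbitrary bytes, not real keys.
PUBKEY = {name: "02" + (2 * chr(ord("a") + i)) * 32 for i, name in enumerate("ABCDE")}
A, B, C, D, E = (address_of(PUBKEY[k]) for k in "ABCDE")

# Constructed chain: tx1 is a coinbase paying three fresh addresses; A then
# spends and sends its change back to the same address (reuse); B spends
# everything to a fresh address and never holds coins again; C never spends.
SAMPLE_CHAIN = [
    Tx("tx1", [], [(A, 50), (B, 50), (C, 50)]),
    Tx("tx2", [("tx1", 0, PUBKEY["A"])], [(D, 30), (A, 20)]),
    Tx("tx3", [("tx1", 1, PUBKEY["B"])], [(E, 50)]),
]

if __name__ == "__main__":
    for category, members in exposure_report(SAMPLE_CHAIN).items():
        print(category, members)
```

Only the address in `exposed_with_funds` is the kind the answer warns about: it signed once, so its public key is on chain, and it was then reused for change, so a recovered key would still control coins. Migrating such addresses first is the practical reading of the "use an address once" advice.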