以太坊的量子策略与贾斯汀·德雷克

对。

Right.

好的。

Okay.

我是迈克尔·塞勒。

So I'm Michael Saylor.

我拥有很大一部分比特币供应量，大约占流动供应量的3%。

I own a percent a large percentage of the Bitcoin supply, like 3% of the especially the liquid supply.

我会得到比特币的两个版本。

I get both copies of the Bitcoin.

我们正在分叉比特币区块链，就像2017年比特币现金和比特币之间的分叉战那样。

So we're forking the Bitcoin blockchain just like we did during the Bitcoin fork wars between Bitcoin Cash and Bitcoin back in 2017.

我是迈克尔·塞勒，我想保护我的资产价值。

I'm Michael Saylor, I want to preserve my value.

所以我卖出所有量子易受攻击的比特币。

So I sell all of the Bitcoins that are quantum susceptible.

而我会保留所有位于比特币版本中的币，该版本已销毁或锁定所有量子脆弱的比特币，因此，比特币区块链的价格——即那些未被触及、仍存在量子脆弱性的比特币——会下跌。

And I keep all the Bitcoins that are on the version of Bitcoin that burned or locked all of the quantum susceptible Bitcoins, and therefore, the price of the Bitcoin blockchain, the Bitcoin on the Bitcoin blockchain that has quantum susceptibility, the untouched blockchain, that one goes down.

而那些已销毁所有量子脆弱比特币的比特币版本，价格会保持高位，因为没有人会抛售这个版本。

And the price of the Bitcoin, the version of Bitcoin that is having all the quantum susceptible Bitcoins burned, stays high because no one's selling that one.

迈克尔·萨伊尔不会抛售，你知道的，贝莱德也不会抛售，或者其他任何人。

Michael Saylor's not selling, You know, BlackRock's not selling or whoever.

任何相信这个理念的人都不会抛售。

Anyone who believes in this isn't selling.

所以你所说的，其实就是量子安全的比特币价格会更高，因此，通过市场力量，它将成为主流的比特币。

And so what you're saying is simply the price of the quantum solved Bitcoin will be higher, and therefore, that will, by market forces, become the canonical Bitcoin.

是的。

Yeah.

迈克尔甚至可能决定用那些脆弱比特币的出售收益，来购买已被销毁的比特币版本。

And Michael might even decide to buy, you know, the the burned version of the Bitcoin using the proceeds of the the vulnerable Right.

从而从5%增加到5.5%之类的。

And go from, like, 5% to five and a half or whatever.

对。

Right.

不过有个问题，这难道不意味着需要某种自上而下的协调，来决定哪些钱包被冻结、哪些不被冻结吗？

Question though, doesn't this mean that there needs to be some level of top down coordination on which wallets are frozen and which wallets are not frozen?

所以，这其实也是一个需要做出的选择：显然我们可以标记中本聪的钱包，肯定要冻结它们，但还得冻结一些其他钱包，而有些钱包我们能相当确定属于已故人士，冻结它们没问题。

And so isn't that also a choice that needs to be made of like, okay, clearly we can label Satoshi's coins, we will definitely freeze those, but then we have to freeze a few more and there are some wallets out there that are, you know, we can be meaningfully sure about is like, it's okay to freeze those because that person's dead.

但我们实际上并不清楚该在哪里划线，哪些钱包是应该冻结的，哪些是属于某个活人、只是长期未使用的钱包。

But we actually don't know where to draw the line on who which wallets are valid to be frozen and which wallets are actually owned by humans somewhere that are just dormant.

那里有明确的界限吗？

Is there a clear line there?

我们该如何做出这个选择？

How do we make that that choice?

嗯，有个概念叫‘谢林点’，也就是在没有中央协调者的情况下，人们如何达成共识？

Well, there's a concept called the shelling point, which is, you know, in the absence of of a of a central coordinator, how do you come to consensus?

对于比特币来说，我想谢林点可能是挖矿减半发生的那个区块。

And, like, for Bitcoin, I guess the shelling point might be, you know, the the block where halving might happen.

所以你可能会选择第一次减半、第二次减半或第三次减半。

So you might pick the first halving or the second halving or the third halving.

这看起来相当中立合理。

That seems like reasonably cardiopy neutral.

任何自第二次减半以来一直没有动过的币，都被视为如此。

Any coin that hasn't moved since, let's say, the second halving is is considered that.

所以我们直接选一个日期，然后说：嘿。

So we just pick a date, and we say, hey.

如果你在这个日期之前仍将你的钱包和比特币存放在量子不安全的钱包里，我们将在我们分叉出的这个比特币二级链上销毁你的币。

If you are leaving your wallet, your Bitcoins in a quantum insecure wallet by this date, we are going to burn your coins on the this Bitcoin secondary blockchain that we're going to fork.

是的。

Yeah.

这其实有一个相对宽泛的设计空间，有些人已经尝试过一些创新的方法。

It's like there's a relatively wide design space, and some people have tried to be creative.

例如，有些人试图一次性解决两个问题：量子安全问题和安全预算问题，他们的提议是：拿走200万枚币，不是销毁它们，而是将它们加入到新币发行中，以此来推迟安全预算的问题。

So for example, some people are trying to solve two problems in one go, both the quantum one and the security budget problem, where the proposal is, let's take the 2,000,000 coins, and instead of burning them, we just add them to to to issuance so that it it kicks the can down the road for the security budget.

我猜这在比特币协调方面会变得更加雄心勃勃。

I bet that becomes even more ambitious in terms of Bitcoin coordination.

我不知道你是否想让比特币的协调能力超负荷。

I don't know if you wanna overload Bitcoin's coordination ability.

是的。

Yes.

如果我是赌徒，我会押注非常简单的销毁方案，比如在第二次减半之后。

If I were a betting man, I would just bet on very simple burn, let's say, after a second halving.

好吧。

Okay.

但这非常困难，因为正如你之前提到的，贾斯汀，这会打破不可篡改的叙事，以及产权叙事。

This is so difficult though because to to your point earlier, Justin, this does shatter the incorruptible narrative, the the property rights narrative.

因此，任何关于冻结或销毁的决定都会在某种程度上破坏比特币纯粹的本质。

So this this is any decision on a freeze or burn somewhat shatters the the the pure nature of what Bitcoin is.

我必须想知道，尼克·卡特在他的文章中提出了一个不同的故事，其中没有销毁或冻结的场景。

And I must wonder so Nic Carter in his essays about this goes through a different story where there's not a burn and freeze scenario.

相反，这是一种 salvage 情景，你只是让这些币留在那里。

Instead, it's it's the salvage scenario where you just leave the coins.

在他的情景中，有一个私人量子实验室提前破解了 ECDSA 算法。

And in his scenario, he goes through there's a private quantum lab that, you know, cracks the the ECDSA ahead of schedule.

它们恰好位于美国境内。

They happen to be kind of US based.

美国政府迅速秘密将它们国有化。

The US government quickly nationalizes them in secret.

政府开始收购比特币。

It goes and starts acquiring the Bitcoin.

他们与财政部协调。

They coordinate with treasury.

他们与大型比特币ETF提供商、贝莱德、迈克尔·塞勒等人协调。

They coordinate with the big ETF providers, BlackRocks, the Michael Saylors of the world.

最终，美国财政部拥有了比特币供应量的10%。

And at the end of this, The US ends up with the 10% of Bitcoin supply in the treasury.

他还会分析一些虚构的价格图表，当人们意识到比特币网络正遭受量子攻击，且币量正被他人接管时。

And he goes through fictional price charts, of course, when people realize the Bitcoin network is under a quantum attack and the supply is being taken by someone.

价格暴跌了73%。

Price spikes down by 73 percent.

但当人们得知实际上是美国政府掌握了这些币，并利用海事打捞法合法没收这些比特币时，市场开始反弹，人们非常兴奋，因为美国拥有了这种比特币战略储备金库。

But then when it's revealed that actually the US government has it and they're using salvage laws, maritime salvage laws in order to legally confiscate this, then the market rebounds and is very excited because The US has this, you know, Bitcoin strategic reserve treasury.

所以这是他的另一个情景——你只是放任比特币不管，某个国家，也许是美国政府，确实破解了它并获得了这些币。

So that's his other scenario and kind of you just you just leave the Bitcoin and some nation state, maybe US government actually cracks it and and gets that.

你觉得这种情景有可能发生吗？

Do you do you find a scenario like that plausible?

因为至少在这种情景下，你并没有侵犯任何财产权。

Because at least in that scenario, you're not breaking any property rights.

一个价值数万亿美元的网络竟然遭遇这种事，还伴随着如此巨大的奖励，这确实令人难以置信。

It certainly is incredible that this will have happened to a multi trillion dollar network, and there's such a prize bounty.

这简直是前所未有的。

It's, like, just unprecedented.

但这种情况也可能发生，也许这对比特币来说是更好的结果。

But that could happen as well, and maybe that's a better outcome for Bitcoin.

是的。

Yeah.

所以我有一些想法。

So I have a couple thoughts.

第一个是，有一种相当复杂的方法可以在不使用私钥的情况下证明对比特币的所有权，这就是所谓的助记词证明。

The first one is that there is this rather sophisticated way of proving ownership of Bitcoin without going through the private key, and this is what's known as a proof of seed phrase.

生成比特币地址的过程分为三个步骤。

So the way that you derive a Bitcoin address is in some set in in in three steps.

第一步是生成你的助记词。

Step number one is that you generate your seed phrase.

第二步是对助记词进行一些处理，包括哈希运算，这一点很重要，目的是推导出你的私钥。

Step number two, you do some manipulations on the seed phrase, including hashing, and this is an important point, to derive your private key.

然后从私钥推导出公钥，也就是链上使用的地址。

And then from the private key, you derive the public key, you know, which then is the address that that that that that that goes on chain.

但私钥不幸地不再能作为证明所有权的手段。

Now the private key, unfortunately, is no longer something that can prove ownership.

但由于哈希步骤的存在，如果你知道你的助记词，它仍然是所有权的证明。

But because of the hashing step, if you know your seed phrase, that is still a a a proof of of ownership.

因此，可能发生的一种情况——从技术上讲也是最稳妥的解决方案——是冻结比特币，但允许任何人通过助记词证明来恢复他们的比特币。

And so one thing that could happen, and technically speaking is the the the soundest way forward, is to freeze the Bitcoin but to allow anyone to revive their Bitcoin with a proof of seed phrase.

然而，助记词证明不幸地非常复杂。

Now the proof of seed phrase, unfortunately, is quite complicated.

它需要一个SNARK，一种零知识证明，这可能会显著增加比特币的复杂性。

It requires a SNOC, a zero knowledge proof, and so it would significantly potentially complicate a Bitcoin.

但我想我们稍后再回到这个话题，因为我的预测是，比特币必须解决后量子签名的所谓尺寸问题。

But I guess we'll get back to this later because my prediction is that Bitcoin is going to have to solve the so called size problem of post quantum signatures.

比特币以不愿增加区块大小而闻名。

So Bitcoin is very much known for not wanting to increase its block size.

不幸的是，后量子签名的大小大约是ECDSA的十倍。

Unfortunately, post quantum signatures are roughly 10 times larger than ECDSA.

为了给你具体的数字，ECDSA 是 64 字节。

Just to give you the concrete numbers, ECDSA is 64 bytes.

这是一个非常小的签名。

It's a miniscule signature.

最小的 NIST 标准化后量子签名是 Falcon，它有 666 字节，超过十倍大。

The smallest NIST standardized post quantum signature is Falcon, which is 666 bytes, more than 10 times larger.

因此，如果你天真地用后量子安全的签名直接替换 ECDSA，而不增加区块大小，你的吞吐量将下降大约十倍。

And so if you were to naively swap out ECDSA for something that is post quantum secure without increasing the block size, your throughput is gonna go down roughly 10 x.

所以比特币的 TPS 将从每秒 3 笔下降到 0.3 笔，在我看来，这是完全不可接受的。

So your TPS on Bitcoin will go from three to 0.3, which, in my opinion, is a is a nonstarter.

因此，我们为以太坊开发的是这种先进的后量子签名聚合技术，这样即使签名很大，也不必直接把原始签名上链。

And so what we're building for Ethereum is this, like, fancy post quantum signature aggregation technology so that you don't put the raw signatures even if they're large on chain.

你只需要上链这个聚合证明。

You only put this aggregation proof.

我预测比特币将采用自己开发的解决方案，因为除此之外没有其他技术上可行的前进路径。

And my bet is that Bitcoin is going to adopt the solution that Bitcoin will develop because there's just no other technically sound way forward.

我明白了。

I see.

所以你之所以不看好这种挽救方案，是因为你认为他们会采用这种方法。

And that's why you're betting against the salvage type scenario because you think they'll they'll go with this approach.

如果他们采用这种方法，那么他们就能以更可信、更中立的方式，某种程度上冻结资产，而不是完全冻结。

And if they go with this approach, then that gives them a way to more credibly, neutrally, like, kind of, like, freeze the assets because they're not completely freezing it.

如果你能证明所有权，就可以访问那些旧的遗留比特币。

If you can prove ownership, then you can access the the old legacy Bitcoin.

是的。

Yes.

不过，不幸的是，如果你是财产至上主义者，这并不完全令人满意。

Now, unfortunately, you know, if you're property rights, Maxi, this is not completely satisfactory.

对。

No.

原因是，有一些被冻结的地址，其对应的种子短语是未知的。

And the and the reason is that there are some subsets of the frozen addresses for which there is no known seed phrase.

例如，助记词标准是在创世区块后好几年才出现的。

So for example, the seed phrase standard only came several years after Genesis.

所以所有早期的中本聪地址都没有对应的助记词。

So all of the earlier all the Satoshi addresses, for example, won't have a corresponding seed phrase.

还有一些钱包，比如基于MPC的钱包，也没有对应的助记词。

And there's some, like, wallets, for example, MPC based wallets, where there there is no corresponding seed phrase.

所以这并不是一个完美的解决方案，但它能帮你解决80%的问题

So it's it's not a perfect solution, but it it gets you 80% of the

了。

way down.

真乱。

Messy.

不管怎么处理，这都太乱了。

This is so messy no matter how you cut it.

是的。

Yes.

是的。

Yes.

我想强调的另一点是，很多人认为当你窃取比特币时，BTC资产的价格会暴跌，于是你窃取的资产就会变得一文不值。

The other thing I wanted to highlight is that a lot of people think that when you steal Bitcoin, the price of of BTCD assets will crash, and then, you know, the asset that you've stolen will be worthless.

但实际上，有一种非常简单的方法可以对冲比特币的价格。

But there actually is a way to basically hedge the price of Bitcoin, which is very easy.

你只需要做空BTC。

You just go short BTC.

假设你非常确定自己已经破解了一个钱包的私钥，而这个钱包里存有10万个BTC。

So let's say you know for sure that you've cracked the the the private key of a of a wallet that holds, let's say, 100,000 BTC.

你只需要做空10万个BTC，这样就能锁定你10万个BTC的利润，无论比特币价格涨跌，你的利润都已锁定，可能高达数十亿美元。

What you do is you short a 100,000 BTC that locks in your your profit of a 100,000 BTC, then no matter what the price of Bitcoin does, it goes up or down, you've locked in your profit, which could be, you know, tens of of billions of dollars.

现在

Now

我想指出一点，贾斯汀，你的思维方式很特别，而这种思维方式正是你成为以太坊支持者的原因。

I do want to flag that, Justin, you think in a particular way, and the way that you think is why you are an Ethereum.

如果你是个比特币支持者，你会以不同的方式思考。

And if you were a Bitcoiner, you would think a different way.

比特币支持者的思维方式非常独特、鲜明，就像瑞安刚刚提到的产权至上主义者。

The Bitcoiner way of thinking is very unique, very distinct, like kind of Ryan just alluded to a property rights maxi.

我认为，如果贾斯汀掌管比特币，他的做法会与广大比特币支持者集体掌管比特币时的做法大不相同。

I think what Justin would do if he was in charge of Bitcoin is very different than what the general aggregate of Bitcoiners would do if they're in charge of Bitcoin.

我其实没有一个具体的、可操作的问题，但我只是想强调一下，哦，是的。

And I don't really have, like, an actionable, like, question here, but I just do want to highlight that Oh, yeah.

我的意思是，比特币支持者们的做法可能并不是你会去做的那种。

Well, I mean Bitcoiners do is not is probably not what you're going

你会去做的。

to do.

尼克·卡特的指控是，许多比特币核心开发者实际上是在掩耳盗铃，声称二层方案不是真实的，或者至少在二三十年内不会成为现实。

Nic Carter's charge is that basically what many of the Bitcoin core devs are doing is kinda burying their head in the sand and saying two day is not real or it's not going to be real for, like, twenty to thirty years.

这就是他在说他们正在做的事。

That's what he's saying they're doing.

为了澄清一下，我关于燃烧机制的预测，只是我认为最可能发生的情况，并不是我本人会采取的行动。如果我真的完全拥抱产权原则，我根本不会去碰比特币，因为我没有这种短期偏好。

Just to be clear, my prediction around the the the burn willing out is, you know, a prediction of what I think is most likely is not what I would do if I would actually just not touch Bitcoin and and embrace the property rights, you know, just because I have, you know I don't have this this this this short time time preference.

我认为许多比特币爱好者会同意我的观点，但不幸的是，迈克尔·萨勒尔的影响实在太强了，某种程度上，比特币在社交层面上已经变得中心化了，而这也带来了巨大的权力和相应的责任。

And I think many Bitcoiners will will agree with me, but, unfortunately, you know, Michael Sailor has just such a strong influence that, you know, in some sense, Bitcoin has been centralized at the social layer, and and and that comes with great power and great responsibility.

我其实同意你的观点。

I actually agree with you.

我也会这么做。

That's what I would do too.

我会让寻宝过程自然发生。

I would let the treasure hunt happen.

我会让回收过程自然发生。

I would let the salvage happen.

我不会去干预任何事情。

I would not touch anything.

这才是比特币真正关键的地方——让一切顺其自然。

That is the key thing that Bitcoin does and just let the chips fall where they may.

不过，让我问你同样的问题。

Let let me ask you the same question, though.

所以，并不只是比特币供应量中有一部分存在后量子时代的不安全问题。

So it's not just some portion of Bitcoin supply that is, you know, post quantum insecure.

以太坊也存在这个问题，只是涉及的供应比例不同。

Also, Ethereum has this problem too, but with a different percent of supply.

你能映射出同样的问题吗？

Can you map that same problem?

所以我们进入了一个后量子时代的情景。

So we get to a post two day scenario.

天啊。

Oh my god.

假设有人没有冻结或销毁这些币。

Somebody let let's say they didn't freeze and burn.

有人正在收集、抢夺那些中本聪的比特币。

Somebody is is is grabbing, scooping up the the Satoshi Bitcoin.

此时此刻，以太坊上正在发生什么？

What is happening on Ethereum at this point in time?

有多少比例的供应量容易受到攻击？

What percent of supply would be susceptible?

现在我们假设以太坊还没有解决量子计算的问题。

Now let's just say Ethereum didn't solve, you know, quantum yet.

我们就假设它仍处于当前状态。

So let's just say it's in its its current place.

有多少比例的供应量会受到这种攻击的威胁？

What percent of supply would be vulnerable to this type of an attack?

以太坊的一个优势是，没有像比特币那样有5%的供应量由一个人（中本聪）控制，而这部分很容易丢失。

One advantage that that Ethereum has is that there isn't the 5% of supply controlled by one person, Satoshi, which is kind of fought to to to to be lost.

另一个优势是，以太坊的历史较短，并且从第一天起就有价格。

The other advantage in some sense is that Ethereum is less old, and it had a a price from day one.

所以，从一开始就有理由好好保管你的以太币。

So, you know, there was a reason to take care of your your your Ether, you know, from the very beginning.

而在比特币早期，它只是垄断货币，人们对于私钥的保管普遍缺乏良好的安全习惯。

Whereas in the early days of Bitcoin, it was just monopoly money, and people just didn't really have very good hygiene with with with their with their private keys.

因此，尼克·卡特提到的那1.7%很可能确实是真正丢失了。

And so it's much more likely that, you know, the the 1.7 that Nic Carter was talking about, you know, are actually, you know, true truly truly lost.

当我参与超声波项目时，我们曾试图计算已知丢失的币的数量，以便将其与销毁量一起添加到仪表盘上，但发现这个数字微乎其微，所以我们根本没去统计。

Now when I was with the ultrasound project, one of the things that we were trying to do is calculate the amount of known lost coins so that we could add it to the to the dashboard in addition to to to the burn, And it was just such a negligible amount that we didn't even bother doing doing it.

当时有一些，比如

There were, like But

你有像Parity黑客这样的事件。

you have, like, the parity hack.

那不是很大一部分吗？

Isn't that a large portion?

是的。

Yes.

非常好的观点。

Very good point.

所以那曾是列表中的首要问题，但碰巧这是一个BRICK智能合约，对量子计算机没有漏洞。

So that was, like, the number one item in in the list, but it so happens that this is a a BRICK smart contract, which is not vulnerable to to to quantum computers.

所以

So the

实际上只是被卡住了。

actually just stuck.

这并不是没有私钥的问题。

It's not about not having private keys.

就是纯粹被卡住了。

It's just literally stuck.

它已经报废了。

It's bricked.

是的。

Yes.

没错。

Exactly.

它已经报废了。

It's bricked.

好的。

Okay.

然后，你知道，有一些关于几个人的案例研究。

And then, you know, there's, like, a few case studies of a few people.

如果你真的去深挖Reddit上的讨论之类的，你会找到一些东西。

You if you really go digging in in the in the, you know, Reddit discussions and and and whatnot, you'll find stuff.

但在大局来看，总数还不到0.1%。

But it it in the grand scheme of things, it's, you know, sum total less than 0.1%.

这就是已知的丢失供应量。

So that is the known lost supply.

但现实地说，会有一些代币在接近量子时代时才被发现丢失了，如果我要猜的话，这个数字在个位数的小范围内，比如两三个百分点，或者5%左右。

But, you know, realistically, there will be some coins which, you know, will be revealed to be lost closer to to to QDay, and that if I were to make a guess, you know, that is in the small single digit, call it, I don't know, two, three, 5% maybe.

所以你认为，最多可能有2%、3%或5%的以太坊供应量既已丢失，又存在于可被量子破解的地址中？

So you think maybe at max two, three, 5% of Ethereum supply is kind of both lost and in quantum crackable addresses?

没错。

Exactly.

是的。

Yes.

我的意思是，如果我要做一个具体的预测，我会说大约是2%，这大致比比特币低一个数量级。

I mean, if I were to make a a concrete prediction, I'd say, you know, 2%, which is roughly on order of magnitude less than than than than Bitcoin.

而且，这种数量上的差异实际上会带来质的不同，那就是在以太坊的情况下，我强烈主张什么都不做，真正尊重财产权，因为归根结底，2%根本不算什么。

And, you know, this this quantitative difference actually has a a qualitative consequences, which is that in the case of Ethereum, I would strongly advocate for not doing anything and really honoring property rights because at the end of the day, whatever, 2% is not a big deal.

而在比特币的情况下，15%就完全是大事了。

In the case of Bitcoin, you know, 15% is is is a massive deal.

所以以太坊也必须做出同样的选择。

So Ethereum will have to make this same choice.

对吧？

Right?

是的。

Yes.

是选择冻结并销毁，还是让它变成一场寻宝游戏，比如3%这种情况。

Whether to you know, so let's say it's something like 3%, whether to do the freeze and burn or just let that be a treasure hunt.

而你的期望是我们选择寻宝游戏的方式，这意味着某种量子攻击者能够获取那1%、2%、3%的以太币。

And your hope is that we just go with the treasure hunt option, which means some sort of quantum attacker will be able to scoop up that one, two, 3% of Ether.

如果你放眼大局，我们会发现，以太币正逐渐成为比比特币更好的货币。

And if you zoom out and you look at the big picture, we're basically moving towards Ether being, you know, much better money than BTC.

它将采取不干预的态度，尊重财产权。

It will be noninterventionist, respectful of property rights.

它将具备抗量子安全性，并且不会像比特币那样，在未来几次减半后陷入安全预算问题。

It will be, you know, quantum secure, and it will not have the security budget issue that is going to plague Bitcoin in, you know, a couple halvings.

因此，我认为这对这个资产来说是一个巨大的机遇。

And so I think this is a big opportunity for for you for the asset.

好的。

Okay.

所以我们刚刚讨论了量子计算带来的这种温和的社会性问题。

So we have just talked about kind of the the soft social issue that quantum computing brings up.

为了使链的其余部分实现抗量子安全，我们还面临许多技术挑战。

There's a lot of technical challenges that we also have to face in order to make kind of the the rest of the chain post quantum secure.

我想分享一条我看到的来自Hazeep Qureshi的推文，他是节目的朋友。

I I wanna bring out this this tweet that I saw from, Hazeep Qureshi, friend of the show.

他说了这段话，并且是对Vitalik关于以太坊抗量子路线图的帖子进行引用回复。

He said this, and he was quote tweeting a Vitalik post on Ethereum's quantum road map.

他说：以太坊要实现抗量子安全的路线图比比特币更艰难。

And he said this, Ethereum has a tougher road map to become post quantum than Bitcoin.

实际上，在解决EO和私钥问题之前，还有很多依赖项需要处理，因为抗量子证明的体积很大。

Actually, a lot of dependencies before you can tackle EOs and private keys due to post quantum proof sizes.

所以他的观点是，以太坊前方的挑战和路线图比比特币要艰巨得多。

So his take is actually the challenges and the road map ahead for Ethereum are much tougher than Bitcoin.

你怎么看这个说法？

What do you think about that?

有两个问题需要解决。

So there's two problems that need to be solved.

有一个技术问题，还有一个社会问题。

There's the the technical one and the social one.

如果你看技术层面，CB说得对，以太坊需要解决三个问题，分别对应以太坊的各个不同层级。

If you look at the the technical one, you know, has CB is correct that there's basically three problems that Ethereum has to solve, each of the different layers of Ethereum.

首先是共识层，我们使用一种叫BLS的密码学技术。

So there's the the consensus layer where we have this cryptography called BLS.

然后是数据层，我们使用KZG，再下面是执行层，使用ECDSA。

There's the data layer where we have KZG, and then we have the execution layer where we have ECDSA.

这三部分密码学技术都存在漏洞。

And each three of these pieces of cryptography are vulnerable.

这比比特币的情况更复杂，比特币只需要解决ECDSA这一个问题。

And that is a superset of what you have in Bitcoin where you only have the the ECDSA problem.

所以某种程度上，我们需要升级的东西是三倍之多。

So in some sense, have, like, three three times more things that that that we need to upgrade.

但当你放宽视野，我认为更大的问题——可能占80%——是社会层面的。

But when you zoom out, I would argue that the bigger issue, maybe 80% of it, is is is social.

你知道，我们已经讨论过是否要销毁代币，但还有一个更根本的问题：我们是否承认这确实是个问题？

You know, we've already touched on whether to burn or not to burn, but there's something even more fundamental, which is do we accept that this is even a problem?

在比特币世界里，有一种免疫反应，基本上会拒绝任何可能对价格产生不利影响的叙事。

And in Bitcoin land, you have this immunoresponse, which basically just rejects any kind of, you know, narrative which could potentially be bad for for for the price.

而且像亚当·巴克这样的人会说，量子计算机至少还需要几十年才能实现。

And you have, you know, people like Adam Back that are saying, you know, quantum computers are at least decades away from from from today.

所以，第一步是必须承认这个问题确实存在。

And so, you know, step zero is is to have some sort of acceptance that there is a problem.

有可能比特币会稍微慢了一步，这带来的后果将远比技术层面的滞后要严重得多。

And it it's possible that, you know, Bitcoin will be slightly too late, and that would have, you know, much bigger consequences than than than on the technology side of things.

所以你认为，总体而言，比特币会面临

So you think, generally, Bitcoin will have

一个

a

更棘手的问题，因为他们的社会层根本不愿承认这一现实，也不愿接受链上的新发展。

harder problem because of their social layer is is just, like, not acknowledging this reality and is less willing to engage with new developments on chain.

是的。

Yeah.

让我这么说。

Let me say this.

我愿意赌上一大笔钱，以太坊的三层都会在比特币的单层之前完成升级。

I'm willing to bet a large amount that all three layers of Ethereum will be upgraded prior to the single layer of of

对。

Right.

对。

Right.

所以，我们在以太坊这边面临三倍大的问题，但归根结底，这只是一个工程问题。

So the we have three times larger of a problem, but it is on the Ethereum side of things just an engineering problem at the end of the day.

不仅如此，这正是以太坊正在积极应对的工程问题。

And not only that, it is is an engineering problem that Ethereum is taking head on.

因此，虽然比特币的工程问题规模较小，但它是一个社会问题、协调问题，从根本上更难克服。

So while, you know, the Bitcoin engineering problem is a smaller engineering problem, it is a social problem, a coordination problem, which is fundamentally harder to get over.

是的。

Yes.

没错。

Exactly.

即使从技术层面来看，这也是我们已经研究了将近十年的问题。

And even on the technical side of things, you know, we this is a problem that we've been working on for, you know, almost a decade now.

所以如果回溯到2018年，我们向Stockware提供了500万美元的资助，用于研究基于哈希的后量子SNARK，并奠定SNARK友好哈希函数的基础。

So if you rewind the clock back to 2018, we gave a a $5,000,000 grant to Stockware to study these hash based post quantum SNARKs and to lay the foundations with, you know, SNARK friendly hash functions.

Poseidon哈希函数就是由此诞生的。

This is where the Poseidon hash function came came came out from.

而且，如果你看看最近的情况，比如2024年，就宣布了Lean共识链，它以前被称为BEAM链。

And, you know, if you look, you know, in more recent past, know, in 2024, there was the Lean consensus chain that was announced, formerly known as as the BEAM chain.

去年，我们在剑桥举办了后量子研讨会。

We've had, for example, the post quantum workshops in Cambridge last year.

我们现在拥有一个专门的后量子团队，由Thomas和Emile负责。

We now have a dedicated post quantum team with Thomas and Emile.

而且，我们有一个名为Strawmap的文档，详细列出了实现这些升级的关键里程碑。

And, you know, we have this this Strawmap, which really details some of the the the key milestones to to to making these upgrades.

我们能逐个讨论这些问题吗？

Can we talk about each of those problems one by one?

我知道，贾斯汀，你在密码学方面可以深入到极其细节的程度。

And I and I know, Justin, you can get into extreme detail with respect to the cryptography.

但我们希望保持在大卫和我能理解的水平上，也就是更简单一些，贾斯汀。

We wanna try to keep this at the level that David and I can understand, which is much more simple, let's say, Justin.

不过，我们当然理解以太坊堆栈的不同层级。

But we we do understand kind of the different layers, of course, of the Ethereum stack.

也许我们可以从执行层开始，因为这是我们一直讨论的主要内容。

And maybe we can start with the execution layer because that's been the main thing we've talked about.

ECDSA是比特币地址和以太坊地址背后所使用的签名方案。

ECDSA, this is the signature scheme behind both Bitcoin addresses and Ethereum addresses.

在后量子世界中，如果有人能够破解它，就能直接窃取实际的资产。

That's the thing that would be cracked in a post quantum world where somebody could go and and take the actual assets.

那么，ECDSA的升级路径是什么？

So what's the upgrade path to ECDSA?

我的意思是，这是一项历史悠久的密码学工具。

I mean, that is a long standing you know, cryptography, like, tool.

我们已经有可以替代它的方案。

And we have something that can replace it.

这个过程是怎样的？

What's what's the process for that?

是的。

Yeah.

首先，我要强调，这本质上是一个非常庞大的任务——改变区块链的基石，即基础密码学，并用具有完全不同的特性的新方案替换它。

So first of all, let me just highlight that this is a very big task fundamentally where changing the the pillars of of blockchains, the the the the base cryptography, and swapping it out with with something new with completely different properties.

如果你是个外行，你的答案可能会很简单。

Now if you were kind of a layperson, your answer might be it's simple.

我们有一个标准机构，叫做NIST，即美国国家标准与技术研究院。

We have a standard body called NIST, the National Institute of of Standards and Technology.

他们基本上举办了一场后量子签名竞赛，并选出了几个方案， namely Falcon、Lattice 和 Sphinx Plus。

They've basically come up with this post quantum signature competition, and they've selected a few, namely Falcon, the lithium, and Sphinx Plus.

所以我们只需要从中挑选一个或几个选项。

And so we just need to pick, you know, one or several of these options.

问题是，NIST 并没有为区块链用例设计这些方案。

The problem is that NIST has not designed for the blockchain use case.

他们设计的是针对互联网上单个消息的独立签名场景。

They've designed for a use case where you have individual signatures for individual messages that are, you know, used on the Internet.

在区块链环境中，你面对的是交易批次。

In the context of blockchains, you have batches of transactions.

例如，对比特币来说，每个区块中都有成千上万笔交易。

For example, for Bitcoin, you have, you know, thousands of transactions per block.

而且，我们还面临后量子签名体积过大的问题。

And, again, we have the size problem with the post quantum signatures.

这些签名至少大了十倍，甚至可能大一百倍。

That that at least 10 times larger, if not a 100 times larger.

因此，在我看来，直接将这些单独的签名简单地打包并拼接到区块中，是完全行不通的。

And so in my opinion, it's a it's a total nonstarter to consider these individual signatures that we're just naively packing and concatenating in in in the blocks.

我所看到的唯一解决方案是签名聚合，即将多个签名合并成一个多重签名，然后验证这个主多重签名，等同于验证所有单独的签名。

The only solution that I see is called signature aggregation, where you take multiple signatures and then you squish them into one multisignature, if you will, and then verifying this master multisignature is the same as verifying all of the the individual constituents.

当你深入研究可聚合的后量子签名设计空间时，会发现可用的选项其实非常少。

Now when you do your homework, you know, looking at the design space for aggregatable post quantum signatures, there's just not that many options.

在我看来，至少以我们当今的技术而言，唯一可行的方案是使用SNARKs，特别是后量子SNARKs。

There's essentially one option that is, viable in my opinion, at least with the technology that we have today, which is to make use of SNOCs, specifically post quantum SNOCs.

而我们所知的后量子SNARKs本身也不多。

And there's not that many post quantum SNOCs that we know about.

基本上只有一大类，那就是基于哈希的SNARKs。

There's basically one major family, which is the the hash based SNOCs.

基本思路是：你取每个后量子签名，然后证明你掌握了所有这些签名，最终生成一个最终的SNARK证明。

So the basic idea is that you you you take individual post quantum signatures, and then you prove knowledge of all of these signatures to end up with a final SNOC proof.

如果你选择基于哈希的SNARKs，那不如也直接采用基于哈希的原始签名，也就是未聚合的原始签名。

Now if you're gonna go with the hash based SNOCs, you might as well also go with the hash based leaf signatures, the un aggregated raw signatures.

原因是这能带来简洁性和安全性优势。

And the reason is that this gives you simplicity and security benefits.

这是你能拥有的最简化的安全假设，你只需假设你的哈希函数是安全的。

It is the most minimal security assumptions that you can have where you you're just assuming that your hash function is secure.

在区块链世界中，哈希函数已经是沉没成本。

And in the world of blockchains, hash functions are sunk costs.

它们无处不在，用于构建模块、默克尔树、状态树，以及通过哈希进行链式连接的区块链。

You we have them everywhere, you know, for for building blocks and Merkle trees and then state trees and and and, you know, blockchains where the chaining is done with with with hashes.

因此，以太坊基金会投入了大量努力，从基于哈希的签名开始，确保它们尽可能适合SNARK，以降低聚合成本。

And so, you know, the Ethereum Foundation has put in a lot of effort to start with hash based signatures and make sure to make them as SNARK friendly as possible so that the cost of aggregation is as low as possible.

我很高兴地报告，这种方法的性能实际上足以满足所有区块链的需求。

And, you know, I'm pleased to report that the the the performance of of of this approach is actually good enough for all of the blockchains.

所以，无论你的链的吞吐量如何，你都可以在合理的硬件上，比如笔记本电脑的CPU上，部署一个聚合器，持续聚合所有这些交易并生成一个与区块一起提交的最终证明。

So, you know, the whatever the throughput of your of your chain is, you can have an aggregator on on reasonable hardware, for example, on a laptop CPU that can just be aggregating all these all these transactions and producing a final proof that gets accompanied with the block.

这种方案的一个讽刺之处在于，它实际上相比我们今天的技术实现了可扩展性的提升。

And one of the ironic things about this approach is that it's actually a scalability increase relative to what we have today.

原因是你不需要每笔交易都承担固定的64字节开销。

And the reason is that you don't have the fixed cost of, you know, 64 bytes per transactions.

交易本身几乎不包含签名数据，而只有一个主签名，其成本被分摊到区块中的所有交易上。

The transactions have, like, zero byte of signature data, and then you have this one master signature which gets amortized away across all of the transactions in the block.

明白了。

Okay.

这对于以太坊之后的许多其他智能合约区块链来说是一次升级，尤其是那些注重速度的链，比如Solana。

So this is a upgrade for many of the other smart contract blockchains downstream of Ethereum, especially the ones that optimize for for speed like Solana combined.

智能合约。

Smart contract.

对吧？

Right?

比特币也是。

Bitcoin as well.

ECDSA。

ECDSA.

是的。

Yeah.

对。

Right.

对。

Right.

对。

Right.

所以，我原本以为像Solana这样的链会因为必须使用更庞大的签名而受到限制，就像比特币的TPS因签名开销而降至每秒0.3笔交易一样，Solana在后量子时代也会因为交易体积变大而变慢。

So, like but the idea here what I thought going into this episode that chains like Solana would be income encumbered by having to do beefier signatures just in the same way Bitcoin TPS slows down to point three transactions per second, Solana would similarly also slow down because transactions just would be beefier in a post quantum world.

但你所说的是，有了这项技术，这种情况就不会发生，反而能让这些链普遍变得更快，从而解决这个问题。

But what you're saying is with this technology, that it won't be true and it actually will allow chains to broadly get faster and solve that problem.

是的。

Yeah.

没错。

Exactly.

就像中本聪用ECDSA为整个行业确立了事实上的标准，我们甚至复制了他所选用的曲线——k1曲线，这在当时是非常不寻常的选择。

And just like Satoshi with ECDSA set a de facto standard for the whole industry, and we basically copied even the curve, the the, you know, the k one curve, which is very unusual to pick with Satoshi.

没人知道他为什么选了这条曲线，但它最终成为了事实上的标准。

No one knows why he picked that curve, but that became the de facto standard.

我认为以太坊有机会成为先行者，确立这一事实上的标准。

I think there's an opportunity for Ethereum to be a first mover and set the de facto standard.

而我们采取的策略实际上是与比特币社区合作。

And the strategy that we're taking is actually to collaborate with the Bitcoiners.

在比特币领域，有两位人物，米哈尔·库迪诺夫和尼克·乔纳斯。

So in the Bitcoin land, there's a couple individuals, Michal Kwudinov and Nick Jonas.

他们都是Blockstream的成员，同时也是基于哈希签名的专家。

They're both part of Blockstream, and they're both hash based signature experts.

我们正在与他们合作，确保我们在以太坊领域开发的内容也能适用于比特币。

And we're basically working with them to make sure that whatever we develop in Ethereum land is also applicable to Bitcoin.

如果比特币和以太坊都采用这一标准，那么整个行业很可能也会随之采用这一标准。

And if Bitcoin and Ethereum uses that standard, then the whole industry presumably will also use the standard.

有个令人兴奋的消息。

Some exciting news.

我们即将推出一个新的播客，帮助人们理解加密货币周期，以及如何应对它。

We are launching a new podcast to help people figure out the crypto cycle, how to navigate it.

我认识的最出色的加密货币周期投资者，他的名字是迈克尔·纳托。

The best crypto cycle investor I know, his name is Michael Nato.

他运营着《DeFi报告》。

He runs the Defi report.

就是这位人士，在10月10日价格暴跌前给我发了卖出提醒。

This is the guy that sent me a sell alert before the 10/10 price drop happened.

他的周期分析一直非常精准。

His cycle analysis has been absolutely on point.

我已经关注他好几年了。

I've been following him for years.

今年，我们开始每周录制播客节目。

And this year, we started recording weekly podcast episodes.

每一期，我们都会深入分析他的投资组合，他持有哪些资产，市场结构，入场目标，比特币和以太坊的公允价值，以及我们当前所处的周期阶段。

Each one, we get into his portfolio, what he's holding, the market structure, entry targets, fair market value of Bitcoin and Ether, and where we are in the cycle.

每周三都会发布新一期内容。

There's new episodes that are released every Wednesday.

每期时长三十分钟。

They're thirty minutes.

内容很短。

They're short.

简洁有力。

They're punchy.

我认为这个加密周期比以往任何一次都更难把握，让我们一起应对吧。

I think this crypto cycle is harder to navigate than most, so let's do it together.

赶紧订阅这个播客吧。

Go subscribe to this podcast.

在你常用的播客平台——YouTube、Apple、Spotify——搜索‘DeFi Report’，或者查看节目说明中的链接。

Search the DeFi report wherever you get your podcasts, YouTube, Apple, Spotify, or find a link in the show notes.

现在有一集新内容在等着你。

There's a new episode waiting for you now.

这太棒了。

That's fantastic.

所以我们有一种方法可以在不牺牲性能的情况下解决执行层的后量子升级问题。

So we have a way to solve the execution layer, you know, post quantum upgrade without a performance hit.

不过，我想再问你一个问题。

Let me ask you another question, though.

那安全性呢？

How about security?

这些是新的密码学技术，与已经存在已久的ECDSA相比，后者有Linde。

So these are this is newer cryptography versus ECDSA, which has been around forever, has Linde.

它已经被验证过。

It's been proven.

我们在引入新密码学技术时，是否应该担心存在某种隐藏的漏洞、零日攻击，或者可能彻底摧毁我们所构建的一切的风险？

Should we be worried in implementing new cryptography that there's some kind of hidden bug, zero day, something out there that, you know, could completely destroy what we've built?

所以我有一些想法。

So I have a few thoughts here.

我们对安全问题极其、极其重视。

You know, we take security extremely, extremely seriously.

总的来说，我预计我们部署的解决方案将比今天使用的ECDSA安全好几个数量级。

And, overall, what I expect will happen is that the solution that we deploy is gonna be orders of magnitude more secure than what we have today with ECDSA.

现在让我试着解释一下。

Now let me try and explain this.

ECDSA基于椭圆曲线，这些是复杂的结构化数学对象。

So ECDSA is based on elliptic curves, which are, you know, these fancy structured mathematical objects.

有可能某个聪明的数学家会提出一种全新的算法，利用某种人类尚未知晓的高深数学技巧来破解离散对数问题，而这类事情在过去确实发生过。

And it is possible that some clever mathematician comes up with an algorithm to break the discrete log using some very fancy mathematical trick that humanity was not aware of, and this is the kind of thing that has happened in the past.

例如，我们在因式分解和离散对数方面的算法正变得越来越先进。

You know, we have better and better algorithms for factoring, for example, and for discrete log.

而随着人工智能的出现，一种可能性是，我们可能会拥有比人类数学家聪明一百倍的数学家，他们能发现椭圆曲线中隐藏的结构，从而破解加密系统。

And one possibility with the advent of AI is that we just have mathematicians that are, you know, a 100 times smarter than than human mathematicians that discover this hidden structure, elliptic curves, and can can break up cryptography.

因此，我们构建的密码学不仅是抗量子的。

And so the cryptography that we're building is not only post quantum.

它还是抗AI的。

It's also post AI.

回到我之前提到的另一点，它仅依赖于哈希函数。

And going back to one the other thing that I said is that it only relies on hash functions.

所以，如果你考虑任何一种签名方案，它都会依赖于两个要素。

So if you take basically any any signature scheme, it will rely on two things.

第一是哈希函数，第二是可选的额外困难性假设，比如离散对数，或者在基于格的签名中，这些结构化的格。

One, the hash function, and then two, an optional additional hardness assumption, which might be the discrete log or, you know, in the case of lattice based signatures, like these structured lattices.

但在基于哈希的签名中，不存在这种额外的困难性假设。

But in the case of hash based signatures, there isn't this additional hardness assumption.

它仅仅依赖于哈希函数。

It's just hash functions.

所以，只要你使用的哈希函数是安全的，那就没问题。

So if your hash function is secure, then then you're good.

所以从这个意义上说，我预期这将优于现状。

So so in in that sense, I I expect to be an improvement versus the status quo.

但现在我想强调两个注意事项。

Now there's two caveats that I wanna highlight.

第一个注意事项是我们处理的是更复杂的对象，而我们这里的解决方案被称为深度端到端形式验证。

Caveat number one is that we're dealing with more complex objects, and the solution that we have here is what we call deep end to end formal verification.

因此，我们有我们的密码学对象，并希望从数学上证明它是可靠的，即不可能伪造签名。

So we we we we have our our cryptographic object, and we wanna basically prove mathematically that it is sound, that it is impossible to forge a signature.

我们不仅对数学部分进行验证，还希望对代码本身也进行验证。

And not only do we do this for the mathematics, but we also wanna do this for the code.

如果你在两三年前问我，这是否可行？

And had you asked me, you know, two, three years ago, is this something that, you know, that would be doable?

我会说可行，但那过程极其繁琐、成本极高。

I would say have said yes, but it was, you know, extremely laborious, extremely expensive.

但随着人工智能的发展，我们发现这种极其繁琐且昂贵的工作现在可以快上一百倍、便宜一百倍。

But what we're seeing with the advent of AI is that this very laborious and expensive work can be done a 100 times faster and a 100 times cheaper.

我们开始看到前沿的世界级数学成果。

We're starting to see, you know, bleeding edge world class mathematics.

例如，最近有一项获得了菲尔兹奖的研究，这相当于数学界的诺贝尔奖。

You know, for example, a recent result that won the Fields Medal, which is the equivalent of the Nobel Prize for mathematics.

这项成果已被人工智能在五天内完成形式化验证。

That result has been formally verified by an AI in five days.

他们生成了五十万行代码，从数学上证明了这是一个有效的定理，机器可验证的证明过程还发现了人类论文中各种拼写错误。

They produce half a million lines of code proving mathematically that, you know, like, machine checkable proof that this is indeed a valid theorem, and the process finding all sorts of typos in the proof of the the human written paper.

因此，我们需要这种程度的严谨审查，以避免出现漏洞。

So that's the kind of due diligence that we wanna have in order to avoid the bugs.

现在我还想强调另一点，那就是哈希函数本身。

Now there is another thing that I wanna highlight, which is the hash function itself.

历史上，区块链要么基于比特币使用的SHA-256，要么基于以太坊使用的KZG哈希函数。

So historically, blockchains have been built on either Shatu in the case of Bitcoin or hash function called KZGETH in the case of Ethereum.

我们为后量子以太坊提出的方案是引入另一种名为Poseidon的哈希函数，这种函数在某种程度上属于不同类型，因为它对零知识证明更友好。

And the proposal that we have for for for for, you know, post quantum Ethereum is to introduce another hash function called Poseidon, which in some sense is is a different type of hash function because it's it's snark friendly.

当我们推出Poseidon时，它应该已经相当安全了，因为那时它已经被深入分析了整整十年。

Now by the time we launch Poseidon, it should be pretty safe in the sense that it will have been, you know, analyzed for a whole ten years.

它将通过L2网络保障数十亿美元的安全，并且已经接受了该领域所有顶尖专家的密码分析。

It will have been securing many billions of dollars through the l twos, and it will have gone through cryptanalysis by all of the top experts in the field.

此外，最近我们刚刚宣布了100万美元的悬赏，旨在尝试破解Poseidon。

And, also, recently, we just announced a $1,000,000 prize, you know, to try and break a a Poseidon.

但确实有可能，作为一项新技术的Poseidon会被攻破。

But it is indeed possible that that that Poseidon, which is a new thing, would would would break.

不幸的是，设计哈希函数的方式是，你无法直接证明它们是安全的。

Now the way, unfortunately, that you design hash functions is that you can't just prove that they're secure.

你所能做的最好的事情，就是找不到任何能证明它们不安全的攻击方法。

The best that you can do is, you know, the lack of an attack that proves that they are insecure.

因此，这本质上需要一段‘熟成’时间，而我所设想的时间尺度是八年。

And so there's basically this this baking time, and the order of magnitude that I have in mind is eight years.

为什么是八年？

Why eight years?

因为当中本聪选择SHA-256时，它已经用了八年了。

Because when Satoshi picked shot to '56, it was eight years old.

当BITGET选择KZGET时，它也恰好用了八年。

When BITGET picked KZGET, it was eight years old, coincidentally.

所以，我想说它至少得有八年历史，当我们把它部署到以太坊时，它就会达到这个年限。

And so, you know, I I would want to say it on to be at least eight years old, which it will be when we do deploy it on Ethereum.

好的。

Okay.

所以这是执行层。

So that's the execution layer.

能快速谈谈数据层吗？

Quickly, could you talk about the data layer?

KZG需要升级为抗量子的方案，而共识层我们使用的是BLS签名。

KZG needs to be upgraded to something post quantum and the consensus layer we where we have BLS signatures.

这在替换ECDSA方面，与执行层的工作量相似吗？

Is that sort of similar in terms of the the level of effort to the execution layer in replacing ECDSA?

那我先从共识层开始讲，因为这个问题的答案比较简单。

So let me start with the consensus layer because it's a simpler answer.

粗略来看，这基本上就是复制粘贴。

At first approximation, it's basically a copy paste.

我们有类似的概念，有参与者生成签名，而且签名数量非常多。

So we have a similar concept, we have actors making signatures, and there's a lot of signatures.

你知道，这些签名占用了大量空间，我们希望压缩它们。

And, you know, they take up a lot of space, and we wanna we wanna compress them.

共识层的问题在于，我们的签名数量远多于执行层。

The issue with the consensus layer is that we have way more signatures than at the execution layer.

人们没有意识到这一点，但我们有一百万个验证者。

People don't realize this, but, know, we have a million validators.

因此，每个周期有一百万个签名，每个插槽有三万两千个签名，每秒有数千个签名。

So that's a million signatures per epoch, which is 32,000 signatures per slot, which is thousands of signatures per second.

明白吗？

You know?

这比Solana的投票交易量还要多，你知道的。

It's like it's it's it's it's more than Solana, you know, in terms of of vote transactions.

为了实现一种仅在共识层可用的性能优化，我们引入了有状态签名的概念，即你签名的消息包含一个每次签名都会递增的计数器。

In order to unlock a a certain performance optimization, which is only available at the consensus layer, we have this notion of a stateful signature, which basically says that the messages that you sign have a counter that increases every time you sign.

这让你想到了什么吗？

And doesn't that remind you of something?

没有。

No.

插槽编号。

The the slot number.

所以在以太坊的共识层，你每个插槽只会签名一条消息。

So, you know, in Ethereum, at the consensus layer, you will only ever sign a single message per slot.

如果你在一个插槽中签名两条消息，就会被惩罚，所以你几乎永远不会这么做。

If you sign two messages per slot, you'll get slashed, so you you'll probably never do that.

我们利用这一限制，使签名的聚合效率提高了十倍。

And we use this constraint to basically have signatures that are 10 times more efficient to to aggregate.

但这是主要区别。

But this is the main difference.

你知道吗？

You know?

执行层所谓的无状态哈希函数，与具有递增槽号的有状态签名之间的区别。

The the stateless so called stateless hash functions at the execution layer versus the stateful signatures where you have this the slot number that that that increments.

而这种聚合技术，我们给它起了个名字。

And the aggregation technology, we have a name for it.

它被称为LeanVM，这是一种基于哈希密码学的最小化零知识虚拟机。

It it's called LeanVM, which is a minimal ZKVM for hash based cryptography.

基本上，LeanVM的作用是证明这是一个正确的默克尔路径，而我们目前还不完全确定的是，这种方法是否能实现我所说的‘地表气体前沿’。

Basically, what LeanVM would be doing is proving that this is a correct, you know, Merkel route, and the main thing that we're not completely sure yet is whether or not this approach can unlock, you know, what I call the the terra gas frontier.

所以，我们有一个非常雄心勃勃的目标：一层每秒十亿气体，即每秒一万笔交易；但更雄心勃勃的是，在二层利用数据可用性实现每秒一万亿气体、一千万笔交易。

So, you know, we have this very ambitious one giga gas per second at the l one, ten thousand TPS, but in some sense even more ambitious, one teragast, 10,000,000 transactions per second at at the l two using the the data availability.

我们讨论的是每秒一吉字节的数据可用性。

And we're talking about one gigabyte per second of data availability.

所以问题在于，ZKVM的性能是否足以处理每秒一吉字节的数据？

And so the question is, can the ZKVM be performance enough to crunch through one gigabyte of data per second?

而且，你知道，这仍有待未来优化来确定。

And, you know, this is still yet to be determined based on on on future optimizations.

但我们确定的是，FM将具备数据可用性，以实现L1每秒一吉加斯，以及若干其他L2的算力。

But what we do know for sure is that FM will have the DA to have the the one giga gas per second for the l one plus, you know, a handful of other l twos.

所以，我认为此时听众可能会想，哦，好吧。

So I think now listeners might be thinking at this point in the conversation, oh, okay.

听起来，以太坊社区已经有了向抗量子升级的计划。

It sounds like the Ethereum community has a plan to upgrade to post quantum.

他们承认量子计算机终将出现，存在QDay，并且已经制定了应对方案。

They're acknowledging that quantum computers will exist, and there is a QDay, and they have a plan.

现在他们关心的是时间表和所需的工作量。

Now they're wondering about timeline and level of effort.

我将Vitalik关于抗量子路线图的推文发给了Claude。

So I took Vitalik's post quantum roadmap tweet, and I I threw it into Claude.

我当时就跟Claude说：嘿，Claude。

And I was like, hey, Claude.

这里的工程量有多大？

What's the level of effort here?

我们到底在谈什么？

What are we talking about?

这真的有多难？

How difficult really is this?

Claude回答说：想象一下，这相当于九分之十。

And Claude responded like, think of this as like a nine out of 10.

明白吗？

Okay?

这是以太坊有史以来最重大的升级之一，可能是最重要的一次升级。

This is one the most significant upgrade, maybe one of or the most significant upgrade that Ethereum will ever do.

它实际上被比作合并事件，当时我们就像在飞行中的飞机上进行改造。

It compared it actually to the Merge where we sort of had to we had to we had a plane in mid flight.

我们必须把工作量证明引擎替换为权益证明。

We had to swap out the proof of work engine for proof of stake.

现在我们要替换以太坊大部分核心加密技术，这感觉是一项相当大的工程量。

Well, now we're swapping out all of the many of the core cryptography of Ethereum, and that feels like a pretty large level of effort.

所以你能为我们大致梳理一下吗？

So can you, I guess, scope this for us?

首先，我们能在2032年前准备好吗？

First of all, are we gonna be ready for this by 2032?

而且，当你深入进去时，这有多难？

And, also, like, how difficult is this as you're getting into it?

对我们来说，这看起来可能实现吗？

Does does it seem possible for us?

你觉得这令人望而生畏吗？

Does it seem daunting to you?

是的。

Yeah.

所以这个问题的答案有两个部分。

So I have two parts to this, to the answer here.

第一部分实际上比你描述的还要更具雄心。

The the first part is actually it's even more ambitious than the way you framed it.

原因是密码学的变更如此深入，几乎相当于重写了共识层，至少是大部分。

And the reason is that the the change to the cryptography is so invasive that it's essentially almost a rewrite of the consensus layer, at least.

因此，如果我们打算重写共识层，不如彻底重写，加入所有新功能，并清理所有的技术债务。

And so if we're going to rewrite the consensus layer, we might as well, like, properly rewrite it and, like, put all of the goodies and clean up all the technical debt.

这让你想到了什么吗？

And does that remind you of anything?

这就是精益共识项目，我们正在将多个重写工作整合在一起，包括单次最终性以及向抗量子升级的整合。

That's the Lean Consensus Project, where we're basically bundling together multiple rewrites, including the the single start finality with with the the upgrade to to to to post quantum.

所以，是的，这是一个非常雄心勃勃的项目。

So, yes, it is a very ambitious project.

某种程度上，我们是从零开始，构建一个惊人地优美、简洁、高效且可证明安全的系统。

In some sense, we're we're starting from a clean slate and building something, you know, amazingly beautiful and simple and efficient and, you know, provably secure and and and all of the good things.

好消息是，在很多方面，从零开始反而更简单，因为你不再需要应对这些繁重的技术债务，我们可以将规范重写得尽可能简洁明了。

The good news is that in in many ways, starting from scratch is simpler because, you know, you you you're you're you you don't have all of this this this this technical debt, and you we can rewrite the spec to be as as minimal and simple as possible.

这就是‘精简’这个术语的由来。

And this is where the terminology lean comes from.

对吧？

Right?

我们希望实现极致的简洁，让整个状态转换函数基本上只有千行Python代码，连高中生都能轻松读懂。

We wanna have maximum simplicity where we wanna have the the the whole state transition function basically be a thousand lines of Python code that some sort of smart high schooler can just just read.

目前，我们已经有了精简共识的测试网，规范简单到令人难以置信，已经有大约十支团队在没有联系以太坊基金会的情况下，自行实现并接入了开发网。

And right now, we have test nets sorry, dev nets for for Lean consensus, and the specs are so easy to to to ingest that we've seen about 10 teams all implement them, join start joining the the the the dev nets, and do so without even contacting the Ethereum Foundation.

因此，进入门槛相对较低。

So the the barrier to entry is is is relatively low.

我们正处在一个疯狂的时代，AI的发展让你在很大程度上可以靠‘直觉编程’来构建你的客户端。

And we're in this crazy world where AI development means that you can basically just, to a large extent, vibe code your your your clients.

我认为，我们拥有如此多客户端的一个重要原因在于，这些团队常常是单人团队，或者只有两三人组成的小团队。

And then I think there's a big reason why we have so many clients, and oftentimes, we're talking about either single person teams or, like, small, like, two person or three person teams.

我认为这将在可持续性方面带来一些有趣的后果，比如如何为这些客户端团队提供资金，以及如何对以太坊的升级进行治理。

And I think this is gonna have, you know, interesting consequences in terms of, like, sustainability, you know, paying for all of these client teams, as well as, you know, around governance of, you know, how do we make upgrades to Ethereum.

关于后一个话题，我们目前的治理方式大致是：我们有五个共识层客户端，它们都必须实现某个EIP升级才能向前推进。

Like, on this on this latter topic, the way that we do governance today, roughly speaking, is that, you know, we have five consensus layer clients, and they all need to implement the upgrade, so some sort of EIP, in order to to move forward.

而未来，当我们拥有十到十五个客户端时，我们可以只要求前80%或最快的80%客户端完成升级即可推进，这是一种更像达尔文式竞争的机制，能让我们更快地前进，而无需等待最慢的客户端。

And if we want in the future when we have, you know, let's say, 10 or 15 clients, we can just require the top 80% or the fastest 80% in order to move forward, and that's more of a Darwinian competition that allows us to move fast you know, much, much faster without having to to wait for the the the the slowest client.

那么，到2032年我们能准备好吗？

So will we be ready by 2032?

我们到底在什么时候才能准备好？

At what at what point will we be ready?

整个Strawmap已经详细规划到了2029年，这基本上和我在DevCon演讲中介绍Beamchain时所提出的路线图完全一致。

So the the whole Strawmap, you know, has everything laid out up to twenty twenty nine, which is basically the exact same road map that I gave at at my DevCon talk where I introduced the the the Beamchain.

那时候，

And back then

你是最不受欢迎的吗？

You were the most hated?

是的。

Yes.

那是我最不受欢迎的幻灯片，你知道，因为它跨越了四年半左右的时间。

It was the it's my most hated slide TM, you know, because it stretched over, you know, four and a half years or whatever.

而且，说实话，我过去在时间安排上一直不太行。

And, you know, I historically, I've been, like, bad with timelines.

我总是太过乐观了。

I've just been way too too optimistic.

但随着我年纪增长，变得成熟，头发也白了，我在时间规划上越来越好了。我认为这个现实又保守的时间表让有些人不满，但事实就是如此。

But, you know, as I age and I'm I'm mature and I have white hair, I've becoming I've been becoming better at at at at timelines, and I think it was a realistic slash conservative time line that got people upset, but, you know, that's just the the way it is.

但是

But what

为了补充背景，人们不满的原因是，当时正是Solana势头最旺的时候，而以太坊路线图却被认为缺乏技术进展。

was that For adding on the context, the reason why people got upset was this was in peak Solana momentum versus a perceived lack of technical momentum on the Ethereum roadmap.

所以，这也是时机和背景的问题。

So it was also the timing of the context.

不仅仅是你给出的路线图已经推进了四年。

It wasn't just that you were giving a roadmap that was, like, four years along.

我认为两年前也是这样。

I think that was also two years ago as well.

所以我们现在已经相当深入地推进了这条路线图，但当时的背景也很重要。

And so we're also we're decently all the ready, like, decently far into that road map, but it's also the context in the moment as well.

所以我不想让没有这些背景的听众忽略这一点。

So I don't wanna discount that for the listeners who don't have that context.

没错。

Exactly.

对。

Yeah.

那时距离目标还有四年半，而现在我们只差一年半了。

So we're a year and a half away, and back then, it was four and a half years ago away.

所以现在我们大约还有三年的距离。

So now we're roughly three years away.

我对我们可以实现2029年的目标相当有信心。

And I'm relatively confident that, you know, we can meet this 2029 milestone.

而且我认为，如果我们想加快进度，多亏了人工智能，这甚至是一个机会。

And I think there's even an opportunity, you know, if if we want to move, like, faster, thank thanks thanks to AI.

所以到2029年，所有这些都会根据路线图实现吗？

So by 2029, all of this would be implemented if it meets the road map?

我们刚才讨论的所有内容。

Everything we just talked about.

你保证吗？

You promise?

所有内容。

Everything.

我

I

我想到另一个问题，这来自一些老软件工程师，他们过去曾告诉我，他们会说，你知道吗？

another question as I was thinking about this, and this is sort of from old software engineering veterans that have told me in the past that they say things like, you know what?

重写从来都不管用。

Rewrites never work.

他们这么认为是有原因的，但我不是软件工程师，所以我说不出具体理由。

And they have reasons for this that, I'm not a software engineer, so I I I can't recite.

但重写本质上就像一个陷阱，因为这是一种谬论——人们以为重写能一劳永逸地解决所有技术债务。

But it it's basically like the rewrite is kind of a trap because it's a myth because, like, there's this panacea of getting rid of all the technical debt.

但实际上，你只是在现有代码基础上打补丁，结果从头开始反而变得异常棘手。

But, like, what ends up happening is is you just kind of do staple on to the existing code base, and it becomes so much more thorn thorny to start something from scratch.

在这种情况下，贾斯汀，你说的是，嘿。

In this case, Justin, you're saying, like, hey.

重写将是一个全新的开始。

A rewrite is going to be a fresh start.

它会成功的。

It's going to work.

你凭什么这么有信心？

What what gives you that confidence?

为什么我脑子里总有个古老的软件开发者在告诉我，重写从来都不会成功？

And why why is there something in the back of my head of some ancient software developer telling me that that rewrites never work?

还是说，为什么这个说法在这里不适用？

Or is why does that not apply here?

一个好消息是，从某种意义上说，我们已经做过这种大规模的重写了，就像你提到的合并事件。

One piece of good news is that in some sense, we have already done this type of large rewrite as you alluded to with the Merge.

我们彻底改变了以太坊的共识基础，从工作量证明转向了权益证明。

Like, we completely changed the consensus foundations of Ethereum from proof of work to to to proof of stake.

所以，这在某种程度上证明了这种事是完全可以做到的。

So that's, in some sense, is an existence proof that it can be done.

而且，以太坊对这种雄心勃勃的项目并不陌生。

And, you know, Ethereum is is no stranger to ambitious projects.

你知道的？

You know?

我们还做过其他非常雄心勃勃的事情，比如信标链和数据可用性采样，这些项目的规模也差不多。

We've had other, like, very ambitious things like bank shouting and and and data value sampling that is kind of on a on a similar scale.

另一个好消息是我们别无选择。

Another piece of good news is that we have no choice.

我们必须改变密码学。

Like, we have to, you know, change the cryptography.

这是一个非常强大的推动因素，单凭这一点，我认为就已经相当于80%的重写了。

It is a very strong forcing function, and that alone, you know, I would argue is is a, you know, 80% rewrite anyway.

因此，这使得协调和达成共识变得简单得多。

So that that is that makes the the the the the coordination and coming to consensus much simpler.

还有另一件事，你请说。

And then the other thing else go ahead.

我想我们应该强调，不仅仅是以太坊别无选择。

I guess we should emphasize, it's not just Ethereum has no choice.

整个加密领域都没有其他替代方案。

No one in crypto has an alternative to this.

加密领域的每个人都必须进行一次重写。

Everyone in crypto has to do a rewrite.

对于比特币来说，它只是使用ECDSA，但仅此就已经足够了。

With Bitcoin, it's just ECDSA, but that in itself is enough.

是的。

Yes.

因此，以太坊可能需要比其他链进行更多的重写，这与验证节点的数量有关。

So it's possible that Ethereum has to do more rewrite than other chains, and this has to do with the number of validators.

所以，如果你只有大约100个验证节点，那么你完全可以承受共识层上10倍大的签名所带来的成本。

So if you only have, let's say, a 100 validators, then, you know, you can just absorb the cost of the the 10x larger signatures at the consensus layer.

这并不是什么大问题。

It's it's not too much of a big deal.

因此，对于大多数权益证明链来说，实际上并不需要我们所具备的这种复杂性。

So for most of the the the the proof of stake chains, actually, you don't need the sophistication that that we have.

但对于以太坊，我们希望每秒插槽都有数万个验证节点参与投票，这相当于每秒数千笔交易签名，我们必须非常有创造力。

But for Ethereum, we're hoping to have, you know, tens of thousands of validators voting every single slot, which is, again, like thousands of seconds transactions, signatures per per second, and we we we we have to we have to be very creative.

我同意你的观点：所有区块链在执行层都必须做出重大改变，但其他链的好消息是，以太坊正在承担所有这些前期工作。

Where I would agree with you is that there has to be a very big change for all blockchains at the execution layer, but the good news for the other chains is that the Ethereum is doing all the homework.