比特币者如何应对量子计算？与马特·科拉洛对话 | SLP719

随着时间推移改进这项技术仍然需要好几年、甚至十年或二十年。

Improving the technology over time is still gonna take years and years and and decade or or two.

大家好。

Hi, everyone.

欢迎回到Stefan Lovera的播客。

Welcome back to Stefan Lovera podcast.

今天，与我一起重返节目的嘉宾是Matt Corallo。

Today, rejoining me on the show is Matt Corallo.

Matt是Spiral公司的全职开源比特币和闪电网络开发者。

Matt is a full time open source Bitcoin and Lightning over at Spiral.

对于还不了解的人，他是一位资深的比特币开发者，对生态系统中各种动态有着深刻的见解和贡献。

And for people who don't know, a long time Bitcoin developer, and, obviously, has a lot of, you know, in insight and input around, various things happening in the ecosystem.

今天，我主要想和Matt聊聊量子计算相关的话题，但也会看看其他相关的内容。

Today, I wanted to chat with Matt kind of mainly about the quantum stuff, but we'll see whatever else is relevant.

所以，首先欢迎你回到节目，Matt，让我们听听你的想法。

So, you know, first off, welcome back to the show, Matt, and let's get your thoughts.

你对是否很快会出现所谓的密码学相关量子计算机，有什么最新的看法吗？

Do you what's your updated view on whether we see a so called cryptographically relevant quantum computer anytime soon?

是的。

Yeah.

是的。

Yeah.

谢谢邀请我参加。

Thanks for having me.

是的。

Yeah.

我的意思是，我不是量子计算方面的专家。

I mean, I'm no I'm no expert on quantum.

显然，他们在工程上面临很多挑战。

Obviously, there's a lot of just engineering challenges they have.

冷却、扩大这些设备的规模，你知道，它们需要在绝对零度下运行。

Cooling, scaling these things up, you know, they need to be running at absolute zero.

建造一个足够大的冰箱来容纳大量量子比特是相当困难的。

There's, building a large a large enough refrigerator to to fit a lot of cubits is is kinda hard.

我们目前还没有很多这类技术。

We don't really have technologies for a lot of these things.

他们还有很长的路要走。

They have a long ways to go.

我认为，有些人担心的——无论合理与否——实际上推动了这种叙事的，是担心会出现某种突然的突破。

I think what some people are worried about rightfully or wrongfully that's actually driving some of the narrative is more fear that there's gonna be some kind of sudden breakthrough.

如果你想象一下，某个实验室正在使用大语言模型，而这个模型产生了一个极其创新的想法——我认为以现在的LLM不可能做到，但也许几年后有可能。

So if you imagine a you know, there's some lab that's using an LLM, and the LLM gets some super creative idea, which think it's not gonna happen with today's LLMs, but maybe in a few years.

他们可能会在制冷技术上取得巨大突破，而这种突破我们过去两百年都没能实现，或者在材料科学上取得重大进展，比如室温超导体，那样可能会加速量子计算的发展。

And they come up with some massive breakthrough in refrigeration technology that we haven't figured out in the last two hundred years or some massive material science breakthrough room temperature superconductors or something, then that that might unlock quantum faster.

我认为，这就是一些人所担忧的。

And I think that's what some people are worried about.

以当前的大语言模型来看，这可能并不是一个巨大的风险，但我认为更大的担忧在于，这种突然的突破，而不是技术缓慢进步——毕竟，即使缓慢进步，也仍需要数年、甚至十年或更久。

With current LLMs, it's probably not a huge risk, but I I think that's the bigger fear versus just the slow progress of improving the technology over time is still gonna take years and years and and decade or or two or whatever.

我明白了。

I see.

关于不同时间线，比如你刚才提到的，这种突然突破的担忧，你对此有什么看法吗？

And do you have any thoughts on the I guess, talking about the different timelines, like, as you were kind of touching on, maybe the fear is this sudden breakthrough.

除此之外，你对专家们在这个问题上的看法有什么了解吗？

But outside of that, do you have any thought on where what what are some of the experts saying on this?

比如，我看到的专家们普遍认为，这更像是一个二十年左右的事情。

Like, at least the experts I'm seeing are saying it's more they see it's more like, you know, like a like a twenty year thing.

是的。

Yeah.

我觉得这和我所了解的情况一致。

I think that lines up with what I've seen.

显然，我不是量子材料科学领域的专家。

Obviously, I'm no quantum material science physicist expert.

但我认为，那些并非一味炒作的专家们，普遍提到的时间线是十年、十五年、二十年，甚至二十五年。

But, yeah, I I think the the experts that I've seen who aren't really just trying to pump a bag are talking about ten, fifteen, twenty, twenty five years kind of timeline.

这并不意味着我们不应该为十年、十五年、二十年、二十五年后的可能性做准备，但那毕竟还很遥远。

That's not to say that we shouldn't worry about doing things to prepare for that in ten, fifteen, twenty, twenty five years, but it's still a long ways off.

是的。

Yeah.

另一个主要争议点是，我知道你和尼克·卡特在这方面有过一些讨论，那就是：比特币开发者是否认真对待量子计算？

Now the other big, point of contention, let's say, is and I know you've had some back and forth with Nick Carter on this, is this this point of, are the Bitcoin developers taking quantum seriously?

那你对此怎么看？

So what do you what do you think about that?

是的。

Yeah.

我的意思是，十年前，比特币开发者普遍忽视了量子计算的可能性。

I mean, think there's it's definitely the case that historically, say, ten years ago, Bitcoin developers largely wrote off Quantum.

我认为这与当时主流密码学界的立场也是一致的。

I think that lines up with where the mainstream cryptographic community was at the time as well.

我认为，比特币社区中有很多人，虽然不是有影响力的核心开发者，也没有积极参与比特币开发，但他们要么认为量子计算永远不会实现——这种观点在核心比特币开发者中并不常见，要么就花大量时间谈论它离我们有多远，因为总有人拿这个来批评比特币很糟糕。

I think there are a lot of members of the Bitcoin community who aren't necessarily influential developers or aren't necessarily contributing actively to Bitcoin have either concluded that quantum will never happen, which I I don't think is very common among kind of influential Bitcoin developers, or spend a lot of time spend a lot of time talking about how far away it is because there's this conversations like, Bitcoin's terrible.

我们需要卖出我们的比特币，因为量子计算会摧毁它。

We need to sell our Bitcoin because Quantum is gonna destroy it.

于是人们回应说，嘿，真正的专家都说还要十年、十五年、二十年、二十五年，根本不用担心，诸如此类的话。

And so people respond with, guys, they're like real experts are saying ten, fifteen, twenty, twenty five years away, like, don't need to worry, whatever.

而这就被解读为：哦，这些人认为我们什么都不用做。

And that that then gets read as, oh, these people think that we shouldn't do anything.

我们不需要担心这个问题，或者他们认为我们不应该做任何事。

We don't need to worry about this or that they that they think we don't need to worry about this, that we shouldn't do anything.

我不认为从他们的话中得出这样的结论是正确的。

And I don't think that's necessarily the right conclusion to draw from their words.

他们只是没有谈论：好吧，我们正在做什么。

It's just that they're also not talking about, well, here's what we're doing.

我认为确实人们没有在谈论正在进行的工作，但事实上是有工作在进行的。

And I think it is true that people aren't talking necessarily about what work is being done, but there is work going on.

所以如果你真的去查看一下——我想我之前说过，如果你想了解有影响力的比特币开发者怎么想，或者他们的思路是什么，就去看看资助比特币开发者的顶级机构，比如Brink、Chaincode、Blockstream Research，还有其他几家，然后整体看看这些机构，以及其中不同人员在做什么。

So if you actually go look at I think that a comment that I made is if you wanna look at what influential Bitcoin developers think or what the thinking is, go look at top organizations that fund Bitcoin developers, organizations like Brink, Chaincode, Blockstream Research, There's a few others, but and then look at the organization as a whole as a whole and look at what different people within that organizations is are doing.

所以如果你看一下Chaincode，他们的加密货币团队发布了一篇研究报告，讨论了比特币与量子计算、不同时间线、不同方法以及如何解决这些问题等。

And so if you look at Chaincode, well, Chaincode's crypto folks came out with a research paper talking about Bitcoin and quantum and the timelines for different things and different approaches and how it could be solved, etcetera.

显然，他们正在认真思考这个问题，至少在探讨：什么是限制条件？

So clearly, they're thinking about it and taking it seriously, at least approaching the problem is like what what are the constraints?

我们应该做什么？

What should we do?

我们能做什么？

What can we do?

等等。

Etcetera.

再看Blockstream研究团队，那里的密码学家，比如蒂姆·鲁芬和乔纳斯·尼克，一直在从事比特币抗量子密码学的研究。

You look at Blockstream research, well, of the cryptographers there have been working on Bitcoin post quantum cryptographic research, both, Tim Ruffing and Jonas Nick.

Brink在这方面少一些，但Brink更侧重于比特币核心的日常维护工作。

Brink a little less so, but Brink focuses more on day to day, maintenance of Bitcoin Core.

所以我认为，你不能合理地得出这样的结论：既然那些雇佣了一些顶尖比特币开发者的机构正在研究这个问题，就说明比特币开发者们根本没有在做这件事。

So I don't think you can reasonably conclude that because the organizations that, you know, hire some of the top Bitcoin developers are working on this, clearly Bitcoin developers aren't working on this.

我不认为这是一个合理的结论。

I don't think that's a reasonable conclusion.

对。

Right.

而且，我知道还举办过一次普雷西迪奥比特币量子峰会，我记得是在五月左右。

And, I know there was also the Presidio Bitcoin Quantum Summit, and that was I think it was May, around there.

所以，当时有很多知名的比特币开发者、研究人员，还有一些量子物理领域的专家出席了会议。

So, there was a lot of, you know, well known Bitcoin, you know, developer, researcher types who were there along with some quantum people.

因此，我确实认为，也许那些认为量子计算很快就会到来的人会感到担忧，觉得这样的应对速度不够快。

So certainly, I think maybe the concern from the, let's say, people who think quantum is coming really soon, Maybe they see it like, oh, that's not fast enough.

或者，他们担心比特币社区还没有制定出应对计划。

Or or there's this concern of, oh, the Bitcoin community doesn't have a plan in place.

但我认为，制定一个计划也可能有些棘手，因为我们在试图——我认为彼得·维拉在《比特币OpTech》播客中提到过这一点：你如何让未来的社区遵守这个计划？

But I think it's also maybe a bit tricky to have a plan in place because we're trying to and I think this is a point Peter Willa made on, the, Bitcoin OpTech podcast, which was how do you bind a future community to this plan?

我们可以现在制定一个计划，比如以2026年2月的现状为基础，但五年后、十年后的比特币社区会怎么想呢？

Like, we could put a plan and say, is what we think right now as of February 2026, but what do Bitcoin people think five years from now, ten years from now?

是的。

Yeah.

我认为这是对的。

I think that's true.

确实，要讨论在量子计算机成为对比特币现实威胁的某种情景下应该发生什么，会变得非常复杂，因为具体情景的细节非常微妙。

And I it does get very complicated to talk about what should happen in a quantum in some scenario where a quantum computer becomes a realistic threat to Bitcoin because there's so much nuance to exactly what the scenario is.

我们是经历了多年的缓慢技术进步，然后才开始接近那个阶段的吗？我认为这几乎是最有可能的情景。

Did we have years of slow technological progress and then we started to get to that point, which I think is by far the most likely scenario to be clear.

但又有多少钱包已经迁移到某种抗量子的方案了呢？

But then also how many wallets have migrated to some kind of post quantum scheme?

它们是什么时候迁移的？

How long ago did they migrate?

是在过去两年内吗？

Was it in the last two years?

还是十年前就迁移了？

Was it ten years before?

是就在之前吗？

Was it right before?

他们根本就没有迁移吗？

Have they not migrated at all?

哪种类型的钱包？

Which types of wallets?

比特币社区有哪些群体？

What groups of Bitcoiners are there?

这完全取决于具体发生的情景，我不认为我们不仅不能强迫社区接受我们现在做出的决定，甚至很难预测他们将来会怎么做，因为影响他们决策的因素有很多，我们只能推测。

It's so much depends on the exact scenario that happens that I don't think not only can we not bind the community to some decision we make, the future community to some decision we make now, but it's kind of hard to predict exactly what they'll do because there are a lot of things that are gonna go into that decision that we can guess at.

我认为我们有一些合理的推测，但并不明确。

And I think we have some reasonable guesses, but it's not clear.

是的。

Yeah.

所以现在我们来讨论一下，作为比特币用户，我们能做些什么，比如进行一次或多次软分叉来应对这个问题。

So in the now talking in the realm of what could we Bitcoiners do in terms of, okay, having a soft fork or multiple soft forks that do something about this.

显然，人们热议的一个重大提案是Hunter Beast提出的Bit $3.60，还有Ethan Harman，以及另一位我暂时想不起名字的人。

Obviously, the a big one people are talking about is the Bit $3.60 by Hunter Beast and, I think Ethan Harman and, I think one other person, I forgot the name right now.

然后，大概的思路是这样的：

And then the I guess the general approach is like this idea of, okay.

假如你设计一种特殊的输出类型，具备抗量子特性，选用某种后量子密码学方案，这可能就是这个想法的核心。

What if you had, a special output type that was quantum resistant and, you know, pick some flavor of post quantum cryptography, and that might be that idea.

我知道你自己也提出过一个方案。

Now I know you've also put out an idea yourself.

我不确定这个方案有没有正式名称。

I don't know if there's a name for it.

所以，在我与Jonas Nick的对话中，我们姑且称之为‘Matt Corrella方案’。

So, in my episode with Jonas Nick, we were kinda calling it the Matt Corrella plan, let's say.

那你对这个Matt Corrella的量子方案有命名吗？或者它叫什么？

But do you have a name for the Matt Corrella quantum plan, or what is it?

没有。

No.

所以，为了稍微回顾一下历史背景，在比特币的发展过程中，钱包采用新技术的速度一直非常缓慢。

I so I I think it's there's so to set the stage maybe a little bit, historically in Bitcoin, it's been the case that wallets adopt new technology at a glacial pace.

事实上，在大多数情况下，钱包根本不会采用新技术。

In fact, in most cases, wallets simply don't adopt new technology.

新技术得以被采用的唯一途径，是当旧钱包失去流行度、停止运营或不再维护时，由新的钱包取而代之。

And the only way new technologies get adopted are when wallets cease being popular, go out of business, stop being maintained, and new wallets get built instead.

因此，讨论一种新的抗量子输出类型会带来巨大的生态系统成本，正如我们所见，采用新的输出类型、新的地址格式都极其缓慢。

So talking about doing a new output type that is quantum resistant has massive ecosystem cost, As we've seen adopting new output types is new address formats, new output types is really, really glacially slow.

现在，Bech32m（Taproot输出类型的编码）以及之前的Bech32，都设计得具有一定的向前兼容性。

Now veg 32 ms, the taproot output type encoding as well as veg 32 before it are designed to be a little forward compatible.

因此，即使你今天不理解一种新的输出类型，理论上你仍然可以向它发送资金，但谁也不知道所有钱包是否真的做到了这一点。

So you should be able to send to a new type of output even if you don't understand it today, but who knows whether all wallets actually do that.

更重要的是，我认为任何一种在使用时会产生显著成本的输出类型——所有量子或后量子方案的运算速度普遍慢得多，体积也远大于现有的SECP签名。

More importantly, I think any output type where spending it has a material cost, which all of the quantum post quantum schemes are much slower, generally much larger than existing than existing SECB signatures.

因此，这将导致更高的交易费用，对吧。

And so that's gonna be higher fees, right.

如果你要使用一个与这些交易的钱包，你将面临更高的费用，而且是显著更高的费用。

If you're gonna if you want to use a wallet that transacts with these things, you're gonna have higher fees and really materially higher fees.

不仅仅是高出10%之类的，我们说的是费用翻倍、三倍甚至四倍，这突然之间就变得很重要了。

Not just 10% higher or something, we're talking double, triple, quadruple the fees, and all of a sudden that's kind of material.

所以，我不太相信这些钱包会在任何有意义的时间范围内采用这些方案，对吧。

And so these I don't really buy that these wallets are going to that these schemes are gonna be adopted in any time horizon that makes it relevant, right.

今天将后量子签名添加到比特币的唯一理由，是为了让那些用于极长期存储的钱包采用它。

The only reason to add post quantum signatures to Bitcoin today would be for very very long term wallets to adopt it right.

我们说的是冷钱包，人们可能刚开始使用比特币，但没怎么在意，然后就忘了，五年、十年、二十年后才想起来。

So we're talking cold storage wallets, people who might just start to use Bitcoin and not think about it, and then forget about it, and come back to it five, ten, twenty years later.

任何因为费用高出4倍、5倍而让钱包不愿采用的方案，都无法实现这个目标。

And any scheme that wallets aren't going to jump to adopt because it has 4x, 5x higher fees just doesn't accomplish that goal.

这并不会真正产生实质性的推动作用。

It doesn't really move the needle materially.

不过，这终究是我们将来需要的东西。

Now that's something we're we're gonna need eventually.

所以很高兴有人在研究这个问题。

So it's good that people are working on this.

再过十年、十五年，当密码学上有意义的量子计算机即将成为现实时，那时我们就需要这样的方案了。

In ten, fifteen years, when a cryptographically relevant quantum computer is kind of more imminent, then okay, yeah, we're gonna need a scheme like this.

我们需要开始把所有人迁移到这种方案上来，因为再使用secp签名已经毫无意义了，它们根本不安全。

We're gonna need to start migrating everyone over to this because it doesn't even make sense to have secp signatures for anything anymore because they're just not helpful, they're not secure.

我很高兴有人在研究它，但我认为它今天并不相关。

I'm so happy people are working on it, I don't think it's relevant today.

那么，今天我们能做些什么来推动钱包的准备工作，确保未来当密码学上有意义的量子计算机成为迫在眉睫的威胁时，比特币社区不会有疑问，而是拥有更多选择？

Oh, what can we do today that moves the needle on getting wallets ready so that there's no questions by the so that Basically, so that the future Bitcoin community, when a cryptographically relevant quantum computer is an imminent threat, has more options.

我们的目标是让钱包完成迁移，使这个社区在未来面对这个问题时拥有更多应对方案。

Our goal is to get wallets migrated so that that community has more options on what they can do to address the problem.

而我认为今天唯一可能被钱包采纳的、真正有意义的做法，是没有任何额外成本的方案。

And the only thing that I think makes sense today that really wallets might adopt is something that has no additional cost.

所以蒂姆·鲁芬实际上发表了一篇更正式的论文，分析了Taproot输出，并得出结论：如果我们有一个Taproot输出，其脚本路径花费中包含一个后量子签名，并且有软件可以禁用密钥路径花费，那么这就是量子安全的。

And so Tim Ruffing actually did a more formal paper analyzing taproot output and says that concluded, look, if we have a taproot output with a post quantum signature in one of the script leaves, in the script path spends, and there's a software to disable the key path spends, then that's quantum secure.

所以量子计算机无法以某种方式将Taproot解包成不同的脚本路径之类的东西。

So the quantum computer can't somehow unwrap the Taproot into a different script path or something like that.

这实际上是Taproot的设计目标之一。

It's it's this was actually a design goal of Taproot.

这是一个有意的决定，但蒂姆·鲁芬写了一篇更正式的论文分析了这一点，并得出结论认为这一设计是正确的。

This was a deliberate decision, but Tim Ruffing wrote a more formal paper analyzing this, concluding that it was done correctly.

所以我们可以这么做。

So we could do that.

我们可以决定，在Taproot的一个叶子中添加一个非常昂贵的基于哈希的签名方案。

We could say, okay, we're gonna add a very expensive hash based signature scheme in a Taproot leaf.

结果，未来的社区可以选择禁用密钥路径花费。

And as a result, the future community could decide to disable that keypad spend.

现在这些钱包就没问题了。

And now these wallets are fine.

它们已经升级了。

They're upgraded.

它们已经完成了。

They're done.

对吧？

Right?

所以它们一直把这东西藏在Taproot的叶子中。

So they've been hiding this thing in the taproot leaf this whole time.

它们从未公开过它。

They never revealed it.

它们从未使用过它。

They never used it.

它没有任何额外成本，因为它们现在只是使用键控支出。

It had zero additional cost because they just use the keypad spends today.

然后在未来的某个时候，比特币社区可以说：好吧。

And then at some point in the future, the Bitcoin community can say, okay.

现在它有风险了。

Now it's a risk.

我们要禁用那个键盘支出功能。

We're gonna disable that keypad spend.

现在你必须使用另一个更昂贵、更大之类的替代方案。

Now you have to use this other thing, which is more expensive, you know, larger, whatever.

但这也无所谓。

But it's still fine.

你还是拥有你的钱。

You you still have your money.

这没什么大不了的。

It's no no biggie.

是的。

Yeah.

所以让我们花两秒钟确认一下没有人掉队。

So let's just take a second just to make sure we haven't lost anyone.

当我们今天在比特币中进行支出时，对吧，在Taproot的背景下，如果你使用的是p2tr Taproot输出，正如你所说，你有一个密钥路径，据我理解，这就像一个智能的公钥和签名。

So when we go to spend in Bitcoin today, right, in in the Taproot context, if you're using a p two t r Taproot output output, you have, as you mentioned, this key path, which is like as I understand, that's like just the you know, it's like a smart, like, public key and signature.

然后你还有使用脚本路径的选项和机会。

And then you also have this option this opportunity of using a script path.

他们设计协议的方式是，你希望使用这个脚本路径。

And then the way the they're sort of designing their their protocols and things is that you wanna use that.

在大多数情况下，你希望使用密钥路径，但你可以将许多其他条件放入某种脚本路径的花费方式中。

In most cases, you wanna use the key path, but you can put in a lot of other conditions and things into some kind of script path, spending path way.

你所说的正是这个想法：嘿。

And what you're talking about is this idea of, hey.

如果我们只是使用现有的Taproot，但配上特殊的、抗量子的脚本路径花费方式呢？

What if we just use the existing Taproot, but with special, like, quantum resistant script path spending pathways

这些路径在你不需要时不会显示，只有当你真正要花费该路径时才会出现。

that are not shown, until you actually need it, until you actually go to spend that pathway.

我理解得对吗？

Have I got you have I got that right?

没错。

Exactly.

是的

Yeah.

所以这完全是透明的。

So it just it's totally transparent.

钱包会自动处理。

Wallets do it.

根本不用去想它。

Don't even think about it.

你知道，这只是它们创建地址的方式略有不同。

You know, it's just a slightly different format for how they create the address.

地址看起来一样，功能也一样。

The address looks the same, functions the same.

然后在某些时候，如果需要，它们就可以切换到使用它。

And then at some point, if they need it, then they can switch to using it.

在此之前，它完全是透明的，没有任何额外成本。

And until then, it's totally transparent, zero additional cost.

好的。

Okay.

因此，钱包显然需要升级，构建出一种包含量子抗性加密的特殊脚本路径，比如Sphinx Plus、Shrinks之类的各种方案。

And so then while wallets would obviously need to do an uplift on, like, building out that special script pathway that has, like, a quantum resistant cryptography built into it somehow, like Sphinx plus or shrinks or whatever the whatever these different ones are.

但Taproot输出部分本身无需更改。

But the actual Taproot output part of it does not have to change.

至于交易所的支持，比如交易所的发送和接收功能，这部分很容易实现，而且可能是一个渐进的过渡过程，因为人们可以继续使用他们现有的设置，而无需完全转向一种全新的范式——如果我们最终要全面采用量子输出，谁知道呢？

And in terms of exchange support and, like, exchanges sending and receiving and things like that, that part is easy, And it's maybe a bit of a gradual transition because then people can just, like, keep using the same setup that they already have without having to kind of go into an entirely new paradigm where if we're going to, like, fully quantum outputs and maybe we eventually are gonna go there, I mean, who knows?

但要做到这一点，我们需要专门的硬件钱包、专门的软件，以及一套不同的用户流程，对吧？

But we're gonna need like special hardware wallets for that and special software for that and like it's it's gonna be a different user flow, isn't it?

是的。

Yeah.

是的。

Yeah.

所以这确实让事情变得更简单了。

So it it does keep things simpler.

但现在这仍然不是免费的，硬件钱包需要知道这种新地址类型是如何派生的，因为硬件钱包必须能够识别哪个地址是找零输出属于我的？

Now it's it's still not free, you might a hardware wallet needs to be aware of how this new address type is derived, because the hardware wallet has to be able to identify which address is that change output mine?

这个输入地址是我的吗？

Is this input address mine?

因此，比特币社区仍然需要进行一些非 trivial 的升级，但对普通钱包来说要简单得多。

So there is still a non trivial lift across the Bitcoin community, but it's much simpler, especially for just a simple wallet.

如果你只是一个普通的钱包，不支持硬件钱包或类似功能，只是一个钱包，那就非常简单了。

If you're just a normal wallet that's not doing hardware wallet support, doing anything like that, you're just a wallet, is really easy.

对吧？

Right?

因此，这至少能让一些更简单的情况真正开始推进。

And so that at least enables some of the simpler cases to really start moving.

好的。

Okay.

所以

So

我只是在努力理清这个思路。

I'm just trying to think this through.

所以，另一点是，这些抗量子或后量子密码学通常要大得多，比如在链上占用的空间之类。

So and then I guess the other thing is because these quantum resistant or the quantum the post quantum cryptography is generally much bigger, you know, in terms of the size going on chain and things like this.

但据我理解，你只有在花费这条特定路径时才需要展示它。

But as I understand, you would not have to show that until you're spending that particular pathway.

对吧？

Right?

当你花费这条特定路径时，比如你只是进行标准的Taproot公钥花费，你现在并不需要承担这笔额外开销。

You're spending that particular like, if you're just doing, you know, standard Taproot, you know, pubkey spend, you are not having to pay that extra price right now.

这只有在未来才会发生。

It's only in the future.

对。

Right.

它甚至不会出现在链上。

It wouldn't even appear on chain.

没人知道你正在做这件事。

No one even knows that you're doing this.

我认为这种方法还有一个开放的问题是：让人们知道你在做这件事，真的更好吗？

And I think that's one open question with this approach is, is it better that people know that you're doing this?

所以，围绕着当量子计算机是否即将对比特币构成威胁时，比特币是否应该禁用不安全的支出路径，存在一场广泛的争论，对吧？

So there's this whole debate around when or if a quantum computer becomes an imminent threat to Bitcoin, should Bitcoin disable insecure spend paths, right?

即没收或销毁那些没有量子安全支出路径的资金。

So seize or burn money that doesn't have some quantum secure pathway to spending.

如果人们通过链上数据根本无法知道钱包是否已升级，也就无法判断钱包是否具备后量子安全性，这会限制比特币社区在那时做出决策所需的信息。

And if people have no idea whether wallets have upgraded by looking at the chain, they can't see whether wallets are post quantum secure or anything, that limits the knowledge the Bitcoin community has at that point to make that decision.

因此，这里就出现了一个问题：你是否真的希望在链上做标记，是否需要采用不同的Taproot版本，或者要求公钥的某一位必须是偶数或奇数，仅仅为了让人们能够统计性地判断这一升级路径是否已完成？

And so there is a question of like, well do you actually want to tag it on chain, you want to have to get different Taproot version or something just so that or require that the an extra bit in the public key be even or odd or something just so that people could statistically determine whether this upgrade path has completed.

因此，这里确实存在一些疑问。

And so there's some question there.

我认为这是一个亟待解决的开放性问题。

I think that's an open question that needs to be resolved.

但就这种方法而言，我觉得相对简单，就是我们可以直接这么做。

But in terms of this approach, think it's relatively straightforward in terms of like, yeah, we can just do this.

这并没有太多复杂性。

It's not a lot of complexity.

我们会让一些钱包脱离零状态，给人们提供一条路径，并清理好相关事宜，以便在问题变得紧急时，我们有这个选项。

It's we'll get some wallets off zero, we'll give people a path and clean things up so that if a problem becomes urgent, we have this as an option.

因此，看起来我们确实应该直接这么做，但时间和重点是个问题。

And so it seems relatively straightforward that we should kind of just do this, but timeline and focus.

我明白了。

I see.

所以帮我们比较一下所需的软分叉数量。

So just help us compare the number of soft forks required.

对吧？

Right?

比如，在类似比特360的方式中，你可能需要一个软分叉来支持这种新型输出，而且这还可能取决于是否包含了特定的后量子密码学类型。

So in the, let's say, in the bit three sixty style of, like, you you might you'd need a soft fork to to give you that new type of output, and maybe it depends on if they also include, like, the specific type of post quantum cryptography.

然后可能还会有另一个，比如，如果他们要进行沙漏操作或销毁之类的。

And then maybe there might even be another one to, like, if they if they're if they're gonna do, like, hourglass or a burn, etcetera.

在你提出的使用抗量子的Taproot脚本路径的方案中，我猜我们实际上并不需要软分叉来完成第一部分。

In the let's say, in your proposed idea of using a Taproot script path that is quantum resistant, I presume you don't need we don't actually need a soft fork to even to do the first part of that.

你只需要一个软分叉来销毁密钥路径即可。

It's just that you might you wouldn't you have a soft fork to, like, burn the key path.

或者，抱歉。

So or to sorry.

比如，禁用Taproot的密钥路径花费。

To, let's say, disable the key path spend on Taproot.

是的。

Yeah.

我的意思是，理论上，钱包现在就可以开始这样做。

I mean, in theory, wallets could start doing this now.

他们可以说，好的。

They could say, okay.

我要去实现shrinks功能。

I'm gonna pick I'm gonna go implement shrinks.

我要开始把它作为Taproot脚本树的一个叶子节点嵌入。

I'm gonna start embedding it as a leaf on the Taproot script tree.

我永远不会公开它，所以没人能使用它。

I'm never gonna reveal it, so no one can ever use it.

这完全没问题。

And it it would be totally fine.

这不会破坏你的钱包。

This wouldn't break your wallet.

可能值得进行一次软分叉，为这个机制提供共识层面的意义，从而正式确立这个定义。

Probably it makes sense to do a soft fork to actually provide consensus meaning to that to go ahead and kind of enshrine that definition.

这样钱包就不会面临这种奇怪的风险：如果你脚本树的另一部分泄露了，别人就可能偷走你的钱。

So that wallets don't have this weird risk of like, well, if this other part of your script tree leaks, then someone could steal your money.

所以最好还是这么做，但你说得对。

So probably good to just do that, but you're right.

从技术上讲，不需要它。

Technically, don't need it.

那么我们需要的是未来某天进行一次软分叉，以禁用密钥路径支出。

What we do need then is some soft fork in the future to disable the key path spends.

我认为这引出了一个问题：未来的比特币社区是否愿意销毁不安全的币？

And I think that is where you get into this question of does the future Bitcoin community want to burn insecure coins?

因为如果他们愿意，我们就不需要不同的脚本版本，也不需要不同的Taproot版本，只需禁用密钥路径支出即可完成。

Because if they do, we don't need a different script version, we don't need a different taproot version, you just disable the keypad spend and you're done.

而如果未来的比特币社区明确表示：不，我们不想销毁不安全的币，那就需要一种更明确的 opted-in 方式。

Whereas if the Bitcoin community in the future says strongly no, we don't wanna burn insecure coins, then there needs to be a way to more explicitly opt in.

对吧？

Right?

那就需要一个不同的Taproot版本，以便你可以声明：嘿，我已经升级了。

There would need to be a different Taproot version so that you can say, hey, yes, I'm upgraded.

当存在风险时，请禁用密钥路径支出。

Please disable key pass spend when it's a concern.

在我看来，比特币社区几乎毫无疑问会烧掉你的币。

I think in my view, the Bitcoin community is kind of almost without question going to burn into your coins.

我很好奇你为什么这么说

I'm curious why you say

那是因为它有点

that because it's kind of

不太一样。

like different.

但是，我的意思是，我们来谈谈这个，因为如果我——你知道——捂住耳朵，只是感受一下现在的氛围，看，也许这只是声音大的少数人，但我感觉实际上大多数比特币人似乎更倾向于这种想法，哦，也许在他们看来，他们不想做像ETHDAO那样的事情，就是所谓的'回滚链'，或者他们用了个花哨的词来形容，对ETHDAO做了某种特定处理。是的。

But, I mean, I let's let's talk about that because if I kind of, you know, finger in the ear, just kind of read the read the vibe now, look, maybe it's a loud minority, but the sense I get is that actually most Bitcoin people seem to side more on the idea of like, oh, it's maybe in their mind, it's sort of they don't wanna do like the ETHDAO thing where it's like, quote unquote, rolling back the chain or they they had some fancy word for it where they kinda did a, you know, a specific thing to that to the ETHDAO Yeah.

你知道，就是那次黑客事件。

You know, hack.

因此有一种看法认为，如果你销毁这些量子易受攻击的币，那在某种程度上违背了我们在比特币内部珍视的产权概念。

And so there's a perception that, you know, if you're burning these quantum vulnerable coins, then that somehow is cutting against the property rights notion that we that we treasure inside of Bitcoin.

所以这似乎是主要的反对意见。

So that seems to be the main opposition.

我的直觉也倾向于这个方向。

I I I'm sort of my gut feel is towards that direction also.

所以我想知道你对此的看法如何。

So I'm curious where where you're at on that.

你为什么认为大多数比特币用户实际上会支持销毁呢？

Why do you think most Bitcoiners are actually gonna be pro burning?

是的。

Yeah.

听我说。

Look.

现实是，最终会出现一次分叉，对吧？

The reality is the winning there will be a fork, right?

因此，在中期内面临较高的量子计算风险时，有人会编写代码来定义一次软分叉，对吧？

So in the face of some high quantum risk in the medium term, someone's going to write the code to define a soft fork, right?

所以会出现两种币，对吧？

So there will be two coins, right?

到了那时，就像一贯的情况一样，决定权在市场。

And at that point, as is always the case, it's up to the market.

所以市场会审视这两种币，评估更看重哪一个，想持有哪一个，又想抛售哪一个。

So the market is gonna look at those two coins, evaluate which do they care more about, which they wanna hold and which one they wanna sell.

我认为，正如我们已经相当明显地看到的，市场有非常强烈的动机迅速达成共识：不行。

And I think as we've seen pretty robustly, the market has a very, very strong incentive to converge quickly to say, oh, no.

只有当只有一个比特币时，才有价值。

There's only value if there's one Bitcoin.

因此，一旦市场开始行动，所有人都会争相跟进，最终只会剩下一个比特币。

And so once the market starts moving, everyone's gonna get a jump on that and there there will be one Bitcoin.

所以问题在于，市场会更看重哪一个？

So the question is which one is the market gonna value more?

这确实如此。

And it's true.

你知道，这很复杂，因为它涉及各种可能的情景，以及构成每个情景的诸多不同因素。

You know, it it's complicated because it because it it's it gets into how many different scenarios there are, all of the different pieces that might go into a scenario.

比特币被升级了多少、比特币有多脆弱、实际有多少时间可用——所有这些不同的事实。

All of the different facts of how much Bitcoin has been upgraded, how much Bitcoin is vulnerable, how much time actually is there?

我们是提前发现这一点，还是缓慢地，还是非常迅速地发现？

Do we discover this in advance or slowly or really rapidly?

会不会出现某种快速突破？

Is there some rapid breakthrough?

所有这些显然都会影响这一决定。

All of these are going to obviously influence that decision.

但我认为，首要且最重要的是，供需法则占主导地位。

But I think first and foremost, the law of supply and demand is pretty king.

我认为，很可能我们已经看到钱包的变动非常缓慢，适应得极其缓慢。

I think in all likelihood, we've seen wallets move slowly, adapt very, very slowly.

因此，我认为，无论量子计算机何时以及如何成为对比特币的威胁，可供该量子计算机窃取的币数量都将非常庞大。

And as a result, I think no matter when and how a quantum computer becomes a threat to Bitcoin, the number of coins available for that quantum computer to steal will be huge.

即使我们今天就推出软分叉，且进展缓慢而渐进，且公开透明——我认为这两种情况都很可能——即便如此，要等到二十年后才出现量子计算机，这也很有可能、非常合理，即便在这种情况下，我认为钱包也不会在十七年内开始迁移。

Even if we roll out a soft fork today and progress is really slow and gradual and public, both of which I think are likely, and it takes twenty years before we get a quantum computer, which also seems very possible, very plausible, even in that case, I think wallets aren't going to start moving for seventeen years.

对吧？

Right?

因此，你会看到大量量子脆弱的地址。另一个需要考虑的是，量子计算对使用助记词的钱包并不构成风险，这取决于比特币社区如何应对。

And so you're gonna see a lot of quantum vulnerable The other consideration is that quantum is not a risk for depending on how the Bitcoin community approaches it, Quantum is potentially not a risk for any wallet that uses a seed phrase.

没错。

So Right.

如果比特币社区，或者说更广泛的比特币市场认为：有七百万枚比特币将被这台量子计算机窃取并进入市场。

If the Bitcoin community says if if the market around Bitcoin, not just the community, but the market around Bitcoin says, look, there's ten, five, 7,000,000 Bitcoin that are gonna be stolen by this quantum computer that are going to enter the market.

我指的不是比特币总供应量中的一部分。

And I don't just mean that's some portion of Bitcoin's total supply.

我指的是那些将被主动抛售到市场上的币，而不是已经丢失的币，那些原本由长期持有者持有的、原本不愿出售的币，现在却进入了市场的卖方一侧。

I mean, those are coins that are going to be actively sold on the market, not coins that are lost, you know, coins that were lost that are now on the sell side of the market, coins that were held by long term holders who aren't willing to sell that are now on the sell side of the market.

你知道，即使只有百万枚比特币，这也是一个巨大的供应量增加。

You know, that that's a massive increase even if it's only 1,000,000 Bitcoin.

这并不是供应量增加5%。

It's not a 5% increase in supply.

这是市场上供应量增加百分之十、二十、三十甚至四十。

It's a ten, twenty, thirty, forty percent increase in supply active on the market.

所以我认为这会给市场带来巨大压力，迫使它选择一方，那就是焚烧和安全币的一方。

And so I think that's gonna be a huge pressure for the market to pick one side, and that's gonna be the the burning and secure coin side.

也许我错了。

Maybe I'm wrong.

这在一定程度上取决于，我的意思是，正如你所说，这里涉及太多变量。

It kinda matters if the I mean, it's a bit like so as you said, there's so many moving parts here.

我们无法完全孤立每一个因素，但也许在二十年后，比特币价格达到每枚1000万美元或某种疯狂的水平时，情况会不同。

We can't exactly isolate everything, but it could also be that I mean, imagine if it's twenty years in the future and Bitcoin is, I don't know, $10,000,000 a coin or something crazy.

也许黑客们只是会把它囤起来。

Maybe the hackers are just gonna huddle it.

对吧？

Right?

也许他们实际上只想持有，而不是全部抛售。

Maybe they would actually just wanna hold it and not sell it all.

所以我不确定。

So I don't know.

也许吧。

Maybe.

但市场必须评估这一点。

But the the market has to evaluate that.

而且，显然，如果量子计算机在过去二十年里缓慢地被研发出来，那么它们的投资者会希望收回数十亿美元的投资。

And, obviously, if a quantum computer has been built slowly over the last twenty eight over twenty years, they have investors who want their many billions of dollars of investment back.

而这是他们收回投资的唯一方式。

And this is the only way they can get their investment back.

量子计算机并没有太多其他有趣的价值。

There's not a lot of other interesting value for a quantum computer.

所以我认为会存在很大的压力，促使他们尽快在市场上抛售相当数量的比特币。

So I think there's going be a lot of pressure to sell some of it, and to sell probably quite a bit of it at market as fast as they can.

无论如何，市场都必须评估这一风险。

The market has to evaluate that risk in any case.

是的。

Yeah.

我想，但人们最重要的部分是

And I guess But I people the on important part is

对，继续说。

Yeah, go on.

另一个重要因素是，如果他们决定这样。

The other important factor is if they decide this.

所以，如果市场说：不，我们允许量子计算机窃取所有币并出售它们，那么你就无能为力了。

So if the market says, no, we're gonna allow the quantum computer to steal all the coins and sell them, then there's not a lot you can do.

你只能提前升级到量子安全的输出类型，而我认为这种类型在很多年内都不会可用。

Like, you just have to have already upgraded to a quantum secure output type, which I don't think is even gonna be available for many, many years.

所以我认为，这将比市场说‘好吧，不，我们要销毁不安全的币’引发更多混乱，而后者不适用于拥有助记词的钱包。

So I think that's gonna cause more chaos versus if the market says, okay, no, we're gonna burn insecure coins, that does not apply to wallets that have a seed phrase.

因此，你可以禁用不安全的支出路径，并说：实际上，真正安全的是零知识证明，它能证明你知道那个推导出这个私钥的助记词。

So you can disable insecure spend paths and say, okay, actually what isn't insecure is a zero knowledge proof that you knew the seed phrase that derived this private key.

所以钱包从助记词开始，对吧，就是12个或24个单词，然后通过哈希算法生成私钥，再用私钥签署交易，区块链看到公钥并用它来验证签名。

So wallets go from a seed phrase, right, this 12 or 24 words, then they use a hash scheme to go to a private key, which then they use to sign transactions and the public key using the and the blockchain sees the public key which it used to verify the signature.

量子计算机可以从区块链上的公钥推导出私钥，但无法从私钥反推出助记词，因为这是一个哈希函数，而不是标准的椭圆曲线数学。

The quantum computer can go from the public key, which is on the blockchain, to the private key, but it can't go from the private key to the seed phrase, because it's a hash function and not standard EC math.

所以如果我们禁用不安全的支出路径，就可以说：好吧，如果你拥有助记词，你可以通过零知识证明来证明你知道这个助记词，而这就等同于一个签名。

So if we disable insecure spend paths, we can say, okay, actually, if you have a seed phrase, you can do a zero knowledge proof that you know the seed phrase, and then that will count as a signature.

因此，被销毁的代币数量实际上——特别是如果我们谈论的是十年、二十年后的未来——基本上只剩下那些已经丢失的代币了。

So the actual number of coins that are burned, especially if we're talking ten, twenty years in the future, is basically only lost coins at that point.

对吧？

Right?

基本上就是那些十年或二十年没有动过的代币，或者还在使用当前比特币核心钱包的代币。

It's basically coins that haven't moved for ten or twenty years or are using the current Bitcoin Core wallet.

到目前为止，这几乎是唯一不使用助记词派生机制的钱包。

That's about the only wallet out there at this point that doesn't use seed phrase derivation.

所以，希望我们能通过这种软分叉来启用OP_SCHNORR和Taproot叶子结构，然后将这些功能整合进比特币核心钱包。

And so, hopefully, you know, we can do this kind of soft fork to enable op shrinks and taproot leaves, then we can use to put that in the Bitcoin Core wallet.

然后就几乎没有钱包剩下了。

And then there's not really any wallets left.

所以在这种情况下，确实，如果我们将这个软分叉实施，并为这些长期存在的特殊钱包、Bitcoin Core 以及一些大型托管方等不使用助记词的钱包启用该方案，那么如今所有钱包在未来的比特币社区禁用不安全支出路径的世界中，实际上都已经具备了抗量子安全性。

So at that point, it's true that all wallets today, you know, if we we do this soft fork and we enable it for for this long tail of kind of specialty wallets, Bitcoin Core, some of these large custodians, whatever, and don't use seed phrases, and those wallets adopt this scheme, then it's basically the case that all wallets today already are quantum secure in a world where the future Bitcoin community disables insecure spend paths.

有意思。

Interesting.

尤其是如果这还是

Especially if that's a

一个很遥远的未来。

long a way out.

更有说服力了。

More compelling.

所以我认为，这其实是个不错的观点。

So I think that is that's a good point, actually.

我之前没考虑到这个想法：如果我们采用这种方案，当用户拥有助记词时，通过零知识证明来恢复权限，那么在这种情况下实施销毁可能更加合理，因为比如说现在，潜在易受攻击的比特币数量，人们估计大约有五百万到六百万枚。

Hadn't considered that idea that if we use that scheme when the they've got the seed phrase, the ZK proof thing that then allows them to recover, it could be more plausible then to actually do the burn in that scenario because if, like, let's say right now, the number of vulnerable coins is think people have thrown around numbers like five or 6,000,000 BTC that are potentially vulnerable.

但假设我们采用了这种方案，你拥有ZK之类的量子恢复机制——不管这方案叫什么，我不太确定。

But in let's say we did this scheme and you had the ZK kind of whatever quantum recovery, whatever that scheme is called, I'm not sure.

实际上，易受攻击的币数量会大幅下降，我们讨论的就只剩下中本聪的币以及一些零星的其他部分了。

The actual number of coins that are, you know, vulnerable would would drop dramatically, and then we're pretty much talking about, like, the Satoshi coins and, like, a few other bits and pieces.

是的。

Yeah.

实际上，像大型托管机构这样的专业钱包可能有更独特的设置，不使用助记词，但Coinbase也可以适应。

And and really, like, specialty wallets, like, large custodians maybe have more unique setups that might not use a seed phrase, but also Coinbase can can adapt.

Coinbase会迅速行动。

Like, Coinbase will move quickly.

他们可以雇用专业人士来做一些复杂的事情。

That's not can pay professionals to do, like, fancy things.

他们不太需要担心这些。

They're like, they don't have worry as much about them.

对。

Yeah.

所以那就是

I So that's

没那么令人担忧，我想。

not as much of a concern, I guess.

是的。

Yeah.

是的。

Yeah.

这很有趣。

That's interesting.

关于ZK的恢复机制，你知道这是否需要链上非常大的签名吗？

So the thing is with the ZK, kind of recovery thing, do you know if that would require, like, really big signatures on chain?

这会是一个很大的流程吗？

Like, would that be, like, a a big process?

想象一下这种情况发生了。

Like, imagine that happens.

这会不会是需要几年的交易量才能让所有人都迁移到新系统？

Is it gonna be, like, you know, a few years worth of transactions to get everyone over to the new scheme?

是的。

Yeah.

我的意思是，显然，当我们讨论自我分叉掉不安全的支出路径，并做出这类决策时，很可能会有关于是否应因签名体积增大而提高区块大小的讨论。

In the I mean, you know, obviously, in a case where we're talking about self forking out insecure spend paths and we're we're making these kinds of decisions, probably there's going to be discussion around whether the block size should increase as a as a consequence of the increased size and signatures.

所以，我其实并不担心这个。

And so I I'm not really worried about that.

我觉得区块大小会根据情况做出适当调整。

Like, I imagine the block size will be adjusted appropriately for the

那会是什么样子？

And what would that look like?

会是某种量子见证折扣吗？

Would that be like some kind of quantum witness discount?

或者，那到底会是什么？

Or, like, what what would that be?