Hashing It Out

Episode 62 · 2 years ago

Hashing It Out #62 – Bolt Labs – Ayo Akinyele

ABOUT THIS EPISODE

This episode, Corey interviews Ayo Akinyele, a former security researcher turned CEO of Bolt Labs. Bolt Labs is a privacy solution for the Lightning Network which allows for an asymmetry of knowledge in the channel. While this is quite useful and interesting, we instead turn our focus on things such as attribute-based encryption, a security researcher’s view of blockchain systems, and much more. Join us for an awesome conversation of where we are as a community, and where we’re going!

Links:
– Bolt Labs
– Ayo’s twitter
– openABE

Entering work. Welcome to Hashing It Out, a podcast where we talk to the tech innovators behind blockchain infrastructure and decentralized networks. We dive into the weeds to get at why and how people build this technology and the problems they face along the way. Come listen and learn from the best in the business so you can join their ranks.

Welcome back everybody. I'm your host, Dr. Corey Petty. You're listening to Hashing It Out. Colin is not with us today. Something came up last minute that he had to attend to. He will be with us next week or the week after, depending on how long it takes him to attend to those things. Today's guest, we have Ayo Akinyele, CEO of Bolt Labs. Why don't we do the normal introduction and tell us kind of how you got into the space? We can talk a little bit about Bolt Labs, but I think the majority of this conversation is security focused and interesting things outside of kind of Bolt Labs, but also like tangentially useful for Bolt Labs.

So, hey, Corey, thanks for having me on. Appreciate the opportunity to talk about, you know, security and Bolt Labs. So my background is in cryptography and specifically cryptographic engineering and software engineering. So I basically combined, you know, applied cryptography with writing code at Johns Hopkins, worked on a lot of problems related to transitioning, you know, theoretical advanced crypto to the real world. So I built a lot of libraries and compilers and programming language tools to make that easier for cryptographers as well as system developers.
That got me really interested in the applied side and spent a lot of time working on this idea called attribute-based, attribute-based encryption, and it's a, it's an advanced form of public key encryption that allows you to basically combine confidentiality with access control, so you can encrypt data in a way that you specify attributes that describe that data and then later you can give out keys to the individuals that you want to be able to decrypt with the right credentials, and so it's a really nice way to do, you know, all kinds of access control based encryption. And so I spent a lot of time, you know, building that academically and then did a startup around that. After I graduated from Hopkins, you know, called the OpenABE toolkit, and part of that experience, you know, I spent, you know, basically about four and a half years just understanding how these advanced crypto primitives can be used in the real world, and part of that journey was understanding the practical uses of, of the, of the encryption, and so I enjoyed, you know, essentially the opportunity to get government funding to build this commercial library. This was work done with some of my collaborators at Hopkins and after that I, you know, got introduced to Bitcoin through one of my advisors. I mean, he had already done a bunch of work in terms of privacy, and Matt, Matthew Green in particular. So we, you know, he, he had basically done a lot of work in this space and I've kind of been watching from afar. I was skeptical, but I was interested, and so probably around 2017 is when I kind of jumped in, you know, full time in terms of auditing for cryptographic, sorry, for cryptocurrency related projects, and then transitioned to working on Bolt full time as a result of working with Matt Green and Ian Miers.

Yeah, so let's Bolt and time it goes.
A quick introduction of Scat by first before we see, before we start that, I guess we have a whole interview basically with you on Block Channel where we discuss the ins and outs of Bolt. So if you're interested in that, you're, if you're more interested in that further than what you just say, I'd recommend the audience to go listen to that on Block Channel to get more details on Bolt.

Thanks for the plug. And there's also another podcast with Epicenter. He perfect me to talk about Bolt from a different perspective. But yeah, so. So...

Bolt is really an improvement on, on Lightning for Bitcoin that focuses on the ability to do privacy for two-party channels where you are locking up funds in escrow and you're moving value using that escrow at a very low cost. So it's a way to do fast, cheap payments where you're using the blockchain as the root of trust and you're taking the intermediate updates to that escrow account off chain and so allows you to amortize the cost of moving value over a long period of time. And so this is the de facto way to do, like you know, Bitcoin on a, on a, on a massive scale, where you have all of these trusted connections between entities or between parties and you're able to kind of use these, these established channels to move value, you know, efficiently and cheaply, and so Bolt is building on that by adding privacy and the, the, the limitation with how Lightning is constructed today is that the state in the channel is symmetric. So both sides of the channel see, you know, every state update, and so what Bolt is trying to do is make it asymmetric where one side, whereas who's going to be the customer, is able to see that state and then convince the counterparty, who could be a hub, could be who knows who else is connected to that that their party. But you're essentially proving in zero knowledge each state update, you know that it satisfies certain constraints, which is that like, you have sufficient balance in the channel, you are someone that the person has interacted with in the past and that you know, you have a range proof on the updated balance of the channel. And so they don't learn the current balance of the channel, but they're convinced that, you know, you are a customer that they've interacted with in some past and so you're able to hide in the, in the set of all the, over the set of customers that that counterparty has open channels with.

Yeah, so basically, you start off, I say these are this, this is the rule set they were going to agree to, and then when you start fac us the conversation between one another, you don't see what the content of that each messages. You only see that it, that it's within the constraints of what that initial rule set was. And that's kind of the whole idea of zero-knowledge proofs, right.

Yeah, so those zero-knowledge proofs are a way to prove, you know, publicly to a verifier that a statement is true without having to reveal any secret information. And so, you know, our variant is like proving knowledge of a secret and so, which is a variant of a just a traditional knowledge proof. And so that's based on the hardness of the discrete log problem. It doesn't require any, you know, any sophisticated trust assumptions. And because of that, you know, it allows us to prove very simple statements about the, the channel, you know, at, you know, at a very low cost in terms of efficiency. So it's fast to verify, fast to generate and then you know, it allows us to essentially, you know, build this payment proof that gives this customer this flexibility to not reveal everything about their wallet, their off-chain wallet, but they're able to convince this verifier and update the state of the channel blindly, and so it gives them a way to achieve anonymity and it solves the problem of you having to trust the counterparty, like right now. You know, there's implicit trust that's built into the Lightning protocol in the sense that, like, you're assuming that the counterparty won't share your data in terms of how you, how you use that channel with a third party. And so Bolt is a way to take some of that control back and, and reduce the amount of information that that hub has to store for each channel. And so I also view it as a way to harden routing nodes and that their only job is to perform this function of moving value across different channels.
They can obviously rebalance to make sure that, you know, they have sufficient capacity, but you can learn that information in aggregate rather than being able to link the identity of a particular customer that's making a payment with that actual payment. And so, you know, we're able to kind of achieve this, this balance by, by using zero-knowledge proofs and blind signatures and commitments.

That's really cool and keeps kind of a balance on, on what hubs are capable of doing if they get to the point of like having too many connections, too many peers which are there, too, too much centrality in the graph of what the network's actually doing.

Right, right, and so this is great from a like capability standpoint in the guarantees, the privacy guarantees that we have, but the, the main constraint is that you still require that hubs have sufficient liquidity. So you know, who are the entities that can actually be these...

...trusted third parties or trustless third parties that you know, are able to perform this song? So exchanges come to mind obviously, because, you know, users gravitate to their service, OTC providers, custodians of Bitcoin, qualified custodians of Bitcoin. So entities like Anchorage and, and crypto banks, you know, so Silvergate, Signature. These are banks that are coming up that are crypto friendly and are able to, you know, provide, you know, essential, essentially, you know, serve as, as, as lenders for, you know, crypto startups as well. So I mean, I think any, any, any entity that, that is sitting on a stockpile of, of Bitcoin or whatever the asset is that, that you want to take off chain can conserve what be part of this network.

Essentially, it kind of done that. Sorry, go ahead. I find that interesting in terms of like this is this. It runs with the theme that I see a lot of what this, this whole technology is doing, and that's like giving people options to interact with the people that they want to interact with the way they'd like to interact with them and not like confining yourself to as a narrow form of communication. Right. So, like you can still do all of the things you would like to do, like if you want to have these symmetric relationships with people, you can have them. If you don't bring this gives you an option to not do that, which then the entity that provides these services can then have like a fine-grained resolution in, in how they interact with you based on what the customer needs.

Exactly. And then I think that's the optionality that I think we need at layer two for blockchains, just because we don't know what will be built on top. Right.
We know we have an idea of the type of network that we want to have, but we don't know the applications that will capture the value from a mainstream per sense perspective, and so having this ability to kind of pick between the two is really the, the starting point and for us, you know, privacy isn't an important ingredient to be able to achieve this. There's really no other way to do it, and so all, all our approach has really been to focus on the business to business use case, you know, and in talking to some of the exchanges that, that are, you know, adopting Lightning and thinking of different ways to use it, you know they have, you know, requirements to, you know, not only protect the, the bitcoin that they're holding, but to allow users to move that bitcoin outside of their ecosystem, like outside of their security boundary, and so Lightning is a way for them to do that at a very low cost. And so when you add privacy on top of that with Bolt, then you can essentially think of what we're doing as a private network that allows these trusted exchanges, to all these, these exchanges that, that hold a lot of assets to move value privately and hide their on-chain activity from essentially hackers, right, because I mean they're, they're dealing with, you know, having to increase their security budget to secure hot wallets and, you know, continue to try to hide what their on-chain footprint is, right, but it's really a delicate balance. And so from a regulatory standpoint versus protecting from, you know, hackers that are trying to, you know, steal those bitcoins.

And I think what Web 2.0 has definitely taught us the idea that the more you aggregate value into a single place, the more attention you'll attract to yourself. And, and the data breaches alone could tell you all the things there, as well as like where people, where hackers tend to spend all their attention, time and effort.
And, and with public blockchain or trustless blockchain systems, they're inherently public. So if someone does the same type of activity, it only makes them worse that they may be a traditional to point out what's to point out and to taste so like act. Things like this just help them get up the standard in terms of how they would like to protect themselves from having, having value stolen.

Right, right. And so for us you know, we've been trying to kind of identify how we can, you know, best solve these, these important pain points that allow the ecosystem to continue to grow, but like allows us to show the value of where privacy can have the most impact. You know, for, you know, the massive corporations that exist in crypto today that don't seem to be going anywhere, right. I mean, obviously we want the, these exchanges to be completely decentralized, but you know, based on the trend you know that's not likely within the next five years. You know, decentralized exchanges just still too small into but, but there is an opportunity to have a bridge between, you know, centralized exchanges and decentralized exchanges, and I think layer two is the best way for us to build that kind of network. And you know, so I think over the next couple years it might not be user facing per se,...

...but I think, you know, once we get through this wave where we've established this, this network for these exchanges to kind of move value cheaply and, and, and be better custodians of crypto assets, then, you know, and, and obviously OTC providers and the custodians are in this bucket, but it gives us an opportunity to, you know, look at the, the user, consumer side of things and, you know, kind of you extend these thing capabilities to them, and so I, my philosophy is really that the B2B case is the best chance for getting our technology embedded, and then B2C will come after that.

And make sense. So I was, I've said this quite a few times and poet of the other podcast that I do, the Bitcoin Podcast, and it's, I think, the main thing that we're doing here in the blockchain space and in total is really, really pushing and incentivizing researchers and businesses to make cryptography usable, right. Right. None of this, none of these things are remotely capable of existing if we don't have these strong security guarantees around the cryptography that we use. That there's like the primitives of building these things up, right. When you entered this space, and especially to coming from a making theoretical cryptography and encryption applicable to systems and having at a deep understanding of how this works and what, and what constraints could you use this particular thing when you will go outside of it? How did you view all of this and how do you do this space coming without coming from that background?

So I think the great thing with academic cryptography is that we have, it's like what, we're always ten years ahead. Like a lot of the technologies that, that are being deployed today have been well researched over the last, you know, a couple decades, and so I think back to eCash.
You know, that was originally proposed like in early s by David Chaum, right, and it was proposing, you know, blind signatures with RSA, and so we've kind of see, I mean it didn't take off because of the, the problem of like trust.

Right. He was still needing to trust that intermediary bank, right?

Yeah, you had to trust the intermediary. And so, you know, Bitcoin removed that, right. It's a decentralized way of doing it and, and I think since Bitcoin we've seen more academic cryptographers kind of switching to this space and looking at the problem of how do we continue to innovate around removing trust? And so privacy is really where a lot of that effort has been directed. And so if you look at Zcash, you know, they started out as a, you know, as a just trusted setup type of approach to generate these, this key material, which they call like a toxic waste that allows bootstrapping these zero-knowledge proofs so that you can generate very compact and, and, and easy to verify proofs, you know, for the consensus layer. In a way that like that. But, but the main problem is that this key material comes out of this trusted setup, and this trusted setup is, you know, depending on how you run it, and you know, it was run in a way that was polarizing or it's and so there's been a lot of innovation around improving, you know, how we do trusted setup and making it more trustworthy and, you know, making it possible to update these initial parameters for zk-SNARKs over time. And so we've seen a lot of work from very talented cryptographers in this particular space, because it's, you know, the Zcash technology is starting to spread, or has been spreading, you know, to other chains. And so, for, for example, Tezos is considering adopting Sapling and so on and on we go in terms of how this technology continues to spread.
And so I think cryptographers are starting to focus more on, you know, the points that we trust intermediaries and you know, removing that trust and looking at solutions that allow us to do that. And so this also involves like distributed key generation and all of this stuff is, is related to, I think, in my opinion, you know, making things more, making blockchains more trustless.

Yeah, and efficient, and a lot of the stuff's like this, like striving, because we had zero-knowledge proofs or zero for starks that for so long, but they just were inefficient. And this, like this type of thing, pushes for the, the applicability of a lot of the stuff in real-world systems so that, you know, end users can actually benefit from the cool things you can do with, with numbers. In that sense, like I did my PhD in basically more or less quantum mechanics, and based in that, there's like a tremendous amount of information theory, because it's a probabilistic based theory, right, and it comes, I come to find out,...

I really, really, really have like a really, I'm very interested at it. I love information theory, how it works and probabilities and how these things tend to kind of work in real-life systems. But had I known that, this world of cryptography would have blown up and a lot of ways are like open, opened up in a lot of ways for, for a lot of interest in new innovative technology. I probably would have done that instead. Right, right. So, like I'm kind of envious of all of the like cryptography researchers out there. They're like, oh shit, like, yeah, like, not a lot. We know, we no longer have to even like stay within academia to be relevant. Right. There's, we're starting to build a lot of businesses and systems that then incentivize people that go out and do research and fund it in a lot of ways, and I think that's one of the really great things that's happened in this space as well.

Yeah, yeah, I think it's the perfect alignment for cryptography in general because, you know, so for me, when I started out, my focus really was on data security and kind of preventing, making harder for data breaches to happen, right, and building systems that do that. And in so, obviously cybersecurity is a huge field in itself, but you know, with, with, with crypto or cryptocurrency, I mean it's, it's like the perfect blend of all of these different concepts and distributed systems to cryptography to, you know, find cryptoeconomics, right. I mean there's just so many different layers to do it and I think it's just provided the perfect application for, for all of us, I think.

Are you familiar with the Pyramid of Pain?

No, I'm not.

Okay, so Pyramid of Pain is this basic blog that came out, I forgot how many years ago, about it's a cybersecurity concept and that like it's you're trying to move up the pyramid of pain to kind of, it's like, as you move up this, this like ladder basically of things you can detect and mitigate within your own infrastructure, you slowly start to make it more and more and more difficult for the attacker to continue attacking and basically, under the same, under the premise that hackers are lazy, they're going to go after the easiest things that don't, that don't make them change their behavior. It's a really interesting, I'll put in a shoutout speed to check it out and I was interested because it from us, from a traditional web security point of view. There's very specific things you move up like a the like things that you change the things you can. They're did for I thinks you could protect against to basically protect organization and make an attacker say fuck it, it's not worth it. Right, my times, right, but usually at the very end it's, it's making of changes behavior in a lot of ways, and I was, I was always curious if people have heard of this and if they thought about it in the context of crypto or web or Web3 and how that changes.

Yeah, I think that's the term that I'm more familiar with, but yeah, like the, yeah, I think that's, that's definitely very true, just because, like the way the space has evolved, like we want things to be decentralized, but we keep coming back to central like gateways, right, that, that still require onboarding users. And one of the things that I remember from David Chaum's like experience, and I think I read this on Wikipedia when I was digging into this a little bit, but like his opinion on why DigiCash didn't succeed, and he felt like, at least the limited deployment that they had, that, that users didn't really understand the value of privacy and it was like too soon and it was kind of ahead of its time.
And so this, this, this, this brought up the idea that, like you know, we're still in this space where, you know, these gateways still represent the easiest way for users to, so, so what I'm getting at is the convenience of, of crypto and so those are the entities that seemed to, you know, capture the, I guess, the attention of users. And so this might be a little off topic, but your comment just got me thinking about at least about that and how we've got to do a better job of, you know, making things more usable.

Here's, here's the thing about that. But I have a lot of trouble with this, because I'm a security engineer for a company trying to have end-user facing customers who were re abstract away a lot of the stuff. But, like, it's a fundamentally different way of thinking about how you interact with a different within entity like the, the channel of communication is fundamentally different. I'm no longer offloading responsibility to someone else. I'm responsible for it. Like the whole tenet of a lot of like peer-to-peer systems and decentralization, and especially with focus on privacy, is that I'm no longer making someone else responsible for anything I hold value. I am, and with that there's a different social contract associated with it that people aren't used to m...

...if I, if, if I offload all the stuff, then my, then what I have to do is not a lot. It's very easy and convenient for me to use them. So by that nature, I'm off, I'm offloading security for convenience in a lot of ways, it's true, and people take that as a fundamental thing, in which and which like what is convenience that you need to do that? I don't think you have to do that in spaces, but there's a tradeoff there in which, like, I need to be responsible for these things. I need to understand that, like, if I lose this, it's gone. No thing else, that anything. You Dude, like, do you think that we can get to the ease of use and convenience of Web 2.0, with the way in which we're building systems in Web3?

Yeah, I think we can. I mean, so there's this, there's this wave of services that are coming out that make it more easy for users to maintain custody of their assets and still be part of the ecosystem, whether for payments or trading or whatever. It whatever, and one of the, the things that, like, is really, really challenging is the key management problem, right, like if there's just so many ways you could, you know you can. You can screw that up and shoot yourself in the foot, and I think that scares a lot of people. But I think there are approaches to make that easier at that leverages, you know, cloud storage, you know things like Dropbox, Google Cloud, in which you can encrypt things, you know, stored to you just use those services as dumb storage to back up your most, you know, sensitive and doing things like Shamir secret sharing.

Were like you. There's the break that break the encryption up in the multiple pieces and then stored on different places so that no one entity has full control over it.

Right, and funny they should mention that, that's one of the underlying building blocks for attribute-based encryption.
Like it's like secret sharing combined with, with, with a over, you know, pairing based elliptic curves and combined with what are effectively called yes. So those are the two primitives, so secret sharing and overpairings, and it allows you to kind of break up a secret, you know. So that's, it could be the thing that, that's protecting a wallet and in such a way that you can, you know, attach specific policies for or conditions for when that secret can be reconstructed, and so these policies can be anything. So it could be like I have my, you know, device, so I have an attribute on my device, I have an attribute in the cloud, have an attribute, you know, in this other application, and so only when I'm actively logged into all three can I reconstruct the secret that allows me to decrypt my wallet.

And is it a more efficient way of multi-factor authentication?

It would be. Yeah, could be. My opinion, it could. It could definitely be. I mean there are some so. So the one problem with, with attribute-based encryption is that it still requires a, you know, trusted third party, you know, for the key generation part of it. But if you are, you know, applying it this to your own data, then you are serving as your own trusted entity, right.

Okay. So, like, let's take it in the context of, you're familiar with what Universal Login is in the Ethereum space? Not as... Okay. So it's basically a smart contract that exists as your identity and it ends up being like your management identity, where you then delegate various levels of trust to various devices that then can sign off on various things. Right, it seems as though this would be something, something useful there, and maybe that's actually how it works underneath.

Yeah, so I think that's the analogy for signatures, you know, for, for what I'm describing, it's more for encryption and so, so I think they are, okay, equivalent. So I mean for signatures it's easily called threshold cryptography.

Okay, yeah, I'm trying to think of like.
It also like because I work for, I work for Status, which is a like a which has a lot of private messaging associated with it, and the context of group chats, encryption of messages and how you, you send, because most of the time when you do group private group chats, it's, that's the same thing as having a one-on-one group chat, just scaled pairwise to everyone in the group, which doesn't scale very well in terms of managing keys, right, as and, and revocation for that matter. And I'm very interested in new types of cryptography or budding types of cryptography that allow a scalable group chat that has a very good user experience in terms of adding and removing people from a group, right.

Right. I mean it's a very difficult problem. I know Signal has done a lot of work to make this more usable, but like there's still a lot of innovation to be done there and I think like revocation is as another problem, you know, especially when you think about people losing their devices and, you know, being able to recover. You know the history of a group chat and you know how far back you know. So there's a lot of, of practical issues that make it, you know, make it hard to build a truly usable group.

That's the difference between that. I kind of like that user experience of centralized versus decentralized, right, and it's...

...with, with birth privacy in mind. But as we, I think, as time continues on and we keep having data breaches and instances of companies who hold this data taking advantage of it and profiting from it, people are going to wise up and realize the privacy is really important to start to look for things that, that give that. But at the same time it's a really hard problem. There's not a lot of people trying to solve it because, right, because the usability is so bad, so growing in a business side of it very hard.

Hmm. Yeah, and I find myself, like when I struggle with Signal, I, you know, revert to using things like Telegram and group chat, you know, and it's frustrating, you know, but it is what it is and I think I'm hopeful that at least with more innovation in the space, you know, we be able to have a truly usable, you know, group chat type app with encryption built in.

Where do you like? What do you, where do you, what are you excited about when you think about all the stuff, because I, we are having a tremendous amount of focus on kind of rebuilding the web in a decentralized manner. You think that's going to work? Are you excited about it? I do. Do you see obvious problems that we're going to hit and then like hit real hard and maybe it's a wall?

Yeah, so I'm, I'm interested to see how it plays out, but I think, you know, there is a lot of potential to, to build it in a way that allows us to do more. I don't, I mean it's hard to identify the winners. You know, there's, there's definitely a lot of interesting work going on, but I haven't paid as much attention as I should to, you know, at least the players.

That's the kind of concept that I don't people think, people get a lot, a lot of people understand is that as things get bigger and broader and people start to specialize into a specific field, as I think there's a cartoon basically is like PhDs basically just digging holes and just into specialization, and the further down you go, the harder it is to lift your head and see like that, even at ground level, see what's going on, to keep up. This is another thing. It's really, really hard. There's so much going on in the space that I remember we started this podcast, or like the Bitcoin Podcast proper, I understood everything that was going on. I knew everything that happened within the Bitcoin space because there wasn't that much, it was very easy to keep up and give people a pulse of it. Now it's just, it's everything that all of the different networks, all of the different innovation within a single network. It's impossible.

And so, so I was interested in Blockstack for a bit but, like I mean, I'm not entirely sure on where, how they're doing in terms of, you know, mainstream uses. I mean I know they have like sample applications that are Web3 friendly. You know, things like Google Docs and, or Google Doc equivalents, you know, in a decentralized way. And you know, I've paid attention to some social media related projects like, you know, the try to reinvent, you know, Facebook in a centralized way and with privacy built in. You know. So I've seen those ideas. Just don't know how well they're going to do with users.

And yeah, it's like with the people who need to use them. If they're coming, they're coming to them with the same idea that they're using the same thing, then they're going to have a bad time in terms of user experience. They're going to go back to it, right.

Yeah, yeah, for sure.

I just had a question. I forgot it, damn it. Well, oh, yeah, attribute-based encryption. I see it. They said it's, it's based on encryption.
So you're wanted to trying to obfuscate data on a certain button. Public key encryption also's an evant form of public encryption OAKS. I'm thinking about like what. How could that set up potential use for something like decentralized storage? Yes, absolutely. So, so one of the, so there are two flavors for, and we can call it ABE just. So there's a key policy variant, which basically means that you know the policy that you want, that you have in mind for your access control, is attached to the key material that you generate and then attributes are used for encryption, and so you can essentially give specific people, you know, keys that have specific conditions that allow them to access certain content. So it more maps to like electronic medical records, where you have a diverse set of information and that you want to chop it up into data objects and encrypt each thing differently based on the attributes that best describe that piece of data. And then you have another variant called ciphertext policy...

...that has the relationship reversed. So you have attributes on the key and then you have a policy attached to the data. And then what this allows you to do is, you know, role-based access control. So if you're a janitor or building assistant, you know, you would only get credentials or the credentials can map to your key and you'll only be able to access whatever your role is allowed to access, and so you can kind of segment data accordingly and so you basically encrypt data with the policies that map to, you know, whatever that data has been used for. Or to try and make out like an intuitive analogy here, people who use Discord basically have a group, bunch of people in a chat room, right? And then you have different channels with different permissions around who gets access to those channels. Right, and that's all done through like role-based access. Each role can have specific permissions on various channels, so on and so forth. So, like this channel can only have this role, this role, this role access to it, so on and so forth. It's the same thing with data. If we just treat the text living in a database somewhere. Hmm, that's the data that that's and then the different roles associated with access permission to that data, to different channels. That's basically the same thing if I'm trying to like picture it or give it an analogy for someone else of view. Right. And so this type of encryption is always best when there's an established way of expressing the access control properties, you know. So if it's you know, there needs to be an access control oracle, something that you can ask, you know, for you know, whenever you're trying to, you know, provide confidentiality and then that's really the best way to kind of deploy it. And so when we were working on this as a startup, you know, our focus was on protecting the Navy's, you know, classified and classify data with all the different security levels.
Right, that's a very good, obvious use case for something like that. Yeah, but the challenge, though, was the key management number one, and then number two, how to generate these access control policies in a way that doesn't reveal too much information about the data. And so that's an environment where, like, if you, you know, think some keyword is not sensitive, like, but with enough metadata around this encrypted, you know, piece of information, you could essentially figure out what it's protecting. And so hiding the policies is something that is needed in some yeah, a process of making the stuff encrypted. You don't want to say this is our bucket of super, super, super valuable stuff, right, right, right. And so that's the tradeoff. Like, there are other techniques that you can, you know, apply on top to kind of hide the metadata, but it just, it's another tradeoff. It makes things a little bit more inefficient and it makes just the overall ability to deploy this a bit more challenging, and so what we ended up doing was just kind of making the library open source. We weren't able to deploy within the Navy at the time just because they didn't have the right, so, first of all, it wasn't a type of encryption that had gone through like NSA reviews. They were familiar with, you know, that they don't use anything without hard standards around them, except for my experience and government contracting companies, right, and so it took like an international body to standardize ABE around 2018 that we were part of. And so that was like when I switched from, you know, that work to crypto. Sold yourself for crypto. Yeah, yeah, but I'm still, like, you know, interested in, you know, companies building around this, you know, and I continue to, you know, support, you know, the library.
But it's one of those things where I think it's still going to take time, you know, for us to see wide deployment of ABE and it's kind of dependent on, you know, finding these, it maybe cryptocurrency might be the best starting point, you know, especially when you think about. It's not just cryptocurrency, so this is where I guess this is my, I guess, argument with Bitcoin maximalists is like what else could it do? Hmm, right. And it's like, if we think about blockchains in general, it's just basically complicated permission control in a lot of ways. If you look at smart contracts, right, the idea of smart contracts and Ethereum, like outside of value movement and the logic around who gets to move value or access value. In a lot of ways it's a lot of permission control or access control on certain things. And if you could build in some of these cryptographic primitives so they like the actual like, you know, cryptographic computation, in a trustless way, then you can build a lot of these...

...permission systems and access control systems and then layers on top and below that actually do really, really novel things without trusting an intermediary to do them. So it's basically like almost like a multiparty computation on access control, right, right, and so that's an interesting thought. So one of the things that's challenging with ABE is that, like, once you've encrypted that data, you can't really operate on it. You have to essentially decrypt it to do things, and you know, so in the context of Ethereum, it seems like that would be problematic because, you know, you would need homomorphic encryption in a lot of ways. Exactly. So, so the perfect combination would be being able to encrypt in that way and being able to operate on it, and so this is where, you know, partial and fully homomorphic encryption come into play, but they aren't as, so partial homomorphic encryption is definitely efficient, but fully homomorphic is still, you know, ways away. But I think that's where we need to get to to be able to do this right, because what we're essentially describing is functional, sorry, computation over, you know, encrypted data, right, and so the less you have to decrypt things to do things with that data, the better off. And so this is why, you know, ABE is best for like files and databases versus like things that are stored on a blockchain, where you need to be able to, you know, process that data before you do things. You need to decrypt that data before you do that. Yeah, the obvious thing that comes to mind, but this is as you build stacks of technology on top of each other. You tend to have tradeoffs at each level you go up. That's true. I can't think of a situation where, like, the next layer up is the exact same thing in terms of all the guarantees you have about what's just halt like data, how that data's managed and accessed, the security, so on and so forth.
And if we keep building layers and layers and layers to make it essentially usable to the end user, how much are we going to have to give up, like are we going to be able to maintain any guarantees from the bottom layer? That's a great question. The goal is to, you know, preserve those guarantees as we build these layers. It's just really, I think the bigger challenge is hiding the complexity of these approaches. Like just change the paradigm and require the participation from, you know, the user and or, sorry, require interaction, and those kind of protocols are harder to deploy because more things can go wrong, right, and so it's a delicate balance. But I, you know, I think the best we can do is, you know, try to just understand the threat models and try to match, you know, the best solutions for the problem versus just, you know, deploying a complex solution just for the sake of deploying it. Right, we have to solve these problems iteratively and in ways that we still preserve some amount of usability, you know, and I think that's, you know, the usability side of things is where a lot of these ideas break down, you know, because it's like wow, so the user has to do X, Y and Z in order to get property X. Or it increases the bandwidth of communication, so there's more data that's being sent back and forth, especially if you're talking about like multiparty computation type protocols. That's another set of techniques that allows us to, you know, solve some of these problems. But, like I mean, it's, yeah, tradeoffs all the way. Let's take, for example, like the Lightning Network, is a great example of this. It's privacy preserving. What does that mean? What it means is that you're not publishing every single interaction you do on chain. You're instead giving that information to the counterparty of the channel you have, right, and so it's like I guess it's not.
It's the privacy is just more fine-grained to who you're sharing it with, right, and then you can trust that person to make sure that they're not using it appropriate. They're using it appropriately, right. So, how we sell the stuff or how we talk about it, especially if we build things on top of Lightning Network and then those things, those type of situations, then propagate to the next level, it's going to make. It's going to make basically each stack is going to be a very, very fine-grained, specific set of like relationships that you apply to or you're okay with, and maybe that's how it ends up, is that, you know, we keep building different things for various types of communication and then you choose what you want to subscribe to, because at the end of the day, I can still use Bitcoin. Hmm, I just they're just it, just maybe an associated cost with it, instead of using something else. That is correct and part of that for us, you know, trying to make a distinction between, you know, privacy and anonymity when it comes to payment channels, because while you know...

...the interaction, like you said, is private, you know the anonymity is from the for the network, right, being able to kind of be part of the network and not, you know, have to trust the end points that you're connected to and in having to trust them with your information. And so everything you said is completely correct. And so I find that some people that I talk to that come from the, you know, Bitcoin and Lightning is private enough, you know, don't see the value of Bolt, and so I try to kind of at least explain what's going on at the lowest level in terms of the interaction within a channel and the payments that I have in a channel, to try to at least, you know, clarify what privacy properties that we're talking about and where it's valuable. But I think, you know, there is a way to have both coexisting in a sense that you'll have, you know, channels that don't have Bolt and but not necessarily like interact with channels that do have Bolt. You could have two things, that was to separately options as options. Yeah, and so that would be the ideal for us and in a way that's still kind of compatible, interruptable, interoperable with existing. All right, man, are there? Is there any... We have to wrap up from here. Are there any questions that you wish I would have asked you or that you would like to have talked about that I didn't get around to? That is a great question. Actually, not really. I mean, I think, you know, with the other podcasts and then in this one, I think we've, you know, we've talked about more things that didn't get a chance to talk about in the other podcast. Yeah, thank you for, yeah, of course, thanks for coming on and diving into more things that I'm fascinated by. I told my wife the other day that if for some reason there's another massive bull run and we could cash out a bunch of money, that gives me about it allows me to sit somewhere and not care.
I would just go back to school and get a PhD in cryptography because all the stuff is so fascinating and I just want to have, I don't want to have any responsibility outside of focusing on the stuff to see how it works and work and go. I'm excited for a lot of the future. I just hope that we're able to do it in a way that's useful. I totally agree. Yeah, and if I could do it again as well, I would probably focus on economics. It's like that. I know, just another one. Yeah, that's going to be a major at some point. Right, you're going to have, like, you know, computer science, economics, cryptography as like your core course load, which is going to be something that because it seems to be like the cryptocurrency or blockchain specialty. Absolutely so. I just found out that cryptoeconomics was a thing. I mean, I've been aware of that idea, but just the so I was at a summer school in VNSA is a plug for the first international summer school for a blockchain and security and privacy and so there was a session on just cryptoeconomics and understanding efficient markets and that just blew my mind in terms of, you know, the depth and the breadth of what that means and arbitrage and all of the things that have been happening in this space for the last several years. A lot of the same tradeoffs you think about in terms of like privacy and security, when you think about like value flow and then risk and trust on who gets to hold that value, right, right, in the economics of security and the Bitcoin network versus other chains. Yeah, it's really, really fascinating. That's one thing I'll dig into more. Right, well, where do people go to reach you, find out more and get in contact? So I'm on Twitter at Ja underscore. I can yelling. I basically have a blog. Well, the company has a blog on Medium that you know.
We're going to be pushing up more content and our website is bolt labs dot tech and you can find information about, you know, the vision and, you know, links to our design document and, you know, updates that we're looking to push out in the next few months also. And if they all like this episode, you have to subscribe button. Share with your friends, tell everybody, tell your dog, etc. Join the Slack. You can have conversations with me and everyone else who talks about these things on the regular. I'm always available there and there's a few kind of special bonuses. They'll be only given in Slack, we don't give anywhere else. So thanks for listening and now thanks for coming on the show. Thanks again, Corey.
