Hashing It Out

Episode 71 · 2 years ago

Hashing It Out #EP 71-Grin-Michael Cordner and David Burkett

ABOUT THIS EPISODE

Michael Cordner / Yeastplume, long-time Grin contributor and part of the core team, and David Burkett, long-time member of the Grin community, creator of the C++ standalone implementation of Grin, proposer of the soon-to-be-released Tor transaction-building method, and lead on Litecoin's Mimblewimble extension block project. They've both agreed to come on the show.


Welcome to Hashing It Out, a podcast where we talk to the tech innovators behind blockchain infrastructure and decentralized networks. We dive into the weeds to get at why and how people build this technology and the problems they face along the way. Come listen and learn from the best in the business so you can join their ranks.

Everybody, welcome back to Hashing It Out. I'm your host, Dr. Corey Petty, with my co-host Collin Cusce. Say hello, everybody, Collin. Hello, everybody. Today we are going to be talking about Grin. Yes, Grin. It is a blockchain project. We have Michael Cordner, a seasoned Grin developer for quite a long time, since the beginning of the project, and David Burkett, who built Grin++, who I would also consider a seasoned Grin developer. Guys, why don't you start us off by kind of introducing yourselves? Michael, do you want to go first?

Yeah, sure. So, as you saw, my name is Michael Cordner. I go by the handle of Yeastplume, and a big Commodore 64 logo, which we were just talking about, on the project. So yeah, I've been on it, not quite since the beginning of the project, but I'd say maybe five or six months in, after the initial code appeared on GitHub, put up by the project founder. I noticed it, and since then my work has mostly been as a full-time developer on the project for the last year or so, mostly focused on the wallet. So yeah, that's me.

Then I'm David Burkett. Like mentioned, I built Grin++. It's an alternative node and wallet, completely not based on the core code. It's written in C++, a different language, and I've been working on the project, contributing in various ways, for about a year and a half now. I started about five or six months before launch.

Awesome. So let's do the general recap. I'm sure some of our listeners are not aware of what Grin is. Can you kind of talk about the high-level architecture of what Grin is and how it differentiates itself from other projects?

Yeah, sure. I mean, let's start off with the most basic. So Grin is based on something called the Mimblewimble protocol, which seems like kind of a normal word to us, we've been working with it for so long, but for anyone coming into this fresh, it's a Harry Potter term. It was the name of a tongue-tying spell. So that ties into the kind of privacy aspects of the chain at a very, very basic, high level. So, for instance, when you have a Bitcoin transaction, or you sync up a Bitcoin chain, you need to go through the entire chain history authenticating and verifying each transaction, all the way back to the genesis block, one by one, in order to validate it. With a Mimblewimble chain, you only need to kind of validate the sums instead, and that's done through math, a kind of mathematical process, and we'll probably get into that deeper a little bit later on. But what this basically gives you are two kind of main big advantages over more traditional blockchain formats. So the first one would be privacy, because from just looking at the chain data itself, or say the UTXO set, you should not really be able to tell anything about the amounts or the particular users who put the transactions onto there. There's kind of addresses that are generated by a wallet, but it's hard, if you're just looking at the chain data alone, to link that to any individual account, so to speak.

The second feature it gives you is scalability, in that you don't need as much data to do an initial sync. You don't need to store as much data in the chain data set in order to use and join the Grin network. And yeah, I mean at a very, very basic, high level, that would be what Grin is about.

Just to add a little more to that. So that's what Mimblewimble is about. Grin, you know, is an implementation of Mimblewimble: a completely fair-launched, decentralized project created by a pseudonymous founder, after Mimblewimble was posted by a different pseudonymous author. But yeah, there's no premine. It's completely fair launched. It's, you know, no dev tax or anything like that. So it's a pretty cool project.

With so much privacy, how do you know that it's that fair? Like, you mean not being able to see rich lists and stuff like that? Yeah. Is that what you're asking?

If you, I mean, know that everybody kind of had a fair chance. Everybody has a fair chance to acquire coins. There's no one person who has a significant advantage over anyone else. As long as you've heard of the project, which, you know, had been known for several years before actually launching, as long as you've got access to basic hardware, maybe, you know, a slightly newer GPU, or you're willing to buy from an exchange, you can acquire coins pretty easily. Yeah, so it's not necessarily distributed, you know, very in a fair manner like that. There may be someone who owns a decent amount of it. I doubt it, but you can't really know. It's a private coin, like you said, but everybody had a fair chance at acquiring those coins.

Much like the original blockchain, it was just whoever was around first got the fair distribution based on their effort, right? Yeah, back then it wasn't well known, right? So it was just a much smaller market. There were, you know, the launch of Grin was known about for years and it was very anticipated. Like, the launch date, I don't know how many thousands of different GPUs were mining against it. Like, you know, everybody had a much greater chance of getting in early on Grin.

Yeah, I mean, sorry, not to confuse two different concepts of fairness and privacy. So I mean the privacy-enhancing features kind of inherent in Mimblewimble are one thing, but the Grin coin and the Grin project itself, as David was pointing out, very much operates under a principle of trying to be as fair as possible. So, for instance, it's a completely open-source coin. There's a development fund, you know, I'm paid from it, some people are paid out of it, but there's no kind of backing corporation or group of investors expecting a return like you'd see in many, many other coins, which means that decision making can be very long term. It can be, you know, not always perfect, but at least try to be more inclusive of the community as well. So I think the principle of fairness, or at least the goal of fairness, is definitely a driving one in the Grin project.

So a lot of our audience comes from various backgrounds, and we have a pretty good set of people specifically in the Bitcoin space. The history of how Mimblewimble came to be, from my understanding, is that it's based off of Greg Maxwell's CoinJoin. Could you kind of go through how the history started, what CoinJoin is, how we got to like the cut-through stuff, like can you tell me about how the evolution came to wind up being Mimblewimble?

Yeah, I'm not necessarily sure I agree that CoinJoin was the basis for it. The real basis, I think, would be the confidential transactions paper, but again this is by Greg Maxwell and Adam Back, I believe, and the original confidential transactions paper kind of got us part of the way, as far as being able to create a transaction, add outputs into a transaction, and have the amounts completely concealed. The Mimblewimble paper itself, that came along a little while after that, based on that, actually added the kind of Mimblewimble concept to it, which was a method of putting these transactions together and summing them in such a way that you could also prove ownership through something called an excess value. So I'd argue that that's really where the foundations of Mimblewimble come from.

In the author of the paper, pseudonym Tom Elvis Jedusor, he actually refers to confidential transactions, CoinJoin and a couple other things. So according to him, it's like built on four different technologies, I believe, three at least. So yeah, I agree that confidential transactions probably is the bigger part of it, but he does at least refer to CoinJoin and a few other things.

Okay, so I want to build my own version of Mimblewimble. Where do I start? What are the four core technologies? How do they work and how do they all combine together to build something like Grin?

Yeah, so CoinJoin, as you mentioned, the way it works is basically you can have a bunch of parties come together and decide to build one big transaction. So normally your transactions have inputs and outputs, and typically all of the inputs would be owned by the same person, and then in a standard transaction there's, say, two outputs. One would be, you know, to whoever you're sending to, and then the other would be your change. So that's pretty terrible for privacy, because you can basically follow coins along, and people have done that. There's, uh, Chainalysis, yeah, companies that, you know, their whole business model is this. So what CoinJoins do is, instead of having these small transactions with inputs by the same owner, you actually use some kind of centralized coordinator where you would give your inputs and everybody would give their inputs, and then after that everybody would then give their outputs, and everything has to sum up correctly. But you end up with one transaction with, you know, inputs from multiple different parties and then outputs from multiple different other parties, so that you lose some of the original links back to... you lose kind of which person is sending which coins to who. So it's a privacy thing. And like with Wasabi Wallet, it implements it now in Bitcoin, and a few others. But the big problem with CoinJoin, outside of Mimblewimble, is the amounts are still transparent. So you have to actually agree on an amount for each output. So each output, or each, I think each maybe input, has to be, or no, I think it's each output has to be, let's say, one bitcoin, for example. So then everybody has to send their coins in one-bitcoin amounts, or else one-bitcoin increments, or else you can easily find the original link. Let's say, you know, there's fifty participants, but only one of them has an input of, you know, 0.0003 or something, and you know there's the outputs. You can maybe find some that add up to that amount, whatever. So, you know, you just leak way too much data with all these transparent amounts. So you have to actually agree on a specified increment that you're going to send in order to kind of obscure the link. But Mimblewimble improves on that with confidential transactions and stuff. But yeah, the core component is CoinJoin, and it's also interactive. That's a problem too. You have to actually meet at some kind of meeting location, some kind of centralized coordinator who has to interact with all the different parties that are building the transaction. So that's, you know, another big problem with CoinJoin that Mimblewimble solves. So yeah, that's core technology one. Yeastplume, do you want to cover one of the other ones?

Okay, so what are they? So we have confidential transactions, we have the kind of CoinJoin-ish properties of Mimblewimble. Do we want to talk about proof of work? Just mention what the others are. There's Schnorr, and then there's, yeah, interactivity. Okay, those are the four that I see as the core. Okay, that's, I mentioned that first. Yeah, yeah, actually, yeah, that's a good point. Okay. So this is another kind of big difference with Mimblewimble to other blockchains, is that the protocol, at a transaction-building level, is interactive, and I say interactive in the cryptographic sense, in that both parties involved in a transaction need to interact to create the transaction, and the transactions are created... and Schnorr signatures fit in very nicely to this, which is why they're implemented. Is that both parties, just, like, as an example, two parties at the moment, even though you can have as many as you want.
So the person who's putting the inputs in puts their inputs in, and then those are summed up, and then the person who is actually receiving the funds creates a new output, puts it into the transaction. And then there's something in the transaction called an excess value. I'm going to keep that out for now, just not to confuse the example, but basically what happens is all of the inputs plus all of the outputs in the transaction basically equal zero. Okay, and that's at a very, very basic level how a transaction works. And then each transaction has something created that we call a transaction kernel, which contains an excess value and a signature for that excess value that's created by summing all the individual signature parts from everybody who put their inputs and outputs into the transaction. So each party can be involved in a transaction without necessarily having to reveal any other private information they used to sign their parts of the transaction. And then at the end of it you get a combined Schnorr signature that can be used by validators to validate the entire transaction.

And that's part of that. That's only made possible through the expanded feature set of Schnorr signatures, correct?

Yeah, absolutely. I mean, the first version was just using the regular DSA signatures, and it meant the parties had to reveal their private keys. But Schnorr actually allowed us to put together a really kind of elegant scheme combining Schnorr with the Mimblewimble interactivity to create our transaction model.

So yeah, somebody coming from like a Bitcoin world, just to give an analogy, I mean, you have to basically, everybody has to sign the same transaction, like the exact same transaction, with their private key directly. Can you maybe tell how the dynamics of that are a little different for Bitcoiners? A big win is understanding how signature building happens using these Schnorr signatures. Like, specifically, what is the feature of Schnorr that enables you not to need to do that?

Well, we have it because it's additive, right? Because I'm only signing for my inputs and outputs in the transaction. So that means I can sign a partial, basically sign a part of the transaction. So it's only my inputs that I put in. So I put in some inputs and a change output, I create a signature that's right for the value that was created by those and inserted into the transaction. On the other side, someone puts in, say, an output, one single output for their money that they're taking out, or the coins they're taking out of the transaction, and just signs for that amount, right? And then we have kind of an interactive... say we take those two signatures, combine them at the end, and then we have a signature that will cover the amount of all the inputs and outputs that have gone in there, right? And as they say, I mean, that all adds up, and then that should be used by validators in order to be able to validate that.

The way I kind of see this is the process of including Schnorr, and kind of the way it all comes together, is you've reduced the atomicity of what a transaction is in the entire blockchain. Because if you look at the model of Bitcoin, you have nodes or miners aggregating transactions of individual people, putting them into blocks and hashing that block, whereas in Mimblewimble people are doing something similar, but they're not just putting it into a block and hashing that block up. They're aggregating that signature with Schnorr, and that signature is the thing that actually exists in the block.

So I think we're a little bit inaccurate here. I think there's still, each transaction has its own Schnorr signature, so you can't just aggregate all of them together.
Okay, I think we might need to take a step back. I think we've glossed over a little too much of confidential transactions, how they work, and like how to go from that to Mimblewimble. So just to cover those real quick. So confidential transactions, the whole point of them is to hide the amounts. So an easy way of doing that is you just multiply them by some elliptic curve generator points. So, you know, take G or whatever, or I think H. Let's start with H. So we have H, this just common point that everyone knows. And you have your amounts. So if you are sending two inputs, one for one bitcoin and one for two, you would multiply the one times the H and the two times the H, and you would add those up, and that would give you three bitcoins, or three times H would be your input amount, and then you could send that amount to another person, someone else creates an output for it that's worth three bitcoins, and that would be the amount you would show in the transaction. Then it would be three times H. You wouldn't show the three. So they wouldn't know the inputs of one and two, and they wouldn't know the output of three. This has a flaw, which, you know, there's a limited range of what these values can be. So we have to actually add in a blinding factor as well, so it's no longer just one times H plus two times H equals three times H, like that. You have to make sure the balance equation's correct there. But, you know, you can brute force that to determine what those original values were. So you add in this blinding factor, which can be any, you know, private key on secp256k1, so any private key on the curve, and you multiply it by a different generator, call it G. So then each input would have its own blinding factor.

You would have, for our one-bitcoin input, we could have a blinding factor of, you know, some huge number, and then a different blinding factor for the other one. And, you know, you add those all up, and then you have to have that same combination of those blinding factors, you'd have to, you know, also multiply that by the G for the output as well. So you obscure the amount, but you can still do a basic balance formula of, you know, do the amounts on the output, the input amounts, is that, you know, equal to zero? No new coins were created, and as long as that's true, then it's a valid transaction. And that's how confidential transactions work, and, you know, they could be added to Bitcoin with a soft fork today, but you still have those links, and there's no way of pruning there. All you do is you hide the amounts, and they actually are kind of large because they have this range proof involved. So, you know, Mimblewimble takes those, and it's all based off that same formula. The amounts for the inputs all have to add up to the same, you know, amounts in the outputs. And it builds on it farther, and it adds this kernel which Yeastplume mentioned, which ends up being like a private key. So it's an additional blinding factor that's not encoded into the inputs and outputs. I'm trying to think how I'd explain this. It's a way of... I don't know, you know how to go about this, Yeastplume, from where I went?

So, challenge. So it's like, instead of having, you know, let's say you have that one-bitcoin and two-bitcoin inputs, right, and you have your two blinding factors there. Let's call them seven and twelve. Okay, those add up to nineteen, right, and then you also need to make sure that the output has a blinding factor of nineteen as well. Well, instead, what you do is you have this addition. You actually have an additional blinding factor here. Call it seven, or, I guess we already used that, let's call it ten, okay. So we have seven and twelve, nineteen, and then ten, right. So we have twenty-nine, and we add that in the kernel. We add the ten there, and then on the other side it has to equal twenty-nine there. So it's kind of like another input there, but it doesn't affect the... I think, I guess it doesn't go in your output, then, right? Absolutely, it'd be an input, yeah. It's like an additional thing. So your inputs no longer add up to your outputs, then, but your inputs... or your inputs do. Yeah, your inputs and your kernel no longer add up to your outputs. You have an additional amount there. And then kind of like the Schnorr signature comes into play there, where you sort of sign that you know what the blinding factor of the kernel is, to prove that, like, you were the actual owner of those coins there, so to prove that you actually knew what the blinding factor of the kernel was. So then, like, if you know, let's say your blockchain, you know, there should be, for Grin, there's sixty coins per block. And let's say, you know, we have ten blocks, there should be six hundred coins. Well, all the remaining outputs should all add up to six hundred times the H, that elliptic curve point. So we know, you know, we want to check that all the outputs add up to that. But there'll be this additional amount that it will add up to, which would also be like the sum of all these kernels, which are these, like, extra blinding factors that we've added on to obscure the links that, you know, that's what actually obscures the link from input to output. But if you didn't have that, you could easily tie the two together.

Yeah, it's very confusing without, like, a whiteboard or some such. Yeah, I know, I'd just throw in, like, David, I think, has done a good job explaining it there, probably better than I could do, but kind of the first thing that everybody does when learning about Mimblewimble as a new technology is spend about a month trying to figure out the basic mathematics and work out in their head how it all works together. So, you know, relative to how Bitcoin works, it is quite complicated, and there's a few kind of mathematical concepts that maybe, you know, cryptographers will know, but kind of the rest of us, you know, normal developers and such, take a little while to learn the language of how it all works together. So I definitely encourage anyone who's interested to look at the kind of intro that we have on our site, that we'll talk about a bit later, that kind of goes over this in detail, has examples of how this all sits together.

Yeah, and it's not, sorry, it's not as complicated as it sounds, but it's definitely, like, you know, there's just a lot of moving parts. So just kind of listening to something like this and getting how it works is not very feasible, but it is, you know, something that you can learn. It's just all based on the same concepts as Bitcoin. It just adds additional, like, all these blinding factors and stuff.
You just kind of have to slowly add them in and see what each one does. Like, the kernel is added just to prove ownership of coins, and then from that point on we have this additional, like, kernel offset, or transaction offset, as we call it, and that, like, obscures the link from the inputs to the outputs. It's kind of like a privacy thing. So it's just a bunch of components that build on top of each other. So, you know, if you take the time and you learn how confidential transactions work, and then you go learn about what this kernel thing is that can be used to determine ownership, and that's what allows us to prune and things like that, and then, you know, go spend a little more time and then learn, like, this offset thing. It's just one piece built on top of another.

But what I really like is, first off, it's modular design. It's just fantastic. You only have to know, you can become a special expert in one particular area. That makes building a team easier, makes dividing up the work easier, makes it a good project to build. It has a lot of testability features surrounding that, since everything is specifically surrounding these particular components, you can test those individual components. Great from a software engineering perspective, great from an educational perspective. I like the fact that you guys broke it down into the four parts. There's one feature, though, that you did kind of touch on that I'd like to maybe see if you could get a little more into, and that's the size of storage space required for Mimblewimble relative to, say, Bitcoin. You talk about pruning quite a bit. Can you talk a little more in depth about what kind of relative gain we're getting out of, you know, Grin, Beam, like Mimblewimble coins, compared to, say, Bitcoin?

Sure. So, yeah, like mentioned, it's all based on a simple balance equation. All the inputs plus the kernels have to equal the outputs, and so because of this, all that really matters is, like, the UTXOs, because if you spend one output, and then whoever receives that output then spends it somewhere else, so it becomes an input somewhere else, they end up crossing out, right? They cancel each other out. Since it's just a simple add of all of those, when it's in the output, the UTXO set, it's added, but then when you spend it again, you subtract that same amount. You subtract the input. So it ends up becoming a simple balance equation. So since anything that's spent then cancels out the previous output, all that you really need to add up is just the UTXO set at that point. So in order to fully validate the chain, you actually only need the UTXO set. You don't need all of the outputs ever. Like Bitcoin, in Bitcoin you have to download every single transaction since, you know, the genesis block. For Grin, you don't. You just need the current unspent outputs. So it ends up freeing up, I think Tromp says something like a theoretical X. I think it's probably closer to half of that, is what we'd likely see after years of usage. So something like five times smaller, something like one-fifth the size of a Bitcoin transaction.

Yeah, but this also enables us to do something called fast sync, right, which is not an incomplete sync. It's just that, because we only need the sum in order to validate the chain, we can just pick a certain point, say, you know, for example, the past two thousand, go two thousand blocks ago, and have someone send me over the UTXO set from there, and then we just need to kind of validate from there. I think that's something that, whatever horizon we chose, to make sure that, you know, everyone's view matches. So basically, syncing up a new node, you need to download the kind of transaction hash set from a certain horizon from someone else, and they can send you that over as a zip, and then you only really need to validate, say, the kernels, or so you need to validate blocks from there to the current, which is, you know, validate the last two thousand blocks. Assume, because everyone's on the same page, two thousand blocks, that that transaction set was good, which means it takes, you know, a fraction of the time for a new node to join the network that it would take for, you know, someone downloading the entire Bitcoin chain from scratch.
This is something that I've always been interested in with how other blockchains are constructed, and that is the use of newer math and cryptography to provide further proofs or validity checks at each step of the blockchain. That gives you a lot of benefits, in the sense that you're removing the connection between inputs and outputs through some math, which gives a lot of privacy, and it also gives you a lot of speed-up in terms of reducing the need to verify from scratch when verifying the blockchain in total. So right now, what you do in Bitcoin is basically you get the entire UTXO set, and then, if you would like to make sure that's good, you get to start from scratch and verify every single transaction that ever happened. Same thing with Ethereum. Yeah, to make sure that you get back a fit UTXO set, because the transition function doesn't provide that extra feature set of validity. I think a lot of, like, the zero-knowledge proofs are then reducing the ability to have to start from scratch, and all are ways, or at least give better checkpointing. And that's something that Mimblewimble has done, and I'm curious as to, like, what other kind of... Maybe I can restart this question by explaining how I view these things. Like, you get these benefits in a couple different places as you build a blockchain. One is going to be whatever signature scheme you do, and so, like, how you put together signatures which attest to data. The next is how you create what could be considered a valid transaction, and how you gather a bunch of signatures to create some type of change, from a user's perspective, on the, like, global data of that blockchain network. And then you have validators or nodes which aggregate these things and validate them and put them onto the end of the chain. And so, like, at each point of these steps you can introduce new technology to provide either privacy, efficiency, like fluidity, like things like this that make it easier to do, and all the different projects are doing it in different ways to try and, like, make theirs unique. It's that you think it's a good... what are your thoughts on all of how this works?

I mean, absolutely. I mean, a lot of things there. Like, what I think one of the best things personally about cryptocurrency itself is that it's kind of brought cryptography itself onto a more kind of glamorous stage, which means there's been a lot more advances than there would have been without cryptocurrency. Maybe so. I think a lot of Bitcoin maximalists will hate to hear me say this, but Bitcoin kind of looks to me like, you know, running Windows 95 these days, compared to all the advances that have come since then. Obviously, we're more than ten years on from Bitcoin's launch, the technology has changed, but because there's so much money wrapped up in Bitcoin, it's not as easy as most other pieces of software to change or to update or what have you. And I very much see Mimblewimble, or Grin, and all of the kind of, there's a few major projects now implementing Mimblewimble, and I very much see this as another step in the evolution of technology as opposed to the be-all and end-all. So I mean, even you can talk about the technological advances that have gone into Mimblewimble, into Grin, or into implementations of Mimblewimble, but even those now are, look, you know, three- or four-year-old technology choices, based on technology from three or four years ago.
With there's already tons of talk and research about newer technologies, for instance some bls signatures which, you know, they work on a different, different they were comparing base curve cryptography, which is a, you know, a bit newer and not as tested as SETP and older curves. But if it were, if it were, there are we could imagine putting this together in such a way that you no longer and no longer need to keep these kernels around. You should be able to aggregate. You know, all transactions are block and provide one signature for all of them among go which has also, it's a good implications on, you know, privacy and scalability in the future. There's something called our sa accumulators, and when you start combining this with some of the you know, when we start to get into these fanciful conversations, it's almost like we're getting to the point where we don't actually need a chain anymore, we just need a block that moves every time but can still be validated. So I mean, there's a lot of I'm not an expert in any of these kind of new technologies and there's there's to be honest, as far there's too much of them to keep up with for any of any one person, and certainly personally someone who's a developer, not a mathematician. But there's really a lot of exciting stuff. When I very much see the work that we're doing now is a as part of that chain. You know, I expect in five years will have more new technologies that are built on top of this and more, you know, other projects that, you know, build on the engineering we've done here. So that's that's kind of the way I see it. That's kind of like what brings me to something I've been thinking about quite a bit lately is the technology is not going to stop moving right. We're going to keep, yeah, putting money into the development of applied cryptography and distributing consensus and so on and so forth. Or digital scarcity? Right, how we do digital scarcity? How does that? 
How does grin or in any individual project who's done something unique and useful fit in over the long term? Is it like, what's the point? Because digital scarcity is always good, as the people who use it, or I care about it for that matter. Well, from Grin's perspective, I mean green is different from a lot of other coins, as I said earlier, is that it's not a for profit thing like the the the main purpose of the grin project is to try to advance Membo Wimbo technology, provide a platform for this, you know, and move the technology on. So I think you know, from our perspective that's I think that's fairly unique for what we're doing here. I mean we're very happy to see other projects pick up a...

Mimblewimble. The three major implementations that I think are noteworthy: we have Grin; we have Beam, which has a different model, but there's still very respectable engineering going into that, and they're trying different things than we're trying, to see whether they work or whether they don't. We have David working on adding Mimblewimble into Litecoin as well, along with Charlie Lee, which I think is another great initiative there. So yeah, I'm kind of happy with where it is. Also, Monero has Tari, how do you say that, which is sort of a side chain thing for Monero that has its own implementation of Mimblewimble, and it just launched its testnet just last... yeah, I'm not sure how far along that one is. Yeah, so we have four out there. So I was wondering, really quick, there's no good way to transition to this: in November there was some claim that your privacy model is broken and that people, law enforcement for instance, could monitor transactions. You guys have responded to that, but I was wondering if maybe on our show you could also respond to what you think of that privacy attack, maybe describe what the person did and why it doesn't matter. Sure. So our privacy model is not broken, because our privacy model never claimed to give this kind of privacy. But, you know, this is cryptocurrency we're talking about, so hype quickly gets the best of some points. So when Mimblewimble was announced, and Grin announced or whatever, there were all these claims about all the privacy it's going to provide, but as far as its actual privacy, the big privacy advantage here is that the amounts are hidden, and we're still fairly confident that's the case, unless someone somehow finds a way to break secp256k1, which isn't going to happen anytime soon.
So the amounts are hidden and the chain history is lost unless you've personally recorded it. But what this so-called attack did was it just monitored the network for transactions being broadcast, because the way Mimblewimble works is they aggregate. They do a CoinJoin, but they do a CoinJoin as they get new transactions; they can non-interactively just add in a new transaction, just combine them together. So they have this mempool that just keeps combining transactions together to create a bigger CoinJoin transaction that eventually becomes the block. What this quote-unquote attacker did was just monitor the network for all those transactions and just record them. And something like ninety-some percent of the Grin transactions were just broadcast plain as day, just here's the inputs, here's the outputs. So they learned the links there, the chain-analysis-type links where you can just follow the inputs to the outputs. Those are typically broadcast transparently. The amounts are hidden, but we still see inputs and outputs. As Grin grows, as it gets more usage, we use this transaction broadcast mechanism called Dandelion++, which, instead of just broadcasting your transaction when you create it, actually sends it to one other peer, who then passes it to one other peer, and they just kind of quietly pass it around from one to another until one finally randomly decides just to broadcast it. Well, during that stage where you're just handing it off to one neighboring peer, they can...

...actually aggregate other, what we call stem pool transactions, transactions that haven't been broadcast yet. So they can actually get CoinJoined before anyone else on the network sees them, maybe with one or two other people, but with Grin being young, that's not occurring yet. So almost all transactions are just broadcast. They eventually get broadcast by themselves without being CoinJoined with any other, so the links are still known to anyone running a full node who's monitoring the network. Does that make sense? Yeah. What's the threshold for that? Do you have any type of metrics for when Grin gets big enough for that to start taking over and becoming more useful? No, no exact metrics. It all depends on number of nodes versus number of transactions. But there are also things we can do to improve that. We've only just begun. We focused mostly on minimalism at this point, just trying to get a working Mimblewimble protocol out there that scales well, so that we aren't going to have any long-term technical debt to deal with, and I think we've done a good job of that. Yeah, absolutely. I mean, sorry, go ahead. Yeah, I mean we've done some... when that came up, I mean the other goal of the Grin project is to stay minimal, right, and there are ways that you could kind of artificially, so to speak, increase the anonymity set in order to provide less linkability. But that involves technical debt. Once you put something like that in there, like you can create dummy outputs alongside each transaction if you want, or you can have a method whereby people have to pay a higher fee to include more dummy outputs. But that comes with problems. A lot of people... dummy outputs are very easy to factor out in any case, and that comes with a lot of technical debt, and it's not quite clear whether that would have a long-term benefit or a long-term detraction.
So the idea right now is to keep it very minimal and keep an eye on what technologies are coming, in case any new insight happens that could allow us to address this differently. And yeah, that's our approach. I'm very happy to stay minimal at this point. It's a reasonable perspective. Yeah, and there are all kinds of areas we could research aside from just dummy outputs, like we could use payment channel hubs or something along those lines. There are different avenues where people could go research and find some way, and I'm confident there are ways we can do it without having to add some bloat to our chain or anything like that. We just haven't yet gotten to implementing those; we're still focusing on building the foundations of money. People should not rely on Grin for anything where their privacy is necessary to save their lives or keep them out of prison or something like that. Don't use Grin, don't use Monero, don't use any of them. Use cash. Right. Yeah, it's not there yet and it'll be a while till it gets there, but it's in much better shape than Bitcoin as far as privacy goes, and it's done more scalably. Usually when you add privacy to a chain it grows; Monero is, I don't know how many times larger than Bitcoin per transaction. But Grin is this unique coin, Mimblewimble is this unique protocol, that actually shrinks the chain while adding privacy. It's really cool in that aspect.
So we'll work on ways of adding more privacy eventually, but for now it gives us better than Bitcoin with far better scaling, which is important. This is a good conversation here; I'd define that conversation on how changes affect the scalability of a given blockchain as really a function of where you add those changes, right. So, like...

...right, what we're seeing over the past year or two is a lot of development in signature schemes and cryptography, kind of aggregating things in a lot of ways that take the burden off what you're actually storing in the blockchain, which gives you a lot of scale and efficiency gains, whereas before that we saw a lot of stuff being added on top of it, kind of the way Arata stuff previously did stuff, which adds a lot of bloat at the cost of privacy, and I think the future is going to keep leading that way of what can we do before things get added into the blockchain that increases our privacy, efficiency, node security and so forth. Right? Yeah, like the existing methods, like you mentioned, for privacy, a lot of them would just artificially grow their anonymity set, just a cover to drop in and hide in, right. That's where, you've hit on it, the take is it's better to just not even have that data at all, let's not give them that data. And so you start shrinking then, instead of just trying to hide in. You're seeing things like Taproot, right, and a lot of that, the use of signature schemes like BLS and Schnorr, are allowing for that, where the majority of the logic is going outside of the blockchain and the blockchain is being used more for just a base proof, like a root proof of whatever all the other stuff between the parties who care are doing. Yeah, so you're right. Grin, Mimblewimble, is a prime example. Transactions are built completely outside of the blockchain. I can meet you in a dark alley somewhere and exchange a transaction there and create it there without even being near a node at all. The Mimblewimble blockchain stores basically outputs and makes sure that those outputs all add up.
Yep, and then go even farther and we could build a second layer on top of that, like Lightning. The current Lightning implementation wouldn't work directly on Grin, but it can be adapted to work on Mimblewimble, to work on Grin, and so you could take transactions off chain entirely, just like Lightning is doing. So we can keep removing more and more from the chain. You're right. Yeah. So one of the problems that a lot of these coins happen to have is, for instance, in Bitcoin or Ethereum even, I'm trying to say, what does miner centralization look like with regard to Grin? Meaning that, with like three or four pools, you could probably reverse a transaction in Ethereum. Of course, they probably won't, because the people in Ethereum who you would call would be interested in doing that for you. But I'm kind of curious what proof of work algorithm you guys are using, how ASIC resistant you are, or if you're even taking that approach, or what is your philosophy on that? Okay, sure. I can give you an overview of our approach towards mining. All of the thinking behind this is led by John Tromp, who's created an algorithm, which is a very memory-hard proof of work, or a memory-intensive proof of work rather, called Cuckoo Cycle. I probably won't go into the details of it now, other than to say that it's very memory resource intensive. So if you're mining on a GPU, for instance, you'd be looking at needing a minimum of, okay, maybe, several gigs in order to mine, depending on what version of the...

...algorithm. It's kind of a flexible algorithm in that you can have graph sizes at different sizes, so you can be searching, you know, two to the thirty-two, or two to the thirty-three or thirty-four, and Grin will accept any solution at the higher memory usages. But, as we were saying, the ethos towards proof of work and ASIC resistance, or allowing GPUs to mine, is, for the first two years at least, we're trying to make it as fair as possible. To us that means when you first launch a coin you want to be able to have as many people with as many GPUs as possible being able to mine it, so you try and create a fair playing ground that way. At the same time, you kind of need to accept the fact that ASICs are going to be coming, and for that reason you want to try to encourage the ASICs that do come to be as open as possible and as available as possible, so you don't end up in a situation where one company has the fastest solver hardware and they're not sharing that with anybody. Wasn't it basically just to make the most efficient ASIC a GPU? Sorry, say that again. Isn't the idea... this is, I guess, from what I understand, ProgPoW's whole idea, in order to combat or make things, quote unquote, ASIC resistant, because ASICs can always be made for any given algorithm, the goal is to make the most efficient ASIC for an algorithm be mapped basically to a GPU. Yeah, but then does that work? Like, proof that it works? So far everything that has made claims like that... It's the goal, right, as the speed goes on. Yeah, yeah. I'm interested to see how ProgPoW turns out, but so far all of the experiments have failed. ASICs eventually pop up for every algorithm.
And so once John and company realized that ASIC resistance is futile, they changed it a bit and they made two different variants of Cuckoo Cycle: an ASIC resistant, quote-unquote ASIC resistant, algorithm, and that's what they're using for the first two years. And we tweak it every six months, or John does, just to make sure that no one has somehow developed some ASIC for it. And yeah, so it's tweaked every six months for the first two years and we slowly taper it off, eventually replacing it with another variant called Cuckatoo that is supposed to be more ASIC friendly, so that we can slowly onboard ASICs, and by making it, quote, ASIC friendly, hopefully it doesn't give any one producer a significant performance advantage over any other, so that they don't mine by themselves and get 2x efficiency gains and such. But we'll see how this plays out. So far there have been several companies claiming that they're going to create ASICs for Grin. One of them dropped out early, maybe three or four months after collecting orders. One is supposed to deliver this month. So hopefully we'll see if they come out and we'll see if any other competitors show up with an ASIC. So that's the idea, anyways. It's just slowly taper towards an ASIC friendly algorithm that shouldn't give any producer an unfair advantage. Yeah, yeah. What do you say to the idea of not using proof of work? It's an interesting field...

...of research at the moment. Proof of stake, on the other hand, there are obviously experiments there. I don't think anyone has proved it convincingly. I know proof of work is very wasteful, it's energy intensive, but I honestly believe it is the best thing we have and the fairest. It at least has the potential to be used the most fairly of anything we have. Yeah, it's fair, you mean the participants' ability to add resources and participate at will and leave at will. Yes, it doesn't rely on them already having a stake in the chain, so to speak. Yeah, if someone takes over fifty-one percent of the stake in the chain, they don't have to ever sell, right. They can continue to hold those, and so there's no way you can force them to give you future coins or to sell you future coins, whereas with proof of work you can just buy more GPUs, more hardware resources, whatever, to do it. So that's the kind of stake some would argue. And there are other problems with proof of work other than just that. It also adds a synchrony bound to whatever you're doing. So you're going to have to produce blocks, or you have to have a difficulty, and that's going to produce, depending on what kind of hash power is in the system, the frequency in which things can get published. It doesn't allow for some more on-demand finality like classical protocols do. So there are downsides other than just the... Absolutely. Proof of work is kind of, I think it's the least worst option we have at the moment. And that's basically just because, I mean this is also my perspective, where things currently stand in terms of battle-tested things, proof of work is winning. Until something has proven itself in the open, it's very difficult to make that change. It's cold, we know.
Yeah, I mean fundamentally, like you need something in the chain for the consensus network to demonstrate or verify that an amount of time has passed since the last block, so that nobody can go back and rewrite it. Right now, proof of work is kind of the only thing we have that's, as you say, tried and tested and provides that, as well as possible in terms of membership, like inclusion. Right. Yeah, that's the main thing, as an involvement mechanism. At the end of the day, that's really what it actually boils down to. Yeah, great. So, I want to know, we have a little bit of time left here, I want to know what's next for Grin, what's on the immediate horizon, where things are going and what you see changing over the next year? Yeah, well, the next year, like the first year of Grin's existence, is very much about getting the foundation right at this point, tightening up the code. A lot of the work, like I said earlier, I mostly focus on the wallet at the moment, and we don't have a nice GUI wallet, but I think we have a very good API now, and we encourage the community to build their own wallets on top of the API. So it's really about trying to improve what's there. We add new features as and when they come up and when they're appropriate, but it's really kind of getting the engineering right and getting the foundation there to let the community take this and run with it. So some examples of the things we have in there: we've just added the ability to create transactions via Tor in our last release, which I think is a huge step forward in terms of usability. We'll be looking at ways of allowing offline transactions because, as I said earlier, transactions are interactive, which makes it difficult to do it offline or into a cold storage wallet. So we'll be looking at solutions
there. So yeah, I mean it's very, very early days in this coin's development. There's still tons and tons of work to do and we're looking forward to it, and we also encourage anybody who's in any way interested in this, whether you're a developer, designer or a thinker,...

...mathematically inclined, to come and have a look and contribute wherever you can. David, your turn. Yeah, I agree that the biggest priority, as Yeastplume touched on, is right now most exchanges and pools and stuff only implement HTTP or HTTPS transactions, which are really frustrating for end users, because in order to receive via HTTP you have to forward a port on your router, right, and for everyday users that's not a reasonable approach. So Tor was our most recent initiative to move away from that, where Tor automatically does that. You don't need all that NAT hole punching; it's done for you with Tor. So all you have is the address. Instead of sending your IP to someone and saying send it on this port to my public IP, here we have Tor, which just gives an address, and it feels a lot more like Bitcoin. You still have to be online, but the user doesn't have to do all this complicated configuration, and you still have an address you can give and you can use it for different signatures and stuff like payment proofs, which were also just implemented. So yeah, it's moving away from HTTP now, with hopefully an offline mechanism as well, so you don't have to have both parties online at the same time. They can sort of finish their part as they come online. And then I think on the node side we're focusing more on improving our sync process right now. Yeastplume mentioned earlier in the episode that for the fast sync we have this transaction hash set, which is really all the UTXOs and kernels, and just one peer gives you that. So if you get a slow peer or an unreliable peer, it could take a long time to sync, or longer than it should anyways.
So we're finding ways to break that up, to parallelize that, and to just download a little piece from each peer and validate as you get it, and hopefully sync quite a bit faster. And then also, it won't be implemented this year, but we're taking a look at different signature schemes and ways of aggregating signatures, like BLS and stuff. We're also looking at ways of adding privacy. Should we deploy some form of decoys or not? Should we find other... are there other ways of breaking that linkability that we get when we broadcast transactions? Can we make improvements to our Dandelion protocol to make sure that more aggregation occurs before each transaction is broadcast? So there are a few different initiatives we're looking at on the node side. That's awesome. Obviously, where do people go to learn more and help contribute? Absolutely. Sorry, okay, right, so, sorry. Our main site is easy enough to find. It's grin.mw. That'll take you right to the main site, and from there you should be able to find links to our Keybase channels, the GitHub project itself. There's a forum as well that's linked from there. So most of the conversation, I would say, these days would happen in our Keybase channels, with some more of it, maybe a bit less, going on in the forums, announcements and such and some longer-term topics. We did have a Gitter channel too, but it's actually being used less and less these days in favor of the Keybase, so that's that. Yeah, all right,...

...awesome. Thanks for coming on the show. I really appreciate it and you've definitely helped me understand the concepts and how this is all constructed together. Yeah, thanks very much for having us.
