Hashing It Out

Episode 42 · 2 years ago

Hashing It Out #42 - Monero Research Lab - Brandon Goodell

ABOUT THIS EPISODE

We shouldn't pick favorites, but this is definitely one of our favorite episodes so far. We have the extreme pleasure of learning from Brandon Goodell, Research Associate at Monero Research Lab, about Monero, how it's designed, privacy in Monero and how it compares to other coins like Zcash, scalability, and consensus mechanisms in general. This is exactly the kind of conversation we built this show for, and there was more than one eye-opening moment. Definitely scope this one out!

Links

  • https://www.getmonero.org/resources/research-lab/
  • https://github.com/b-g-goodell
  • https://monerokon.com/

Sponsorship:

Thanks again to Trail of Bits for sponsoring this week's episode. Go check out their great article on how to safely store cryptocurrency, and while you're there, check out all their content on the blog! Stay safe out there.

Everybody, before we get the show started, I want to tell you about our sponsor for this episode. Once again, we're sponsored by Trail of Bits. Trail of Bits is an auditing firm in the cryptocurrency community. They're available for consulting services for doing audits on various smart contracts and dapps, as well as company infrastructure and setting up process and procedure. They also release a suite of tools, open source to the community, to use when developing smart contracts; these integrate directly into Embark and Truffle, as well as running on their own. So there are really great tools and lots of information and tutorials at trailofbits.com; head there to get to use them. This episode, on the other hand, talks about a few of the other things they do. Last time we mentioned the conferences that they hold; this time we're going to talk about a lot of the blogs and writing that they do to give general ideas on best practices and how-tos on how to navigate your way in this space. In particular, I wanted to highlight a blog post called "How to Safely Store Crypto". In this blog, Trail of Bits goes through the process of making sure that you own your private keys, secure your private keys and maintain them safely. We'll include that in the show notes for you to check out. I highly recommend it, as well as everything else on their website and blog. I really enjoyed reading these things, going through the analysis they did, as well as some of the insight and how-tos on how they help you navigate the space securely, safely and efficiently. Enjoy the show.

Welcome to Hashing It Out, a podcast where we talk to the tech innovators behind blockchain infrastructure and decentralized networks. We dive into the weeds to get at why and how people build this technology and the problems they face along the way. Come listen and learn from the best in the business so you can join their ranks. Welcome to Hashing It Out. As always, I'm your host, Doctor Corey Petty.
I have my trusty cohost with me, Collin Cusce. Say what's up, everybody, Collin. What's up, everybody. Collin, today is episode forty-two, I believe, and today we have another outstanding guest for a highly technical audience. It's Brandon Goodell, a researcher... Dr. Brandon... I'm sorry, a researcher for Monero. I... no, research institute. What exactly is the Monero Research Lab?

Monero Research Lab? It's the name that we came up with in 2014 and it's kind of stuck.

And I was looking... you do like... you are legitimately... this is a postdoctoral research position for you?

So this is the problem with having an open source project: you can kind of pick your own title. One of my former advisers always gave me the advice to call it a postdoc until you know you're not in academia anymore. So I do postdoctoral work; I have a doctorate and I do doctorate research. I don't have people advising me in the same way a traditional postdoc would, and so I've sort of changed my title to research associate to be a little bit closer to the reality of the situation.

In that case, why don't we give you a quick introduction, or allow you to introduce yourself? How did you get into this space? How did you get into doing cutting-edge research on cryptocurrency and blockchain-related technology?

Well, in 2013 the guy who... another one of the Monero researchers, Sarang Noether, he introduced me to the idea of Bitcoin and I was laughing really hard, because, you know, it's like you're mining Bitcoin in your basement and you're making money on your computer; that's just ridiculous. But I started looking into it and there was this point where there was this intellectual switch that got thrown and I realized I was...
I was trying to learn about Bitcoin without learning about it, and I was being really lazy about learning about cryptography and hash functions and stuff like that, and this switch was thrown in my head where I was like, okay, I actually need to learn how this works from the ground up, under the hood: cryptographically, on the computer science end of things, how the network works, everything. At that point I started looking into other white papers and looking into other coins and...

Riccardo Spagni, the lead developer at the time, fluffypony, he contacted me about doing a review of the white paper for Monero, the CryptoNote white paper, and he offered to help pay my rent a little bit in the middle of grad school in exchange for a review of the CryptoNote white paper, and that's how I got sucked in.

So 2013, 2014, I guess, you know, you're looking at this stuff, you're trying to differentiate it between fool's gold and, like, actual... like, what is this? Is this like Candy Crush gems? Yeah, that's how I kind of originally approached it, like come on, and then you look into it. I saw one of your earlier comments a long time ago; it was basically... you still seemed a little skeptical around that time, and you said you were getting into Monero, which seems like Bitcoin's cousin or something. So how did you sort of feel when you saw Monero? And what did you actually... let's just dial that back a bit. What is Monero? How does it work? What sets Monero apart from Bitcoin? What are the fundamental concepts which make Monero have a specific level of privacy, and what are the limits of those levels?

So, firstly, unlike other cryptocurrency projects, Monero is not a fork of Bitcoin. We have a completely different protocol called CryptoNote that was described ostensibly in 2012, but that's a debatable thing. Monero has kind of a shady beginning history, but what's interesting about Monero is it operates very similarly to Bitcoin, in the same way that you have a transaction and that transaction consists of some inputs and some outputs and a fee, and those transactions are all recorded on a ledger in a consistent way, in a way that everybody can check that it's correct, right? So these things are very similar to Bitcoin.
Anybody can hop on the network and anybody can help mine; anybody can hop on the network and transmit a transaction. So it's permissionless, just like Bitcoin. The differences are sort of in the abstract, but as a consequence the fundamental architecture is very different. So, for example, one of the things that makes Monero different than Bitcoin is that Bitcoin is sort of like a classic check, right? Like everybody's written a check to their landlord. It has a from, it has a to, it has an amount, it has a date. In Monero, the from field consists of eleven other people, or ten other people, so you can never really tell exactly which of these people the transaction came from. So having a Monero transaction is sort of like having a check, except you can't really tell who signed it, and that's the first way that Monero protects people's privacy. The second way that Monero protects people's privacy is that it sort of obscures the amounts of the transaction, so that somebody looking at this transaction, instead of seeing a usual check with a from field and a to field and an amount, they see a from field with, like, eleven possible senders and they see an amount field that just looks like arbitrary garbage. It looks like white noise. And so you're hiding who's signing a transaction and how much they're sending, and the only real question is whether or not you can hide who receives the transaction. And, of course, if you're announcing these transactions on the network, then you also have to hide where the transaction is coming from, with, like, your IP address, broadcast over Tor or whatever. So there are a couple of routes to try to verify a Bitcoin transaction. One of them includes checking the key; another of them includes checking that the amounts add up to zero, the inputs minus the outputs, and so on and so forth, and Monero has an analogue for each one of these things.
But since we try to obfuscate every component of the Monero transaction, sometimes our checking systems can be pretty complicated. For example, if I want to send a hundred Monero to Collin, but nobody can check if my transaction actually consists of a hundred Monero, then I could send him a thousand and send myself negative a thousand and it looks like I sent zero, and if I can do that, then we have certain problems. So when we're obfuscating the amounts we need to equip them with range proofs, and our range proofs are built with Bulletproofs, which are an extremely fast implementation of range proofs. So, basically, when I say that Monero is like a cousin of Bitcoin, I mean for every little component that exists over in Bitcoin, there exists a corresponding component over in Monero, except it's designed to try to protect...

...your privacy.

I'll try and maybe recap that. A lot of the way... it's like when I try to explain Bitcoin to a lot of people, I usually tell them that it's not necessarily the components that make up Bitcoin that are new and novel; it's the way in which they were combined that made them novel. They made the whole thing novel and they gave a sort of digital scarcity, but each of those components exposes something about the end user in terms of the pseudonymous name, the amount they're sending, where they're sending it from, so on and so forth. And when you try to explain Monero, maybe what you just kind of said on it is that it tries to take all of those components, figure out what's being exposed in terms of user privacy, and tries to obfuscate that as much as possible, using different or improved components.

That's a fantastic summary; that's a fantastic summary. And if you look at something like Zcash, which is arguably our best competitor in terms of privacy, they sort of do the same things; they try to throw it all under one big zk-SNARK umbrella, and there's trade-offs to the two different approaches, but that's basically entirely correct.

So without giving too much judgment on either approach, what are the trade-offs there?

Well, the primary, most important trade-off in my mind is the trusted setup. Zcash and Monero vary from each other because I can construct a Monero transaction without ever really having to trust that some random number was correctly thrown away. But if I use Zcash, I do need to trust that. Now, the thing is, we can argue about whether or not this trust model is practically important, because almost all of us use Wells Fargo or US Bank or some bank system that is practically already an intermediary in controlling our transactions, and so by moving from something like Wells Fargo to Zcash...
I view that still as a net gain, because even though I'm trusting a third party in some way, it's not in the same way that I trust Wells Fargo with my information. And, of course, moving from Zcash to Monero, I no longer even need to trust that the original developers were honest in the way that they executed things. And if you guys remember the recent dust-up about the transcripts from the Zcash key generation ceremony, it's not always obvious whether or not things were done correctly, and if something was not done correctly and then somebody purposely deletes a file in order to make it look like it's been done correctly, or in order to hide some evidence, that's sort of like a really great example of why we try to avoid the trusted setup in the first place. So again, not trying to pass judgment on the Zcash development team, because there is an enormous amount of philosophical differences that I don't even grasp between the two communities. Just as a matter of practical trust, if you're getting into the Bitcoin space because you're into permissionless currency, Zcash seems like, well, it's better than Wells Fargo, but you're still trusting a third party.

Yeah. So that's interesting to me. I kind of see where you're coming from with that. There are benefits to SNARKs, which is probably why they chose it, and that it's a bit faster.

Oh, dude, SNARKs are really cool technology. I think they're fantastic, but, like, in the end, it's not the SNARKs that I'm criticizing, just like the Zcash people aren't really criticizing the unforgeability of ring signatures; they're criticizing the anonymity set sizes of ring signatures. Well, you know that... Oh gosh. So, okay, before I answer your question, I need to preface this, because this is the sort of conversation that can lead to FUD.
Let me just be really clear here: a black hole in the middle of a galaxy leaks information about the contents behind the event horizon. There is no way that zk-SNARKs or ring signatures are ever going to completely protect your financial information from the most prying of eyes.

Maybe I can interject here and change... I think what the arguments of both of the networks tend to focus on... it's not necessarily... no part of it is the actual technology and what's being obfuscated. A lot of it is what you've mentioned, this thing called the anonymity set, and that is the amount of forensics we can do with the available information to decouple what's obfuscated for a number of users.

So the short answer is yes: the ring signature setups that we currently have, because of our anonymity set sizes, the information that is leaked from our system can be...

...leveraged to greater effect than the information that is leaked through zk-SNARKs. However, both can be leveraged like crazy, and if you look at recent traceability papers, both for Monero and Zcash, the situation isn't as private as the public-facing PR departments want you to think. So that's why I mentioned that the black hole is never really going to protect your privacy in the same way. You know, like the changes that we can make to Monero to improve anonymity set sizes... let's say I'm writing a paper right now and there is some statistical evidence that hasn't come out yet; it's like preliminary evidence that suggests that relatively small ring sizes, like twenty, can be just as good as a zk-SNARK. If that's the case, then is there really that much of a practical difference between the two coins? I'm not so sure. If both coins can be linked in a probabilistic way, in the same way that Twitter can sort of figure out your interests in life, whoever's watching the blockchain might not be a hundred percent sure that you were spending at this particular vendor, but they are, like, sixty percent sure, and that might be enough in some sort of tyrannical regime in, you know, North Korea or something like that, for you to get killed. But if that's the case, then you're talking about a threat model where just using cryptocurrencies is enough to get you shot. And so the main difference between Zcash and Monero is that Monero focuses on plausible deniability. You can't plausibly determine the path of money, and in a court of law, in a nation of laws, that's probably going to be good enough privacy. I'm not sure how I answered you guys' question directly.

You know, I like to bring in the bigger picture of this as well. It's not alone going to be enough, but it is a trail that can be followed and lead to other evidence.

Yes, and in fact both blockchains can be leveraged with each other.
So anything that I learn about a user on the Monero blockchain I can then apply to that same user on the Zcash blockchain. I might not know which user he is, but I can apply that information, and in fact vice versa. For example, if I'm a KYC exchange and I'm watching all the Zcash transactions that are coming in and out, first off they're already all transparent, so I'm going to be able to glean quite a bit of information. Even after Zcash deprecates their transparent addresses, these KYC exchanges can still track everything that's going on at the exchange, so they can already comply with the law in any way. So, you know, there's a certain point at which this is not... it's not a perfect laundering system.

That is basically my big fear about Monero. I am a low-information person when it comes to Monero. My focus has mostly been in the Ethereum space and a little bit in the Bitcoin space, but for Monero I've just kind of not looked at it too deeply; just laying that out there right now. Sure. When I hear about it, to me it sounds like a money laundering machine, but I think that's actually not the case in any real sense. Do you think the same thing about Zcash? I'm curious.

Yeah, anything that's to that... I actually... so here's... I have a different situation here in a lot of ways: they both could be. One has particular use cases because the one pivotal thing that Monero does is that it's private by default. The anonymity set of people using the privacy features of Monero is everyone, whereas in Zcash it isn't; it's much more difficult to actually use shielded addresses. That makes a huge difference in the actual granted privacy of doing things when using the privacy set of a given blockchain. That being said, I feel like the initialization of Zcash was mostly, and this is maybe just my personal opinion, for research funding, research purposes, of pushing the idea of that novel cryptography.
That makes up zero-knowledge SNARKs and the cryptographers that do it. This gave them a really good funding mechanism to push that research and make applied cryptography in that area. Monero potentially initialized or started out with different purposes, but then grew to a much more legitimate project, and then you have who's actually using it, and since the darknet, the darknet kind of marketplaces, started opting in for doing Monero by default, that changed the perception of what Monero is used for drastically, even though, you know, what it could potentially be used for.

There's a lot to unpack here. Firstly, okay, when you say money laundering machine I have to stop you, because the thing is, if we don't think of cash as a money laundering machine, then we...

...should not think of Monero as a money laundering machine, and if we think of cash as the currency of choice of somebody who wants to buy a banned book in an authoritarian regime, like if you want to buy the Bible in North Korea, you're not going to be using your state credit card, right? You're going to use some sort of cash or bartering. And so the thing about the phrase money laundering is that it's so loaded. Money laundering is a crime; you're hiding your income from the government so that you can avoid paying taxes or whatever. But general criminal usage of a technology is a tricky thing. Whether or not a tool is criminal itself, I'm not so sure about. I do know that not all laws in all nations are just, and so what is a criminal act in North Korea may be considered a just act in America, and so I really try to stop thinking of these...

To be fair, I was actually speaking more abstractly. So right now, if you buy a bitcoin that's dirty, there's no way for you to really un-dirty it, right?

Well, you can. If there's a marketplace for dirty bitcoin, which there probably is, then there's... or, you know, use cases where somebody can still use a bitcoin that's dirty because they're doing dirty things anyway; who cares?

And you have the dirty bitcoin; you want to get legitimate bitcoin. One way to do that would be to sell the bitcoin in exchange for Monero and then from Monero buy clean bitcoin.

Yeah, and all that does is taint the new clean bitcoin.

Does it really? So if you... I mean, if you use just any sort of, like, let's say cash. Okay, you give the... So I meet somebody in person at a coffee shop, and I say I want your bitcoin; you want my Monero; let's do a trade. Nobody's going to trace that.

So a moment ago Corey just described one of the benefits of Monero over Zcash as the anonymity set size, and then he followed it up by saying...
But, you know, if it's transparent and it's hard to use the shielded, then, like, who cares? What you just described is the Monero equivalent of entering the unshielded pool and then exiting, going back into the shielded pool.

Explain that to me again. What's a shielded pool?

So the shielded pool in Zcash is the pool of coins that you can't tell which one's being spent at any given time, and the transparent pool of coins in Zcash acts almost exactly like Bitcoin, totally transparently. And one of the criticisms, one of the ways that you link Zcash transactions, is you watch somebody send a transaction out of the shielded pool and then send it back into the shielded pool, or vice versa. A transaction goes into the shielded pool for a certain amount, and since it left a transparent address, you know what the amount is, and then just a few moments later the same amount comes out of the shielded pool to a new transparent address, and anybody who has half a brain can look at those pairs of transactions and say: oh, 1.9947128 Zcash went into the shielded pool and then 1.9947-blah-blah Zcash went out of the shielded pool, gee, I wonder what happened there, right? If you do the same thing with Monero, you might take some Monero, buy some bitcoin with it, send it to a vendor; the vendor may then immediately buy some Monero with it, and anybody would be able to look at those transactions and link them together, both on the Monero blockchain and the Bitcoin blockchain. Or it can go in the other direction, and you're not buying from a vendor but you're trying to clean a bitcoin, like you just described. You have a dirty bitcoin; you buy some Monero and then you immediately sell it for the same amount of bitcoin at a new address. All you've done is link the two blockchains together; you haven't obscured anything.

Not necessarily, but I mean, like, it's a personal exchange as well. Yeah.
I see what you're saying. Right now, the one way that we think at Monero that you can avoid these problems... for Zcash, okay, in any case, if you're going to a transparent pool with transparent amounts, you're not really going to be able to avoid the problem. But if you're going to, like, for example, Monero, you're doing totally default transactions, all of the amounts are shielded, you can send a transaction to yourself a couple of times and this will reduce the probability that somebody can link the inputs and the outputs.

Okay.

And that's called churning, and we're currently writing a paper on formalizing that. Okay, so every time, sorry, every time you send a transaction in either the Zcash shielded pool or Monero, you can think of it as taking a step further into a bigger and bigger crowd and then trying to get lost in the crowd. So if you send a transaction to yourself a couple of times, you go...

...really, really deep into the crowd before you construct your true transaction, and then somebody's like, oh well, I know this money came from somewhere in that big crowd of people over there.

That makes perfect sense. Yeah, I didn't even think about that. So you can actually... yeah, okay, that makes... okay, and when you say send money to yourself, you mean literally create another address; you're not actually sending it to your same address.

In Monero you can send it to your same address.

Holy shit.

Because of the way the defaults are, there is no turning off the privacy features of Monero.

So by doing it, every time you do something, basically, oh my God, it mixes all of the coins.

I wouldn't say it mixes, but yeah, essentially. So Monero addresses are just like Bitcoin addresses when you're talking about wallet addresses. Well, I don't want to say just like, because they're from a different curve, but they're just a big string of characters. Every transaction is associated with a new one-time key that is generated from your recipient's public key, so you can send to the same public key over and over again; every single time you're going to get a new one-time key describing your transaction, and they're not linkable between transactions, and so somebody can't necessarily tell that these eight different one-time keys went to the same person, so you can just send it to yourself.

So that kind of changes the definition of... okay. So to me, that's... so it's not even like an account model, how you store things; is that correct?

Oh, correct. As I was saying... yeah.

I've described this, please, like, yeah, and this also might explain why you used Bulletproofs. So STARKs, SNARKs, Bulletproofs. SNARKs obviously require a trusted setup; very fast, but not as fast as Bulletproofs.
Well, a little bit larger in storage size. STARKs, on the other hand, have a much larger footprint, and so if you're going to be doing this over and over and over again with these range proofs, then you're going to want a smaller footprint, which means Bulletproofs, despite the fact they're not... I'm sorry, SNARKs are faster than Bulletproofs, or is it...

So you're saying it's the footprint size that you're concerned about, which is why you would choose Bulletproofs over STARKs, in terms of footprint size?

That's actually an interesting question, because, okay, so let's say the blockchain's going to grow at a fixed rate for the next year and each transaction has a fixed size, right? One question that we ask at the research lab before we make any changes or consider changes is: after one year, what's the download and sync time going to be for a new node hopping onto the Monero network? And if our change is going to make the download and sync time better than if we did not make the change, then we'll make the change. So let me give you an example: ring signatures. We currently have a handful of sublinear ring signature schemes, and for the people in the audience, this is proving that you know one of n different keys, but it's sublinear in the sense that it takes up less than O(n) space; so it's like logarithmically sized. So proving this is less expensive in space, yes, but in verification time it's always going to be linear; there ain't nothing you can do about that. You always have to touch every bit of every key, otherwise you're going to be breaking unforgeability. So the confirmation time, the verification time, is always linear in the ring size, but we have a couple of sublinearly sized ring signatures. So the question is: if it takes a certain amount of time to download the blockchain and then for each of those bits I need to verify it...
If I add together the download and verification time after a year, will I get a payoff? And it turns out that these sublinear ring signature schemes, even though they save space, they're a little bit slower in verification time. So after a year, even though our blockchain would be significantly smaller, our verification time would have blown up and we would have had a problem after a year. So we haven't instituted any of these nice sublinear ring signature schemes, which would give us really big anonymity set sizes, specifically because verification time is still just going to be murderous. So these little trade-offs between space and time, for example, they occur throughout all of the development process in cryptocurrencies. Right now in the privacy space we have zk-STARKs and zk-SNARKs, and I'm not actually going to comment much on either of those because, even though I technically know what they are, how they work, so on and so forth, I'm not an expert in those things and I don't want to overstep my bounds. But I do know that bulletproofing a statement is slower than zk-...

...snarking a statement, depending on the statement. A Bulletproof is a general proving system for proving linear relationships; it's basically an algebra game, and it's not as fast and efficient as zk-SNARKs, but it still can prove almost, like, arbitrary arithmetic circuits, which is really cool. And then there's, like, ring signature schemes, and if you think things have gotten complicated with, like, acronyms by this point, our ring signature schemes are about to explode, because right now, okay, our original ring signature schemes were LSAG schemes, and then we did ring confidential transactions with MLSAG schemes, for multilayered, and now we're looking into, like, Lightning-style off-chain stuff using dual-output DLSAGs, and we just figured out a way to save both on verification time and signature space with CLSAG, compressed LSAG signature schemes. So basically all of our signature schemes are about to blow up. On the plus side, we have compressed our ring signature schemes, and one year from now it's going to be a lot faster to download and sync the blockchain because of the changes that we're making over the next couple of weeks.

Oh really, what are those changes?

So, I believe his name is RandomRun; he's a Monero contributor on GitHub. He realized that we could compress our signatures by computing things in a slightly different way; it makes smaller signatures, and after testing it, it looks like the signatures are faster to verify. So not only do we have the speed gain but also the space gain. So, like, one year from the next big fork that we implement this in... I don't think it's going to be going into the next fork, but one year after the fork after that, you're going to be able to look at the Monero blockchain graph and see the day that our small, fast signatures went live. It's going to be pretty cool.

You think that there's really a lot of, I guess, funding of legitimate cryptography research going into Monero.
Are you sharing this with other projects? Do you feel like other projects are doing something similar? Is there redundant work in a lot of these things? How does this work out? Because the technology that you use, parts of it can definitely be used across the entire cryptocurrency space, like signature schemes are useful across all applied cryptography, but how they fit in is, you know, subtle, and the devil's in the details. But are you going to meetups? Is Monero actively participating and trying to foster the security or privacy feature set of all cryptocurrencies?

So, actually, there's a lot to unpack in your question again, because you asked about both funding and the participation of Monero in other projects, and those are two different animals. So the first thing is, the Monero crowdfunding system is actually how I get my salary. Technically, anybody can apply to get funding from the Monero crowdfunding system and ask the crowd for money, and anybody will be able to get that money if they can convince the community to pay for it. That's how me and Sarang both got our jobs: we humbly went to the community and we said, hey, we have cryptography experience, we would really like to work for you guys, and we got hired. That's how the Monero open source hardware projects are getting paid. And so the Zcash Foundation, or not even the Zcash Foundation, the Electric Coin Company recently instituted a similar funding model, so that people can start applying for grants, or maybe it was the Zcash Foundation; I always get the two confused. So in terms of the funding model, if anybody out there wants to get funded from the Monero community, the only thing that's stopping you is your ability to convince the Monero community to fund you, and I know that sounds silly because technically it's always true. The only thing stopping me from getting funded from the city of Denver...
I guess, is me convincing the city of Denver to give me money for some random project, right? It's always true, but in this case you can go to getmonero.org and you can open up the crowdfunding system, and it's sort of like crypto GoFundMe. So that answers the question about funding. In terms of funding for other projects, or getting funding from other projects, the Monero Konferenco is actually partially funded by the Zcash Foundation. They are one of many donors; they just donated directly to the Monero Konferenco, which is our first annual conference that we're holding this summer, and they just donated as if they were a regular Monero community member, along with all the other different Monero community members. So we have interactions with various projects. In fact, I do want to speak a little bit more about that in a minute here. And actually, I guess the other question was involvement, and this fits in with that perfectly. So yeah, we're hosting the first Monero conference this June, and it's partially funded by the Monero community, just all donors, and then the rest is coming from ticket sales and sponsorships. So if people want to come out to Denver this June to attend the Monero Konferenco, we would love for you guys to come out. Not all the talks are about Monero specifically; we're trying to have talks on privacy and society in general. And so personally I haven't gone to a lot of meetups. I tried to hold a couple of Monero meetups recently and I just don't have good control over my own calendar in general, so I'm really bad at stuff like that. So organizing the conference has been an interesting challenge. But yeah, I think that answers both your questions.

So, all right, something I really want to touch on here, I think we've brought it up in a previous episode, I just can't remember which one, is some concerns about scalability with regard to blockchains in general. Who did I ask this? I can't remember; maybe you'll remember after I say the question, Corey. But I asked, can layer two solutions, such as state channels, work on privacy coins like Monero? And I think maybe a side question on that is smart contracts as well. How does all that work in Monero right now? I don't think you have a scripted smart contract system, or maybe you do, I don't know.

Correct, our smart contract... we don't have a smart contract, we don't have a scripting language, I should say. We currently have a version of multisig. Writing the multisig ring signatures, the version of ring signatures that is multisig, is a weird and strange land to be dwelling in mathematically, but we have multisig, and so as soon as you have multisig you have the ability to start doing some of the very basic things, for example off-chain atomic swaps from the original proposals. So as soon as you have that, you're good to go.
Also, that DLSAG signature scheme that I mentioned earlier: me and Sarang and Pedro Moreno-Sanchez at TU Vienna and another coauthor, we're currently working on a paper describing return addresses in Monero for use in off-chain or state channels and stuff like that. So the short answer is, I don't know about the scripting language. I don't know how far off that is honestly, or whether or not we're ever going to do it, but I do know that the idea of a lightning network for Monero is within spitting distance, and that's kind of been our current... I wouldn't say our current focus, but it's been an active area of research.

Okay. So let's unpack this a little bit. So that's a payment channel, and that's great. That's essential if that's the core focus of Monero. Basically, that's all you need, really. You know, a payment channel is not a state channel, but it is a scaling solution. It's off chain, and I would assume it'd have similar privacy safety measures as Monero, using Monero as the backing system. Let's say we're looking towards the future and we want to make a privacy coin, or we want to extend Monero to have some sort of automated contract state, which you don't know when that'll happen, but I understand. But what are the concerns with scalability and taking, you know, those kinds of things and making them scale as well? Like, first of all, what are the scalability concerns of Monero presently? Because I don't know that very well.

Ah, okay. So before we get to the scalability issues of Monero, what you're describing for a smart contract, did you look at schemes built on top of the Monero blockchain? That's what Tari Labs is working on right now. This is Riccardo "fluffypony" Spagni,
one of the original core developers of Monero, working with Naveen Jain from, oh gosh, there's so many company names. They're building Tari Labs; their whole purpose is to build a side chain on top of Monero that does digital assets. In fact, I believe that you can download the Big Neon app to buy concert tickets already and get tickets through Tari. I'm not so sure how decentralized their system is as yet, but I do know that that's one active area. So getting back to the scalability issues of Monero. So my big white whale in Monero actually isn't scaling, it's privacy, because I'm genuinely concerned that somebody somewhere is going to be using Monero to keep themselves safe, and then a stupid decision on my part is going to get them harmed somehow. Personally, I think that privacy, especially financial privacy, is like a human rights issue of the twenty-first century that we haven't noticed yet, especially if you look at Equifax and Facebook. And I mean, some of us have noticed it.

But yeah, we've noticed it, right. Our whole audience has noticed that. Yeah, we are all on the same page. The general public, I think, say for instance, what we're trying to get at is, say for instance this stuff takes off, we have mass adoption, and people are using it without necessarily knowing it. What is the consequence? Like, how does it make you feel if you're the dev that created that system and it ends up having some fault that actually gets someone hurt because they thought it was right? But I guess what I mean is, the reason I say this is because, okay, blockchains are big and they're slow and they grow over time. They never get smaller. You can't make a blockchain smaller. I mean, I guess you can prune, but then you're talking about light nodes, and that's a whole other security issue.

If you look at something like, okay, so in Monero, the way that we protect against double spends: remember earlier I was mentioning that, you know, we could construct a whole ring and you can't tell who signed the transaction. You need some way to protect against double spends, and the way that we do that is with key images. We basically take a hash of the key that's signing the ring signature and we're including that in the transaction, but that means that every miner needs to keep track of every key image forever, to make sure that there are no double spend attempts in the future. So now you have an extra set of information that every miner needs to keep around forever. And so there's a bunch of scaling issues that are built into cryptocurrencies that just seem to get bigger and bigger over time with no way of making it smaller.

I guess one of the advantages of an account model, right, is you can actually say, hey, all right, well, after this point, I can say these accounts are square.
I'm pretty sure this is correct. Yeah, the problem is, like, you can't really do that with Monero, can you? Right. The problem with account models is, man, they are so vulnerable to reorganizations, right? Like, if the past twenty blocks get reorged, or ten blocks get reorged, and your new ten blocks have transactions occurring in a different order, all of your accounts are all garbled, and some account that maybe should have lost money doesn't, and so on and so forth. Account-based models are extremely vulnerable to network reorganizations, or, excuse me, blockchain reorganizations, due to network dynamics like delay and latency, so they make it pretty hard to run a permissionless cryptocurrency network unless you have a really long confirmation time, which most people don't find acceptable in any way. Personally, I wouldn't use a cryptocurrency that has an account-based model unless it had longer than, like, a twenty-four-hour confirmation time and probably a huge hash rate.

What's the... what's an acceptable time to finality and confirmation on, like, Monero? What's the equivalent of that on Monero? It sounds like you don't do that, so I mean, don't reorgs still happen in Monero?

Oh yeah, reorgs happen in Monero all the time, but if you're doing an output-based currency, then a reorg can't turn an account negative.

Gotcha, right.

So output-based currencies are always monotonically growing but are extremely resilient to reorgs, which makes it particularly suitable for a decentralized network. Account-based stuff is really good for centralized organizations.

Okay, that's something I've definitely got to take a little time to unpack, because I hadn't really thought of it. Dude, this is something that, like...

Yeah, there's like a whole class of concepts in the cryptocurrency space that every time I get exposed to them,
I have to sit down for like an hour and twenty minutes and think about them, and then I'll forget them, and a month later somebody's like, oh, you forgot about Monero's stealth addresses, and I'm like, God damn it. So yeah, the account-based model. There's a lot of things in this space. Okay, so the word specious is probably the single best word for 2017 and 2018 cryptocurrency. Like, everybody sits around and makes these specious arguments that seem reasonable and they really aren't, and this is how you talk yourself into proof of space or the like, whatever.

Oh, proof of stake is like proof of space, like we're going to [unclear] now.

Oh, I actually do have my doubts about proof of space, but for different reasons, and I don't want to quantify them because I haven't thought about them recently, and I'll forget some fundamental concept and someone will be like, ah, you forgot about X, and I'll be like, damn it.

I'm kind of particularly sad about proof of space. Proof of replication and stuff is something I'm particularly looking at, because it has wider implications if they can crack it really well. It does have wider implications, not just cryptocurrency. It changes the game in the way that we store our data and incentivize people with empty hard drive space. I'm really hoping that kind of works out eventually.

Okay, so consider the following. What happens when proof of space becomes a thing and all of a sudden disk drive space becomes highly valuable? What happens?

We have tons of disk drive space.

Yeah, who has the most? Centralized organizations, such as Amazon.

Yeah. So as soon as you move to proof of space, you have Bezos coin.

Yeah, except, well, I understand that, but even then, you're just proving the space, like, yeah, they'll be the greatest miner on the planet, but that's okay, because everybody benefits. Everybody would have their files literally being incentivized in a dynamic marketplace, except that's set through, you know, a demand market that's not regulated by Amazon; it's regulated by a decentralized protocol which can't be violated. If they do, then basically the system becomes itself worthless.

And before we go too far down that road, I want to take a tangent. I think it'd be interesting to go into what is a precursor to this, and that also goes into the difference between proof of work and proof of stake. It's that ultimately, when doing any type of consensus, there needs to be some resource that goes into weighing someone's vote in that consensus. With proof of work, that's typically some form of energy, which is then used to create hash power, which is then used to give you a chance at solving a puzzle that gives you the opportunity to add a block. So that's an external resource. It's energy put into the blockchain to codify it. Proof of space is actually using hard drive space as that external resource. Proof of stake gets rid of an external resource and uses an internal resource to do the same thing.

Go ahead.

So the best explanation that I've heard of proof of stake, other than that one website that would allow you to upload a picture of a [unclear] and you'd get a token or something,
Proof of stake is like a formalization, a cryptographic formalization, of the stakeholder model of a corporation, and when you have the stakeholder model of the corporation, you're inheriting all the flaws and all the benefits of that model. So I'm not so sure if there's actually a resource that is at play in proof of stake. I know that a lot of coins try to tie energy somehow to stake so that they can solve the nothing-at-stake problem. I'm not convinced it's possible. If you look at proof of work, you're talking about thermodynamic energy; the laws of thermodynamics are what you have to work against in order to undo transactions in proof of work. Proof of stake, it seems to me that you just need to undo people's opinions, which is a voting mechanism.

Correct. So it's willpower and work and labor that's being tied to it, so it's a more abstract concept, I would say, than electricity or, you know, hard drive space, but it's still, that's actual, like, that's a real thing. Labor energy is a thing, and that's what I think proof of stake actually is. It's a measurement of [unclear]. Ideally, I think, right. You know, it remains to be seen in my mind, but from a conceptual standpoint, to say that it's not tied to anything, I think that's just ignorant.

Well, it's tied to the same... it's tied with the same level of strength of ties as our current system is to social norms, right? Like, if you're talking about the stakeholder model, you're talking about our backup holding social norms, and right now I already trust an enormous number of institutions in my everyday life, ranging from the gas station, to not be watering down
my gas, to, you know, the bank that I use to pay my rent and stuff. And so in that sense proof of stake is not necessarily worse than our current systems, but because of the level of social, unprovable, nonquantifiable stuff going into just persuading enough people's opinions, I don't like it as a base layer of things for confirmation. The reason I like thermodynamic energy, and in fact also why I like proof of space, is because it's something that you can't fake. You can't fake thermodynamic energy. You can't fake space. I might be able to Sybil attack the board of directors. I might be able to convince them one by one that I'll harm their families if they don't vote in a certain way, and so on.

And proof of stake is literally just locking up your coin. That's it! It's just saying, hey, I believe this network to be true. Yeah, sure. And the thing is, if it's not true, that's also provable by anybody who has access to the network. The protocol's open, and the software that runs the protocol is open, and everything operates on the same language of how to communicate and what is true and what is not true. Proof of stake is just a way of disincentivizing people from being dishonest actors, and the reason they can do that is because it's public. So it's kind of invalid in my mind to say that it's a voting mechanism. It definitely depends on the implementation of proof of stake; they're not... and in that way delegated proof of stake is not proof of stake, it's garbage. It's a protocol-level [unclear]. Now, there's also, and you're totally right to say that this is voting, that any of these are voting mechanisms, is a misinterpretation of what one vote, one CPU meant in the original white paper, and it's sort of like an on-purpose misunderstanding that people make, that you're voting on the order of the blockchain, of the ledger, because technically, abstractly, that is kind of what you're doing, but it's not like you're voting every block for every change, right? And so investing in it, that's what you're doing. You're literally staking your stuff and getting a return for doing some basic work, like really easy work, and because you have money in the network and you're locking it up and taking it out of the economy, you're basically giving value to the network itself through its own coin, which to me is just like, that's a bit... it's using the resource of value and labor rather than... I think it's quantifiable. I don't think... I think it is a type of... a lot of what's happening with Eth 2.0 and the way proof of stake is being mapped out in there. I think, yeah, all the things that people talk about with stake is mostly delegated proof of stake, like Cosmos Tendermint.

Yeah, I don't... I think there's a good research project. Yeah, sorry, didn't mean to say that. Like BitShares and stuff, I think, was also delegated proof
of stake. These are nice ideas, but they don't work out. They're totally cabal-ridden. So I think that proof of stake is nice for certain things. I just don't want to base a currency on proof of stake. If I'm going to be basing something like a currency on... I mean, I'd be fine basing a derivatives market or a stock market or something like that on proof of stake, but the idea of basing a base currency on stake instead of thermodynamics or space or raw time somehow... I mean, you can't have time without a clock, and you can't have a clock without proof of work. If you're thinking about it in terms of fundamental physical stuff, like physics stuff, there's space and there's time, and these are things that can't be faked. And stake can't really be faked, because you're constructing signatures and they're unforgeable, but they don't have a direct one-to-one relationship with space or time or energy, and because of that I just don't think that they're as elegant of a solution.

Well, I think, I mean, I'm still in the camp of the [unclear], but I like the Ethereum model for that so much because it's inheriting the thermodynamic properties. Yeah, it's been bootstrapped by proof of work, which means, like, for all these years, since 2015, it's been mined, and all that thermodynamic energy gave value to the network, and then it decided, okay, we've already distributed the value through this elegant proof of work system. Now we can sort of find another way to incentivize it that doesn't use that wasteful system and instead inherit the value that we've gotten before, and now our currency, since it's already been distributed, you can just invest it, and that's good enough to me.
I think that's, I mean, personally, and I think that my big concern with proof of work is that it's actually a barrier to entry and actually more cabal-ridden than proof of stake. Anybody could go out and buy thirty-two ether right now and become a staker in the network when proof of stake comes out, right? But not everybody can buy a mining farm in China.

Right. Let's leave that; I've heard that in other discussions. So I wanted to use what you just said as a perfect transition to what I would like to move the conversation to, and that is, most of the, I'd say, arguments against proof of work is the unfair distribution of the hardware required to mine, and this is mainly geared towards Bitcoin and things that are mined with ASICs, or like those specialized ASICs. Now Cryptonight, the way in which you mine Monero, is changed. It's different. It's, you know, ASIC resistance, or what they call that. Can you explain a little bit about that, and also the distribution of required hardware for mining Monero?

Right. So if you go back to the CryptoNote white paper, one of the things that jumped out at me when I was first reading it years ago, which was what brought me to the Monero community, was this focus on egalitarian mining. And I feel like the author or authors identified this particularly important trade-off, which is this linearity or sublinearity in payoff for putting money into mining equipment. So, for example, if I quadruple the amount of money that I put into mining equipment for proof of work with that coin in particular, then I'm going to more than quadruple the amount of hash power I have, right? There's this superlinear growth in how much hash power I can buy per dollar as my dollars go up, and it's just an economy-of-scale thing. If I can buy a whole warehouse filled with miners, then I'm going to be able to operate at a better bottom line than somebody who's mining in their basement with two miners. So they identified this egalitarian mining concept as trying to make it as linear as possible, so that if you are going to want to quadruple your total hash rate, you're going to have to quadruple your investment. You don't get to spend one point five times your investment. And so the original Cryptonight hash algorithm was designed to occupy a lot of the L3 cache in a computer and, as a consequence, sort of force the hashing algorithm through some of the slower parts of the computer. In that way, every single computer, whether they were an ASIC or not, would have to fill up their whole L3 cache over and over and over again in order to find a nonce. ASICs were constructed for that, and our team decided that we were going to try to switch up the proof of work algorithm a little bit, in a way that made it so that ASICs that had been taped out for this project would then be useless.
So we specifically designed, not a change to our algorithm to keep the whole thing ASIC resistant forever, but to take any investment that people had made into ASICs recently and destroy it, which was arguably sort of a radical decision to make, because when we made our first proof of work change, our network dropped its hash rate by eighty percent.

So is that the solution, by the way?

No, it's not a long-term solution. I'll get to that in a second. Our whole hash rate dropped by like eighty percent, which means four in five miners were ASICs operated by whoever was making these ASICs. We've since changed our algorithm again, because we suspected ASICs had arrived, and again we saw about an eighty percent crash in hash rate. So that was with a six-month turnaround time. Somebody out there can manufacture ASICs rapidly enough so that within six months they can catch back up to where they were. And after speaking with a couple of ASIC chip makers and such, some people at Core Scientific in San Francisco and a couple of other people at the recent Bitcoin conference at Stanford, I suspect that an ASIC can be pushed out in thirty days or less.

So there's something here that I think I would like to say. Have you heard of or looked into any of the recent programmatic proof of work work being done in the Ethereum community?

Actually, yes. It's funny that you mention ProgPoW. I was sitting on the Zcash board of directors, or not board of directors, the grant committee, last year, and ProgPoW came up, and we discussed that, and we decided not to fund it.
But yeah, I'm familiar with that. Right now Howard Chu, who is with Symas Corporation and is a big contributor to the Monero community, has been working on a proof of work algorithm that is designed around randomly generating tasks so that only a CPU can really keep up, and I believe that he's presenting about that at the Monero Konferenco this June, which will be a really interesting thing, because we have some people in the community with very, very strong opinions about ASICs and proof of work, and they're all going to be gathering together and fighting in June. It's going to be great. It's going to be all on camera, I guess.

For the audience, so what ProgPoW tried to do, or is trying to do, is first to get rid of the concept of ASIC proof. That's not a thing; it's a farce. An ASIC can be made for any algorithm. The goal for ASIC resistance, in terms of algorithm development, is to develop an algorithm that maps to hardware in such a way that creating a specialized ASIC for that algorithm has no economic gain compared to commoditized hardware. And so, for instance, if you try and make an algorithm specific towards GPUs, you make one that works perfectly for commoditized GPUs, so if you were to make an ASIC for that algorithm, it's basically a GPU. So what you're saying is that Monero decided not to go for something like this because you want to lean more towards CPUs as opposed to GPUs. Is that a good way to say it? I thought that's what Ethash was originally supposed to do, in the original iteration anyway. They originally did a pretty good job; it's much, much better than, like, Bitcoin's proof of work, but there's still quite a bit of ASIC speedup along the way, in terms of like a fifty x gain for an ASIC, as opposed to what ProgPoW offers, which is something along the lines of like one point two.

So before you brought up ProgPoW, I was actually going to ask, I don't know a whole lot about that either, but we have these big random number generators which are called blockchains, and they are great random number generators, is basically what they are. And so my question is, why can't we just use that random number to create a unique algorithm every time? Is that what ProgPoW's intent is, or am I misunderstanding that?

As far as I know, that is not what ProgPoW was about. So, first off, the random number generator, the blockchain as a random number generator concept: the notion of a random beacon is one that's been around for quite a while, and hasn't quite yet been put into practice. The problem is that the information that you're putting onto the Bitcoin blockchain is adversarially generated. It doesn't necessarily mean it's malicious, doesn't necessarily mean it's wrong.
It just means that an adversary controls what is going into the random tape that is picking those random numbers. And if you imagine a computer as a little Turing machine, like a little computer with a ticker tape, a machine that has a random tape feeding into it and then spits out this output tape: if you can control the random tape that's going into it, then you can control the output tape, and even if you only have a small bias, you can add that up over time, right? After all, Vegas is built on a small bias. Right, it's called front running. Yeah, exactly. And so using a blockchain as a random beacon is problematic because it gives people who have a financial interest in screwing you over control over the random numbers that you're using for things, and that's pretty unacceptable. Unfortunately, all it takes is one extra transaction to throw the whole thing off, though, and if people are competing, so basically every block, you can't determine it until it's actually final. But if that's the case, then somebody who's trying to screw you over can spam the blockchain right before you're about to do a transaction.

All right, it's just that the generalized blockchain is not a very good random number generator, but maybe BLS signatures could be. Then how those work with, like, the DFINITY beacon chain, that's a very, very, very different story, but the way blockchains work now in terms of secure random number generation is terrible.

Oh yeah, susceptible to a lot of different social attacks associated with it.

Yeah, I have to emphasize that. It's actually, like, possibly... this is a very common idea that a lot of people bring up. It's possibly one of the most catastrophic things that anybody could ever actually implement. The reason is that almost all of cryptography is based on selecting a uniform random number from some set.
If that set is the numbers from zero to two to the two hundred and fifty-two or whatever, then so be it, but you're picking a random number from the uniform distribution. If you look at the nonce density of the Monero blockchain, just look up nonce density graphs, you will see how non-uniform things can really be when we're talking about blockchain data. And if you're talking about people who can manipulate random number distributions, allegedly pseudorandom number distributions, to the point where it's visibly non-uniform after only a few thousand data points, or even a few hundred data points, then you're already in a territory where people can forge signatures.

I didn't even know that. I just kind of figured that over time it would be very, very, very, very uniform just based off of... But what is causing that bias, out of curiosity? You're the math guy, I'm not.

Well, for example, let's say I was designing a casino that operates off of the last digit of the hash of the next top block, right? That's my random number generator, and what I'm doing is I'm running a casino. What I'm going to do is, after I've made a little bit of money in my casino, I'm going to go invest in thirty percent of Bitcoin's hash power, and then I'm going to be able to control thirty percent of all of the next oncoming digits.

Say that again, I'm sorry.

So let's say I build a casino, and all I'm going to do is I'm going to take the last digit of the next Bitcoin block hash, and depending on the output, I'm either going to pay you or I'm going to take money from you. Okay? All I need to do in order to make sure that my casino makes money is, all I need is like five percent of the Bitcoin hash rate. If I can get five percent of the hash rate, that gives me a five percent edge on every single bit that we're going to be using as an allegedly fair coin flip.

So basically you find a block that doesn't adhere to the way you'd like to do it, you throw it away and don't... Precisely.

Block withholding attacks are actually one of the most interesting things in the entire space. You guys are Ethereum guys, you'll like this. I think of Ethereum as a predator and Bitcoin is prey, and this isn't necessarily a positive thing, and I'll tell you why. Somebody can create a smart contract in Ethereum and promise their uncle rewards to anybody who publishes Bitcoin blocks that don't make it into the Bitcoin blockchain. As soon as somebody is like, oh, I can withhold Bitcoin blocks and get Ethereum rewards, well, since the uncle rewards in Ethereum are subsidized by the network, what you're doing is you're actually subsidizing an attack on Bitcoin's hash rate using the Ethereum network, and you never actually pay for that attack.
You just set up a smart contract and you just promise to give away your uncle rewards. And when you start talking about people being able to use smart contracts in order to prey upon the hash rate of other cryptocurrencies, the entire economy starts to vary and change. So when you're talking about something that involves random number generation, stuff like that, that's just the tip of the iceberg in terms of ways that people can try to maliciously manipulate blockchain data. If the Ethereum blockchain is subsidizing a block withholding attack on Bitcoin, then the casino example that I just provided you requires a lot less hash power to pull off, and that becomes significantly easier in a world where atomic swaps, or that kind of thing where cross-chain validations... So things like Polkadot could literally destroy blockchains. I don't know, technically, you know what I mean, they're going to fix it, but when you have interchain communication, you're opening up a whole new vector of attacks.

Yeah, a tremendous amount of interesting things to see in our future as the technology grows and the connections between the technology also grow, and that's kind of like, it's going to be absurd, and things like this are not only possible, they're more likely probable, because we're dealing with money. And without taking too much of your time, we've already taken an hour and a half, or an hour and ten minutes, of your time, so we should probably start to wrap up. Are there any questions that we probably should have asked you, or you wanted us to ask you, that we didn't get around to? [unclear], some of our best episodes.

I love this. Just make sure you cut out that part earlier when I was lame. If we're keeping it, I know you said that it's sort of the thing, it's okay. So, gosh, I'll be honest, I don't have any. I can talk about Monero all day. There's a bunch of questions.
I'm going to Clemson University next week to give a talk on the cofactor malleability exploit that led to, like, a minting bug in Monero in January of two thousand and seventeen. No, and it's provably not exploited in Monero, and then in Bytecoin somebody minted sixty-nine million Bytecoin just for fun. So I don't know, like, there's a bunch of different interesting things. There's another, there's this show called Breaking Monero that I've been occasionally doing with Sarang Noether and Ehrenhofer, who's, you know, an all-galaxy player, where we talk about all the things that are wrong about Monero, or things that have been going wrong, or things that can be fixed, ways to break it, ways to violate privacy, ways to, like, basically blockchain analysis, although it's not nearly as rigorous as some of the red teams that I've seen. And so, like, honestly, these topics are rabbit holes, and for every topic that we brought up today there's an example from Bitcoin and there's probably an example from Ethereum and there's probably an example from Zcash...

...and we could probably spend all day, but no, I don't have any other recommended... Oh yeah, buy tickets to the conference, guys, go to Monerokon dot com, with a K, and check out the first annual Monero conference. I'll be sure to include that in the show notes, and I would like to have you back on, if we can, at a regular cadence, because I really enjoy this conversation. I know Colin has, and if anyone had any type of issues with the research being done and the legitimacy of the research being done in Monero, I think those are, you know, sufficiently quelled at this point. And so that's it for the show. We definitely appreciate your time and look forward to future conversations. Yeah, thank you so much for having me. We at Monero, we really, I don't want to say we... We at Monero Research Lab, we really value educational outreach and going on shows and answering questions for people. We're also extremely shy, introverted types. I can ask Sarang to see if he wants to hop on on a future episode, but this has been great and I really want to thank you guys for having me. ... Thanks, have a good one.
