Hashing It Out

Episode 42 · 3 years ago

Hashing It Out #42 - Monero Research Lab - Brandon Goodell

ABOUT THIS EPISODE

We shouldn't pick favorites, but this is definitely one of our favorite episodes so far. We have the extreme pleasure of learning from Brandon Goodell, Research Associate at Monero Research Lab, about Monero, how it's designed, privacy in Monero and how it compares to other coins like Zcash, scalability, and consensus mechanisms in general. This is exactly the kind of conversation we built this show for, and there was more than one eye-opening moment. Definitely scope this one out!

Links

  • https://www.getmonero.org/resources/research-lab/
  • https://github.com/b-g-goodell
  • https://monerokon.com/

Sponsorship:

Thanks again to Trail of Bits for sponsoring this week's episode. Go check out their great article on how to safely store cryptocurrency and while you're there, check out all their content on the blog! Stay safe out there.

Hey everybody. Before we get the show started, I want to tell you about our sponsor for this episode. Once again, we're sponsored by Trail of Bits. Trail of Bits is an auditing firm in the cryptocurrency community. They're available for consulting services, for doing audits on various smart contracts and apps, as well as company infrastructure and setting up process and procedure. They also released a suite of tools, open source to the community, free to use when developing smart contracts, that integrate directly into Embark and Truffle, as well as run on their own. So they're really great to use. Lots of it is mentioned in tutorials on trailofbits.com, and how to get to use them. This episode, on the other hand, talks about a few of the other things they do. Last time we mentioned the conferences that they hold. This time we're going to talk about a lot of the blogs and writing that they do to give general ideas on best practices and how-tos on how to navigate your way in this space. In particular, we wanted to highlight a blog. It's called "How to safely store cryptocurrency." In this blog, Trail of Bits goes through the process of making sure that you own your private keys, secure private keys and maintain them safely. We'll include that in the show notes for you to check out. Highly recommend it, as well as everything else on their website and blog. I really enjoyed reading these things, going through the analysis they give, as well as some of the insight and how-tos on how they help you navigate the space securely, safely and efficiently. Enjoy the show.

Welcome to Hashing It Out, a podcast where we talk to the tech innovators behind blockchain infrastructure and decentralized networks. We dive into the weeds to get at why and how people build this technology and the problems they face along the way. Come listen and learn from the best in the business so you can join their ranks. Welcome back to Hashing It Out.
As always, I'm your host, Dr. Corey Petty. I have my trusty cohost with me, Collin Cusce. Say what's up, Collin. What's up everybody? Today is episode forty-two, I believe, and today we have another outstanding guest, highly technical. It's Brandon Goodell, a researcher. Dr. Brandon Goodell, sorry, the researcher for Monero. Is it the Monero research institute? What exactly is it called? It's Monero Research Lab. It's the name that we came up with in two thousand and fourteen and it's kind of stuck. And I'm looking through your LinkedIn. You are legitimate, like this is a postdoctoral research position for you, am I correct? So this is the problem with having a crowdfunded open source project: you can kind of pick your own title. One of my former advisors gave me the advice to call it a postdoc until you know you're not in academia anymore. So I do postdoctoral work, I have a doctorate and I do doctoral research. I don't have people advising me in the same way a traditional postdoc would, and so I've sort of changed my title to research associate to be a little bit closer to the reality of the situation. Makes sense? In that case, why don't we give you a quick introduction, or allow you to introduce yourself? How did you get into the space? Like, how did you get into doing kind of bleeding edge research on cryptocurrency and blockchain and related technology? Well, in two thousand and thirteen, another one of the Monero researchers, Sarang Noether, introduced me to the idea of Bitcoin and I was laughing really hard because, you know, it's like you're mining Bitcoin in your basement and you're making money on your computer. That's just ridiculous.
But I started looking into it and there was this point where there was this intellectual switch that got thrown. I realized I was trying to learn about Bitcoin without learning about it, and I was being really lazy about learning about cryptography and hash functions and stuff like that, and the switch was thrown in my head where I was like, okay, I actually need to learn how this works from the ground up, under the hood, cryptographically, on the computer science end of things, how the network works, everything. And at that point I started looking into other white papers and looking into other coins, and Riccardo Spagni, the lead developer at the time, Fluffy Pony, he contacted me about doing a review of the white paper for Monero, the CryptoNote white paper, and he offered to help pay my rent a little bit in the middle of grad school in exchange for a review of the CryptoNote white paper, and that's how I got sucked in. So two thousand and thirteen, two thousand and fourteen, I guess you're looking at this stuff, you're trying to differentiate between fool's gold and, like, actual gold. Yeah, really, what is this? Like, is this Candy Crush gems? Yeah, that's how I kind of originally approached it, like, come on. And then, you know, you look into it, you see this. So one of your earlier comments a long time ago is basically you still seemed a little skeptical around that time, and you said you're getting into Monero, which seems like Bitcoin's cousin or something. So how did you sort of feel when you saw Monero, and what did you actually... let's step all that back a bit. What is Monero? How does it work? What sets Monero apart from Bitcoin? What are the fundamental concepts which make Monero have a specific level of privacy, and what are the limits of those levels? So firstly, unlike other cryptocurrency projects, Monero is not a fork of Bitcoin. We have a completely different protocol called CryptoNote. That was described ostensibly in two thousand and twelve, but that's a debatable thing. Monero has kind of a shady beginning history. But what's interesting about Monero is it operates very similarly to Bitcoin, in the same way that you have a transaction and that transaction consists of some inputs and some outputs and a fee, and those transactions are all recorded on a ledger in a consistent way, in a way that everybody can check that it's correct, right? So these things are very similar to Bitcoin.
Anybody can hop on the network and anybody can help them, and anybody can hop on the network and transmit a transaction. So it's permissionless, just like Bitcoin. The differences are sort of in the abstract, but as a consequence the fundamental architecture is very different. So, for example, one of the things that makes Monero different than Bitcoin is that Bitcoin is sort of like a classic check, right? Like everybody's written a check to their landlord. It has a from, it has a to, it has an amount, it has a date. In Monero the from field consists of eleven other people, or ten other people, so you can never really tell exactly which of these people the transaction came from. So having a Monero transaction is sort of like having a check, except you can't really tell who signed it. And that's the first way that Monero protects people's privacy. The second way that Monero protects people's privacy is that it sort of obscures the amount of the transaction, so that somebody looking at this transaction, instead of seeing a usual check with a from field and a to field and an amount, they see a from field with like eleven possible senders and they see an amount field that just looks like arbitrary garbage. It looks like white noise. And so you're hiding who's signing a transaction and how much they're sending, and the only real question is whether or not you can hide who receives the transaction. And of course, if you're announcing these transactions on the network, then you also have to hide where the transaction is coming from, with like your IP address, broadcast over Tor or whatever. So there are a couple of routes to try to verify a Bitcoin transaction. One of them includes checking the key. Another of them includes checking that the amounts add up to zero, the inputs minus the outputs, and so on and so forth, and Monero has an analog for each one of these things.
But since we try to obfuscate every component of the Monero transaction, sometimes our checking systems can be pretty complicated. For example, if I want to send a hundred Monero to Collin, but nobody can check if my transaction actually consists of a hundred Monero, then I could send him a thousand and send myself negative a thousand, and it looks like I sent zero. And if I can do that, then we have certain problems. So when we're obfuscating any amounts, we need to equip them with range proofs, and our range proofs are built with Bulletproofs, which are an extremely fast implementation of range proofs. So basically, when I say that Monero is like a cousin of Bitcoin, I mean for every little component that exists over in Bitcoin, there exists a corresponding component over in Monero, except it's designed to try to protect your privacy. If I had to kind of maybe recap that, in a lot of ways it's like when I try to explain Bitcoin to a lot of people, I often tell them that it's not necessarily the components that make up Bitcoin that are new and novel. It's the way in which they were combined that made the whole thing novel and gave us kind of digital scarcity. But each of those components exposes something about the end user, in terms of the pseudonymous name, the amount they're sending, where they're sending it from, so on and so forth. And when you try to explain Monero, maybe what you just kind of said, is that it tries to take all of those components, figure out what's being exposed in terms of user privacy, and tries to obfuscate that as much as possible using different components or improved components. That's a fantastic summary. That's a fantastic summary. And if you look at something like Zcash, which is arguably our best competitor in terms of privacy, they sort of do the same things, but they try to throw it all under one big ZK-SNARK umbrella. And there's tradeoffs to the two different approaches. But that's basically entirely correct. So, without giving too much judgment on either approach, what are the tradeoffs there? Well, the primary and most important tradeoff in my mind is the trusted setup. Zcash and Monero vary from each other because I can construct a Monero transaction without ever really having to trust that some random number was correctly thrown away, but if I use Zcash, I do need to trust that.
Now the thing is, we can argue about whether or not this trust model is practically important, because almost all of us use Wells Fargo or US Bank or some bank system that is practically already an intermediary in controlling our transactions, and so by moving from something like Wells Fargo to Zcash, I view that still as a net gain, because even though I'm trusting a third party in some way, it's not in the same way that I trust Wells Fargo with my information. And, of course, moving from Zcash to Monero, I no longer even need to trust that the original developers were honest in the way that they executed things. And if you guys remember the recent dust-up about the transcripts from the Zcash key generation ceremony, it's not always obvious whether or not things were done correctly. And if something was not done correctly and then somebody purposely deletes a file in order to make it look like it's been done correctly, or in order to hide some evidence, that's sort of like a really great example of why we try to avoid the trusted setup in the first place. So, again, not trying to pass judgment on the Zcash development team, because there is an enormous amount of philosophical differences between the two communities that I don't even grasp. Just as a matter of practical trust, if you're getting into the Bitcoin space because you're into permissionless currency, Zcash seems like, well, it's better than Wells Fargo, but you're still trusting a third party. And yeah, so that's interesting to me. I kind of see where you're coming from with that. There are benefits to SNARKs, which is probably why they chose it, in that it's a bit faster. Oh dude, SNARKs are really cool technology. Yeah, I love them, they're fantastic. But like, in the end it's not the SNARKs that I'm criticizing, just like the Zcash people aren't really criticizing the unforgeability of ring signatures.
They're criticizing the anonymity set sizes of ring signatures. What do you know about that? Oh gosh. So, okay, before I answer your question, I need to preface this, because this is the sort of conversation that can lead to FUD, so let me just be really clear here. A black hole in the middle of the galaxy leaks information about the contents behind the event horizon. There is no way that ZK-SNARKs or ring signatures are ever going to completely protect your financial information from the most prying of eyes. Maybe I can interject here and change, I think, what the arguments of both networks tend to focus on. No part of it is the actual technology and what's being obfuscated. A lot of it is what you've mentioned, just this thing called an anonymity set, and that is the amount of forensics we can do with the available information to decouple what's obfuscated from users. So the short answer is yes: the ring signature setups that we currently have, because of our anonymity set sizes, the information that is leaked from our system can be leveraged to greater effect than the information that is leaked through ZK-SNARKs. However, both can be leveraged like crazy, and if you look at recent linkability papers, both for Monero and Zcash, the situation isn't as private as the public-facing PR departments want you to think. And that's why I mentioned that the black hole is never really going to protect your privacy in the same way. You know, like the changes that we can make to Monero to improve anonymity set sizes. Let's say I'm writing a paper right now and there's some statistical evidence that hasn't come out yet. It's like preliminary evidence that suggests that relatively small ring sizes, like twenty, can be just as good as a ZK-SNARK. If that's the case, then is there really that much of a practical difference between the two coins? I'm not so sure. If both coins can be linked in a probabilistic way, in the same way that Twitter can sort of figure out your interests in life, whoever's watching the blockchain might not be a hundred percent sure that you were spending at this particular vendor, but they are like sixty percent sure, and that might be enough in some sort of tyrannical regime, you know, North Korea or something like that, for you to get killed. But if that's the case, then you're talking about a threat model where just using cryptocurrencies is enough to get you shot. And so the main difference between Zcash and Monero is that Monero focuses on plausible deniability. You can't plausibly determine the path of money, and in a court of law, in a nation of laws, that's probably going to be good enough privacy. I'm not sure if I answered your questions directly. Sorry, but you know, I like to bring in the bigger picture of this as well. It's not alone going to be enough, but it is a trail that can be followed and lead to other evidence. Yes, and in fact both blockchains can be leveraged with each other.
So anything that I learn about a user on the Monero blockchain I can then apply to that same user on the Zcash blockchain. I might not know which user he is, but I can apply that information, and in fact vice versa. For example, if I'm a KYC exchange and I'm watching all the Zcash transactions that are coming in and out, first off they're already all transparent, so I'm going to be able to glean quite a bit of information. Even after Zcash deprecates their transparent addresses, these KYC exchanges can still track everything that's going on at the exchange, so they can already comply with the law in any way. So you know, there's a certain point at which... it's not a perfect laundering system, is basically... My big fear about Monero is... I am a low information person when it comes to Monero. I think a lot of my focus has mostly been in the Ethereum space and a little bit in the Bitcoin space, but Monero I've just kind of not looked at too deeply, just laying that out. Sure. When I hear about it, to me it sounds like a money laundering machine, but if you think that's actually not the case in any real sense, do you think the same thing about Zcash? I'm curious. Yeah, okay. I actually have a differentiation there. In a lot of ways they both could be. One has particular use cases, because the one pivotal thing that Monero does is that it's private by default. So the anonymity set of people using the privacy features of Monero is everyone, whereas with Zcash it isn't. It's much more difficult to actually use shielded addresses. That makes a huge difference in the actual granted privacy of doing things when using the privacy set of a given blockchain.
That being said, I feel like the initialization of Zcash was mostly, and this is maybe just my personal opinion, for research funding, for research purposes of pushing the idea of the novel cryptography that makes it up, zero knowledge SNARKs, and the cryptographers that do it. This gave them a really good funding mechanism to push that research and make applied cryptography in that area. Monero potentially initialized or started out with different purposes, but then grew to a much more legitimate project. And then you have who's actually using it. And since the darknet and the darknet marketplaces started opting in for doing Monero by default, that changed the perception of what Monero is used for drastically, even though it's, you know, what it could potentially be used for. So there's a lot to unpack here. Firstly, okay. When you say money laundering machine, I have to stop you, because the thing is, if we don't think of cash as a money laundering machine, then we should not think of Monero as a money laundering machine. And if we think of cash as the currency of choice of somebody who wants to buy a banned book in an authoritarian regime, like if you want to buy the Bible in North Korea, you're not going to be using your state credit card, right? You're going to use some sort of cash or bartering. And so the thing about the phrase money laundering is that it's so loaded. Money laundering is a crime. You're hiding your income from the government so that you can avoid paying taxes or whatever. But general criminal usage of a technology is a tricky thing. Whether or not a tool is criminal itself, I'm not so sure about. I do know that not all laws in all nations are just, and so what is a criminal act in North Korea may be considered a just act in America, and so I really try to stop thinking of these... To be fair, I was actually speaking in a more abstract sense. So right now, if you buy a bitcoin that's dirty, there's no way for you to really un-dirty it, right? But if there's a marketplace for dirty bitcoin, which there probably is, then there's, you know, use cases where somebody can still use a bitcoin that's dirty because they're doing dirty things anyways, who cares? And then you have this dirty bitcoin. You want to get legitimate bitcoin. One way to do that would be to sell the bitcoin in exchange for Monero and then from Monero buy clean bitcoin. Yeah, and all that does is taint the new clean bitcoin. Does it really? So if you use, let's say, cash. Okay, you give the example, so perfect. So I meet somebody in person at a coffee shop and I say I want your bitcoin, you want my Monero, let's do a trade. Nobody's going to trace that. So a moment ago Corey just described one of the benefits of Zcash over Monero, the anonymity set size.
And then he followed it up by saying, but you know, if it's transparent and it's hard to use the shielded, then, like, who cares? What you just described is the Monero equivalent of entering the unshielded pool and then going back into the shielded pool. Explain, I think, again. And also, what's a shielded pool? So the shielded pool in Zcash is the pool of coins where you can't tell which one's being spent at any given time, and the transparent pool of coins in Zcash acts almost exactly like Bitcoin, totally transparently. And one of the criticisms, one of the ways that you link Zcash transactions, is you watch somebody send a transaction out of the shielded pool and then send it back into the shielded pool, or vice versa. A transaction goes into the shielded pool for a certain amount, and since it left a transparent address, you know what the amount is. And then just a few moments later, the same amount comes out of the shielded pool to a new transparent address, and anybody who has half a brain can look at those pairs of transactions and say one point four seven one two eight Zcash went into the shielded pool and then one point four seven blah blah blah Zcash went out of the shielded pool. Gee, I wonder what happened there. Right. If you do the same thing with Monero, you might take some Monero, buy some bitcoin with it, send it to a vendor. The vendor may then immediately buy some Monero with it, and anybody would be able to look at those transactions and link them together, both on the Monero blockchain and the Bitcoin blockchain. Or it can go in the other direction, and you were not buying from a vendor, but you're trying to clean a bitcoin like you just described. You have a dirty bitcoin, you buy some Monero and then you immediately sell it for the same amount of bitcoin at a new address. All you've done is link the two blockchains together.
You haven't obscured anything. Not necessarily, but yeah, I mean like this personal exchange as well. But yeah, I see what you're saying. Right now, the one way that we think at Monero that you can avoid these problems... For Zcash, okay, in any case, if you're going to a transparent pool with transparent amounts, you're not really going to be able to avoid the problem. But if you're going to, for example, in Monero, you're doing totally default transactions, all of the amounts are shielded. You can send a transaction to yourself a couple of times and this will reduce the probability that somebody can link the inputs and the outputs. Okay, and that's called churning, and we're currently writing a paper on formalizing that. Okay. So every time, sorry, every time you send a transaction in either the Zcash shielded pool or Monero, you can think of it as taking a step further into a bigger and bigger crowd and then trying to get lost in the crowd. So if you send a transaction to yourself a couple of times, you go really, really deep into the crowd before you construct your true transaction, and then somebody's like, oh, well, I know this money came from somewhere in that big crowd of people over there. That makes perfect sense. Yeah, I didn't even think about that. So you can actually, yeah, okay, that makes... okay. And when you say send money to yourself, you mean literally create another address? You're not actually sending it to your same address. Correct, in Monero you can send it to your same address. Holy shit. Because of the way it defaults, like there is no turning off the privacy features of Monero, so by doing it every time you do something, basically, oh my God, it mixes all of the coins. Well, I wouldn't say it mixes, but yeah, essentially. So Monero addresses are just like Bitcoin addresses. When you're talking about wallet addresses, well, I don't want to say just like, because they're from a different curve, but they're just a big string of characters. Every transaction is associated with a new one-time key that is generated from your recipient's public key. So you can send to the same public key over and over again. Every single time you're going to get a new one-time key describing your transaction, and they're not linkable between transactions, and so somebody can't necessarily tell that these eight different one-time keys went to the same person. So you can just send it to yourself. So that kind of changes the definition of... okay. So to me that's interesting. So it's not even like an account model, how you store things? Is that correct? Oh, correct. Account... so that's the same thing and all. Describe this please. Yeah, and this also might explain why you use Bulletproofs. Just to be... so, there's STARKs, there's SNARKs, there's Bulletproofs. SNARKs obviously require trusted setup. They're very fast, but not as fast as Bulletproofs, and, well, are a little bit larger in storage size.
STARKs, on the other hand, have a much larger footprint, and so if you're going to be doing this over and over and over again with this range proofing, then you're going to want a smaller footprint, which means Bulletproofs, despite the fact they're not... I'm sorry, SNARKs and STARKs are faster than Bulletproofs, or is it...? But what I'm saying is the contextual footprint size that you're concerned about, which is why you would choose Bulletproofs over STARKs, is the footprint size. That's actually an interesting question, because, okay, let's say the blockchain is going to grow at a fixed rate for the next year and each transaction has a fixed size, right? One question that we ask at our research lab before we make any changes or consider changes is, okay, after one year, what's the download and sync time going to be for a new node hopping onto the Monero network? And if our change is going to make the download and sync time better than if we did not make the change, then we'll make the change. So let me give you an example. Ring signatures. We currently have a handful of sublinear ring signature schemes, and for the people in the audience, this is proving that you know one of any number of different keys. But it's sublinear in the sense that it takes up less than big O of n space. So it's like logarithmically sized, so proving this is less than linear in space, yes, but in verification time it's always going to be linear. There ain't nothing you can do about that. You always have to touch every bit of every key, otherwise you're going to be breaking unforgeability. So the confirmation time, the verification time, is always linear in the ring size. But we have a couple of sublinearly sized ring signatures.
So the question is, if it takes a certain amount of time to download the blockchain and then for each of those bits I need to verify it, if I add together the download and verification time after a year, will I get a payoff? And it turns out that these sublinear ring signature schemes, even though they save space, are a little bit slower in verification time. So after a year, even though our blockchain would be significantly smaller, our verification time would have blown up and we would have had a problem after a year. So we haven't instituted any of these nice sublinear ring signature schemes, which would give us really big anonymity set sizes, specifically because verification time is still just going to be murderous. So these little tradeoffs between space and time, for example, occur throughout all of the development process in cryptocurrencies. Right now, in the privacy space, we have ZK-STARKs and ZK-SNARKs, and I'm not actually going to comment much on either of those, because even though I technically know what they are, how they work, so on and so forth, I'm not an expert in those things and I don't want to overstep my bounds. But I do know that bulletproofing a statement is slower than ZK-SNARKing a statement, depending on the statement. A Bulletproof is a general proving system for proving linear relationships. It's basically an algebra game, and it's not as fast and efficient as ZK-SNARKs, but it still can prove almost arbitrary arithmetic circuits, which is really cool. And then there's our ring signature schemes. And if you think things have gotten complicated with acronyms by this point, our ring signature schemes are about to explode, because right now, okay, our original ring signature schemes were LSAG schemes, and then we did ring confidential transactions with MLSAG schemes, for multilayered, and now we're looking into lightning-style off-chain stuff using dual-output DLSAGs, and we just figured out a way to save both on verification time and signature space with our CLSAG, compressed LSAG, signature schemes. So basically all of our signature schemes are about to blow up. On the plus side, we have compressed our ring signature schemes, and one year from now it's going to be a lot faster to download and sync the blockchain because of the changes that we're making over the next couple of weeks. Oh really, what are those changes? Oh, so, I believe his name is RandomRun. He's a Monero contributor on GitHub. He realized that we could compress our signatures by computing things in a slightly different way. It makes smaller signatures, and after testing it, it looks like the signatures are faster to verify. So not only do we have the speed gain but also the space gain. So like one year from the next big fork that we implement this... I don't think it's going to be going into the next fork, but one year after the fork after that, you're going to be able to look at the Monero blockchain graph and see the day that our small, fast signatures went live. It's going to be pretty cool. You think that there's a lot of, I guess, funding of legitimate cryptography research going into Monero. Are you...
Are you sharing this with other projects? Do you feel like other projects are doing something in parallel? Is there redundant work in a lot of these things? Like, how does this work out? Because there's the technology that you use. Parts of it can definitely be used across the entire cryptocurrency space. Like signature schemes are useful across all applied cryptography, but how they fit in is, you know, subtle and the devil's in the details. But are you going to meetups? Is Monero actively participating in trying to bolster the security or privacy feature set of all cryptocurrencies, or communally, kind of? So actually, there's a lot of unpacking in your question again, because you asked about both funding and the participation of Monero in other projects, and those are two different animals. So the first thing is the Monero crowdfunding system. It's actually how I get my salary. Technically, anybody can apply to get funding from the Monero crowdfunding system and ask the crowd for money, and anybody will be able to get that money if they can convince the community to pay for it. That's how me and Sarang both got our jobs, as we humbly went to the community and we said, Hey, we have cryptography experience, we would really like to work for you guys, and we got hired. That's how the Monero open source hardware projects are getting paid. And so the Zcash Foundation, or not, not the Zcash Foundation, the Electric Coin Company, recently instituted a new, similar funding model so that people can start applying for grants. Or maybe it was the Zcash Foundation. I always get the two confused. So, in terms of the funding model, if anybody out there wants to get funded from the Monero community, the only thing that's stopping you is your ability to convince the Monero community to fund you. And I know that sounds silly because technically it's always true.
The only thing stopping me from getting funded from the city of Denver, I guess, is me convincing the city of Denver to give me money for some random project, right. It's always true, but in this case you can go to getmonero.org and you can open up the crowdfunding system and it's sort of like crypto GoFundMe. So that answers the question about funding. In terms of funding for other projects or getting funding from other projects, Monero Konferenco is actually partially funded by the Zcash Foundation. They are one of many donors. They just donated directly to the Monero Konferenco, which is our first annual conference that we're holding this summer, and they just donated as if they were a regular Monero community member, along with all the other Monero community members. So we have interactions with various projects. In fact, I do want to speak a little bit more about that in a minute here. And actually, I guess your other question was involvement, and this fits directly in with that perfectly. So, yeah, we're hosting the first Monero conference this June and it's partially funded by the Monero community, just all donors, and then the rest is coming from ticket sales and sponsorships. So if people want to come out to Denver this June to attend the Monero conference, we would love for you guys to come out. Not all the talks are about Monero specifically. We're trying to have talks on privacy and society in general. And so, personally, I haven't gone to a lot of meetups. I tried to hold a couple of Monero meetups recently and I just don't have good control over my own calendar in general. So, like, I'm really bad at stuff like that. So hosting the conference has been an interesting challenge. But yeah, I think that answers both your questions. All right. So something I really want to touch on here. I think we brought it up in a previous episode. I just can't remember which one. It's some concerns about scalability with regard to blockchains in general. And who did I ask this? I can't remember. Maybe you'll remember after I say the question. But I asked, can layer two solutions, such as state channels, work on privacy coins like Monero? And I think maybe a side question on that is smart contracts as well. How does all that work in Monero right now? I don't think you have a scripted smart contract system, or maybe you do. I don't know. Correct, we don't have a smart contract. We don't have a scripting language, I should say. We currently have a version of multisig. Writing the multisig version of ring signatures is a weird and strange land to be dwelling in mathematically, but we have multisig, and so as soon as you have multisig you have the ability to start doing some of the very basic, for example, off-chain atomic swaps from the original proposals. So like as soon as you have that you're good to go. Also, that DLSAG signature scheme that I mentioned earlier.
Me and Sarang and Pedro Moreno-Sanchez at TU Vienna and another co-author, we're currently working on a paper describing return addresses in Monero for use in off-chain or like state channels and stuff like that. So the short answer is I don't know about the scripting language. I don't know how far off that is, honestly, or whether or not we're ever going to do it. But I do know that the idea of a lightning network for Monero is within spitting distance, and that's kind of been our current, I wouldn't say our current focus, but it's been an active area of research. Okay, so let's dissect this a little bit. So that's a payment channel and that's great and that's essential. If that's the core focus of Monero, that's basically all you need, really, for, you know, a payment channel is not a state channel, but it is a scaling solution. It's off chain. I assume it would have similar privacy safety measures as Monero using Monero's packing system. But let's just say we're looking towards the future and we want to make a privacy coin or we want to extend Monero to have some sort of automated contract state. Okay, which you don't know when that will happen, but I understand. But what are the concerns with scalability in taking, you know, those kind of things and making them scale as well? Like, first off, what are the scalability concerns of Monero presently, because I don't know that very well. Okay, so, before we get to the scalability issues of Monero, the way you're describing, for a smart contract or digital assets scheme built on top of the Monero blockchain, that's what Tari Labs is working on right now. This is Fluffypony, one of the lead original developers of Monero, working with Naveen Jain from, gosh, there's so many company names. They're building Tari Labs. Their whole purpose is to build a side chain on top of Monero that does digital assets.
So in fact I believe that you can download the Big Neon app to buy concert tickets already and get tickets through Tari. I'm not so sure how decentralized their system is yet, but I do know that that's like one active area. So getting back to the scalability issues of Monero. So my big white whale in Monero, it actually isn't scaling, it's privacy, because I'm genuinely concerned that somebody somewhere is going to be using Monero to keep themselves safe and then a stupid decision on my part is going to get them harmed somehow. Personally, I think that privacy, especially financial privacy, is like a human rights issue of the twenty-first century that we haven't noticed yet, especially if you look at Equifax and Facebook, and I mean some of us have noticed it, but yeah. We've rousted. Yeah, right, our whole audience has noticed that. Yeah, we are all on the same page. The general public... I say, for instance, like I think what we're trying to get at is, say for instance, stuff takes off, we have mass adoption, people are using it without necessarily knowing it. What is the consequence? Like, how does it make you feel if you're the one who created that system, and it ends up having some fault that actually gets someone hurt because they thought they were right, but they're not? I mean, like, I guess what I mean is, the reason I say this is because, okay, blockchains are big and they're slow and they grow over time. They never get smaller. You can't make a blockchain smaller. I mean, I guess you can prune, but then you're talking about light nodes and that's a whole other security issue. If you look at something like, okay, so in Monero, the way that we protect against double spends, remember earlier I was mentioning that, you know, we could construct a whole ring and you can't tell who signed the transaction. You need some way to protect against double spends, and the way that we did that was with key images, and the way that we... so we basically take like a hash of the key that's signing the ring signature and we're including that in the transaction. But that means that every miner needs to keep track of every key image forever to make sure that there's no double spend attempts in the future. So now you have an extra set of information that every miner needs to keep around forever. And so, like, there's a bunch of scaling issues that are built into cryptocurrencies that just seem to get bigger and bigger over time with no way of making it smaller.
I don't want to... the advantages of an account model, right, you can actually say, Hey, all right, well, after this point, I could kind of say, like, these accounts are squared away, I'm pretty sure this is correct. Yeah, yeah, that's pretty nice. So like you can't really do that with Monero, can you, right? The problem with account models is, man, they are so vulnerable to reorganizations. Right, like if the past twenty blocks get reorged, or ten blocks get reorged, and your new ten blocks have transactions occurring in a different order, all of your accounts are all garbled, and some accounts that maybe should have lost money don't, and so on and so forth. Account based models are extremely vulnerable to network reorganizations, or, excuse me, blockchain reorganizations, due to network dynamics like delay and latency. So they make it pretty hard to run a permissionless cryptocurrency network unless you have a really long confirmation time, which most people don't find acceptable in any way. Personally, I wouldn't use a cryptocurrency that has an account based model unless it had longer than like a twenty-four hour confirmation time and probably a huge hash rate. What's the time to finality? You know, acceptable time to finality and confirmation on Monero? What's the equivalent of that on Monero? It sounds like you don't do that. So I mean, don't reorgs still happen in Monero? Oh yeah, reorgs happen in Monero all the time. But if you're doing an output based currency, then a reorg can't turn an account negative. Got you. Right. So output based currencies are always monotonically growing, but are extremely resilient to reorgs, which makes it particularly suitable for a decentralized network. Account based stuff is really good for centralized organizations.
Okay, that's something I definitely gotta take a little time to unpack, because I hadn't really thought of it deeply. Oh dude, this is something that, like, yeah, there's a whole class of concepts in the cryptocurrency space that every time I get exposed to them, I have to sit down for like an hour and twenty minutes and think about them and then I forget them, and a month later somebody's like, Oh, you forgot about Monero's stealth addresses. I'm like, God damn it. So, yeah, the account based model. There's a lot of things in this space. Okay, so the word specious is probably the single best word for two thousand and seventeen, two thousand and eighteen cryptocurrency. Like everybody sits around and makes these specious arguments that seem reasonable and they really aren't. And this is how you talk yourself into proof of space, or am I completely mistaken? I was like, proof of space, are we going to talk about that? Actually, no, I actually do have my doubts about proof of space, but for different reasons, and I don't want to quantify them because I haven't thought about them recently and I'll forget some fundamental concept and someone will be like, Hey, you forgot about X, and I'll be like, damn it. I'm particularly excited about proof of space over time. In particular, replication stuff is something I'm particularly looking at because it has wider implications. If they can crack it really well, it has wider implications than just cryptocurrency. It changes the game in the way that we store data and incentivize people with empty hard drive space. I'm really hoping that kind of works out eventually. Okay, so consider the following. What happens when proof of space becomes a thing and all of a sudden disk drive space becomes highly valuable? What happens? We have tons of just disk drive space. Yeah, who has the most? Centralized organizations, such as Amazon. Yeah, so as soon as you move to proof of space, you have Bezos coin. Yeah, except, well, I understand that, but like even then, you're just proving the space like you're worth. Like, yeah, they'll be the greatest miner on the planet, but that's okay because everybody benefits. Everybody would have their files literally being incentivized in a dynamic marketplace that's set through, you know, a demand market that's not regulated by Amazon, it's regulated by a decentralized protocol which can't be violated. If they do, then basically the system becomes itself worthless. Before we go too far into this, granted I can talk for a while, I don't know, on a tangent, I think it'd be interesting to go into what is a precursor to this. So that is the fact, like that also goes into account, the difference between proof of work and proof of stake is that, ultimately, when doing any type of consensus, there needs to be some resource that goes into weighing someone's vote in that consensus. With proof of work, that's typically some form of energy, which is then used to create hash power, which is then used to give you a chance at solving a puzzle that gives you the opportunity to add a block. So that's an external resource. That's energy put into the blockchain to help solidify it. Proof of space is actually using hard drive space as that external resource. Proof of stake gets rid of the external resource and uses an internal resource to do the same thing. Now go.
So the best explanation that I've heard of proof of stake, other than that one website that would allow you to upload a picture of a Ribby and you get a token or something, is that proof of stake is like a formalization, a cryptographic formalization, of the stakeholder model of a corporation. And when you have the stakeholder model of the corporation, you're inheriting all of the flaws and all the benefits of that model. So I'm not so sure if there's actually a resource that is at play in proof of stake. I know that a lot of coins try to tie energy somehow to stake so that they can solve the nothing at stake problem. I'm not convinced it's possible. If you look at proof of work, you're talking about thermodynamic energy. The laws of thermodynamics are what you have to work against in order to undo transactions in proof of work. Proof of stake, it seems to me that you just need to undo people's opinions. Which is fine, isn't it? Correct. So it's will power and work and labor that's being tied to the... so it's a more abstract concept, I would say, than electricity or, you know, hardware, for sure, but it's still, that's actual, like that's a real thing. Labor, energy, is a thing, and that's what I think proof of stake actually is. It's a measurement of labor, I'd say. Well, ideally, ideally, I think, right. You know, it remains to be seen in my mind, but, you know, from my conceptual standpoint, to say that it's not tied to anything, I don't think that's... I think that's just ignorant. Well, it's tied to the same thing. It's tied with the same level of strength of ties as our current system is to social norms, right, like if you're talking about the stakeholder model, you're talking about upholding current social norms, right.
I already trust an enormous number of institutions in my everyday life, ranging from the gas station to not be watering down my gas, to, you know, the bank that I use to pay my rent and stuff, and so in that sense proof of stake is not necessarily worse than our current systems, but because of the level of social, unprovable, non-quantifiable stuff going into just persuading enough people's opinions, I don't like it as a base layer of things for confirmation. The reason I like thermodynamic energy, and in fact also why I like proof of space, is because it's something that you can't fake. You can't fake thermodynamic energy, you can't fake space. I might be able to Sybil attack the board of directors, I might be able to convince them one by one that I'll harm their families if they don't vote in a certain way. And so voting in proof of stake is literally just locking up your coin. That's it. It's just saying, Hey, I believe this network to be true. Yeah, sure, and the thing is, if it's not true, that's also provable by anybody who has access to the network. The protocol's open and the software that runs the protocol's open and everything operates on the same language of how to communicate and what is true and what is not true. Proof of stake is just a way of disincentivizing people from being dishonest actors, and the reason they can do that is because it's public. So it's kind of invalid in my mind to say that... it depends, it's a voting mechanism, it definitely depends on the implementation of proof of stake. They're not. That's the fight, and that's my... delegated proof of stake is not proof of stake, it's garbage, it's a DAO, it's a protocol level DAO. There's also, and you're totally right to say that this is a voting... that any of these are voting mechanisms is a misinterpretation of what one vote, one CPU meant in the original white paper, and it's sort of like an on-purpose misunderstanding that people make, that you're voting on the order of the blockchain or the ledger, because technically, abstractly, that is kind of what you're doing, but it's not like you're voting every block for every change, right. And so vesting in it, that's what you're doing, is you're literally staking your stuff and getting returns for doing some basic work, like really easy work. And because you have money in the network and you're locking it up and taking it out of the economy, you're basically giving value to the network itself through its own coin, which to me is just, that's valid, but it's using the resource of value and labor. Rather than that, I think it's quantifiable. I don't think... I think it is a type of valid... or Collin is referring to a lot of what's happening with Ethereum 2.0 and the way proof of stake is being mapped out there. I think. Yeah, I don't think that. People talking about proof of stake is mostly delegated proof of stake like Cosmos, Tendermint. Yeah, I don't. Don't. I think there's a good research project. Yeah, sorry, I didn't mean to say that, like BitShares and stuff.
I think was also delegated proof of stake, like these are nice ideas, but they don't work out. They're totally cabal-ridden. So I think that proof of stake is nice for certain things, I just don't want to base a currency on proof of stake. If I'm going to be basing something like a currency on it... I mean, I'd be fine basing a derivatives market or a stock market or something like that on proof of stake. But the idea of basing a base currency on stake instead of thermodynamics or space or raw time somehow, I mean you can't have time without a clock and you can't have a clock without proof of work. If you're thinking about it in terms of fundamental physical stuff, like physics stuff, there's space and there's time and these are things that can't be faked. And stake can't really be faked because you're constructing signatures and they're unforgeable, but they don't have a direct one to one relationship with space or time or energy, and because of that I just don't think that they're as elegant a solution as proof of work. Well, I think, I mean, I'm still in the camp... but I like the Ethereum model for that so much because it's inheriting the thermodynamic distribution. Yeah, it's been bootstrapped by proof of work, which means for all these years, since like two thousand and fifteen, it's been mined and all that thermodynamic energy gave value to the network, and then it decided, okay, we've already distributed the value through this, you know, elegant proof of work system. Now we can sort of find another way to incentivize it that doesn't use that wasteful system and instead inherits the value that we've gotten before, and now our currency, since it's already been distributed, has... you know, you can just invest it and that's good enough. And then, to me I think that's valid.
I mean personally, I think that my big concern with proof of work is that it is actually a barrier to entry and actually more cabal-ridden than proof of stake. Anybody could go out and buy thirty-two Ethereum right now and become a staker in the network when proof of stake comes out, right, but not everybody can buy a mining farm in China, right. Leave the current news out of this discussion. So I wanted to use what you just said as a perfect transition to what I would like to move the conversation to, and that is, most of the, I'd say, arguments against proof of work is the unfair distribution of the hardware required to mine, and this is mainly geared towards Bitcoin and things that are mined with ASICs, or like the specialized ASICs. Now CryptoNote, or CryptoNight, the way in which you mine, the algorithm with which you mine Monero, is changed. It's different. It's, you know, ASIC resistant, you could call that. Can you explain a little bit about that? And also the distribution of required hardware for mining Monero. Right. So, if you go back to the CryptoNote white paper, one of the things that jumped out at me when I was first reading it years ago, which is what brought me to the Monero community, was this focus on egalitarian mining, and I feel like the author or authors identified this particularly important tradeoff, which is this linearity, or sublinearity, in payoff for putting money into mining equipment. So, for example, if I quadruple the amount of money that I put into mining equipment for proof of work, with Bitcoin in particular, then I'm going to more than quadruple the amount of hash power I have. Right, there's this superlinear growth in how much hash power I can buy per dollar as my dollars go up, and it's just an economy of scale thing. If I can buy a whole warehouse filled with miners, then I'm going to be able to operate at a better bottom line than somebody who's mining in their basement with two miners. So they identified this egalitarian mining concept as trying to make it as linear as possible so that if you are going to want to quadruple your total hash rate, you're going to have to quadruple your investment. You don't have to spend one point five times your investment. And so the original CryptoNight hash algorithm was designed to occupy a lot of the L3 cache in a computer and, as a consequence, sort of force the hashing algorithm through some of the slower parts of the computer, and that way every single computer, whether they were an ASIC or not, would have to fill up their whole L3 cache over and over and over again in order to find an answer. ASICs were constructed for that and our team decided that we were going to try to switch up the proof of work algorithm a little bit, in a way that made it so that ASICs that had been taped out for this project would then be useless.
So we specifically designed a change to our algorithm, not to keep the whole thing ASIC resistant forever, but to take any investment that people had made into ASICs recently and destroy it, which was arguably sort of a radical decision to make, because when we made our first proof of work change, our network dropped in hash rate by eighty percent. So change is the solution, by the way? No, it's not a long term solution. I'll get to that in a second. Our whole hash rate dropped by like eighty percent, which means four in five miners were ASICs operated by whoever was making these ASICs. We since changed the algorithm again because we suspected ASICs had arrived, and again we saw about an eighty percent crash in hash rate. So that was with a six month turnaround time. Somebody out there can manufacture ASICs rapidly enough so that within six months they can catch back up to where they were. And after speaking with a couple of ASIC chip makers and such, some people at Core Scientific in San Francisco and a couple of other people at the recent Bitcoin conference at Stanford, I suspect that an ASIC can be pushed out in thirty days or less. Something here that I think I would like to say: have you heard or looked into any of the recent programmatic proof of work work being done in the Ethereum community? Actually, yes. That's funny that you mention ProgPoW. I was sitting on the Zcash board of directors, or not board of directors, the grant committee, last year and ProgPoW came up and we discussed that and we decided not to fund it. But yeah, I'm familiar with that. Right now, Howard Chu, who is with Symas Corporation and is a big contributor to the Monero community, he's been working on a proof of work algorithm that is designed around randomly generating tasks so that only a CPU can really keep up, and I believe that he's presenting about that at the Monero conference.
And so this June, which will be a really interesting thing, because it's right after... we have some people in the community with very, very strong opinions about ASICs and proof of work and they're all going to be gathering together and fighting in June. It's going to be great. Gotta get it all on camera, I guess, for the audience. So what ProgPoW tried to do, or is trying to do, is first to get rid of the concept of ASIC proof. That's not a thing. That's a farce, and an ASIC can be made for any algorithm. The goal for ASIC resistance in terms of algorithm development is to develop an algorithm that maps to hardware in such a way that creating a specialized ASIC for that algorithm has no economic gain compared to commoditized hardware. And so, for instance, if you try and make an algorithm specific towards GPUs, you make one that works perfectly for commoditized GPUs. So if you were to make an ASIC for that algorithm, it's basically a GPU. So what you're saying is that Monero decided not to go for something like this because you want to lean more towards CPUs, as opposed to GPUs. Is that a good way to say it? I thought that's what the hash, the CryptoNight hash, was originally supposed to do? Originally, and it did a pretty good job. It's much, much better than Bitcoin's proof of work, but there's still quite a bit of ASIC speedup, along the lines of like a fifty x gain for an ASIC, as opposed to what ProgPoW offers, which is something along the lines of like one point two. So before you comment, Brandon, I was actually going to ask before you brought ProgPoW up. I don't know a whole lot about that either. We have these big random number generators which are called blockchains, and they're agreed random number generation, is basically what they are. And so my question is, why can't we just use that random number to create a unique algorithm every time? Kind of. Is that what ProgPoW's intent is, or am I misunderstanding that? As far as I know, that is not what ProgPoW is about. So first off, the random number generator, the blockchain is a random number generator concept, the notion of a random beacon, is one that's been around for quite a while and hasn't quite yet been put into practice. The problem is that the information that you're putting onto the Bitcoin blockchain is adversarially generated. It doesn't necessarily mean it's malicious, doesn't necessarily mean it's wrong. It just means that an adversary controls what is going into the random tape that is picking those random numbers.
And if you imagine a computer as a little Turing machine, like a little computer with a ticker tape machine that has a random tape feeding into it and then it spits out this output tape. If you can control the random tape that's going into it, then you can control the output tape. And even if you only have a small bias, you can add that up over time. Right, after all, Vegas is built on a small bias, right. Typically called front running. Yeah, exactly. And so using a random blockchain as a random beacon is problematic because it gives people who have a financial interest in screwing you over control over the random numbers that you're using for things, and that's pretty unacceptable. Unfortunately, all it takes is one extra transaction to throw the whole thing off, though, and if people are competing over there, like, so basically every block generated, but nobody has... you can't determine until it's actually final. But if that's the case, then somebody who's trying to screw you over can spam the blockchain right before you two are about to do a transaction. All right, just trust me. Like, the generalized blockchain is not a very good random number generator. That may be, unless signatures could be... yeah, and how those work with like the DFINITY beacon chain. That's a very, very, very different story. But the way blockchains work now in terms of secure random number generation is terrible. Oh yeah, absolutely susceptible to a lot of different social attacks associated with it. Yeah, I have to emphasize that. It's actually, like, possibly... this is a very common idea that a lot of people bring up. It's possibly one of the most catastrophic things anybody could ever actually implement. The reason is that almost all of cryptography is based on selecting a uniform random number from some set.
If that set is the numbers from zero to two to the two hundred and fifty two or whatever, then so be it. But you're picking a random number from the uniform distribution. If you look at the nonce density of the Monaro blockchain, just look up nons density graphs. You will see how non uniform things can really be when we're talking about blockchain data. And if you're talking about people who can manipulate random number distributions, allegedly pseudorandom number two distributions, to the point where it's so it's visibly non uniform after only a few thousand data points or even a few hundred data points, then then you're you're already in territory where, like people can forge signatures and I didn't even know that. So it's I just kind of figured that over time it would be way, you know, it would be very, very, very, very very uniform, just based off of but what is what is causing that bias? Out of curiosity, you're the math guy, I'm not. Well, for example, let's say I was designing a casino that operates off of the last digit of the Hash of the next of the top block. Right. That's my random number generator, and what I'm doing is I'm running a casino. What I'm going to do is, after I've made a little bit of money in my casino, I'm going to go invest in thirty percent of Bitcoins Hash Power and then I'm going to be able to control thirty percent of all...

...of the next oncoming digits. Say that again, I'm sorry. So let's say I build a casino and all I'm going to do is take the last digit of the next Bitcoin block hash and, depending on the output, I'm either going to pay you or I'm going to take money from you. Okay, all I need to do in order to make sure that my casino makes money is, all I need is like five percent of the Bitcoin blockchain, like, hash rate. If I can get five percent of the hash rate, that gives me a five percent edge on every single bit that we're going to be using as an allegedly fair coin flip. So basically, you find a block, it doesn't adhere to the way you'd like it to, you throw it away and don't submit it. Precisely. Block withholding attacks are actually one of the most interesting things in the entire space. Since you guys are Ethereum guys, you'll like this. I think of Ethereum as a predator and Bitcoin as prey, and this isn't necessarily a positive thing, and I'll tell you why. Somebody can create a smart contract in Ethereum and promise their uncle rewards to anybody who publishes Bitcoin blocks that don't make it into the Bitcoin blockchain. As soon as somebody is like, oh, I can withhold Bitcoin blocks and get Ethereum rewards, well, since the uncle rewards in Ethereum are subsidized by the network, what you're doing is you're actually subsidizing an attack on Bitcoin's hash rate using the Ethereum network and you never actually pay for that attack. You just set up a smart contract and you just promise to give away your uncle rewards. And when you start talking about people being able to use smart contracts in order to prey upon the hash rate of other cryptocurrencies, the entire economy starts to vary and change.
So when you're talking about something that involves random number generation, stuff like that, that's just the tip of the iceberg in terms of ways that people can try to maliciously manipulate blockchain data. If the Ethereum blockchain is subsidizing a block withholding attack on Bitcoin, then the casino example that I just provided you requires a lot less hash power to pull off, and that becomes significantly easier in a world where atomic swaps, sort of thing, where, could help be valid validations of things, to things like Polkadot, could literally destroy blockchains. I don't, technically, but you know what I mean. They're going to fix it, but, like, when you have interchain communication, you're opening up a whole new vector of attacks. Yeah, yeah, there are tremendously interesting things to see in our future as the technology grows and the connections between the technologies also grow, and that's kind of like, it's going to be absurd, and things like this are not only possible, but more likely probable, because we're dealing with money. And without taking too much of your time, we've already just took an hour and a half of our hour, ten minutes of it, we should probably start to wrap up there. Are there any questions that we probably should have asked you, or you wanted us to ask you, that we didn't get around to? Go on some time. By the way, this is one of our best episodes. I love this. Just make sure you cut out that part earlier when I was lame, when I first... We're keeping it in now that you said that, it's a part of the thing. Sorry, it's okay. So gosh, I'll be honest. I don't have any. I don't have any. I can talk about Monero all day. There's a bunch of questions. I'm going to Clemson University next week to give a talk on the cofactor malleability exploit that led to like a minting bug in Monero in January of two thousand and seventeen. No, and it's probably not exploited in Monero. And then Bytecoin.
Somebody minted sixty-nine million Bytecoin just for fun. So I don't know, like there's a bunch of different interesting things. There's a show called Breaking Monero that I've been occasionally doing with Sarang Noether and Justin Ehrenhofer, who's known as SamsungGalaxyPlayer. They have a, where we talk about all the things that are wrong about Monero, or things that have been going wrong, or things that can be fixed. Ways to break it, ways to violate privacy, ways to, like, basically black hat analysis, although it's not nearly as rigorous as some of the red teams that I've seen. And so, honestly, these topics are rabbit holes, and for every topic that we brought up today, there's an example from Bitcoin and there's probably an example from Ethereum, there's probably an example from Zcash, and we could probably spend all day.

But no, I don't have any other recommendations. Oh yeah, buy tickets to the conference. So guys, go to MoneroKon.com, with a K, and check out the Monero, the first annual Monero conference. We'll be sure to include that in the show notes. And I would like to have you back on if we can, at a regular cadence, because I really enjoyed this conversation. I don't, Collin has, and if anyone had any type of issues with the research being done and the legitimacy of the research being done, then I think those are, you know, sufficiently quelled at this point, and so thanks for coming on the show. We definitely appreciate your time and look forward to future conversations. Yeah, thank you so much for having me. We at Monero, we really, I don't want to say we at Monero, we at Monero Research Lab, we really value educational outreach and going on shows and answering questions for people. We're also extremely shy mathematician types. I can ask Sarang to see if he wants to hop on on a future episode, but this has been great and I really want to thank you guys for having me on. So thanks a lot. Yeah, have a good one.
