Hashing It Out

Episode 46 · 2 years ago

Hashing It Out #46 - Ren - Loong Wang

ABOUT THIS EPISODE

We have the CTO of Ren, Loong Wang, on to educate us on their token transfer protocol. Ren is building a system that allows a user to transfer a token from one chain to another, without the drawbacks found in techniques like atomic swaps. They have a network of "dark nodes" which run on their virtual machine, RenVM, to compute across the transactions and share data over the network. Interesting technology with many use cases!

Links

  • https://renproject.io/
  • https://twitter.com/bzlwang

Donate

  • https://donate.hashingitout.stream

W injury, cincast retwork. Welcome to Hashing It Out, a podcast where we talk to the tech innovators behind blockchain infrastructure and decentralized networks. We dive into the weeds to get at why and how people build this technology and the problems they face along the way. Come listen and learn from the best in the business so you can join their ranks.

Welcome back, everybody, episode forty-six of Hashing It Out. As always, I'm your host, Dr. Corey Petty, and my trusty co-host today, who has a special reveal. Um, on't you sink obout everybody and tell them, tell who you are.

Hello, everybody. As you know, I've been operating on this podcast for almost a year now, actually it's been exactly a year, almost, I think, and I've been operating under the pseudonym Collin Cusce. Well, I just want to let you know that in reality I am the creator of Bitcoin, Craig Wright.

So that's good! That's a good thing to have on the show. We have the official Craig Wright, um, talking about the stuff best.

Now A tother court get my actual name changed back, because right now it's still Collin Cusce and it's just going to mess things up, but yeah.

No, I mean I e Yeah Right, yeah. Speaking of secrecy and operating under a pseudonym, we're going to talk a lot about privacy today, um, particularly the Ren project. So we have Loong Wang with us to discuss everything about the Ren project. So why don't you give us a quick introduction as to kind of how you got into the space and what the Ren project is and what you're trying to do.

Yeah, sure. So I got into the space with a longtime friend and colleague of mine, Taiyang Zhang, the CEO, and, um, I've been kind of working in distributed systems for a while. I did a lot of research with them while I was at university, um, and I've, I guess, done a lot of projects that require working with these types of systems, never in a trustless manner. And in two thousand and seventeen, when Tai came to me with this idea to sort of implement a decentralized dock, so it was late two thousand and seventeen, I jumped on that opportunity.
It was just perfect to take, um, my passion for distributed systems and translate it into an industry that looked like it was really booming and has continued to do so since then.

So what specifically is the Ren project? What is, what does it do? Like, what's the goal, and how does it differentiate itself from, from other things like it?

The goal with the Ren project is to take liquidity from all sorts of different blockchains, whether they are compatible with each other or not, and to make them completely interoperable, and to do it in such a way that you can keep everything secret if you, if you want to, and to do it in such a way that it's completely seamless for the user. And what really differentiates us from, from other projects is there's a goal for decentralization, trustlessness, permissionlessness, all that good stuff, um, which a couple of the interoperability solutions don't really focus on. The other focus for us is to make sure that, even if the blockchains that you want to connect didn't intend to be connected together, you can still do it. So there are some projects like Polkadot or Cosmos which, which tackle interoperability by saying, let's create a uniform protocol that everyone will, will implement, and then we can all talk to each other. But of course the existing blockchains don't do that yet...

...things like Bitcoin, which is really where the liquidity is at the moment. Um, if you want to connect that to other chains, you have to take a completely different approach, and that's what we're trying to do.

So, I'm pretty sure the rest of this conversation is us trying to figure out how the hell you're going to do that. That's, that's a lot of things to try and to try and accomplish, and there's a lot of minds trying to do it. I'm kind of curious as to like how, what, what approach Ren takes to doing it and why they can, why they think they can do it so, so well and in such a manner that's so user friendly.

Yeah! I mean, it kind of seems like privacy and interoperability are these two somewhat orthogonal pieces of the puzzle, but, um, when you take the approach that we're trying to take, which we, we really believe is one of the only sane approaches to take, privacy and interoperability kind of become the same problem, and if you can solve that, you solve everybut Yousel O, both of them kind of in one go.

Why is it they're typically used two very separate problems, wha? Why is privacy and interoperability the same problem? So I don't quite understand how you make that connection yet.

Firstly, it depends on what kind of privacy you're talking about. So if you're talking about individual privacy, where you say I wanna, I want to transact money to you and I don't want anyone to know the amounts, but I want to bet a test of that on the blockchain, then they're not really the same problem. But if all three of us want to engage in some collective computation, such as an exchange, and we want to do that without any of us knowing anything about what the other person is doing, then suddenly that does become the same problem. And the reason for that is because it falls into this category of privacy called secure multi-party computation, which is a fancy way of just saying:
Let's get a bunch of people together, they all have input to a program and they want to execute that program on that input, but they don't want anyone to find out what that input was, and probably they don't want anyone to find out what the output is either.

So I guess my question is like, I hear that, but I don't see how that's interoperability. That's, to me, it's just another level of privacy. Like if I wanted to make a token transfer between one smart contract on one chain to another smart contract on a completely different chain, is, is that, is that also a privacy problem? Or I mean, like, I don't understand how you ma. I've still not seen that kind of connection, if that makes sense.

Yeah, so, um, its kids really Su, and it comes from the fact that when you have that ability, not only can you input data into such, such a system, but you can also generate data in that system, data that no one ever knows. So, for example, you could generate a random number that no one ever knew what that number was, but you can guarantee that it's random. But more specifically, you can generate a private key that no one has ever seen before, that no one has access to, and you can control that private key using this network of thousands of machines. And because no one knows this private key, you, no one can spend that money unless that thousands of machines collectively work together to, to agree on what they're going to do with that key. And suddenly, when you have this single private key, which to any blockchain just looks like one normal user, but in reality that one normal user is actually thousands of machines reaching consensus about what they want to do, now you have this special trusted user that isn't actually trusted, and it's not centralized in smot commission, that can take tokens from one chain, accept them, mint a copy of them on the other chain, and then hey presto, you've got and because this is done in an environment which is inherently secret.
That process can also be done in such a way that the amounts aren't necessarily revealed, assuming that the origin blockchain doesn't have the amounts revealed by default. So you could transition Zcash to Ethereum and, and not reveal the amount of, of Zcash transferred.

That's assuming that those assets are inside that I think Wer refere to on at...

...least in your documentation is the RenVM. This is the thing that people are interacting with that obfuscates all of these things, right? So if, if that is the case, in order to do that transaction, there needs to be available capital. There needs to be something, like if you're going to transfer Ethereum or Zcash to Ethereum, then burning to be transaction elicited from Zcash and then a transaction that enters into Ethereum. So that means capital lockup at some point has to go from Ethereum into the opposite direction. Basically, it's just your basic. What I'm saying is like you're obfuscating that link between the two things.

That's right, yeah, that's right. You're takingthiehr, you're locking it up by sending it to RenVM, an renontex control of verse ones and then it mints a copy of Zcash onto I e one to one, and then, when you burn the copy on Ethereum, it will react to that burn by releasing that Zcash back. And you can build these sort of standards, which kind of becomes Ren as a whole, which allow you to do this in such a way that the user doesn't even realize it's what they're doing. So they say, I wanna interact with a DEX, let's say Uniswap, super popular, um, I wanna, I want to send Bitcoin to that in exchange for Zcash. They will send Bitcoin just like a normal Bitcoin transaction to a normal wallet and, at the same time, they'll specify the Zcash address that they want to receive what they're buying to, and then they'll just wait, and the Zcash will appear in that, that wallet that they specified. They don't have to worry about wrapping or unwrapping. They don't see what's happening behind the scenes, and they don't even have to interact necessarily with e the guest token on Ethereum or whatever other blockchain you happen to

Okay. So let me see if I get this right in a recap way, and then I have some questions, because we have talked about this subject a couple of times before, like with the Interledger folks and such, um. So what I want to make sure I understand is that
Let's say you have a smart contract on Ethereum which represents a Zcash token, right, represents a PZ cash. Is that make sense? Is that correct?

Yes, you'd be interacting with a token, an ERC, for instance, that represents a, a, an asset on another chain.

And so what Ren project does is it have, we haven't gotten into the trust aspect of this yet, but I'm sure we'll cover that at some point, but it's treated as a single like intermediary and exchange booth, like currency exchange, like at the airport. I give you a dollar, it'll take that physical dollar and then put it in its coffers and then give you another dollar back and put it in your debit card or whatever. Basically, what you're doing is, is you're letting, say, a transaction go to a particular wallet, I would assume, like on Bitcoin, and then that would produce a token in the Ethereum blockchain which is equal in value and pegged to one bitcoin, and then, when somebody wants to redeem that for Bitcoin on the Bitcoin chain, that is then pulled out of the Bitcoin address or chain or whatever and then put back into whatever circulation that they are assigned to have. So if, like, let's just say my address deadbeef says I want to relinquish, I'm going to sell back my Ethereum token that I have been using as trade on the Ethereum network, that represents a bitcoin. I said I'm going to sell that back and just redeem it for a straight Bitcoin. Is that accurate?

Yes, that's exactly what

Okay. So then I guess my next question is, um, what technique are you using for the transfer? Now on the show, you've kind of discussed things like HTLCs, hash time lock contracts, um, and atomic swaps, and there are some interesting complications surrounding all these kind of techniques. We've also talked about possibility of multiparty threshold signatures to release the actual funds. What, what kind of tools are in your toolbox and how do you compose them to actually enable a...

...trustless transfer so that I don't have to worry about whether or not that Bitcoin address is going to get corrupted on the Bitcoin chain and then screw over the Ethereum chain? Likewise, how do I know, let's just say Ethereum itself decides it's going to fork, what happens to my tokens in that situation? So suddenly we have like another situation like ETH, ETC split. So how do I know? So what does your security look like? How's all this built together? Holy crap, I just asked a huge question. I'm sorry! That's like thirty questions in one bat. Yeah, just give, give me, give me the architecture, 'cause like this just shows you where my curiosity goes. We'll set that as a framework for how we're discussing this. Cool, man, let's do this.

Okay, so, um, it doesn't use hash time lock contracts. Up with that, to bet we used to use atomic swaps, um, to do settlement before we arrived, where we've arrived now in terms of the technological capability that we have. We no longer use atomic swaps for this. So the problem with atomic swaps is that they, they take a long time, but in terms of actually as a settlement option, they have this issue where it's interactive, so both parties have to be online through the whole process. They have to sort of like do some back and forth, and if any one of them cancels that process at any point, the whole thing collapses. So if you built an exchange around this, there's this risk that the other person is just going to pull out of the settlement when settlement comes, and the exposure that you thought you had, you know, Wi actually have, and so there's this huge counterparty risk. The other issue with this is that you kind of need specialized software that you have to convince the user to install and you have to get them to use, and that's, that's really hard to do. Uh, and then what happens when you have users that typically interact with multiple different types of exchanges? Is there going to be a standard for this? Do they need?
You know, four different wallets for four different exchanges that are all atomic swap enabled? Um, but the other real problem is that you're not actually, because you're not creating a tokenized representation on the other chain, there's a, a huge limit to what atomic swaps can actually do. As the name implies, they're only good for swapping. So, for example, if you wanted to take Bitcoin and you wanted to lock it up and make it out contract and use it to Midie, you couldn't do that with atomic swaps, because there has to be a single party on the other side that's taking custody of those funds.

So the approach that we take is called secure multiparty computation, um, and I guess what that means is that you have this collective of, of parties, multiple of them, surprise, and they work together to do a computation, and there's a couple constraints on that, which is that, unless, unless there's a certain percentage of these parties that are corrupted and colluding and working together, you can guarantee that the data in that computation stays secret. But you can also guarantee that the computation is correct. And so those are two key, key components, and the third, which is often ignored, is that you're guaranteed it's going to happen. So as long as less than, let's say, one third of the parties, which is a typical sort of Byzantine threshold, as long as less than one third of them are colluding maliciously, you're guaranteed that the computation is going to happen, you're guaranteed it's going to happen correctly, and you're guaranteed that any data involved that you want to keep secret will be kept secret. And this allows you to take a private key and distribute it to, you know, thousands of machines, and it can only be used when there's consensus from the network.

So in the case of a split chain on Ethereum, the nodes would have to collectively decide, and they would do this rather naturally, whether or not they wanted to support, you know, ETH or ETC, because obviously they can't support both.
But if you had, you know, only half of them going one way and only half of them going the other way, there is this inherent risk that you won't actually have enough to stay lively. But as long as you don't have one third of parties being malicious, it's impossible to get, uh, both chains, uh...

...suddenly miraculously having two representations of Bitcoin on, on two different chains, but there's only obviously one version of that bitcoin in reality on the Bitcoin blockchain. And so this inherent consensus requirement and resistance against Byzantine actors in Holthy, cadedcompucations is kind of what brings it all together and makes sure that the whole system is decentralized and trustless, and introduces this ability for Ren to achieve consensus about difficult decisions that it might have to make. For example, what tokens are we willing to support, to what blockchains? And really a fork is a question, is that question: what blockchain are we supporting here? Are we gonna, because this technique is usable for any blockchain to any other blockchain, there has to be limited. Whie ther dommus actually agree to, to do this for, and so obviously they're going to start off with, with Bitcoin and Zcash together, bringing them to the Ethereum blockchain, with some other ones lined up later. But once governance of the nodes takes over, they have to make those decisions, and in the case of a fork, it is really just a specific case of that decision.

Let's talk about, I don't know, governance is a really important discussion on this, and we maybe discuss that later. I'm not, I'm more interested in the actual mechanism. Um, I guess we'll start with like the analogy of TrueBit, right? TrueBit was one of the larger EGASS multiparty computation, interactive multiparty computation, um, platforms out there in the ecosystem. Is it, it is hell hey're doing multiparty computations similar to how they work? We Ene them a while back.

Yes, so TrueBit is informally referred to as a multiparty computation, but I guess in academic literature multiparty computation has a very, very specific meaning, and, and TrueBit doesn't fall under that. So the way that it's different is that no node actually has access to the real underlying data. If they did theto stay secret. So instead what you do is, um.
You take your data and you split it up into what are called shares, and you do this by, you draw a random polynomial of a particular complexity. It can be as complex as you like, and you pick a point on that polynomial that everyone agrees by standard is where you're going to put the secret. So you'll say, this is my random polynomial, and at x equals zero, bam! That's my data, that's my secret, where it intercepts the, the y-axis. That's the thing I actually want to keep secret. And so what I'll do is I'll give every machine in the computation a point on the line somewhere else on the line, x equals one, x equals two, so on and so on, and I'll give it as many points as there are nodes. And depending on the complexity of this, this polynomial will depend on how many of these nodes would have to collude and get together in order to reconstruct the polynomial and, and see what my secret was.

You've exactly described Shamir secret sharing.

It is. So secure multiparty computation uses, um, an arbitrary secret sharing algorithm, most commonly Shamir's secret sharing. And what's interesting about things like polynomials, though, is that if you just add them together, add two different polynomials together, you have actually added the points at x equals zero, even though you don't have the point at x equals zero. And so suddenly you can do addition, and in a similar way, although somewhat more complicated, you can do multiplication, and you can multiply these two polynomials together and, without revealing what's at x equals zero, you can still multiply it just by working with the shares. And so once you have addition and a multiplication, you can do anything general.

That's what you're referring to, and the platform is like zero knowledge transactions.

Yeah. So, so you can use this addition and multiplication technique to, to build private keys, and you can, um, sign transactions in, in secret using this mechanism, where your private key...

...is just at that point at x equals zero.

So how do you choose, how do you choose nodes in the network, the de of Tus, busy young Todof, specific transaction or computation on a specific transaction?

So that's where the, the Ren token comes in. Um, obviously, because the number of nodes is an inherent part of the security, you can't allow a potentially malicious actor to just register as many nodes as, as they see fit, because that gets out of hand really quickly and you, you know, compromise kind of security guarantees there. So by requiring this hundred thousand REN bond, you financially limit how much an actor could, uh, register in terms of their darknodes, and from the darknode set, you sample a large group, several hundred of them, and which we're trying to push that up to, to one thousand. You do that deterministically, based on information that you see on the Ethereum blockchain, and very soon we're going to migrate that away, so instead of relying on the Ethereum blockchain, you're relying on random numbers produced by the network itself.

I see. So right now your randomness is relying upon the blocks, block propagation of, of the Ethereum blockchain; eventually they'll move over to something that's much more random. And I recently just found out that, that that's not as random as they thought. I won't say, it depends on that, the desire of the node, of the miners of the Ethereum blockchain and their ability to front-run transactions based on the randomness that they'd like to see.

Grat, that's Grat. And the randomness is used to sample, um, darknodes, decide which of them are going to be part of the computation. Um, until you have more than one thousand nodes, until you have significantly more than one thousand nodes, um, that randomness actually doesn't matter at all. Um, there's no reason for it, and until, until you get above one thousand, then suddenly, okay, there is a reason to notice that randomness, but it's not as trivial as saying:
Okay, if you manipulate the block hash to have this kind of property, then you're instantly going to Beati get yourself into Te,outhe, shod Theyareno. So as far as the jople be tie network, you have to figure out how to get your specific ones all next to each other in this random shuffling out with hem and still have a valid block hash.

It's almost similar to, it's similar, but it's the same idea in which Dfinity uses its beacon chain to pick validators on various things. Well, they don't have a beacon chain. They actually just use BLS threshold signatures to actually the theirtheirthern right. Tel. The BLS signatures has basically a Ballo th ecall like a validation tree, which is like a higher order of BLS signatures in a lot of ways, but in the end they use this as a random, as a random beacon. Yes, t is just a lot of things for whatever block cads gopons on at's. Asimper whigh makes me wonder why, why Shamir? Because Shamir's arecaticulation every single time. It's like you pick a polynomial, it's a standard polynomial for the whole thing, and then you determine a random coefficient, which is going to be the y point which intersects on the axis, axis. And then, when you do your distribution, like everybody, like, first of all, I think, like, you're supposed to determine what the polynomial is.

Well, I guess not, so you could build a polynomial within the secret computation itself. So one way to do this is, um, everyone picks a random number and they Shamir secret share for everyone else, and then they all give their shares to everyone, and then they all add up all their shares. And now they have a share of a global random number that no one actually knows. Everyone knows their own local random number they produced, and they know the global random number is the sum of all their local random numbers, but all they have to sort of that was shared to that sail. It seems like scale poorly that es really coo the RECEN A P s. What?
If a single node decides to go offline, it says, actually, you know what, right now I'm going to give half of you my shares and I'm not going to give anyone else my share, and that's going to completely screw you up. You have to go through this heavy consensus protocol to try and understand who has what shares, and if you say, okay, everyone's going to participate, and they don't, then you have this issue where you kind of have to...

...start all over again, and you'll go back to GRANTEUR and regenerate the random number. And this is the approach that's taken by the other projects that we see using secure multiparty computation, and is the approach that's generally taken in the literature. In the literature, secure multiparty computation is being studied heavily, but not really in the context of an actual Byzantine blockchain type environment, only in sort of academic environment, like, let's say, the military, where you more or less do have trusted nodes, but you can't necessarily trust them, um, because that's kind of like the domain that you're living in. But in the blockchain case, liveliness is, is absolutely critical, and allowing nodes to just go offline and have the whole thing collapse just really isn't viable. And so there's a consensus mechanism that you piggyback off, and this is what we call Hyperdrive, which is more or less the Tendermint consensus algorithm, this being slightly modified for our particular use case, and you piggyback from that leadership, that, that ability to elect leaders in the case they're faulty and on the multiple rounds of voting, to generate your random numbers, but still using the same outline technique, where everyone sort of picks their random number, shares it, sends it to the leader, and the leader, I guess, ee's a block, proposes which ones they are once used.

But Tendermint is kind of isdbs, right? So you have to like say, these are who we trust, like ahead of time. There's a setup process and then there's a staking process that's bonded. They're all bonded on whatever the Gat, but like the class, all aemen is already bonded.

So, so every darknode that acts as a party in the multiparty computation also acts as a party in the consensus for, um, the Tendermint algorithm.

So why would they do this? Why would they set up? Why would they want to diverse by the number of, of, I guess you call them compbalodaters, really they're kind of like, I don't know, like.
I don't know what to call. What do they call like these nodes in, in the Ren, darknodes? They're darknodes. Ava, Soth, ctaly, hing, okay, they're in the dog. I get it. Okay, so these darknodes, they would, they would, you know, they would have a great responsibility to be, you know, active, and that, you know, there's like even if you like, you can gain a lot of information by controlling a significant number of darknodes, right?

I don't know. Unless I control the exact threshold, you don't get any information. So you don't actually get closer to learning more information, the gray rit threshold.

Well then, I get that, I mean, yeah, but like the more nodes you own, the more likelihood for every transaction that you will get to be able to do something with that transaction. That make sense?

Lov. That makes eer sense, and, and so you have to really make sure that, um, your I was in cancerport a large number of nodes, and so we're pushing that threshold as best as we can to about, about a thousand. And if you have, you have about that many nodes and you have a total pool of ten thousand, and Tendermint is only fundamentally secure against a one third adversarial threshold, and so is our underlying multiparty computation, so they condnot give out at the same time. Um, if you, if you trust the Tendermint model, then you're inherently trusting the same model that, that Ren uses, and realistically, this is the same model that even chains like, like Bitcoin support. Craig Wright Ouo to agree with this particular line. But the threshold is only one third because of things like the selfish mining attack, then thirty-three percent of the power in, um, Bitcoin, if you attack it, it's game over, you can, you can do a double spend.

So what we have here is an attempt to make, or what has been made, a decentralized multiparty computation machine in which the nodes don't really understand what they're computing.

Yep. I mean, they know what they're doing, they just don't know what they're doing it with. So they know they're signing a transaction.
They just don't really know anything about that transaction,...

Il to keep behind the transaction and then walk me through the process of. I want to send Bitcoin to the Ethereum, start me off with crafting the appropriate Bitcoin transaction and interacting with the RenVM API to get it to so address on Ethereum.

Su so and also describe RenVM a little more to me, because I'm not Qu, I'm pretty sure he just did. Like, is it an actual VM, like BM is B it has its language, or like, is this something that

Yeah, so soin Sono t does have its, it does have its own instructions, um, it's not generally programmable yet. We are going to make that a possibility; we're still kind of assessing the viability of state and all this kind of other questions when you, you enable so general compute models, um, and also assessing whether we want it to be Turing complete. But, but RenVM is ultimately just a group of darknodes that do these computations, and they have this instruction set, which defines their computation for them, and right now they just have a bunch of intrinsic programs that are inherent to the VM that it understands, but it will be, um, something more programmable later on.

Okay, cool.

And we call that collection of the darknodes RenVM, and we call Ren the RenVM plus the set of standards built on top of it about how to make this interoperability most usable and most seamless. Um, yeas ther'. The point about how you actually do this is, when you send Bitcoin to the Ethereum blockchain, the first thing you have is an address on the blockchain that you want to be sending this transaction to, um, and you may also have some extra, what you call payload data, that you want to send along with that, which gives some context for why you're sending it. So are you sending this because you want to interact with a DEX? Are you sending this because you want to interact with some kind of locking up contract? It's an arbitrary data payload.

Is this, are you referring to the Ethereum data payload, or is this something

Yeah, othe rnday apartment listens the n data payloads, for example.
If, if I'm sending it to a DEX, then not just the Bitcoin that I want to send, I want to send, you know, like a, a maximum price that I'm willing to, to pay for the thing that I'm trying to buy. I want to send the, the Zcash address, let's say, that I want the funds to be sent back to. There are these kinds of properties, and they're always going to be application specific. So this payload is, is arbitrary. You take the address you want to send it to, you take the hash of the payload, you take the public key of the RenVM, and from this you deterministically generate a Bitcoin address, a special Bitcoin address that only RenVM can withdraw Bitcoin from. And you don't need to interact with anyone to do this; you just need to know that data that you have, um, and you can generate this, this unique address, and you send your bitcoins to that unique address, and then you notify RenVM about that. You say: hey RenVM, here's the place on Ethereum I want it to be sent to, here is the data payload. You obviously know your public key. And RenVM takes that in. Each node individually, without needing to, I guess, communicate with each other, it's not interactive yet, they can also deterministically generate that Bitcoin address and verify that there is actually a bitcoin there. If there is, they then go ahead and they engage in the multi-party computation that we just talked about to generate a signature that can be used to mint Bitcoin on Ethereum, and they give that signature back to the user. They say: here's the signature that you need, and it's a signature that is bound to that data. So when you put onto the Ethereum smart contract that governs the Ethereum version of Bitcoin, um, you have this, this payload attached to it, or hash of the payload, you have the to address embedded in it, and obviously have the amount. And so because it sees that, verifies the signature, verifies that it does in fact come from the RenVM public key, which is, which is known by everyone, and...

...if it is and that all checks out, then it mints this Bitcoin, sends it to the to address, and you're off and you're away. You're going to need smart contracts on Ethereum in order for this to operate correctly. BESTG and we've deployed those smart contracts onto Ethereum, to its testnet at this stage. All more questions about this later, but I g gone at everyone uses the same set of contracts for minting. Minting is mostly like a part of the Ren infrastructure, is your kind of fingers in all the blockchains that you enable within the RenVM. As your asure, as your documentation says, the interoperability layer. Yes, that's correct. And then the smart contract that you actually want to interact with, that to address would typically be the address of a smart contract or an adapter around an existing smart contract. So you could send this to an adapter for Uniswap that you could build without modifying the Uniswap system at all, um, and that contract would receive the Bitcoin, would receive the payload, would analyze the payload to see what data is in it. It could verify the signature itself, and then it would do something like forward that Bitcoin immediately on to the DEX, and the DEX would give it back immediately, um, say an ERC20 representation of Zcash for Bitcoin in this example, and then immediately that contract would burn that in the associated Zcash smart contract. So now you've got this single fven transaction in the CONMENCE begoing Sensi to an adapter. The adapter sends it to Uniswap, Uniswap sends back the traded token, and the adapter immediately burns that. This is sort of one immediate transaction. There's no interactivity here. It's just kind of like submit the transaction and you're done, and RenVM will observe that, um.
That B, so can sort of keep a log of everything that's happening in Ethereum and get notified when it sees a burn, or can rely on some other third party explicitly poking it, like, I think you missed this burn event, please check. Yep, it'll see it, and with that burn event you want to associate a, um, a to address on the origin chain. So it's not like a normal burn where it just kind of disappears out of existence. You associate an address on the Zcash chain in this example, so that the adapter burns it with the to address. RenVM sees that, and if it, uh, agrees that, you know, this is all fine and good, you know, the number of confirmations that it needs has passed, it will engage in a multi-party computation to release the burned amount of Zcash to the associated address. That's quite a bit. Trying to think of kind of games you can play with this in terms of like, maybe like, like Frieni toloat mixers. A lot of the times what people will do is they do a bunch of mixing and then look at the inputs and outputs to try and match who's sending what to whom. A IPRA E wosend. I think old mixers used to work this way. They've got around it, but, like, say a mixer takes in ten inputs and outputs ten and mixes them all up, and then I'll put sennup with IC. Do as you basically just flood the mixer and see, like, when you get nine out of ten, you can make forensic analysis and basically figure out who the other person was, and who ankind demystified that type of Ogim. Trying to think if there's any type of things like this you could do within forthen within Ren's that to try and gain extra knowledge about what's going on in terms of what's the surrounding infrastructure, Oer and say, for instance, you've done your job correct and...

...the RenVM is a black box and there's no way to associate with their inputs and outputs. But you can still do forensic analysis on the things, everything outside of it that's interacting with it, to try and guess. Right, yeah, if I was Gog, have actually talked about the privacy aspect of this yet, so this is completely public. I mean, you can completely associate. You can see a Bitcoin, um, transaction go to RenVM and you can see the associated transaction mint on the blockchain and all the associated metadata, because one of the pieces of metadata is actually the transaction hash. So it's actually very intentionally auditable in the public form. In the private form, I guess there are two, uh, ways to break it down. The first one is if the origin chain is inherently private, so, for example, Monero or Zcash. If the coin is inherently private, then RenVM can use the same secure multiparty computation to ensure that it's minting the appropriate amount of M LEAC cashones witherhim without actually knowing what that amount is. I can still verify that. I don't know how much we've minted, but we've definitely minted the right amount, and it comments it straight into something like an oustair contract where it can stay secret, and then the SSA conjuct can mint or can burn that away. You can release Zcash in very much the same way that we discussed, but, um, by relying on secure multiparty computation you can verify all the amounts and all the addresses, even if you don't know what they actually are. So you can maintain that security. The only danger is that when you move it through something like Ethereum, Ethereum doesn't have private addresses. So wo have to use more like a mixer type approach to send these funds around once on Ethereum, but that crossing the bridge remains completely itso. I'm still in Cor. Kindo jumped ahead from where I currently am. Let me dial it back. So he's getting right into the security stuff, um, privacy, et cetera, et cetera.
I'm kind of looking at this like, okay, I kinda can garner what you're getting at from some of this, but I'm trying to first I'll cook, fo th, the main primary key innovation here, but, um, starting with, you know, things I don't get, which is, right, let's just put a badgerry wall and like Ren is on the other side of both walls. Okay, I'm going to start, let's say I start with Bitcoin. Okay, miner. I don't care M. I want to, from a user experience perspective, and you might have mentioned this, but it probably went right through my ears. We use e PERSPI experience. expective. I want to send money to M. I was thin fuck it, um. So I want to send it to Ethereum, so I go, okay, what do I do as a Bitcoin owner to send money to Ethereum? And how do I know, as an Ethereum owner of the Bitcoin token, I can retrieve with one hundred percent certainty, or as close to as possible, um, the funds that I have on my token side back to Bitcoin when I need it? That's where I'm kind of like, do I send money to a particular address in Bitcoin? How do I know what that address is? What Hik, the owner of that address, from what I gather is. Is the address itself, sounded like it, maybe I misunderstood this, it was produced by the Shamir secret share portion. No, no! So the address that you deposit you according to is, it's actually a Bitcoin script, and it's just built from deterministically known inputs, which is just like, who are you sending the money to on Ethereum, okay, and is there any payload associated with that that you will be sending when you do? Okay, er, pretty O, saying o your private key that no one else can own but the RenVM. So what you, what you're doing is by submitting a transaction or request for a transaction of therb, and please correct me if I'm wrong, U Not! This is what I've understood so far. You are th, the RenVM is taking those inputs, which is your request for...

...a transaction somewhere, creating a private key and then generating the associated addresses with that private key, and saying, send money here, we can move it from this location. So you could do it that way, but we don't do it that. Yeah, it sounds like they're using more hn escript en. Yeah, t at has costly. There has to be this communication with RenVM as well to generate this key, and we want to minimize that. So there's actually one master key, um, and you can generate Bitcoin scripts that can only be redeemed by that master key. So everything flows through a single, a single intitude. Yeah, everything flows through that single master key. So the public key associated with that would just become a matter of fact and you just hardcode it into your application. And so there's still this intention that, you know, a user is going to be interacting with some kind of, you know, web app or visual interface, like usually, in order to do the thing that they're doing. That interface could generate the Bitcoin address that said, well, based on the fact that I know you want to send this Tnia, I know what the Uniswap adapter address is, that's a known constant, you've told me the amount and the associated payload data, for example, you know what price you want. So without talking to RenVM and without Ol anyone, I can generate this Bitcoin address and I can just show that on the screen to you as the user. So the user says, I want these details for my exchange, and they see the Bitcoin address, and they can validate that Bitcoin address with third parties, with what they like. Wallets may introduce explicit support for that, um. They can validate that they don't trust the website. Once they've validated it, if they so choose to do so, they just send Bitcoins to it and that's it. That's all they have to do. And then RenVM will see that deposit, um, either the web app token say: Pay Just check out that address, please, um, or in the case of a fully, you know, no-middleman kind of process.
The user can choose to poke RenVM themselves, um, and that whole process that we talked about kicks off. So the user really only has to, from the Bitcoin side of things, send the Bitcoin just to an address that's given to them, that they can verify independently on any number of websites or wherever they so choose. So what my question is, like you said, there's, and you've probably also already said this just immediately, but my brain didn't pick it up again. There's a master address for the scripts, right? So where's that master address held? How's it created? Who, does anybody actually own that, or is that liter? It can't be literally generated every single time, correct? I guess once to the beginning of all time a o all ti anand, if somebody compromises that, can they compromise the entire system? If someone compromises that, then they would compromise the entire system. So you would, because it's just a normal private key, that would get that private kn that Raorit were done, but assuming it was done in a trustless setup, compromising that is the equivalent of compromising anyone's Prev. But was it done in a trustfel setup was what I didn't understand. So is that part of the setup process? I thought that was like part of getting the script up there process. What whapn, I mean this is part of how we're going to have to bootstrap the network, and so we'll bootstrap the network by having more semi-trusted Mol to begin with, while we can attain a large, a sufficiently large number of dark nodes from just anywhere. Once we hit that threshold, we will generate the master key, and it'll be generated by, you know, hundreds if not a thousand members of public, people who have registered their dark nodes. Unless you owned two thirds of those nodes at that time, and you could up that threshold, because for this beginning of all time generation you would happily take needing to repeat the computation over and over again in the case that you suffered liveliness problems. Right, sory rig.
Ninety percent of all those nodes would have to be colluding in order for something to go wrong. Yeah, and that's kind of a, it's a trusted setup basically, is what you're saying, is that when the network is first initialized, there is a trusted setup for the entire network going forward. O col trust it set up, because they are trust, las trusted. As the network...

...itself. Yeah, it's okay, yeah, there you go. imet' Yeah, I guess. Yeah, okay, it's a setup that's not necessarily a trusted setup, but it is a setup process. It's a bootstrap process. I got you. Okay, cool. And you know, that's hat that's uncommon in the assystent plate. When you want to throw up, you know, um, a Proof of Authority network, for instance, like those, you have to have a trust, right? You have to have some agreed upon information which you used in order to actually establish a trust, a trustless connection between all the nodes and that wre and even Hasit, like completely trustl P, you get what I'm saying, like that's not uncommon. Um, to bootstrap your network that way, that makes perfect sense. Um, in there's. No is there a way for you to kind of guarantee the setup was done well, or is there like, or maybe even like, as the network grows, like kind of like automatically as part of the protocol, um, throw out the old master key and make a new one every once in a while, or something like that? Is this you can, you can absolutely throw out the master key and increding to one every now and then. We consider doing that once every time, so the whole system proceeds an epoch where you random shuffle your dark nodes on which ones are involved, and at that time you could sort of like reshare the key back out. It's the same key though we have conated it at that moment, generating to completey, Muki and folding. All the funds, um, it's not a huge issue and I guess we've strayed away from it for now, but, um, the only issue with that is that every epoch you're going to lose the gas fees it takes to send that Bitcoin from the first master key to the second master key, and Somea you're, not a wont to Une. Take it anymore, because you've lost a little bit of that, um, that maintenance cost, and you don't want to introduce a maintenance cost. Monetheran whereis like, OK, if you hold the dequinent ath for a year, suddenly becomes a point: No, no, no! No Nine dacoin.
That's insanely hard to do, and very weird and subvertal of contract expectations. For example, imagine a CDP, um, where the collateral was slowly decaying over time. That would be not very effective. That actually begs another question I have right now then. Um, it's not exactly one to one, because you're paying the gas fsor c. You know the gas trasactaly Pe's associated with sending, um, you know, Bitcoin from address A to Bitcoin address B once the old masterdoke antes a new one. Um, by the way, if there's any mess-up in that process, all a tesowoul suck. But let's say Bitcoin gets attacked in at in that point. Some chain that's not relevant to you suddenly gets attacked or has some sort of way of manipulating, for whatever reason, and that's also a possible attack vector which could be held at fault for the Ren network for having that standardized epoch based transaction where you would trade things. There's a lot of considerations around, um, that particular scenario. But I do see like a security model where, you know, you're changing these addresses not every day but, like, you know, every so often makes a lot of sense to me, because that would make sure that, you know, that the masternod can't somehow be master address camp my out. But because you're chewing that transfer, you would be pulling out the transaction fees of the pool of money that already exists in the actual, what's it called, the actual master address, which means you're leaking just like sub pennies on aier. Yeah, but it's still ihit' Evet, so technically los it. Yeah. The ones whom we did consider was an optional master key movement, so you say at most once per month the dark nodes will be willing to move from one master key to a wallet that most, and they won't initiate this by themselves. But anyone can prompt them to do it by sending them that extra money. So I say, hey RenVM, I would really love it. Personally, it's been a month. I'm a little bit worried. We went from three hundred dark nodes to...

...three thousand dark nodes in the last month. So getting a new master key seems to make sense to me, and it's also a reasonable way to verify that the key hasn't been compromised, because a malicious adversary wouldn't willingly let these funds move. Right, and you know what I ase to be another alternative there is, there's cost running these kind of nodes, like there's got to be an incentive model built around running these nodes, right? So why not donate to the network and, like, by having those donations go into the actual address in a donation pocket, it pays the network too. So whenever the master key actually switches over, it's like you're saying: Oh, it's switched over, guess what, we're going to withdraw our funds, and this is the amount of participation we have in the network registered with the system. So because you registered, um, you know, this amount of actual validation or, I guess, dark node time, you get return on your investment through the donations, because it reached the threshold of the donations. You get this much and the rest all goes to transaction fees to pay out moving master addresses on every single chain that we are currently interfacing with. Yes, we haven't thought about like a continuing donation thing. We thought more like, just at this moment of time, I reckon the master key should be moved, so I'm going to send RenVM ten thousand sats and say: Hey, can you please rejorant the master key, it's been a month. And the Red Arkenrs Beit ten thousand sats, great, with ten thousand cents up from our one to one peg, we're going to transition to the new master key and spend ten thousand cents doing that, and then hey, we're back to one to one peg. Gotcha, cool, so, um, I'm here M.
I think it's obvious to say, like, the obvious first use case of this is a DEX in which the funds are controlled by a network of computers doing multiparty computation that own naxt, the actual keys that control the funds, pretty much, right? Yeah, basically. And they have a true DEX that's controlled by L, Ke that has to that the funds are controlled by a large number of people, so the security of those funds is relatively safe, and, along with like the ability to move those funds in an interactive manner, at least for the time I move mea, you can change the keys. The master keys. Oh yeah, work estore. So let me ask you a pretty, pretty, pretty bold question here. What sucks about Ren? 'Cause it sounds really kind of good on the surface, but it's really hard to Finli get with the detail and ts like what do I need with fix what he? What is like right now, go ahead. Yeah, I mean, I asked it a very bold way intentionally, 'cause I wouldn't know Li. I Tos voke kind of like an emotional, an Engagio Asomo, where it's like, yeah, these are the things e Wy. U really need to fix like, but these are why they're solvable, and that's what I really want to hear. Like what? What like decentralized exchanges are not a new topic of discussion. People really want them, but there's a lot of barriers to entry around them, and it's very hard to find those barriers to entry in a one hour conversation, um, over the Internet with somebody who's deep in the space, but like it's hard to find what those actual problems are with every system. You know what I mean? So I want to know what are your specific areas of research and why do you think they're solvable. Um, with Ho estotiing anyone that shies away from that line of questioning in this space, especially in any security oriented, um, environment just immediately doesn't know what they're doing. I think if you don't know how to answer what is the limitations of your system? What are the risks? What do you need to get better at, um?
You haven't really thought about your system well enough, or you have but you're not willing to talk about it, which means you're not being honest. I geve Thi Alf with Tyo investors, whoever. So yeah, of course there are problems with, um, with Ren, a lot of them. I can talk about some of the ones in the past, because it kind of, I guess, paints big more than a picture, and I can give context to the current problems. When we first started out, we had no idea how to achieve, um. We didn't really consider the interoperability side of things. We were happy with atomic swaps for the time being, and we were just trying to develop that privacy aspect, which is why we were looking...

...into a secure multiparty computation, is how can you match orders in a DEX privately. And, um, in developing that, it became very apparent that there were two major issues. One was the user experience at the actual end product, and the other was that atomic swaps just suck, that they're so slow, and they have this, um, interactive fault problem or the Free Action Problem, where you can just decide not to execute after the fact. And so we spent a lot of time deting into this N, and it's actually kind of funny that we spent quite an amount of time looking at other possible ways to force atomic swaps to happen, and the reason for that was we were aware that we could use secure multiparty computation to hold keys in theory, but we weren't happy with the implementations available. We weren't happy with where the research was at, in terms of telling people, okay, you could have a hundred percent corruption threshold, but a single node going offline stops it, stops everything, is all over mean that that's not feasible, even in an honest network, let alone a dishonest network. And so we began like researching very heavily into what can we do with secure multiparty computation to change this? How can we make it better? And we have this eureka moment, where we sort of stumbled across a new technique that we thought, well, hey, this does exactly what we need to solve, um, gives us our liveliness threshold back. It keeps the desentins thresholds within the same realm as those provided by other chains, and so we began to transition to solving this interoperability problem in that way. But this user problem still existed. So we put this constraint on ourselves to say it has to be usable. It has to be friendly.
So these are the two, like, main restrictions that I see, or the main problems that we encountered, and most of the problems that we continue to encounter fall into one of these two buckets. So in that first bucket, with user experience, um, we're specifically trying to design the whole system around this idea of universal logging, which has been talked about in the Ethereum anytem community quite a bit, this idea of allowing a trustless, albeit, um, ISS. You Call permissioned third party to submit transactions on your behalf and pay the gas fees and, in exchange, extract some value from that. And so this is what makes up part of the Ren standard, or we're trying to make part of the Ren standard, which is, as the user, with my Bitcoin, sending my Bitcoin to this DEX, I probably don't have the Theori, but I mean that's why a Beli naximos et say that's Tryig, Ibesta finds his decash. I don't want to go get e Cin, it defeats the whole point. Maybe even worse, maybe I fon of cuse might be acuointed by, uh. If I need to eat gas to do that, that kind of defeats the whole point. Um, so trying to build this in such a way that some third party can submit the transaction to Ethereum on your behalf, pay the gas fees on your behalf, and in exchange for that take a little bit of the Bitcoin that was minted and sent out about that INS. High process that you can say, the service that's being provided and they're taking, um, you know, they're getting rewarded for the service in their pobody trying to get back erfect. I trying to make sure that it's compatible with as many use cases that exist right now and in uwsecases. Don't e desttriht.
Now that we may not even think of yet is a really challenging process, and it's one that requires a lot of collaboration with other projects and one that requires, although a brainpower from as many different people as possible. And so that's something that we're undergoing at the moment, is we have these fundamentals and we've demonstrated some core technology. We've demonstrated these...

...processes, but before you can be something that's main ready, if you want to call it that, requires a lot of collaboration with these other projects to say, if you're going to use this, what's the posetas you want for your users? Um, and hopefully, if you build a system that's compatible with every use case that is available today, then chances are you've got something that's going to be compatible moving forward. Um, the second challenge is this one, I guess it's more completely in the realm of security and privacy. So, first, obviously, you know, we have to get all these contracts audited. That's, you know, it's a baseline. It's obvious. The second challenge is how you audit a system that's never been built before. Um, there isn't a network like the one that we have. There's a lot of people that are experts in the space of secure multiparty computation, a making, peer review research and verify that it works. But what about the actual thing that you've built? If there's a bug in it, then if every single node is running this one piece of software, suddenly every single node is vulnerable, and this might be a surface of attack. Um, so ensuring that the implementation has no issues is inmainally possible. I don't believe that anyone claims their implementation is bug free is telling the truth. Um, so the only other approach is to implement it in as many different ways as possible, as many different teams as possible. So going to other development houses and saying, here's the spec, here's an example implementation in Go, let's say, build it again: Georgiand CIPOSPAS, build it in Rust, um, God dunk, build it in Python, Ino form. That's I love pyathons, not but yeah, Yore N. I forgot you guts me Ngineis. Um, and, um, hopefully, because it's built by different people or different subsorts of people, obviously there's overlapping, U W collaboration, um, and different languages, that the bugs that come up aren't going to be the same, um, that even if there is a bug or vulnerability in the Go implementation.
If that's one of five th implementations, then maybe twenty percent of nodes are affected and you can patch that as quickly as you can, and in the meantime, not the Byzantine threshold of nodes are compromised. So these are the, like, I guess the kind of challenges that we're facing, and I guess the final one that haven't touched on much publicly at all is governance: how do you govern RenVM and how do you get it to accept updates, how do you get it to accept new chains. Um, I don't think there is an answer yet. Don't think anyone in this decentralized space has come up with a solid, proven mechanism for governance, and I think that's because proving governance is something that takes on. I mean, it's clearly, you just take it with Houg, Twitter, right? Yeah, God, hopefully not. Um, and so for the beginning of the project, Ren is going to maintain governance over, um, over the platform, um, which is not ideal, but I mean there isn't a more sensible option, and then we'll try and move that to, um, a more community based effort with the projects involved in the space, and then once someone proves a governance model, we will adopt it. I E up to a certain, you know, value, value control, right? It's got to be proven, ITD be efficient with a certain threshold of value, like this, like smart contract security, right? The smart contract is secure s. How much money is held. Yeah. They don't really know it. Felike it's. Basically Li E. It's worked for this long with this much value, and so based on that we're willing to take the chance to say it's Withi safe, and a similar type bag. UNDIFFERENT circumscance a I don't know a as, like you said, there's a tremendous amount to be answered, but it's definitely interesting of what...

...you've built. Where do people go to learn more and get involved in the conversation if they're interested? FISWO OPN ME website, um, check out the content there. Um, we're about to release a whole set of docs, um, to the public that people can sort of go through and comment on and get to know the platform in a bit more nitty gritty. But right now the best places is either jump on Twitter or Reddit. Telegram ae the big three that run m e community exists around. Specifically, I Tel coming in, ask questions. Um, we run a very tight ship in our community and all kinds of questions acceptable. If you want to come in and criticize the hell out of our system, great, please, please do. The more people that ask these questions, these hard questions, will help us. If we can't answer those questions, and we know we have a problem, but we often do answer those questions. And other people in our community are well versed in these topics, and they can also help out and give you feedback, and it's or o way you can come to get help setting up a dark node if you want to. All right, a was agt. I' looking forward to can of so when this goes. I want to know more, and I'm still skeptical on all the things, but at least I have a solid base to say, like, oh, this isn't bullshit, there's something here, right? And I think that's what I wanted to get out of this interview. Um, I like the foundations of how this is built, although it's like there's a lot to be done to do all the things you want to do, but it's definitely worth trying in this particular fashion. Yeah, I mean that hype risn Thats, I prase well step. I ain't bullshit. Oh yeah metus. I Ra oh ti efore. We Liv in woocime to the blockchain space, folks, where it's definite, not bullshit is high Cras. I'm more critical of people who just praise it without question. Y. It's indicative that they're not thinking about t we any moon is the question.
Thatthat will get rithat's great exaudence for listening. If you're interested, go checked about we' wit, we'll put the website and relevant links in the description, and if you also like this episode, send us some money on our donate button. That'll also be in the description. And share this with your friends. Click like, click all the buttons, and tell everybody on Twitter. We are hashing it out pod. I am at Corpettiontiter Colin O Fat Callin Cruchet at Collin Cus to cu a long hi. What reyour Terer, iamzilo N, psedl, W NJ o TAT tat. We wogro that as well an teneshow not so ex join a an Siin excite es God, O e Agrettak.
