Hashing It Out

Episode 51 · 2 years ago

Hashing It Out #51 - Blockstream - Andrew Poelstra

ABOUT THIS EPISODE

In today's episode Corey and Collin bring on Andrew Poelstra, a mathematician and Director of Research at Blockstream. The guys dive straight into ECDSA vs Schnorr signatures, their history, and their future in crypto systems. They talk about MimbleWimble, and how it bled into upcoming massive improvements of the Bitcoin protocol. Lots of great stuff to sink your teeth into this episode, so we go a bit longer than usual. Enjoy the show!

Links:

Donate:

  • https://donate.hashingitout.stream

Welcome to Hashing It Out, a podcast where we talk to the tech innovators behind blockchain infrastructure and decentralized networks. We dive into the weeds to get at why and how they build this technology and the problems they solve. Along the way we're learning from the best in the business. Welcome back to Hashing It Out everybody, as always your first host Dr. Corey Petty, with my trusty cohost Collin. Say what's up everybody, Collin. Can I be the first host today? Maybe one day. Oh man, yeah, what's up everybody. Collin, how's it going? It's always a great guest we're bringing; we bring great guests. Today we have Andrew Poelstra, director of research at Blockstream. He's here to talk to us about all things signatures and a couple of other projects we have quite a bit of interest in. So welcome to the show, Andrew. For those that don't know you, can you quickly give an introduction as to how you got started in the space and what you currently work on? Sure. Thank you for having me on the show. As you said, my name is Andrew. I am currently the director of research at Blockstream, and I started in the Bitcoin space... I first heard of Bitcoin in 2011. Some Slashdot commenter was making some Slashdot comment. It was very wrong, and naturally I had to go prove him wrong on the Internet, as you do. Yeah, exactly, I mean it wouldn't work if people didn't do that, so it was important that I did that. That led me to the Bitcoin forums, that led me to IRC and that led me to the bitcoin-wizards research channel, where around 2013 or so I started hanging out more seriously. Bitcoin-wizards is an IRC channel, a fairly low volume channel that is full of basically independent researchers; not everybody's independent, there are people from universities, there are people from companies. Back in 2013 it was very much like an open mic.
It was just a bunch of random people downloading crypto papers from the ePrint archive and reading them and speculating on how they might apply to Bitcoin. A big thing then, in October 2013, there was the paper SNARKs for C that had just been published. This is the first paper that hinted that maybe SNARKs, these compact zero-knowledge proofs, might be practical. So there was a lot of excitement on bitcoin-wizards there. So just hanging out on IRC, I learned quite a bit about Bitcoin from the other people hanging out there: Greg Maxwell, Peter Todd, Mark Friedenbach, Pieter Wuille. Just all the people that we know and love today were hanging out there, and that's how I got into it, really. About a year after that, a group of people on bitcoin-wizards, for the most part people from wizards, decided to start a company called Blockstream, and I joined that. Initially I was just doing kind of engineering work, almost like technical writing work. I helped write the 2014 sidechains white paper, and then from there I transitioned into doing real crypto kind of work. When I showed up initially I was just contracting while I was working on my PhD, so I was doing some small stuff like that, and when I stopped doing my PhD in 2016, I dropped out because Blockstream was sending me to a lot more conferences and helping me publish a lot more papers than my PhD was, then I joined Blockstream full time and now I run the research department there. I guess that brings it up to now. Yes, you're a mathematician, I guess you self-identify as a mathematician. I could say your credentials back that up. A common rule, I just want to get this out of the way, because I think it's important, and someone like you can explain why: a common rule in crypto, don't roll your own crypto. Why is that a great rule? That's a great rule. So that dates back to probably the late eighties and nineties on Usenet, on sci.crypt.
The reason for this rule is, historically... so Bitcoin's kind of weird and new in that all the signatures and zero-knowledge proofs and all sorts of weird Pedersen commitments and all this crazy stuff flying around; historically, crypto meant encryption, and people would show up on Usenet and they would just...

...speculate wildly on, like, maybe the NSA has broken RSA or something like that, and they were going to come up with their own encryption scheme that was totally not broken, and they would do it by just piling together a whole bunch of random XORs and ANDs and ORs; they were piling on XORs and additions and just inventing a whole bunch of crazy mathematical operations that they thought would be impossible for anybody to undo. And of course, when you just pile together a whole bunch of random mathematical operations, the result is not going to be a secure encryption scheme. That's kind of crazy to even think that would be the case, that you could think up a literally random equation and the result will be difficult to invert, but that's kind of the intuition that people have when they start working with cryptography: the stuff they use looks super random, and if it looks really random and people can't even guess which algorithm was used, what equation was used, then surely they can't undo it. And of course, in practice, that's just false. Similarly, people like to come up with their own half-baked hashing functions that couldn't be reversed. People would sometimes like to try to implement their own; even if they would take a real algorithm like AES or DES or whatever, they tried to implement it themselves, and as a result they would introduce timing attacks or side channels or something like that. Never write your own library. Like I said on the previous episode we just recently had, somebody's like, yeah, don't roll your own crypto, but to me that's like a bigger term, don't roll your own crypto. I think of like doing your own, you know, cryptography and stuff like that.
That's what I think of when I hear that, but I actually wouldn't do my own implementation, because I can't prove that it's correct to a high enough degree of confidence, because I don't know all those attack vectors. Yeah, exactly. So this is, I mean, that's what the saying means, basically: unless you're a professional cryptographer... so you need to be a professional cryptographer who's aware of these kinds of attacks, and then your resulting code needs to have many years of review from other professional cryptographers, experts in the space, and just many eyes. And if you're inventing your own algorithm, like the IOTA people did, you probably need like over a decade of academic review of the algorithm before you can even think about worrying about the code. So that's where this adage comes from. It's pretty old, but it definitely still applies today, as we've seen in this space. People are always trying to roll their own crypto, invent new hash functions and mental sorts and new things, and then just deploy it immediately as part of their cryptocurrency or something. So it's fun to laugh at, like IOTA, for doing this with hash functions; obviously this is ridiculous. But I think something a lot of people don't appreciate is that an entire blockchain system is basically one giant crypto system, and when you take a cryptocurrency and you try to change the transaction structure and change the way that blocks are validated and change all sorts of different aspects of this, you are actually kind of still rolling your own crypto, and this can be just as dangerous. Maybe let me give you an example in the Bitcoin space of where we went wrong doing this. Your listeners may be familiar with something called transaction malleability. This was a really big deal before SegWit. The idea here is, when you were creating a Bitcoin transaction...
You choose some inputs, you choose some outputs, you make the transaction, and then you tack some signatures onto there. There are two things that we call malleability. Third-party malleability is usually what people think about: you produce a transaction, somebody is able to tweak your signature somehow, like adding to your signature or doing something, and as a result the transaction ID has changed. The txid has changed because we have changed the signature, but as long as the attacker does this in a way that doesn't invalidate the signature, then the transaction will still be valid and they can publish this. And this means that your wallet maybe creates a transaction with a known txid and publishes it to the network, and what gets into the blockchain is a transaction with a different txid, which might really confuse your wallet. This used to confuse a lot of wallet software in 2011 and 2012. But a more serious problem with this is that if your wallet is trying to spend outputs from the original transaction, well, in order to refer to an old transaction output you need to use a txid, and if that changes out from under you, then your new transaction just becomes invalid. And so, as a result, you basically couldn't do things like the Lightning Network; it was extremely difficult to do things like a Lightning Network, which depend on the ability to spend transactions that have not yet been buried deeply in the blockchain,...

...because, basically, if a transaction does not hit the chain, you can't have any assurance of what its txid will be, so you can't refer back to it, so you can't spend its outputs. And then, even if somehow you manage to come up with a transaction structure that does not allow random third parties to tweak it by adding padding and stuff, there's still this problem, what's called first-party malleability, and this I would argue is actually more of a problem in practice, because it's very difficult to fix without, well, SegWit fixes it and I'll talk about that in a second. But first-party malleability is: suppose that you have some coins controlled by a multisignature. You need multiple parties to sign it. Then every time somebody adds their own signature to the transaction, that causes the txid to change, because adding the signature changes the serialization of the transaction. And this means that if you're writing a multisignature wallet with different parties, you cannot possibly spend your change until it's been buried in the blockchain, because you as an individual signer have no ability to control the txid, and in fact, if you're not signing last, you can't even predict the txid. So you have to worry not only about random third parties changing your transaction, but all of your counter-signers might be changing their signatures and changing the txid. So as a result it was really difficult to do anything interesting with Bitcoin, because as soon as you had more than one signer involved, you had this first-party malleability problem and you couldn't chain transactions off of each other. So the fix for this, of course, is SegWit, segregated witness, where the witness data, which includes signatures like this, is simply moved out of the part of the transaction that goes into the txid into another part of the transaction. And I should emphasize that the whole transaction is still a full transaction. The witness is still part of the transaction.
They need to be there for it to be valid. It's all committed in the block, all that good stuff. People worry sometimes when they hear about segregated witness; they worry that we're pulling the transaction apart or somehow moving stuff. We're not. What SegWit changed was, it made the signatures no longer contribute to the transaction ID. That's all it's doing. Yeah, exactly, and so this means now with SegWit, when you create a multisignature, when you do multisignatures, you don't care about what your other signers do. All they're going to do is add witnesses, and if they change any of the non-witness data, they'll invalidate your signature, so you don't have to worry about it being a valid transaction. So as soon as you sign, you know the txid, and you know it's not going to change. So to bring this way back to the conversation about rolling your own crypto: the reason that this happened was that Satoshi, in designing the Bitcoin transaction format, was thinking of connecting transactions to each other by txid, and he thought, well, I need a signature, like some sort of digital signature like ECDSA or whatever. Actually, the way these transactions were... what he should have done, if he cared about the exact serialization of the signature or whether the signature was there, Satoshi needed to use something called a strong signature. OK, and this is a term of art from academic crypto. A signature is something that nobody can produce a forgery of, even if you give them signatures, but it's a game that defines the forgery for a signature. You have, say, a challenger, and you have some adversary trying to forge.
You give the challenger a public key, the challenger replies with a series of messages he wants you to sign, and you just have to keep giving them valid signatures on those messages, and then finally, if the challenger can come up with a signature on a different message, then they win at the forgery. OK, what a strong signature is, is the way we define a forgery... Can you say that one more time, because my brain... all the different messages, that's where you kind of lost me. Sure, so what a signature... what it means to be a secure signature is, it's impossible for anybody to produce a forgery, OK, and we need to define the word forgery kind of carefully. OK. A naive way to do this maybe is to say, well, if you give somebody a public key, then they can't come up with a signature on some message, right? If all they have is the public key. Intuitively, that's what a forgery is, right? But the problem here, and this is actually the IOTA signature, they're secure under this definition, the Winternitz signature. You actually need a bit more, and to wit, the IOTA signatures are not secure because, as soon as an adversary sees more than one signature on the blockchain, they learn parts of the secret key and then they can produce forged signatures using those parts of the secret key. OK. It seems that the hash gives information about the signature scheme. Exactly. So if we want to have a signature scheme...

...that we'd prove secure, we need to somehow define what an IOTA attacker does as a forgery. So instead you say: OK, well, I'm going to give the attacker a public key and a series of signatures, and if the attacker can come up with a forgery even having seen these signatures, then OK, it's not secure. And we actually strengthen this even more: we let the attacker choose which messages we sign, and the only rule we have is that the forgery doesn't count if the attacker signs the same message as one of the ones they requested. Of course, that makes sense, right? I mean, you can't just give one of your own signatures back, right? Yeah, but there's still a subtlety here, and this is kind of the total lesson about not rolling your own crypto: everything we've learned is weird and subtle. This actually does allow a kind of forgery where, suppose the attacker takes one of your signatures, tweaks the signature, but doesn't change the message, and hands it back to you. Under the model I just described, this doesn't count as a forgery, so it's allowed, and that's exactly what transaction malleability was. The attacker takes the transaction, he takes the signature, and he can tweak the signature in some way so it's still valid; it's still signing exactly the same transaction, but now with a different signature. And so, if you are trying to refer to transactions by their txid, the way we define this is by hashing up the transaction, you actually care about the exact signature. You don't only care about what the thing you're signing is, but you care about the signature itself, and that means that you need this primitive called the strong signature rather than just a regular digital signature. So ECDSA was not enough because it was not a strong signature, and that turned out to be this sneaky problem. Because that's a part where I'm kind of like, my mind's blown, because...
I didn't know that that was even... I thought by design most things wouldn't allow that, and that if you tweak the signature, it's a totally different signature. You're saying that there's basically a validity collision possibility; you can actually determine a formula which will by chance, maybe it was like a thirty percent chance, actually come up with a possible collision, and all they have to do is take these collisions and say, OK, I found one, and then actually it's a complete... it isn't a forgery, as you said, it's a tweak. What was the word for it? It's just not a forgery, it's a malleated signature. I am not a mathematician. So how do you prove that something doesn't have that property? You know what I mean? OK, so this is cool. So first let me describe the issue with ECDSA, or one of the issues. So there were kind of two issues that you brought up. One was this multisignature thing, where multisignatures are inherently not strong. That's what I'm talking about, because you have multiple parties, and each party can individually change their part of the signature; of course there are many different valid signatures if each party has the ability to contribute part to it. But the more interesting thing is the ECDSA being a signature but not a strong signature issue, and I'm going to get a little bit technical here, and then I'll pull out. So in elliptic curve cryptography there is a notion of addition for elliptic curve points, there's a notion of negation for elliptic curve points. So if you add a point to its negative, you get this sort of zero point. You call it the point at infinity, zero, infinity, or, you know, just notation, right? So if you add a point to its negation, you get the point at infinity, and the difference between a point and its negation,
if you were to plot this on a graph or something, is that the point and its negation both have the same x-coordinate but different y-coordinates. The x-coordinate stays the same, and in the ECDSA signature verification equation the only thing that gets checked is the x-coordinate of the final point. So the verifier takes the signature and message, mixes them up, computes a point and checks only the x-coordinate, and what this means is an attacker can take a signature, stick a minus sign... instead of the two values s and r, they stick a minus sign in front of the s, and then they have a different valid signature. And if the verifier was checking the whole final point, they would see that this no longer works, but since they're only checking the x-coordinate, the x-coordinate hasn't changed, so it's still valid. So then your second question: how could you prove that something has nothing like this? And this is really... that's such a cool question. I'm not sure... I'm going to time myself, because I think I could talk for an hour and not really communicate. I'm just going to try. I'm happy to run along as long as you are. So what you do is you...

...so there's a component that goes into a digital signature that's a hash. Before you actually sign something, you take a SHA-2 hash of your message, of your transaction or whatever, and then the signature itself is some algebraic manipulation where you mix up that hash; you treat it as a number, you mix that in with your secret key, you mix it in with your secret nonce, which is this extra number you have to make up, and you get out this thing called the signature. And so when we are proving things in academic crypto papers, the way we model hashes is by something called a random oracle, where we imagine that, rather than everybody having the SHA-2 function lying around that they just compute, which is very difficult to reason about, instead the way we model it is that everybody has to query an oracle. You give some data to the oracle and the oracle will reply with a uniformly random output, with the condition that if you ever give the oracle the same thing twice, the oracle will give the same output. The oracle is pretending to be the SHA-2 function, but rather than being the real SHA-2 function, where you can take it apart and look at all the ANDs and XORs and stuff, here we're just imagining an idealized mathematical, uniformly random function, instantiated by an oracle. OK. And the way that you would prove that a signature is a strong signature is you play... you have this challenger and this adversary play the game that I described. The challenger gives the adversary a public key, the challenger gives the adversary a bunch of signatures on messages that it chooses, and then finally the adversary has to come up with something. The way we prove security is that the challenger himself has another challenger, OK, and then we try to play this through. So the super challenger here, what the super challenger wants is a break of the elliptic curve discrete log problem.
OK, what that is, is if somebody gives you a random curve point, try to find... interpret that as the public key, try to find the secret key corresponding to that curve point. OK. The idea is, that should be hard. So there's the crypto game here: I give you a uniformly random public key, and if you can give me the secret key, then you've won the game. OK, so the super challenger gives the challenger a uniformly random public key. The challenger gives the adversary the public key and says, yeah, this is the public key you need to forge signatures for. OK. The adversary comes back and says, OK, I need you to just sign this message. Now the challenger's kind of in trouble here, right? The challenger needs to somehow produce a signature with this key, but the challenger doesn't even know the secret key, right, because that's his job, to figure out the secret key. The challenger... the super challenger... the challenger's job is to figure out the secret key; the super challenger wants to see it. So we're going to forget the super challenger, he's just the person who wants to see the secret key. Exactly, so he's just sitting there, he's not going to be involved, he's just waiting for a secret key to come out of the rest. So we can forget him. So what can the challenger do? The challenger is kind of in trouble here. He's supposed to reply with a valid signature on this key that he does not know the secret key to. So what he can do is make up a signature, like uniformly randomly make up a signature, and then back-compute what he needs the hash of the message to be in order for that thing to be valid. And so what the challenger does, when given a signature query, is it makes up a random signature, and then the challenger also gets to be the random oracle. OK, the challenger also gets to choose the random oracle output, so the challenger does this computation, determines what he needs the random oracle output to be for the signature to be valid, and says, there you go.
Here's my signature. OK, and this is... there's a lot of subtle stuff going on here. So in order for this to work, the adversary has to be unable to distinguish the random oracle output from uniformly random, and I mean that's kind of the subtlety. So you need to argue that, even though the challenger is doing this sleight of hand, like back-computing this value, it still needs to look uniformly random to them, and it turns out the Schnorr signature verification equation allows that to happen. So the challenger is able to answer all of these queries this way, and then finally the adversary comes up with a forgery. And here's a weird thing: what the challenger is going to do is it forks the adversary. OK, so everyone here is not a person; the adversary is actually a program, right? That's just how the form of the proof works. The challenger is going to fork the adversary, and when the adversary chooses a message to forge on, that's the point of the fork. So then the challenger receives a random oracle query, find me the hash of this...

...message that I gave you, and it gives a different hash, a different result, to both sides of the fork. OK, and then on each side of the fork the adversary comes up with a signature, all right, and if the adversary is successful, it will come up with a valid forged signature on both sides. The challenger takes these two signatures, and now he can use the fact that the two signatures use the same key, use the same secret nonce, but they sign different message hashes, and this is something some of your listeners may have heard of, this idea: never reuse nonces. The idea is the challenger, by forcing the adversary to reuse nonces, has now leaked the secret key, and so the challenger uses a double-nonce attack, steals the secret key, turns around and gives it back to the super challenger and says, ha, there you go. Then is it the adversary's fault for using the same nonce? Like, how do you take apart that in reality? It works very well, but why would the adversary itself use the same nonce? I don't understand that exactly. That's an awesome question. So the difference between Schnorr and ECDSA that makes this possible for Schnorr and impossible for ECDSA is that in Schnorr the nonce goes into the hash. So once the adversary chooses a hash to be signing, the adversary's choice of nonce has already been fixed, so the adversary chooses his nonce before he gets forked. Right, got it, yeah. I thought it always worked. I was kind of surprised that ECDSA doesn't do that. It seems almost obvious when you... that's the question: is there any way for elliptic curve cryptography to do that, based on the way the math works? So what you need for, as you said, and you just set this time boundary here, in order for the forking to work, you need to force the adversary to commit to his nonce, and the way you do that is by putting the nonce into a hash function, and then in your proof you say, oh, as soon as the hash function is queried on a nonce, then we do...
The fork is basically what happens. So the difference between ECDSA and Schnorr here is, in ECDSA they kind of use a separate hash for the message and a separate hash for the nonce, except that the hash for the nonce is not a real hash. What's actually done is it takes the nonce, written as a curve point, and extracts the x-coordinate, and the reason this is done is basically to evade a patent that Schnorr put on the Schnorr signature algorithm in 1991. This is entirely a patent evasion trick. But as a consequence, this consequence of just interpreting it as a point and then only getting the x-coordinate is where we get this plus/minus thing from, and using the x-coordinate is not easy to reason about mathematically. Like, you can actually prove ECDSA secure if you model that as a random oracle and you make a couple of other unrealistic assumptions, but the fact is that extracting the x-coordinate from a point is not a remotely random operation to do, so it's not a proof that really maps to reality in any way. Versus in the Schnorr case we're modeling SHA-2 as a random oracle, and SHA-2, as far as we're aware, we've never seen any deviations from uniform randomness. If you just... Yeah, like I have too many questions. I'm not a cryptographer, but I've been kind of observing this space for so long that now I've developed these questions that probably are very obvious and basic. But how do we know that SHA-2 is even random? Like, how do we prove that, basically, its output is uniform, really random? Yeah, go ahead. So that's a really good question, and I'm not going to give you an answer that you're happy with; maybe you and your listeners are going to be much more suspicious of cryptography. But basically here's the deal. In general, it seems conceptually impossible to do that. Like, imagine I am pretending, like I'm trying to prove that SHA-2 is random by...
If you give me some message, I either give you a uniformly random result or I give you the real SHA-2, and you can't distinguish them. That's kind of how a cryptographer would think about proving something is uniformly random. This, of course... OK, good, that's what I figured, but I didn't have... I had an assumption like, how would you know it's random or not? But there are attacks on hashes where the hash itself isn't evenly distributed, to the point where you can actually create... Right, so there are two questions here: one is about distinguishing randomness from non-randomness, and the other is about the distribution. So the way that you would prove that SHA-2 is indistinguishable from randomness is through this game I described, where you give me some input, I give you uniform randomness or I give you SHA-2, but that... because...

...you can just run SHA-2 yourself on your own computer and see whether what I gave you is SHA-2 or not. So in that sense it's totally not random; it's totally predictable, because it comes out of a public algorithm that somebody published and anybody can implement themselves. So how is that random at all? So instead what we do is... Yeah, because you get clusters, is what I'm trying to say, like you can actually get clusters of values that are relatively close, having given very little, relatively close input. It just doesn't seem to me, like, you know what I mean? Yeah. So there are a couple of heuristics that we use when evaluating the strength of a hash function. One is this sort of avalanche effect, where, if you give me some challenge and you're going to give me the challenge with one bit flipped, on average about half of the bits of the hash should be flipped. Every little change you do should completely change the hash, is the idea here. And then more generally, you can look at feeding things to a hash function: if anybody can come up with a sequence of values that are not chosen based on the output of the hash function that still manage to cluster, like if somebody can find a whole bunch of values that all hash to very similar things without grinding through and just picking them by brute force, then that would indicate that the hash function is broken. So the heuristic is basically: if somebody can find a computationally cheap program, meaning one that isn't doing an exponential amount of work, like having to do twice as much work for every additional bit it's trying to grind, can you somehow get a non-uniform sequence out of the SHA-2 function? So, for example, if you imagine just generating all the integers in a row, take the hash of zero,
the hash of one, the hash of two, hash of three, hash of four and so on, and feed that into a standard random number generator distribution test to see whether it's uniform, to see whether like half of the bits are one and like a quarter of the pairs are one-one and a quarter are zero-one and a quarter are whatever. The results will pass any battery of randomness tests you throw at it, OK, and it turns out the same is true, as near as we can tell, for any sequence of numbers that is cheap to generate. So if you can define a sequence of numbers... if you want to make sure the top bit of your hashes is zero, you can do that, but you've got to throw out half of your numbers, basically, and the only way to choose the ones to throw out is by actually doing the hash. So the idea is that for every bit you want to grind, you have to do twice as much work, and so actually the heuristic I'm describing here, this is kind of cool, is actually the proof of work algorithm that Bitcoin uses. The idea here is that the only way to find a hash value that's under some very small target, maybe it needs to have like eighty bits of zeros, the only way to do that is by doing eighty bits of work, by doing two to the eighty work and just trying two to the eighty different hashes. And in fact that is what the Bitcoin network is doing, and as far as anybody is aware, there is no more efficient way to do mining than to just choose some sequence, just keep counting through that sequence and keep hashing the result of the sequence, just hash over and over and over. And if anybody could find some sequence that would result in smaller hashes on average, that somehow would skew the numbers, then that would be a deviation from uniform randomness.
It would also be an optimization to Bitcoin proof of work, and we would hear about that, either directly by them publishing it and being good citizens, or maybe somebody just secretly uses it and then they get a hash power advantage because hashing is cheaper for them than for anybody else. So I guess I could have shortcut this whole rambling answer and said the reason that we consider SHA-2 to be uniformly random is because the most efficient way to do SHA-2 proof of work that anyone has found is just to hash over and over and over. It's really... yeah, because it was so... I guess it was important to be the most uniformly random, and basically the entirety of all proof of work in Bitcoin has been trying to prove that wrong, unsuccessfully. Yeah. [inaudible] I guess it's "too long, didn't read." We could probably blame a lot of our cryptography woes on the fact that Dr. Schnorr was an asshole and tried to patent something. Yeah, yeah. I agree with every part of that. He's still working, he's a professor, I mean you can go visit him. I consider doing that sometimes, and I really wonder what he thinks today about all of this. I've said a lot of pretty mean things about him to the press before and he's never reached out to me. I don't know if he's aware of it or not, but certainly throughout the nineties he was very active on various mailing lists arguing that DSA infringed his patent and in fact people should be paying him royalties even for ECDSA. So this wasn't just like an accidental...

...thing or university process or anything like that. He deliberately patented his signature algorithm with the intention of making money off of royalties, and he actively pursued getting these royalties, and in the end he didn't make a dime, because NIST defined the DSA algorithm to evade this patent, and no court ever held that this actually was in violation of the Schnorr patent. So the result is that Schnorr didn't get used until the patent expired in 2008, and then the first use after that I'm aware of, three years later, Ed25519 came out in 2011. That was Daniel Bernstein's signature algorithm, which is basically Schnorr with a couple of extra hardening steps applied to it. So nobody used Schnorr signatures from their invention in 1989 until Ed25519 in 2011, twenty-two years basically, and unfortunately those twenty-two years contained Bitcoin's inception, which forced Bitcoin to use ECDSA. I'm seeing a lot of that stuff still. There's a lot of patents. One of the areas of research I was kind of really interested in was error-correcting codes, and there's just so much work done in that that is only just now finally coming out of patent. So yeah, I mean it's tragic, but anyway, we're going over all this stuff, that's pretty... you know, I think it's fascinating, honestly. I could talk to you about that for hours, so I think we need to get into some of the Blockstream... um, what's Taproot? What happened... did I ask that question? No, that's a great question. Taproot is a proposal for Bitcoin for a new type of output. So today, Bitcoin outputs are labeled with what's called a witness program. This is just the script that describes under what conditions you are allowed to spend the coins. You have something called a witness program.
The witness program might describe public keys that you need signatures for, or it might describe timelocks, or it might require hash preimages, whatever crazy stuff you're doing. Every Bitcoin output is described by such a program, and to spend those coins you have to satisfy the program. So what Taproot proposes is to have a new version of the witness program where, rather than having the program be a hash of a bunch of Bitcoin Script opcodes describing a program, the program will just be a public key. Okay. And to spend the coins you need to produce a signature with this public key, a Schnorr signature with this public key, and the thinking here is that the majority of all Bitcoin transactions are ones in which a single user is signing to spend that coin. They're just producing a signature anyway, and actually there's a different type of output that we already have as a shortcut for this in Bitcoin, and so we're proposing to make all outputs use this kind of shortcut, except using Schnorr signatures instead of ECDSA. And the cool thing here is that Schnorr signatures enable a very efficient multiparty computation, or a very simple multiparty computation, in which multiple participants produce a single signature with a joint key that they all jointly control, and you can actually do better than that, you can do thresholds. You can have a key that, say, ten people jointly control, but any six of them are able to produce a signature for it, or whatever. And the idea is that most coins on the network, even ones that are not controlled by a single signer using a boring old wallet, are controlled by a fixed set of counterparties.
So for example, if you use the Blockstream Green wallet, I believe all the coins there are controlled by a two-of-two, so the user needs to sign and Blockstream needs to sign, and there's also an emergency clause where, after a couple of weeks or something, if our service is down, then the coins are entirely controlled by the user. So the idea is that the user has full custody of their coins, and if the service goes down or stops working or something, they have the ability to get their coins back, but under normal operations they have split custody between themselves and Blockstream, and what Blockstream will do is sign anything that is an acceptable spend. So basically you have the protection of having Blockstream holding half the key for you, so that if your phone gets stolen you can contact us and we will stop signing stuff, but you still have full custody of the coins. But what I want to talk about here is the fact that what's happening on the network is there is this output that today uses this witness program that...

...describes the two-person multisignature. Under normal situations, both the user's wallet on their phone and the Blockstream signing server agree to just sign the coins, and so from the blockchain's perspective, well, the blockchain doesn't really care that there are two participants. It doesn't care that there's this time-locked backup thing or anything like that. All the blockchain cares about is that whoever is supposed to authorize those coins moving, whoever it is, agreed that the coins should move. And so this combination of Schnorr signatures allowing a very efficient multisignature or threshold signature construction, and the fact that under most situations there is a set of counterparties who jointly control some coins and normally they all agree to just move the coins, means that you can have these coins controlled by one key and one signature, and that will work for ninety-nine point nine percent of the cases. And so you get all these use cases covered much more efficiently and much more privately, because all that is on the blockchain is one key, one signature, regardless of how many parties are involved. But you may think, like, what if there's any tier? It could have any sort of construction you want, right? You could have basically multiple parties that are required to do another multiparty signature, and they could all build up to one, and ultimately the result is one special signature that actually can be, you know, verified on chain. Is that correct? Yeah, exactly. You can have any arbitrary structure of keys and thresholds of different parties, multiple layers down, and you can construct a protocol that's fairly simple, or I guess the complexity of the protocol grows with the complexity of your policy, that produces a single signature.
So that's great, except, well, signatures are not the only thing that people use Bitcoin Script for, that people are using the blockchain for. Of course people are also using hash preimages, which are used for atomic swaps and Lightning channels, and importantly, people also use this tool called timelocks, and that's how you can get assurance, as a user of some complicated contract, that if something goes wrong, if your counterparty goes away, or Blockstream folds, or turns evil, or whatever, you will still get the coins in your wallet back. You always have this timelock there. And so here is the cool thing that Taproot does. It makes the observation that under ordinary circumstances these timelock clauses are never used, and so what Taproot does is it has a way to actually commit to the timelocks, to a timelock and some extra script and some extra key or whatever, to hide a commitment to that script inside of the public key itself, in a way that causes... it will cause the key to change, of course, so it will cause the secret key to change, but in a way that makes the key still signable. So if you were using Taproot for something like the Green wallet, then there would be a single key that is jointly controlled by Blockstream and the user's wallet, and that key would have a commitment hiding in it, and what would be committed to is a timelock and another key that the user controls by themselves. Okay, and under ordinary... so again, I'm sorry, that's really complex for me. Could you say that one more time? Sure, of course. Let me maybe start by describing this key commitment thing, because I'm handwaving around that. So a commitment in cryptography is just some sort of, usually it's like a hash or something, that is both binding and hiding, and I'm going to focus on binding right now. So what binding means is that it is impossible for somebody, once they come up with a commitment, to decide that they actually wanted to have committed to some other data.
So I'm thinking of a number between one and ten. I can give you the hash of my number, and actually I'd give you the hash of my number plus some randomness, so that you couldn't just try all the hashes, and then you can guess what my number is, and you can be assured that I have to tell you the number that I hashed to give you. Like, you guess the number and I'm like, no, you're wrong, or yes, you're right, and then I'll tell you my number and I'll tell you whatever randomness I put in there, and the point of having a commitment is that I can't change that. Okay, well, the commitment causes it, it ties it. Yep. And then the fact that it's hiding means you can't just look at it and guess the number just by looking at it, but that's how you know I'm not lying to you. This is exactly it. So for Taproot we discovered a way, we discovered a scheme, this is a scheme called pay-to-contract that I believe originates with Timo Hanke, he's a cryptographer in the Bitcoin space, he's been around forever, I think in like 2013, where you take an elliptic curve point and you add to that point another point which is a hash of the original point and also some extra data, and in doing so your final point is actually a commitment. The...

...point itself becomes the commitment to this extra data and also to the original point. But it's just a point, is the cool thing. It's still a public key. It started as a public key and now it's a public key. The only difference is that it has been tweaked in a way that is actually a binding commitment to some extra data. Okay, and so actually, yeah, okay. That reminds me of [inaudible] for some reason, because when you do that kind of stuff, it's like you're adding the C, and the C is actually, yeah, algebraically it's pretty similar. And so this pay-to-contract construction is actually used in practice. The way that I am aware of it being used is in Blockstream's Liquid, which is a sidechain. It's a federated sidechain. It's an independent blockchain, but you can move bitcoin onto it and off of it, and when the bitcoins are moved on, they're basically in the custody of a set of participants, where eleven of fifteen participants need to sign to move the coins back. And the way that you transfer coins is that you actually take the keys that belong to the federation members and you do this pay-to-contract construction on all the coins, and what you're committing to... you're turning all of the federation keys into a commitment to basically a proxy address, to a proxy Bitcoin output, that nobody can see. In the end, what hits the blockchain is just a bunch of keys, and then to claim your coins on the Liquid chain you provide a reference to your transaction and also reveal what you committed to. You say, hey, here's my proxy address, here's my proxy witness program, I should say, and here's a witness for it. So I secretly committed to my own public key, and here is the signature for that public key, and so basically you're spending the coins on the Liquid network, except the coins you're referencing are not old Liquid coins, they're actually old Bitcoin coins, and the witness program you're satisfying is not the Bitcoin witness program.
But it's a secret alternate witness program that you hid inside the Liquid output program using pay-to-contract. All right. And then, I apologize, I'm waving my hands here, this is only audio of course. I apologize, this is difficult to follow, but the idea is you can take a program and you can commit to an alternate program in it. That's what we use for Liquid, and so what Taproot is, is a proposal to use that technique on Bitcoin itself. So ordinarily we have a public key, and as long as all participants in your contract agree, they can just jointly produce a signature and just spend the coins using that. If anything goes wrong, if you need to use a timelock, if you need to reveal a hash preimage, if you need to do any weird additional things, then you have the ability to reveal your alternate program, and blockchain verifiers, because the commitment is binding, can check that you really are revealing the correct program, and then you reveal a witness to that program just the way that you do today. It's just like an alternate, basically an old-school Bitcoin output that you've committed to inside of this new-school Taproot output, with a couple of little differences for efficiency and privacy. But that's essentially what Taproot is. It's this ability to have a public key that, under normal circumstances, is indistinguishable from any other public key. Whether there is a complicated contract inside is indistinguishable. How many signers are involved is indistinguishable. What kind of threshold or weird policy of signing... it's all one key, one signature, and using this pay-to-contract trick you still have assurance that the blockchain will enforce whatever extra rules you might need enforced under different circumstances. So I want to try to recap this in layman's terms. Currently we do this in a variety of ways using Bitcoin Script, or we're not capable of doing it.
The goal, the overarching goal, of using things like Schnorr signatures and Taproot is to move a lot of the complexity off chain and make everything on chain basically look the same, with the ability to prove that what happened off chain happened correctly. Yep, exactly, that's exactly right. And so I've talked about how... so I described two ways of doing that. One is, if you have a lot of keys, then you just directly produce the signature, and all the blockchain sees is the signature, that's great. The other thing I described was a commitment scheme where, if you need to use the blockchain for script, you reveal the script and then you just do it normally, but at least you don't have to reveal it normally. So that's also a way to move stuff... it lets you move uncommon things off chain, or rather, it lets you move things that aren't used off the chain, and then you only put the things that you actually use on the chain. That's the whole conversation we had previously about Merkleized abstract syntax trees. It's like you have all these particular options of what you could do in terms of the signature scheme, but when you act, when the deed goes down and everyone...

...signs something, you only show the path that was used and not all of the other paths that could have happened, and so that way all that stuff doesn't have to live on the blockchain. You get a lot of privacy and a lot of information saving on the blockchain itself. Yep, that's exactly right, and actually Taproot includes MAST. So I've been talking about the public key committing to an old-school output, mm-hm, but what it actually commits to is a MAST. Okay. It commits to a Merkle tree of all the different alternate spending methods. You can have as many alternates as you want and you only have to reveal the one you use. The idea is beautiful. Actually, it's like you have this arbitrarily complex tree... think about it. I always think about it in terms of a tree, because we all know Merkle trees and things like that, and when people talk blockchain they tend to have an idea of the visualization of a Merkle tree, and the leaves of all of this Merkle tree, depending on how complex it is and how many layers deep it is, you end up with all of those possible variations of paths you can take to get to something that happened in reality, and what you're doing is you're picking one of those paths and only showing that thing and throwing the rest away. But every single one of those paths theoretically is valid in the signature scheme, but what you actually end up with is a very succinct signature at the very end on the blockchain. It doesn't take up too much space, but it gives you an auditable provability that what happened happened correctly. Yeah, that's exactly... that's a perfect summary. And this is, I understand, I clearly understand why you care so much about Schnorr signatures, because it enables these sorts of things. Is the reason why we didn't do this earlier because it just hadn't been thought up yet, 'cause everyone was so focused on the ECDSA marriage?
Well, they needed SegWit for this too, right? Right. Everything's harder without SegWit. Certainly, without SegWit we were stuck on how we could spend outputs that haven't already been committed in the blockchain. Really? Yeah, we couldn't do anything. Yeah, in principle, so now that we know how to do all this stuff, we could actually go back and we could probably figure out how to do it with ECDSA. We know how, it's just much more complicated, a lot more code and a lot more crypto assumptions and so forth. We could probably even do this all without SegWit, although why would we, now that we have SegWit. But without having that in front of us, we were kind of stalled out at the starting line. I mean, we couldn't... it was just difficult to think past these really fundamental, these basic problems that needed to be solved before we could do much of anything else. There's a question there for you, and I think this may be somebody who may be naive, or even not naive, who would be thinking, how is this not new crypto? How is this not rolling your own crypto? Oh, that's a great question. So, as I hinted at earlier in this conversation, changing the blockchain... a blockchain itself is a whole cryptosystem, and Taproot is definitely... the integration of Taproot in Bitcoin is absolutely a whole cryptosystem, and so... so ultimately this is rolling our own crypto, but ultimately somebody has to roll new crypto. When we say "don't roll your own crypto" we mean, as an individual, as somebody who does not have expertise, who does not have a lot of review cycles, whose product hasn't been reviewed by the wider community in the cryptography industry and so forth, if you're just going to invent something and just deploy it without any review, without any oversight,
without anything, then you're going to be in trouble. But obviously somebody does create new cryptography, right? People invent new encryption schemes, people invent new signature schemes, and these go through enormous standards bodies, they get published in the academic literature, they go through peer review, they go through competitions, people try to attack them, people put a lot of money riding on them and all this kind of stuff, and so when we propose things for the Bitcoin network like this, we have to go through all of that. So first of all, Taproot is provably secure. You can come up with an academic proof that if somebody could, for example, spend Taproot coins without either signing with the keys they need, or revealing a script and how to sign that script, and it has to be the right script, then they could break the elliptic curve discrete log problem. You can formally prove that theorem. In addition, if users are generating one of these multisignatures I've described, where they all come together to produce a signature, they would probably use a cryptosystem like MuSig, which has quite a long paper associated with it that's gone through peer review, and the implementation of the code verifying this is all part of the libsecp256k1 library, which is part of Bitcoin Core. So now we're into...

...implementation, you see. So here is where we need community review. We need the industry to look at this, we need the Bitcoin community to look at this, we need professional cryptographers to look at it, and because the Bitcoin project is so high profile we're able to get review from academics and engineers and industry players, and because of the money riding on it we get review from attackers, which is very nice. I heard that. I mean, it's worth a lot, certainly, if people can't attack it even when they have such an incentive. And then also Bitcoin moves very slowly relative to other cryptocurrency systems. We spend a lot of time doing this kind of QA and review cycles and stuff like this. And then there's one final thing. The truth is actually Taproot is conceptually pretty simple. It all hinges on this pay-to-contract construction, which has been around for, I guess, six years in some form or another, which we've used ourselves in Liquid in production. If you can break that, you can steal all the coins in Liquid, and so you basically have a lot of review from many different players with many different motivations over many years. That is the short answer, both for the cryptosystem itself, where we also have academic papers that go through peer review, and also for the implementation. So ultimately, yes, this is rolling our own crypto, but here "our own crypto" is kind of the industry's own crypto, and a lot of people are involved in making sure that this is working because, like you said, there's a lot of money on it. So the attackers themselves don't want their money stolen. It's also built on age-old primitives. Yeah, yeah, so the primitives have kind of existed, like you said. So I mean, but this kind of leads me to another... I have so many questions for you. I'm frustrated because there's no way we're going to get through all of them, but I want to know why side channels aren't a thing yet, like in any real way...
...side channels or not, yeah, there's so many things that I read about and I just want to hear it from the horse's mouth, and I don't think I can do that right now, but there is one topic I absolutely feel like I need to cover, and since we're already on the topic of rolling your own crypto, I want to talk about Mimblewimble, and I want to talk about its relation to the Lightning Network, and maybe using Mimblewimble as sort of another atomic swap mechanism between Bitcoin and Mimblewimble through the Lightning Network. All these things I've seen you talk about are super interesting, and I was wondering if maybe you could talk about what Mimblewimble is briefly and then talk about why it's important to Bitcoin. Before you start, we highlighted a show you did on the Monero Monitor quite a while ago with Mike. Oh yeah, right. I'm going to have that in the show notes, go listen to it. It's about an hour, hour and a half long episode of you describing what Mimblewimble is in detail, and it's a wonderful description. But here, give us a short overview. I'd encourage listeners to go listen to that if they're curious for more. Oh yeah, so then I'll give a very short overview, maybe one or two minutes, of what Mimblewimble is. So back in 2015, this will be short even though I'm starting four years in the past, Greg Maxwell developed a thing called confidential transactions, along with Adam Back and Pieter Wuille and myself and a few others. Confidential transactions was a scheme for replacing all of the input
and output amounts in transactions with these hiding, binding commitments, a special kind of commitment called Pedersen commitments. They're not hashes, they're elliptic curve points. They're not elliptic curve points like the pay-to-contract thing, they're just a different kind of commitment. They are what are called homomorphic commitments, meaning that validators can add up all the commitments on the input side of a transaction to get a new commitment, and it will also be a commitment to the sum of the input values. So they don't know what this sum is, but they can still get a commitment to it. They can add up all the outputs, and then they can compare the two commitments, and then they will know whether the input value equals the output value, even if they don't know what the amounts are. And so this was developed by Greg Maxwell for Elements Alpha, which is the sidechain that later became Liquid, or that Liquid was based on, I should say, and then it was picked up by a whole bunch of other projects, like Monero, for example, and a whole bunch of other things. So what Mimblewimble does is it takes this confidential transactions thing, it throws away all of the extra script stuff, all this Taproot stuff, all the Bitcoin Script, all these multisignatures and hash preimages and blah blah blah, throws it all away, and says, how about the blinding factor that's used in these Pedersen commitments? What if we use that as a secret key, and we use the fact that only if you know the blinding factor are you able to make a valid transaction, and that's going to be our transaction authorization? So basically, if it's possible to make a transaction that balances, you must have owned the inputs. That's the thinking underlying Mimblewimble...

...and so the result is a blockchain where basically there is no separate cryptosystem for authorizing payments. It's basically, if the transaction exists, it must have been authorized, because nobody else could have created the transaction, and this has some nice properties in that if you have a transaction spending an old transaction's outputs, the validation equation for this is a sum of elliptic curve points, where the output that was spent appears on the positive side of the equation when it was created and on the negative side of the equation when it was spent, and you can literally just delete it entirely. It doesn't matter, if the same thing appears on both sides of an equation you can just remove it and the equation is still valid. So this means that validators can basically cut out all of the intermediate steps of transactions. And to prevent various attacks on the naive scheme that I just described, where basically somebody can come up with a fake output that is the negative of somebody else's, and they'll put it in and steal their coins by constructing their output to cancel it out, the way this is prevented in Mimblewimble is that there is this extra thing, not really an output, a thing called a kernel, which is attached to every transaction. It's not attached, it just needs to be beside the transaction, and it makes the transaction balance, and what this kernel is, is actually a multisignature key of all the participants in a transaction, and it would take way too long to explain how exactly this is accomplished. But basically you have this extra public key, and for the transaction to be valid, you need not only that it balances, that inputs minus outputs minus kernel equals zero, you also need a signature with the kernel, and this signature and the kernel... the kernel is secretly two things. It's both a commitment to zero and it's also a public key belonging jointly to all of the participants in the transaction.
Okay, and as long as there is a signature with that key, it means that everybody involved in the transaction authorized it. So then you can throw that on the blockchain, and then in the Mimblewimble blockchain, validators can just download... they don't need to download all the transaction data. They only need to download the unspent outputs, because those are the only outputs that haven't been cancelled by other transactions, and they also need to download the set of kernels, instead of signatures. Okay. And this makes validation much more efficient, because the only thing that you need to check are signatures, and it is possible to, what's called, batch-verify these signatures. You can verify them much faster than verifying individual signatures, and there's just less stuff to check, and also you're downloading way less data. And so this is cool. It's all very cool, and you get quite a bit of privacy by this use of confidential transactions, but there's a problem here, which is I started by getting rid of all of the script system and all the other stuff, and so an immediate question somebody is going to ask is, wait, if I don't have a script system, I don't have timelocks, I don't have hash preimages, how am I going to do atomic swaps? How am I going to do Lightning? How am I going to do any of that? So it turns out timelocks are not too difficult to kind of hack onto the blockchain. The hash preimages are much harder, 'cause the idea behind a hash challenge is that if somebody spends some coins, you want them to be forced to reveal the preimage to a hash to the blockchain, and then the other party can see the preimage on the blockchain and they use that to feed into a different payment channel or whatever you're doing, to create another transaction. Basically they use the blockchain as a communication layer to communicate a secret and make different transactions atomic.
You can't do this in Mimblewimble, because you're deleting all of the transaction data and there's no way you can hack that on. I mean, there's no evidence that a certain output existed or didn't exist once it's been spent, which means if an output has a hash preimage requirement, the blockchain can't enforce it, 'cause the blockchain can't tell whether the output even existed. Okay. So it seemed for a while that Mimblewimble was basically dead on arrival. It's cool, you've got this great super-scalable layer one blockchain that completely undermines any ability you have to do layer two, so you get your scalability, or whatever you get from having Mimblewimble, but then you can't have your hundred thousand transactions per second on Lightning. That just sucks. And so myself and a few other people got to thinking about this, like, is there any way that we could somehow get these hash preimages onto Mimblewimble? And this is cool, because I'm going to tie this right back into Taproot. I found a way through something called an adaptor signature, and the way this works, very briefly, is that if two parties are jointly producing a Schnorr signature, so they have a key that represents both of them and they're doing a two-of-two signature, then there are two phases. First, the two parties provide their nonces to...

...each other, and then they sum up thosenoses and produce a message. Hash M. So Y, you remember back from when I wasbreaking Snore segnature at the begining O vess. You have to give thenounce before you get the Housh Um same principal here. Both parties hade toshare their nounces, and then each party is individually able to computethe Hash and then Ech Parti Produc to the natural signature using that Hash.So the two two stages too round of interaction Um and actually there needsto be three rounds. There needs to be a precommittet to the Nouncese for forreason that I don't have time to go into, but the simplest version is thistwo version thing um which um where, where just you add upthe nonses, you got a hash, then you're out of the Sigratis, and so whatsomebody can do t th. Let's make us more country m the OB that you and Iare doing um hear you either ant o. You can geet you Um, I'm going to do allthe cool stuff. You and I are doing how ae you. Let me I callis you outo here talking to me,go to call him, I'm just I'm Je Sumper, I'm the Super Challenger. For now, allright there you go yeah, Um, meand coll, so we're doing a truos two finture.What I'm going to do is so coinconto give me his not I'm going to giveCallin my nots, and now we can. We can computer house and now for us tocomplete the signature. We both have to provide our own signatures that use aspecific message and the sceciffic nuns cause. If we change either of those,then the MESTA has changes and our signutures won't be volidly like atthis point. We are committed to everything and in particular the finalfigature I produce give unique only one possible fignature call into the noate,but 'vse only one possible signature and similar. We have only one possiblesignature that Callingco beefe okay, so at this point I can think of a secret.I can encrypt that secret to the signature or vicer. 
I can encrypt my signature to the secret, and I'm going to give that to Collin, and I can do this in a way that Collin can very easily verify. So what I'm going to do is choose a secret key and a public key. I'm going to give Collin the public key, and later I'm going to reveal the secret key corresponding to it. So now I give Collin this encrypted signature thing: I have encrypted a signature, I'm encrypting the secret to the signature, and using the public key and all the other data that Collin has available, he can verify that I've done this, that what I gave him really is a valid signature, except that I encrypted some other crap into it. And so now Collin can provide me a signature, and maybe this is a second, separate transaction, giving me my money.

Okay, I could validate that, I could do that, like I could validate the signature... maybe I misunderstood. You give me a signature, and I could validate that it's a valid signature except you added some random crap?

Yeah, exactly. So if I give you the signature, you can validate that, and so here's the cool part. If I give you a signature, you can validate the signature, of course; that's the nature of signatures. If I give you a signature plus some random secret key, then you take the validation equation for the signature and add the public key to the validation equation, and there's your validation equation for an encrypted signature. It's just as simple.

Okay. Yep.

So you can check this, and so now you sign the transaction to give me my coins. Okay, you give me the signature, and now for me to actually take my coins I need to contribute my signature, of course, otherwise Bitcoin won't accept it. So I do that: I contribute my signature, I combine it with yours, I publish it to the blockchain, blah blah blah. Now you, Collin, can look at the blockchain, take the signature from the chain, you can subtract off your contribution, you can subtract off the encrypted blob that I gave you, and you'll be left with a secret. And so what this means is that the only way I was able to take my coins was by revealing a specific secret to you, that you were then able to go use in another protocol. So I've taken this hash preimage trick that's used for atomic swaps, and I've embedded that inside of a signature, and now it works with Mimblewimble, because Mimblewimble does have signatures on the kernels.

Does that mean that, basically, you can have scripting on Mimblewimble? Basically, what I'm hearing then is, because if you're able to do, just as the topic, swaps, and basically anything that can have that system set up, you know, compatible with it, you can actually, maybe going through several routes, actually have like a scripting system built into Mimblewimble. Is that correct? So it was, from what I understand, kind of like a barrier on Mimblewimble that you couldn't do any sort of scripting at all, no smart contracts at all or anything like that. But it sounds like, since you could go through this route to get to Bitcoin, you can basically do scripting. Is that correct?

Basically, you're somewhat limited in the scripting you can do, although I'm going to double back and talk about something you can do that you can't do with Bitcoin script. But yes, you have the ability to do multisig, like, inherently, and then you've also got these hash preimages. You really do need timelocks to do anything useful, but you can kind of hack timelocks onto the Mimblewimble blockchain. Like, I mean, you do have a chain of blocks, you can count them, you can use them as a clock. You can make that work. But the hash preimages were the hard part, and we've enabled hash preimages, and so we've enabled some scripting. And so here is where things... So this was actually the last time that I was really seriously involved in any Mimblewimble project, because once I realized I could do this with signatures, I said: wait a minute, I can do that on Bitcoin, though. Like, all this cool Mimblewimble stuff, that's great, but I have this whole new scripting paradigm, it's super private, and super efficient, and I can just do that on Bitcoin. And so then later, when I was talking to Greg Maxwell and we came up with Taproot, this was part of the motivation for Taproot. This was a motivation for having outputs be, by default, spent only with signatures: that actually you don't need the script even when you're doing cool script stuff. You only need it for timelocks. If you're doing hashlocks, if you're doing multisignature, if you're doing whatever, you don't need the script, you only need the signature, using scriptless scripts, or using these adaptor signatures. Scriptless scripts is sort of what I call this whole family of different things.

Because it's a marketing term.

Yeah, it's a marketing term. And so this is a large part of the motivation for Taproot being designed to optimize the signing with the signature path.

So the alternate path... is it actually the signature path that lets you do all the cool stuff? But why did that take you off of Mimblewimble? Because Mimblewimble has other features. It's a lot smaller of a chain. It's private. Like, so, do you still think Mimblewimble has a purpose, or is Taproot going to replace that?
Oh, certainly. So let me... So first off, as a researcher, my feeling is that Mimblewimble's done, like there's no more fun problems. So that's the personal part of my motivation: there's no more fun problems, it's solved. But the other thing is that the value-add for creating these scriptless scripts, and then all the supporting software that needs to be written and all sorts of stuff like that, the value-add to Bitcoin is much greater, because Bitcoin so far has had, like, no privacy tech along these lines. Today Bitcoin is also used by many more people, in a much more, like, far more... in a far wider context, which means that the kind of supporting software and infrastructure we need to make these scriptless scripts a reality can be created on Bitcoin, and has a much higher chance of being created, and of having the kind of review and robust development and quality assurance that we need for a crypto system like this. You're going to get that from the Bitcoin community. It would be very difficult to get such things from people implementing Mimblewimble chains, or even Monero or something like that, because these projects tend to be much smaller. They tend to be much more focused on implementing novel privacy tech, at the expense, possibly, of going through the years of review cycles and QA and all of this stuff. Their job, like the job and the ethos of these chains, is very much like: let's get cool privacy tech in the hands of users now. And they aren't necessarily so concerned... like, for Bitcoin, if there's a failure that causes like an inflation bug or something in the chain, or causes coins to be stealable, that's it, it's game over for Bitcoin. It's probably game over for every other cryptocurrency. Whereas with these smaller chains that are doing more experimental stuff, kind of the nature of the chain is that they're pretty experimental, and so you'd expect a certain increased degree of risk. And then also, because they take a much smaller proportion of the market share and of the mindshare, it's less catastrophic when they encounter problems. They're generally able to react more quickly, and then there's typically just much less of a loss if these sorts of things happen. So what this means is that it's cool, if you're developing new stuff and you're, like, following new problems, then it's often good to work with these chains, because they will help you get something that can be deployed, and that is something that's actually out there. And my feeling about Mimblewimble is that all of the problems that are at that stage are kind of, like, solved. Like, other people are solving them. Like, there's no open... well, there's no open research things that I'm looking at that are unsolved in Mimblewimble. Instead, what I want to do is bring the scriptless script tech... I want to make this real. I want to make it robust. I want to make it something that people can put a lot of value on and have very high assurance that something's not going to go wrong and they'll lose their money. I want this to be something that the Lightning Network can use, and to do that I can just focus on Bitcoin.

Let's take that for a second. I know that we're running really late, but I have this other outstanding question I think is massively important to the ecosystem that we're in. The strongest competitor to Bitcoin, I would say, took an alternate philosophy and has had massive success despite some of the failures in the space, and that's Ethereum. And so I was wondering if maybe you can give some insight on your thoughts on the value of Ethereum in a world where scriptless scripts are powerful and easily executed. Like, do you believe that this is something that would make Bitcoin more attractive, because it is a long-tested, secure blockchain system with a strong history of being a good store of value, and now it will be a good way to actually do some compute off-chain and verify it on-chain? Is this going to, in any way... like, do you still see value in what the Ethereum group is doing?

So there are basically two things, arguably one thing, that you can do with Ethereum's scripting system that you cannot... I mean, I'll say two things that you can do in Ethereum that you cannot do in Bitcoin. One thing is the Ethereum EVM relaxes a bunch of the restrictions Bitcoin has on, like, the size of the numbers you can operate with, through, like, a whole bunch of weird resource limits in Bitcoin script. They don't really have a reason to be there; they're just consensus for historical reasons, they wound up there, and that kind of ties your hands. But in terms of pure functionality, the only thing that the EVM can do that Bitcoin script cannot do in principle is... Bitcoin cannot look at the transaction you're creating. You cannot reason about the destination of your money. It can't reason about the input amounts, it can't reason about the output amounts, and so for a lot of the more interesting contracts you are unable to do this on Bitcoin, at least in the same way as you might do it in Ethereum, without creating, like, giant trees of off-chain transactions and, like, signing individual transactions and trying to use those signatures to simulate control over your transaction.

So it may be, like, escrow, but not necessarily lending. Is that what I'm understanding, based on
what you said?

No, I'm not going to commit to that. I would have to think harder about exactly where the limitations are. But in general, scriptless scripts potentially help a lot with this, because scriptless scripts in general include all sorts of stuff. Like, I mentioned revealing a secret to you by producing a signature. If I instead create, like, an alternate function, or, like, there may be some very elaborate thing I could do for you, and I could produce some witness or some output that I've done that, and I could encrypt that, and then I could provide to you a zero-knowledge proof that the secret I'm revealing to you with my signature is the encryption key to a valid witness to this other alternate program. So I can do arbitrary, or very general, things with scriptless scripts. You can also do something with scriptless scripts that you cannot do on Bitcoin or Ethereum, for example. And I don't... okay, I've already said too much, but here is an example that I want to give. So my friend Pedro Moreno-Sanchez, who co-authored a paper on scriptless scripts where he formalized it and defined the security model, and really, like, he owns scriptless scripts. I wrote, like, the easy... I said, like, you can add stuff and then it's encrypted, that's all I did, and he really ran with it. He's got a scheme that will let you do some other stuff, but that we'll see in the next few months or years or whatever.

Well, what can you do, for example? Or not okay? What does that mean?

I can say, right now in Bitcoin, I can say: you cannot take these coins unless you reveal a secret, and the blockchain will require that you put the secret on the chain. What I can't do is say: if you reveal a secret, then I can take your coins.

You can do something like that? That seems a fair bit harder to do, is it not?

The reason is that the blockchain can't really enforce a negation of something, inherently. Right. Let me try to think of a concrete example. Basically, if you can imagine having a coin where we want to spend it, where, like, I need to sign and Collin needs to not sign, I can imagine writing a script in Bitcoin that does that, and the thing is that it can't actually enforce that Collin doesn't sign. It just means that if you sign this transaction, I'm going to throw away your signature and then publish it to the chain, right? So the chain can't actually enforce that the second signature doesn't exist. All I can do is enforce that the signature doesn't show up on the chain, which is much less useful. So with scriptless scripts you can actually enforce "not", like this. I can have Collin encrypt some data to me to his signature, and then, if he ever produces that signature, then I can just decrypt that data, and then maybe that data allows me to sign, release another signature to, like, take his coins or something like that. Something like this. So Pedro is going to have some upcoming research describing how to do this, and doing some other things that are much more general and very exciting. But I don't want to steal his thunder, so I'm not... I'm just going to, like, vaguely hint he's got cool stuff coming.

We'll allow people to discover that nice little tidbit of information naturally, and not broadcast it too much on the program. I'll let him talk about it.

Yes, and he should. So, but other than that, my feeling on Ethereum more generally is that it is just a fractal of bad design choices. So the Ethereum scripting language is designed to be Turing complete, right? So another word for Turing complete that we use in computer science is "undecidable". Ethereum's scripting is designed to be undecidable, and when you say it that way, even without knowing what undecidable means, it is clear that that's probably not a good thing. That's probably a very bad thing for smart contracts, and in fact it is. What that means is that it's impossible for me to write a program which, given some arbitrary EVM script, will tell you what it does, will tell you how many resources it takes, will tell you what its runtime is, will guarantee you that it will do some arbitrary thing that I want to assure you of. It's basically impossible, because what Turing completeness means is that when you try to do these kinds of general analyses, you run into kind of fundamental mathematical limitations. You run into the halting problem, basically.

Yeah. We actually ran into a lot of... we've had a lot of conversations with people on formal verification, and basically anybody who's ever trying to do formal verification on the EVM, they have to actually select a subset of the language of the EVM and say:
This is the only stuff that will ever be formally verifiable, and if it has anything other than this, then you can't really prove it.

Exactly right, yeah. And I actually have a project for Bitcoin that does this called Miniscript, which I don't have time... I'm just going to hint at that. Google it, or find another podcast or something; I don't have time to go into that. But basically the EVM was designed to, like, basically to make formal verification impossible, and then even the languages that compile to the EVM, like Solidity and Serpent, were based off of languages like JavaScript or Python, which themselves are undecidable and which are written in this imperative, like, "execute this, execute that" kind of method, that undermines the ability to do formal verification. Whereas what you as a user want is to say: these coins cannot be moved except under these conditions. That is basically the way that you describe a smart contract in English. What you actually implement on the blockchain, in the EVM and even with Bitcoin script (although Bitcoin script has some limitations that prevent it, like it has no unbounded loops and stuff), what you're saying is like: Dear Mr. EVM, blind idiot god, execute the following instructions. Move this thing there, and move that there, check this signature, interpret this as a boolean, move that over there, blah blah blah. And your hope is that that sequence of blind, like, mechanistic operations will somehow result in your coins only being moved under the conditions you want. And like, these are just fundamentally two completely different modes of thinking about programs, and Turing completeness makes it impossible to transfer between the two modes. So that's sort of the theoretical problem with the EVM, but then there's a practical problem with the EVM, which is every single contract has its own data store. Every contract is a 256-bit hash of its program code, and it has its own data store. Its data store is a sort of hash table of data to... to map things. So as a result, to execute an Ethereum smart contract as a validator, you need to do a whole ton of random-access disk lookups in this hash table of hash tables of data, and this is extremely expensive. It requires an enormous amount of space on disk. If you maintain, like, a full, like, equivalent to txindex in Ethereum, it's like a terabyte or something. It's incredibly expensive to verify, and as a result you actually can't really verify the Ethereum chain on commodity hardware. You need to buy a top-of-the-line computer, and you need to let it do nothing except verify the Ethereum chain, and if you do so, there's a good chance you're going to run into bugs in geth, or... usually Parity's a bit more reliable. And then you file geth issues, and the response is like: oh, I guess nobody has tried to validate the chain recently. And there's just a litany of GitHub issues to this effect, because nobody's really validating the chain, and the standard advice if your geth node gets stuck is to restart the node, and restarting the node means you contact the miners, you download a recent snapshot of the Ethereum state, and you just blindly trust that state and move forward. So as a consequence of these anti-scalability, anti-verification decisions that they've made, you have a blockchain that people can't verify.

The archival node... I know that the terabyte-plus node you're referring to is keeping the state in memory at all times in history. The full node keeps the current state, and history, and all transactions, so there's a difference there. So that is a fully verified node. It runs through all the computation associated with the entire blockchain from the genesis block, but it's not keeping it all in memory, and there is lookup.

Absolutely, yeah. That's a good distinction. I shouldn't have... I've tried to equivocate. So the correct comparison would be, like, an archival node in Ethereum is over a terabyte; in Bitcoin that's probably 250, almost 300 gigabytes. And then a full node in Ethereum, where you only have the recent state, I think, is only a couple hundred gigs.

120 to 200.

Okay. And I don't know why; it's the way they store it, like the DB. Okay, and then the equivalent in Bitcoin would be just the UTXO set, which is something like 30 or 40 gigs.

Those are the correct comparisons, absolutely. But it's not a terabyte versus, like, 40 gigs or anything like that. This terabyte is almost never needed, except for, like, doing things like research.

Yeah, exactly, basically. You need it for chain analysis. You don't need that to validate, and you actually don't even need it to bootstrap, necessarily; you can just use the original blocks for that and let people replay the whole state. Well, I think we could probably discuss the ins and outs of core design decisions and so on and so forth, but why don't we wrap it up there.
I will definitely be looking forward to inviting you back on to see some of these things you've alluded to in the future, or one of your coworkers. In the process, let's wrap it up. How do people reach out, learn more, discover what Blockstream is doing and all this cool stuff?

So the easiest way to find me is on IRC, which I know is not very easy for most people, but my nick there is andytoshi. Alternately, you can find me on GitHub as apoelstra and follow my development, and you can also probably find a lot of my colleagues there.

Which IRC server are you talking about, like the Freenode network, or where are you hanging out?

It's basically all Freenode. I was on a couple of channels on OFTC, but I closed them recently because they were too low volume. I am on the Mozilla... no, I'm not. Mozilla is shutting down their IRC server for the Rust programming language, so I'm no longer on there. You can find me on GitHub. You can email me. And then keep an eye on the Blockstream blog, blockstream.com/blog, that's a real URL. You can see some posts tagged research; those are the cool ones, the ones that talk about what I'm working on and what my colleagues like Russell and Pieter are working on as well. And even the non-research posts are pretty cool, and also our work on Lightning, you can find that under research as well.

So to those that enjoyed the show, click like, subscribe, share it with your friends and on Twitter. You can find me, @corpetty on Twitter, and Collin Cusce on Twitter, and the podcast at @HashingItOutPod. And go to the website, thebitcoinpodcast.com; you can find us inside there, join the Slack, join the conversation. Andrew, thanks for coming on. I really enjoyed this conversation, and I definitely look forward to all of these cool innovations and novel ways of doing things more efficiently and more complex, and your work too. I mean, I know you put a lot into this space to better Bitcoin. Thanks again.

Thank you guys. This was a lot of fun.
