Bankless - 49 - Moon Math: The Bull Case for Cryptography | Justin Drake

Starting point is 00:00:00 Welcome to Bankless, where we explore the frontier of internet money and internet finance. This is how to get started, how to get better, and how to front run the opportunity. I'm Ryan Sean Adams. I'm here with David Hoffman, and we're here to help you become more bankless. David, this is the type of episode we've not done on bankless before. What makes this one so special? You know, I don't think anyone has done an episode like this. Justin Drake, who is a cryptographic researcher at the EF, he loves cryptography, and that is one of the harder subjects to do a podcast about, especially when, you know, you and I, you're generally

Starting point is 00:00:51 non-technical, and Justin is extremely technical, yet he did a fantastic job breaking down cryptography so we could help understand how it's going to fill some of the chinks in the armor that we have in this cryptocurrency industry, right? So we use Uniswap as like the premier example of the the application that everyone knows and has probably engaged with, yet there are a few trust bottlenecks for engaging with Uniswap. Metamask is a trust bottleneck. The front end of the website is a trust bottleneck. And there's a number of other things that you are implicitly trusting when you use an application like Uniswap that aren't anything to do with the Uniswap, the protocol itself, but are still holes in the armor when it comes to trust. And so what this episode was about was how we are just at the

Starting point is 00:01:39 beginning of the crypto economic revolution. We start off this episode defining crypto economics. And Justin says, uh, talks about how, you know, originally the cypherpunk vision was all about a cryptography enabled world. Yet that was super ambitious and perhaps never going to happen. And therefore, the integration of economic assurances or assumptions with cryptographic assurances or assumptions is really powerful. And basically what this industry stands on. And we have so much left untapped potential in the realm of crypto economics that we have not yet applied to our daily interactions with the Ethereum blockchain, with the Bitcoin blockchain. So this is all about moon math.

Starting point is 00:02:22 What we can do with all of these crypto economic tools that we've developed, yet we have not yet applied. Justin is really bullish on the future of cryptographic, crypto economic tools for helping improve the trustlessness of these systems that we use on a day-to-day basis. Really a fantastic episode. I think one of my favorites. Part of the reason this is important, guys, is because Bankless is all about giving you mental models for how to think about crypto.

Starting point is 00:02:50 And ultimately, how to guide what you do in crypto, how you use it, your investments, what you do in your kind of daily life using Defi systems. And I think there are kind of two schools of thought about crypto that guide investing paradigms. One is sort of crypto is an economic movement, an emphasis on the money. Bitcoiners tend to be more that side. And the other is crypto is a software. It can evolve and change over time. Our episode recently, David, with Chris Dixon, more expressed that mentality. And you know what the truth is, is it's both of those things. It's not just money and it's not just software. It's software money. And you have to understand both sides of that coin in order to guide your investment decisions

Starting point is 00:03:37 and have the correct mental models for this industry. And this was a beautiful blend of, I think, those two things. It really showed the softwareness and the upgradeability and the enhancement potential of the software compute layer of crypto without sacrificing the economics piece of it, which is so important, crypto economics. It's both of these things together. In this episode, we talked about Justin's heuristics, his rules of thumb for engaging with crypto economics. He says that if cryptography doesn't do it, doesn't solve the problem,

Starting point is 00:04:12 you can therefore rely on crypto economics or add in economic assurances on top of your cryptography. But then he also says, if you can do it with just cryptography, you should do it with just cryptography. And that resonates with the protocol sync thesis. If we can relegate things to math, we totally should. That was one of my big takeaways. We end the conversation, this marathon of a conversation over two hours long, our longest episode yet. We end this conversation with a thought experiment about how cryptography is changing and things in this industry need to change with it. And Justin believes in apparently the industry or the academic study of cryptography points in this direction that quantum computing will come to eventually break

Starting point is 00:05:00 Bitcoin the blockchain and Ethereum the blockchain unless we can pivot and put in new tools, new security mechanisms that prevent quantum from computing from breaking these systems. We talk about Bitcoin's calcification and how it might not be able to pivot to a post quantum world. And in that world, we could actually create a scenario where BTC, the asset, separates from Bitcoin the blockchain and uploads itself to the blockchain that does have these new holes, these security holes as a result of quantum computing patched, which we think, of course, is going to be Ethereum 2.0. That is a fascinating conversation. Imagine a decoupling of BTC, the asset from Bitcoin, the blockchain, and then it exists entirely on a new blockchain. That was an

Starting point is 00:05:48 absolutely fascinating part of the conversation. As usual, guys, we have a full debriefing. where David and I go over our thoughts immediately after the episode. So if you're a premium subscriber to bankless, make sure you check that out. We will include a link as usual. Without further adieu, David, we should talk about our sponsors. Gemini is the world's most trusted cryptocurrency exchange. I've been a customer of Gemini since I first got back into crypto back in 2017 and it has been my main exchange of choice to make my crypto buys and sells. Gemini is available in all 50 states and over 50 countries worldwide. And on Gemini, there are markets for over 30 various crypto assets, including many of the hot defy tokens like Wi-Fi, Ave, Uni, and

Starting point is 00:06:35 also they are one of the few exchanges that has liquid dye markets. Having both the option of logging into the Gemini.com website or instead opening the Gemini mobile app has allowed me to be able to access any and all exchange and on or off-ramp services that I've needed to on a moment's notice. With instant deposits and fast withdrawals, I'm able to make my money do the things I want it to when I want it to. You can buy crypto safely and securely on Gemini with the peace of mind of knowing that your investments are insured and protected with industry leading cybersecurity. You can open up a free account in under three minutes at Gemini.com slash go bankless. And if you trade more than $100 within the first 30 days after sign up, you'll be gifted a free $15 bonus. them out, gemini.com slash go bankless. If you are looking for a product that connects your

Starting point is 00:07:27 fiat bank account with defy tokens and products, you need to download the Dharma mobile app. Dharma is a non-custodial smart contract wallet and comes with a bridge that connects you right into your bank account. Darma is the fastest and most efficient wallet between your fiat and your bank account and any token on uniswap or even any vault in year. With Dharma, you can get over $25,000 per week into the DeFi universe and you can do it non-custodially. If you or anyone you know is hot on Defy and you're trying to get your money into a defy investment, Dharma is the place to go. Signing up and going through KYC is an absolute breeze. It took me just under three minutes and after signing into my bank account via Plaid, I am now

Starting point is 00:08:13 just one transaction away from any token that Uniswap has to offer. Go to www.dh.dh. I-O, that's D-H-A-R-M-A-D-O, download the DARBA app and get yourself unbanked today. Bankless Nation, we are super excited to have on Justin Drake, who is a cryptographer. He's a researcher at the Ethereum Foundation. And to say he played a key role in the development of ETH II is probably an understatement. He's been a key force behind us. He's here to tell us all about how early we are in this crypto revolution, the advances that are coming in cryptography, that are about to change everything we think we know about cryptography, crypto, and this entire industry. Justin, how are you doing today, sir?

Starting point is 00:09:10 I am doing great guys. Thank you so much for having me. You know what? I've got to ask this before we get into the moon math and the really fun stuff. Heath launched in 2020. Wow. How does that feel, ETH2 launch? amazing. I mean, I've spent three years of my life dedicated to this, and it was a great reward. And

Starting point is 00:09:30 seeing that we have, you know, $3 billion, you know, staking and that we basically haven't had issues so far is pretty astounding. Justin, this is actually kind of a unique episode, I think, that's about to come out of the bankless podcast, because this is the first episode where you actually pitched the episode to us. And this is something that I would not have thought. about to be able to, or the skills or the knowledge to produce this sort of conversation. So I mean, I know that you are absolutely fired up to talk about what we are going to talk about. Maybe you could kind of give us the TLDR, the elevator pitch for what we are about to talk about and why you are so stoked about this conversation.

Starting point is 00:10:10 Yeah, for sure. I mean, I was inspired by you because you had this bullish Ethereum, you know, series, and I'm just so bullish Ethereum. And I just wanted to, you know, reflect on why am I so bullish? And, you know, one of the big reasons is that the fundamentals are so strong, right? The whole space is built on crypto-economics, which is, you know, part cryptography and part game theory and incentives. And, you know, the cryptography part in particular, we're at the very beginning. There's so much room to grow.

Starting point is 00:10:48 and it's a story that I think will unfold over many years, possibly even decades. And there's just so many reasons to believe that the reality we live in today is very, very primitive. And it may sound like we're moving to a world. When they describe, try and describe the future, it might sound like sci-fi, but I really do believe that we're moving towards that end goal.

Starting point is 00:11:17 So where does this conversation start? One of the lines that you put into the agenda was that, you know, with regards to cryptography and crypto-economics, we are just in the most primitive age, the stone age, where we have like, you know, the fire and the wheel. But so much of the world's inventions are ahead of us. Where does this conversation start? I think, you know, one interesting, you know, starting point, I think, is the cyphapunk movement, right? So they had this, amazing dream in the 80s, which is, can we try and rebuild all of society on really strong foundations and specifically cryptographic foundations? And people back then were really fired up, you know, for ideological reasons in a similar way that some people today in the crypto space are really fired up. But to a large extent, I think that dream kind of didn't pan out the way that people hoped. And, you know, we had a few decades of silence there. And then, you know, we had we had a few clues, you know, things like, like BitTorrent, which basically allowed us to to have really strong foundations in the sense that BitTorrent to a large extent is just cryptography plus, you know, peer-to-peer networking and plus even a little bit of incentivization the early days.

Starting point is 00:12:38 And then we had, you know, Satoshi's big breakthrough, Bitcoin, which to me is kind of the birth of crypto economics in a really big way. And now we're, I guess we're reaching a point where kind of this, you know, this point in the exponential curve where it's the inflection point. Everything happened quite slowly, but now we're going to see this explosion. you know, largely driven with Ethereum. Where does that inflection point come from? Like, what about the, what's different about Bitcoin and crypto-economics that we didn't have before? Why is, why is there this Cambrian explosion going on now? Yeah.

Starting point is 00:13:24 I mean, one of the big things, I guess, and it was the key innovation of Ethereum is, is programmability. So now we're in a position where Ethereum can, um, absorb all the innovation that we need to absorb to solve all these problems that we have. So in the crypto space, we're starting from the foundation. So we have to reinvent the whole stack. We're reinventing the wheel to a large extent. And so even though we have lots of superpowers, such as decentralization and trustlessness and things like that, we also have a lot of tradeoffs.

Starting point is 00:14:04 And, you know, the superpowers are so awesome that we're. happy to live with the trade-offs. But oftentimes, in fact, you know, almost all the time, I believe that these trade-offs that we have relative, for example, to existing services like centralized exchanges in the context of decentralized trading, I think we can basically fill in all the gaps that we have today and be at least as good as centralized services in every single respect. And in some key respects, there's totally outshine them. you know, by by a fact of 10 or 100 X. Can we talk about this idea of crypto economics for a second in the context of Bitcoin?

Starting point is 00:14:46 Because I just want to make sure that that's clear to all of our listeners, right? So the cypherpunks were very much into cryptography and the revolution that it could bring, self-sovereign money, privacy, all of these things. But they were missing something. They were missing the economics part that made Bitcoin so special. and that made Satoshi's white paper so special. I'm not necessarily sure that that's completely intuitive to people. The sorts of things you can do when you blend not just cryptography,

Starting point is 00:15:20 but it's cryptography plus economics. It's both of those two things together that was the major innovation and discovery of Bitcoin. Can you talk about that for a minute? Yeah. One metaphor that I have is that cryptography is this very powerful, tool is a very powerful building block like the brick, right? You want to build a wall and you have the bricks. But if you have bricks alone, that's not going to work. You need something to glue the bricks together. You need the mortar. And the economic part kind of fills in the gap

Starting point is 00:15:54 and glues everything together so that you have a coherent system that breathes life. If you take cryptography alone, it's kind of somewhat dry and somewhat abstract. And once you bring in the economic part, which could be a relatively thin layer, but, you know, a critical layer, then then suddenly you have pieces of the puzzle that stick together to form a coherent system. Before Bitcoin, the cypherpunks were really trying to solve this problem for almost decades, right? And they innovated in many different ways. One of them was eagled. There was just a number of different like Bitcoin precursors that I think all relied, on pure cryptography, right? And it was that integration of economics that really was what allowed

Starting point is 00:16:44 Bitcoin and therefore this whole entire industry to flourish. Maybe you can talk about just the relationship between cryptography and economics and maybe tell our listeners like maybe when is it the better time to use cryptography and when is it the better time to use economics and how you think about balancing these two forces. So I think a lot of the previous solutions kind of kind of had partial decentralization. They used cryptography to the maximum extent possible, but they still had this somewhere in the system, some sort of central party. And that led to attacks, for example, by governments. Like one of the, I guess one of the big realizations is that cryptography alone, so let's look at the goals of cryptography. What is the goal of cryptography? It's basically

Starting point is 00:17:37 to take a trusted third party that does some sort of functionality and replace it by pure code or pure mathematics. And it turns out that there's some impossibility results. There's some things that you just fundamentally cannot do. And so what do you want to do is you want to relax the constraints a little bit. So you have this spectrum of trust, right? So on the one hand, you have very low trust technology like mathematics and then you can walk your way up you have cryptography physics and then maybe economics and then you know you have things that are very you know human um rooted in in human culture things like the legal system or the monetary system or even religious systems that are deep in in the narrative and you know you want to go as far as possible into the spectrum

Starting point is 00:18:28 but you want to be realistic right there's some things you just can't do with cryptography okay so So if we kind of turn it down a notch and include economics, then suddenly this is the inflection point where you can breathe life into the cryptography. And to be very specific, one problem that cryptography alone cannot solve is the double spend problem. So it's this idea that you need to have some sort of entity that can remember that you've spent something so that it can prevent you from spending it again. And that's this notion of state. and consensus. So cryptography, the way I think of it, it kind of solves stateless problems. So you can start with a state and then it will give you a valid state transition. It can prove to you that something's happened according to the rules or with possibly, you know, certain security

Starting point is 00:19:26 guarantees like privacy or whatever. But one thing that it cannot do is take this graph of of all the possible states and state transitions and collapse it down to one canonical one, which we call the truth. So basically what consensus does is that it anchors kind of, it's a little bit like a quantum analogy, right? So you have, in the world, in the quantum world, you have many different states that live in a superposition.

Starting point is 00:19:57 And you know, you kind of want to choose one, you want to collapse it to just one. And this is what consensus does. And in order to solve consensus, you need to move a little bit out of cryptography and dip your toe into things that are very economic. And more specifically, we have assumptions like the 51% assumption in Bitcoin or in Ethereum we could have the two-thirds assumption.

Starting point is 00:20:23 And we can talk about these assumptions in many different flavors. We have things like honesty assumptions where we just model the actors as always behaving, according to the rules, but we could also have, you know, maybe rationality assumptions. We can assume, and this is closer to the reality of things, where we can assume that, for example, two-thirds of the players are rational, you know, they're motivated by money. Monique is kind of interesting. It's like this one of the things that really transcends cultures and boundaries.

Starting point is 00:21:02 and you can use money kind of as one of the really strong layers as the basis, as the foundation for building society. Bitcoin is famously known as a string of signatures. In the white paper, like Satoshi called Bitcoins as like a very long string of signatures. And that's all cryptography. But what you're saying is that Bitcoin as a system is a, and determining what the correct string of signatures is, is determined by, social consensus and that that's and bitcoiners are famously saying like no there is no social consensus

Starting point is 00:21:38 to bitcoin there's only math but off a lot of coming things coming out of the Ethereum camp is like well at the end of the day crypto economics is always one part secured by the social layer so what you're saying is that the reason why everyone can come to consensus about what the correct string of blocks is is incentivized by economics particularly by the Bitcoin hard cap the Bs The C.C. Hardcap provides the economic incentive to and enables economic assurances. But in your description, Justin, you were saying that, you know, originally the Cypherpunks wanted everything to be run by cryptography. That was really hard. That was really ambitious, perhaps even impossible. And so therefore, we can compromise and instead of just relying on

Starting point is 00:22:24 only cryptographic assurances, we also integrate economic assurances or assumptions as well. But to me, in my mind, that indicates a priority or a tier, right? Where, you know, if we can do something with cryptography and without economics, we should perhaps do it with cryptography if we don't have to make that compromise. Is that a fair assumption? Yeah, exactly. So we do have this spectrum of trust that I call it. But, you know, I think you call it the protocol synchesis, right?

Starting point is 00:22:56 Like the heavy, dense stuff. it wants to go at the bottom it sinks to the bottom and that's the foundation for your stack yeah so that's exactly right when you relax things suddenly a whole world of opportunities appears and I have this kind of heuristic which is that if cryptography doesn't work try crypto economics and usually it will work and this is actually in the you know in research for FM2.0 this is kind of what helps us push forward like usually like the very first solution that we come up with is cryptoeconomic and we know yay you know it's possible to solve this and you know at least we have one solution

Starting point is 00:23:37 and then kind of the next step is okay can we improve upon this and then that brings me to my second heuristic which is that if you can do without crypto economics if you can do it purely with cryptography then that is going to be at least in the long run a superior solution And so that's what you want to be aiming for long term. That is one of the best mental models for understanding the protocol sync thesis that I've ever heard. And so I think this is already a super valuable conversation. Ryan and I have described the protocol synch thesis as like trust minimized, decentralized, you know, credibly neutral. But at the end of the day, what's going on is we're just boiling back down to that's what cryptography is.

Starting point is 00:24:20 And so the protocol sync thesis, I think could be restated. in systems that use cryptography more than they use economic or trust-based assumption. Right. And actually, you can look at this heuristic kind of in the fullest spectrum of things. So if you look at Uniswap, for example, you know, just to get started, just to get to the real world, it's made some compromises. You know, it relies on infura. It relies on the graph. It relies on all sorts of centralized providers. But you know over time you can kind of peel off these these layers that are higher trust and kind of shift everything to to the high trust realm and you know with lots of engineering lots of creativity

Starting point is 00:25:09 and research we will get there and you know there's some good reasons to believe that you know the the end goal is the moon right we will solve all our problems we have extremely powerful arsenal of tools that have been developed in theoretical cryptography, and those will make their way progressively through applied cryptography, and then, you know, the final boss, which is real world cryptography. So I don't think, we want to dive into this, Justin, because I don't think people fully understand the field of cryptography. So what we've basically done in kind of the past couple of decades is, you know, the past couple of

Starting point is 00:25:52 decades is we discovered this amazing thing called cryptography as as humanity. And then with Bitcoin, we blended cryptography with economics. And that gave us the ability to get a digital consensus on things. It was a huge unlock for humanity in that it helped us solve the double spend problem so we can have this marvelous thing we call digital scarcity, which was not previously a layer on the internet. So that's cryptography plus economics, digital. scarcity, right? And that is Bitcoin. And Ethereum, of course, made that sort of a general digital scarcity compute engine. But here's the thing. Cryptography is a changing field and an advancing field, right? So the cryptography that Bitcoin is based on was that built out in the like

Starting point is 00:26:43 1960s, 1970s, that sort of era of cryptography. Maybe we could tell us on that. But the exciting thing about this that I want our listeners to know is that cryptography is advancing too. In kind of a similar way where we had the compute revolution with Moore's Law, we had the ability to put more transistors on a chip, right? With these cryptography advances, we can almost put more trust on a chain, more consensus. It helps us, these cryptography advances help us scale consensus to all new levels. And it's a changing field. Can you talk about how crypto economics is just getting started because of these new cryptography functions? Right. One of the things that I'll say is that as I mentioned, there's these different flavors of cryptography, right? There's the theoretical

Starting point is 00:27:33 cryptography, which basically asks, can you do something yes or no? And, you know, usually the way you answer is if the answer is yes, then they'll try and give you a specific construction. If the answers, no, they'll give you an impossibility result telling you it's impossible to do. But oftentimes, if the answer is yes, the construction that they will give you as cryptographers is like, you know, pine the sky, it feels very distant from the real world. And for decades, you know, we've had theoretical cryptographers who are, you know, passionately in love with what they do, you know, it's very intellectually stimulating, but they're disconnected from reality. And it turns out that in theoretical

Starting point is 00:28:17 cryptography, we've made huge leaps and bounds. And actually this kind of, in a way, culminated this year 2020 with the discovery of what's called code obfuscation. So it's a very powerful cryptographic tool. And now we know how to do it on very standard cryptographic assumptions. And sorry, is this anything to do with the cryptocurrency industry, or is code obfuscation something that is purely out of the cryptographic domain? So code obfuscation is kind of this beacon of hope for, and it's kind of giving us a roadmap for

Starting point is 00:28:59 the next few years and decades. And in short, what it tells us is that everything that we could wish to do in cryptography, we can do it. And so it's basically, the zero to one moment where whatever you want to do, you can do it, unless there's some sort of impossibility result. But if you can do it, you can do it with code obfuscation. So at the very least, because we know how to do code obfuscation, we know how to do kind of the rest of cryptography. The term that we have is that we say that obfuscation is crypto-complete. This one building block gives us all the other building blocks, which is a really amazing thing. My mind goes to Turing completeness.

Starting point is 00:29:45 Is that an okay like metaphor? Yeah, so it's the same word complete. Turing completeness is basically, once you have a few basic instructions, you can run any program that could be run on a computer. And it's the same thing here where with code affluscation, you actually need two primitives. You need, once you have hash functions and an obfuscation, these two building blocks alone give you the rest of cryptography.

Starting point is 00:30:09 And so this is fulfilling, or so what this is, this answers is perhaps maybe the original cypherpun vision of, can the world be completely run on cryptography? And so if you're telling me that theoretical cryptography is quote unquote solved by code obfuscation, does that mean that the original cypherpong dream of a cryptography run universe is still in the cards? No, I don't think it's in the cards. And you know, you kind of have these things that you just can't do with

Starting point is 00:30:38 cryptography. And like, for me, the separating line is stateless versus stateful. So cryptography can do all the stateless stuff. And then once you combine it with one further ingredient, which is blockchains or consensus, which will give you this state, then you can do everything.

Starting point is 00:31:03 And by everything, I mean that you can basically simulate any trusted third party with just blockchains and math. I mean, when you, when you, just to give you a little bit of insight as to what code obfuscation is. So code obfuscation,

Starting point is 00:31:21 the idea is that you can have programs which hold secrets and these programs are public. So it's kind of this paradox where you have an open source program, but it holds the secrets in the program.

Starting point is 00:31:37 So the secret is kind of garbled and obfuscated. And when you think of a trusted third party, what is a trusted third party? Well, if you think of it as a human, for example, that's just like a brain with neurons. And you can model that as a computer running some sort of an OS, you know, taking in as inputs, you know, these digital signals, you know, for your eyes and whatnot. And then you can basically encode any, any rules that you'd want from this trusted third party into your program and instead of running it in kind of in on the brain you're going to run it in in pure in pure math. And you know, you can kind of another kind of analogy is is trusted hardware. Right. So you have these

Starting point is 00:32:26 distrusted kind of secure enclaves that are meant to run programs, but at the same time hold these secrets. It's like a hardware wallet. Right. So you have this the secret embedded in the hardware and the idea is that you're not meant to be able to extract. the secret. And yeah, you can encode whatever rules you want this trusted fed party to do or this trusted hardware to do in code and then you can compile it to just pure math with this code obfuscation technique in theory. So this is all theoretically possible, Justin. So what does it take for the theory to start to catch up to the practical? Like what is the cryptography

Starting point is 00:33:10 that lives today in in Bitcoin, right? And how is that caught up to the practical implementation of Bitcoin? Like I guess I'm wondering why we haven't seen the theoretical possibilities in practice yet. Right. The way I think of, you know, the progress of cryptography is like there's three big quantum leaps that need to happen for. So basically, you need to go from zero to one. Just say, yes, in theory, this is possible to build. And that's the realm of theoretical. cryptography. Then the next big step is basically what's called applied cryptography. And the idea here is that basically you want to look at the whole design space and look at all the different trade-offs and try and find constructions with all sorts of different properties that may

Starting point is 00:34:02 potentially be applicable at some point into the future. And then you have this final quantum step, which is real world cryptography. And the idea here is that you have someone with a very specific use case and they're going to pick one single design in this design space. And they want to make sure that it's good enough in every single property.

Starting point is 00:34:27 And so oftentimes there's a lot of legwork to do to basically just make sure that it's good enough across the board for use in the real world. And what Ethereum is, basically, it's a machine for turning applied cryptography into real world cryptography. And for a very long time, we haven't really had this massive, you know, force pulling cryptography out of the abstract and into the real world. And this is why cryptographers absolutely love blockchains. And kind of blockchain is eating crypto. You know, you go to a blockchain conference and it's like, sorry, you go to a cryptography conference and it's blockchain, blockchain everywhere.

Starting point is 00:35:15 And, you know, every time I email a cryptographer saying, hey, I read your paper, here's a few questions and, hey, maybe we'll, we're considering integrating this into Ethereum. You know, they come back super enthusiastic. You know, they love it because, you know, we're giving meaning to their work and we're kind of basically giving them this, this possibility. of taking it from the applied cryptography into the real world cryptography. And I guess going back to one of your recent podcasts with Chris Dixon, he was talking about how there's this virtuous cycle between the technology and the use case. As the use case grows, there's more demand for technology, there's more money, more attention, and that feeds back in to building more powerful technology, which then unlocks more and more use cases.

Starting point is 00:36:15 And we've seen this, for example, with computing, as you said, we've seen Moore's law, you know, 20 years ago, you know, you didn't have, you know, GPS in your pocket or you didn't have a camera. And, you know, all these little gadgets led to all sorts of new applications that we couldn't predict, like things like Uber. And over time, we're going to grow, our tool set of cryptographic gadgets.

Starting point is 00:36:39 And we're going to get, not only are we going to solve all the known problems that we have with decentralized applications, where we had to make a trade-off. For example, we had to trade off privacy, or we had to trade off scalability, or we had to trade off front-running, things like that. But my guess is that we're going to see totally new applications, which were basically impossible to predict. That's the thing I feel like Chris was saying in the podcast and that you're also echoing now is that, of course, these systems are digital scarcity engines and they produce monies. But they are also computers, right?

Starting point is 00:37:22 That can be fundamentally improved from one generation to the next. They can be upgraded. They can be enhanced. You can go from a Pentium processor to something. much more powerful. And these enhancements can bring about massive new eras of possibilities that weren't previously possible in the last generation of compute. I think what you're saying, Justin, is like Bitcoin, as it stands right now, and Ethereum

Starting point is 00:37:55 V2, this era of compute, is just scratching the surface on what these computers and this new era is capable of. That is exactly right. And we're actually seeing, it's actually the beginning in three different places. So when you think of the blockchain space, we basically have layer one, where we're cramming a lot of innovation into EF2 and we have a whole roadmap for deploying this. And I'm more than happy to talk about it. And then we have innovations at layer two and like the genius of layer two is that once you

Starting point is 00:38:34 have this so-called Turing completeness, once you have the virtual, if you're in virtual machine, and that's enough to do everything. You reach escape velocity. And so, you know, you're able to capture whatever comes to you. Like the EVM is a sponge for innovation. And then you have, you know, something where it's extremely early days today is all the auxiliary infrastructure, which I guess you could call layer three. You know, things like, you know, things like, block explorers or you know search or you know basic things like sinking like like infura and metamask like all of this is just so so primitive we're kind of still doing it the traditional web two way now then if you want to to you know if you want to build on ephemium you kind of as in

Starting point is 00:39:27 on the layer one a decentralized application you have this forcing function to make your decentralized the core, the smart contract, you know, decentralized. But then what often happens is that you, today you won't make the investment in all the extra layer three stuff because there's just there's too many auxiliary services. And it's not your your core focus. But over time, these technologies will get commoditized. And we'll reach a point where the,

Starting point is 00:40:02 whole ecosystem will be able to reap the benefits that they bring. Hey guys, there is so much left in this interview. Justin takes us through the user story of making a transaction on Uniswap. Uniswap as the model defy app. Justin discusses all of the trust points and weaknesses that are involved in this user process. And he gives the cryptographic solution for solving each chink in the armor along the way. We go through six different cryptographic mechanisms. And Justin explains to us how it can help create a defy-enabled world.

Starting point is 00:40:37 And then we finish up with one of the most interesting conversations I've heard in a long time, which is of the long-term fate of the Bitcoin blockchain and its destined collision course trajectory with the coming world of quantum computing, which threatens to break a number of the things that make Bitcoin Bitcoin. He illustrates a cryptographic-enabled two-way bridge for BTC the asset to escape Bitcoin the blockchain and upload itself to a, new host chain in which it also solves BTC's long-term economic security requirements, which it doesn't really have the budget for anyways, by simply hopping on to a new host blockchain which we could only presume would be Ethereum. There's so much crazy awesome stuff left in this episode. Don't go anywhere. We have to talk about some of these fantastic sponsors

Starting point is 00:41:21 that make this show possible. If you want to live a bankless life, you need to get a monolith defy visa card. Monolith is a one-two punch of both an Ethereum smart. contract wallet and an accompanying Visa card that lets you spend the money that you have in your Ethereum wallet everywhere where Visa is accepted. When you swipe your monolith visa card at the grocery store or at a restaurant, it actually makes a transaction on the Ethereum blockchain that spends some of the money you hold in your Monolith wallet. It's insanely cool and it's one of the best tools out there for living a bankless but still normal life. Monolith also offers on-ramp services for getting your Fiat money into the world of Defi.

Starting point is 00:42:02 So it's trivial to top up your monolith card if you ever need to, and your deposited money goes straight into your non-custodial wallet so your money is never held by a centralized intermediary. Because Monolith is native Ethereum infrastructure, the money you hold in your monolith wallet still has the power of Defi behind it. Swapping assets on uniswap or earning yield in defy is at your fingertips. Go to monolith.xyz and sign up to get your Monolith Visa card today. AVE is a borrowing and lending protocol on Ethereum and just recently released AVE version 2, which has a ton of cool new features that makes using AVE even more powerful. With AVE, you can leverage the full power of defy money Legos, yield, and composability all in one application.

Starting point is 00:42:51 On Avey, there are a ton of assets that you can deposit in order to gain yield, and all of those same assets can also be borrowed from the protocol if you have deposited collateral. Here you can see me getting a 200 USDC loan against my portfolio of a number of different defy tokens and ETH. I'll choose a variable interest rate because it's a lower rate than the stable interest rate option, but I could choose the stable interest rate option if I wanted to lock that interest rate in permanently. One of AVE's V2 features is the ability to swap collateral without having to withdraw your assets, trade them on Uniswap and then deposit them back into AVEA.

Starting point is 00:43:27 Avey does all of this for you all in one seamless transaction, so you don't have to repay loans in order to change the collateral you have backing them. Check out the power of AVE at AVE.com. That's A-A-A-V-E.com. You know, I've frequently spoken of this industry as one of the few bright shining spots that I can find in the world right now. There's not, it's pretty easy to find reasons to be pessimistic about the state of the world. Yet with Ethereum and Bitcoin and this whole entire revolution, it really is a shining spot

Starting point is 00:43:58 on the hill to be really optimistic about the future. And for some reason, I've always said that I think the future will be better because of things like Ethereum. And when people use the metaphor behind like Ready Player One where like there's infinite possibilities and in such a rich futuristic environment, that seems where we're going. But I've never actually been able to articulate how we get there. And I think that's what we're doing here in this conversation. The bridge between some crazy, awesome Ready Player One universe and the what we have today with Ethereum 1.0 and then also Ethereum 2.4.4.2.2.2.2.2. know the beacon chain, that gap seems to be able to be filled by some of what we are talking about

Starting point is 00:44:37 here. Before we get into that, you were talking about that cryptography as an academic study was kind of like locked in the classroom up until blockchain, right? Up until we had crypto-economics. And now it seems to be that with the advent of crypto and blockchain and Ethereum, we've actually been able to actually have a real world place for that academic study to manifest itself in the real world. Would you say that that manifestation is inside the EVM? And how does Ethereum just relate to the study of cryptography or cryptographers in general? Can you just expand on that relationship? Yeah. So I think we're going to see crypto everywhere, not just in the EVM. We're going to see it, you know, deep in the guts of the, you know, the consensus engine. So for example, in EF2,

Starting point is 00:45:28 We have five pieces of cryptography, right? We have BLS signatures, which basically allows you to have so-called aggregatable signatures. The idea of aggregatable signatures is you have 1,000 people signing a message. The naive way of verifying these messages, you verify them one by one, like a thousand times. And so if each message, let's say, takes one millisecond to verify, verifying 1,000 messages is going to cost you a whole second. And that's, you know, very expensive. The idea of aggregatable signatures is you can combine these 1,000 signatures into a single one and just verify this one. And that's the same as if you had verified all 1,000 individually.

Starting point is 00:46:13 And just to give you like a scale of the power of cryptography with just this one primitive. So if you look at all the other proof of stake systems, you know, they have 1,000 validators or less. we you know on on eF2 we have right now 60,000 validators and we could even we could support hundreds of thousands potentially even millions of validators and this has a real practical consequences like right now you know in order to stake you need 32 ether and you know we we tried really hard to bring this number down 32 ether but it's still you know today an insane amount of money is like for you know $40,000 or whatever. But before we had, you know, this,

Starting point is 00:46:57 this roadmap to use BLS signatures, we were going to go with 1,500 EF to stake, which is like $2 million or whatever. And that would be like a huge barrier to entry for decentralization. So, yeah, that's one of the primitives, very powerful primitive, aggregatable signatures. So that's a small example of how cryptography can scale. basically you just scaled decentralization with aggregated signatures just like that went from a two million dollar stake which would have been probably hundreds maybe thousands of lucky validators to now tens of thousands of validators just with that simple cryptographic primitive i want to get back to something you were saying because this is all relates justin is that um you were saying ethereum is is poised to capture this exponential of all of this cryptography progress this new era of computer

Starting point is 00:47:51 And you're talking about like the three layers, like there's a layer one, there's a layer two, layer three. All of those areas can kind of capture some of this innovation. But you know what I think is interesting is the question of why is Ethereum poised to capture this versus another crypto network, say a Bitcoin, is because of the layer zero. The layer zero is almost the social layer. It's kind of a layer that David and I operate on bankless. But you operate on in a sense, too, Justin. in that the Ethereum social contract is very much open.

Starting point is 00:48:27 It's very pragmatic. So it is very much open to these types of innovation. Some will criticize Ethereum for that. So we just had Lynn Alden on the podcast and she was talking about like, I like Bitcoin because it's a fully matured 100%. It's done. The project is done, right? It's solidified.

Starting point is 00:48:45 Whereas Ethereum, it's completely changing. But if this theory of compute, cryptography compute is right, you actually want some change because you want to incorporate these 10x, 100x gains, and it seems like Ethereum has that on the social layer. Is that part of the reason you say Ethereum is perfectly poised to capture some of this cryptography advancement? Absolutely. And I think you said it extremely well. Like this layer zero is absolutely critical.

Starting point is 00:49:14 And you're right. Like if we are living in an exponential world and, you know, we are, duh, you know, it's really obvious when you zoom out a little bit, then you know, you need to have some way of adapting to this world. And, you know, you can have like really clever tricks, you know, like the, like the, the, the theorem virtual machine where, you know, you just have this as soon as you reach the touring completeness, then then you're done. And, you know, you can get the best of both worlds. You can get both the kind of the solid layer one, which doesn't change very often. And, and kind of all the innovation that can be captured with programmability.

Starting point is 00:49:55 But going back to this layer zero, which is kind of the cultural thing, absolutely it resonates very strongly with me. You know, we in the firm culture, we have a culture of building, a culture of innovation, a culture of being at the bleeding edge and not only kind of passively observing the bleeding edge, but actively pushing it forward. And, you know, we have a culture of being you know, I guess trying to predict the future, like trying to be, you know, placing ourselves 10, 20 years into the future and thinking about, you know, long-term fundamentals, not just, you know, the present day. And for me, you know, being, you know, in this space for several years, you know, when I think back to the fundamentals of human motivation, what motivates humans?

Starting point is 00:50:49 Well, I think Ephraim has everything. So it has kind of the intellectual curiosity aspect. It has the ideological aspect where you want, you know, maybe it's to drive some change in society. It has the financial aspects. It has the explorer aspect where, you know, you're discovering uncharted territory. It has the entrepreneurial aspect. And, you know, it's just a huge amount of dopamine going on. just being in the space because you have much i feel it i feel it in this episode i feel the dopamine rush

Starting point is 00:51:26 as you're talking justin exactly yeah um i think and i'm i'm not seeing you know i am seeing so much you know dopamine in the in the in the whole space and you know the bright red spot for me is it is ethereum jason we're going to get into the topic of uniswap and how more cryptographic tools can and help, you know, kind of smooth out the rough edges around an application like Uniswap and all other applications on Ethereum that have chinks in the armor. Because while everyone loves Uniswap, because it's trustless and on-chain, there's plenty of supporting infrastructure that needs to go in in order to use Uniswap, like Inferra and Metamass. These are all central points that needs to be tackled by cryptography. Before we get to that conversation, however, I want to back up and talk

Starting point is 00:52:12 about some of these extra new tools in the tool belt, these new cryptographic mechanisms that previously weren't incorporated with, you know, just Bitcoin or Ethereum 1.0. You've stated that, you know, Bitcoin and Ethereum 1.0 and then also BitTorrent are just cryptographic hashes and signatures. And those are two tools, you know, the fire and the wheel, as you said, but there are many, many more tools in the tool belts. What new tools do we have that we didn't have when we first got Bitcoin or Ethereum 1.0 off the ground? Right. I mean, one tool that you guys might be familiar with, which is, you know, absolutely mind-blowing. And it's actually one of the reasons why I'm in Ethereum.

Starting point is 00:52:52 Like I was very attracted to these so-called snarks. And, you know, today it's almost as if snarks are commoditized. You know, they've become boring, which is amazing, right? We've gone from mind-blowing technology, you know, five years ago to something which is, you know, boring and deployed in the real world. So Snarks, as you probably know, is basically allows you to take arbitrary computation and squeeze it down, the, squeeze down the validity of this computation down to tiny proof, which is constant size. So, you know, you can have, you know, a program and you can have some input. And then, you know, the program could take many, many, you know, minutes or seconds or whatever, days and years. to run and then it finally will produce an output and basically you can prove that the output is valid

Starting point is 00:53:49 so it corresponds to the input and the program and you can verify that in in constant time so and that's scale right so if if it takes you know years to compute something we could put it at the base layer of ethereum but that would be a terrible idea because then ethereum would take years to to compute that, especially on a distributed network. And so if we can compress down what is needed to put into the base layer, that scales things, right? And is that basically the underlying pattern for all of these new tools? No, so there's like there's very different vectors, like different tools do totally different things. And you're right on the topic of scalability.

Starting point is 00:54:31 Basically, you should think of the blockchain as being this very weak verifier. So it can verify cryptographic tools, but it has. very limited computational resources. On the other hand, the real world, kind of the external world outside of blockchain, is a very, very powerful prover. We have huge and huge amounts of computational power. And basically, we can leverage this extra computational power to squeeze things down, to compress it, a little bit like, you know, compressing a file, I guess, to its minimal form. And it turns out that for computation, the minimal form is basically zero or very close. to zero and then you feed that small amount of information on the blockchain and that's yeah

Starting point is 00:55:16 that's how you get scalability in terms of other directions just to give you a little bit of of of a flavor so one that i'm that i'm quite excited and it it's it's actually very reminiscent of proof of work is is cryptography which is related to time so and I call it crypto physics. So it's kind of cryptography meets physics. So in the world of Bitcoin,

Starting point is 00:55:49 we have a proof of work. And what is proof of work? It's basically a proof of energy expenditure. So it's like this really cool thing where cryptography, which is like, you know, very abstract mathematics suddenly meets reality

Starting point is 00:56:04 through energy consumption. And it turns out that we can do a similar thing, with time. So we can have cryptography meet time. And the way that it works is through computation. So if you think of proof of work as being massively parallel computation to connect with energy, it turns out that it's the dual for time. So by dual, I mean inherently sequential. So if you have a piece of computation that needs to operate one step at a time and it can't jump ahead some steps, kind of you need the result from the previous step in order to move to the next step.

Starting point is 00:56:41 Well, if every step is going to take some amount of time, you know, a few nanoseconds or whatever it is, then you can string these steps and you can use inherently sequential computation to mimic time. And that will give you some really cool, you know, cryptographic primitives. Like, for example, one is what's called time lock encryption. So you can have a message and you can encrypt it for some amount of time, let's say one minute, and after one minute, kind of automagically, it decrypts itself. So that's kind of a really mind-blowing cryptographic primitive, and it turns out that it could be used, for example, in the context of Uniswap to remove front running, right? So Uniswap, we have this problem right now, which is that if you,

Starting point is 00:57:30 because you're trading in, you know, in public daylight and everyone can see your trades and anyone can place trades ahead of you and behind you just by playing with the gas price, you can get front run. And so one way to saw front running, which is really cool is you, when you make a trade, you will encrypt it for a very small amount of time. you broadcast it, it gets included on-chain, and then once it's on-chain, it kind of automatically gets decrypted. And that makes it impossible to front-run because the front-runners don't know what they're front-running. That is insanely cool. I want to get into the details about the time element, because to my understanding, if you're doing a computation that takes time, can you throw more

Starting point is 00:58:22 computation at it and speed up the time that it takes? Or is it actually locked into some sort of time unit that we were familiar with. Like, this will take, you know, five seconds and it will always take five seconds or five minutes and it will always take, you know, five minutes. How does that time element work? So basically you want to, you want your, your time lock encryption where the delay is based on inherently sequential. And what does inherently sequential mean? It means that even if you own, like, all the computing power in the universe, that's not going to help you. Like, you're going to need to do step by step and it's going to take time to do the whole computation. And one way to think of it is, for example, a hash chain, right? So you start with some sort of number and then you just hash that

Starting point is 00:59:11 and then you hash that. So you're repeatedly hashing in a sequential manner, not in a parallel manner, but in a sequential manner. And, you know, the idea of hash is that the output of a hash is meant to be some random looking number, right? So you can't predict random looking numbers. So your only way forward is just to keep on hashing and you can't parallelize it, you can't get speedups. One of the things you can do on the other hand is that you can try and design very specialized hardware that will do the inherently sequential computation, you know, faster than using, let's say, a CPU which is not optimized for this particular operation. And so one of the kind of the crazy projects that we have at the Deaffirman Foundation is to try and build the best possible hardware that humanity can build for this inherently sequential computation up to like a small margin of error and then distribute this hardware to the whole world.

Starting point is 01:00:18 And that will give you basically a very decent way of mapping computation and time. Is that the VDF project that you just described, Justin? Okay, so some folks might be familiar with that. So you just described Snarks, which gives us a way to compress trust, essentially, increase transactions per second, trusted transactions per second. And then you just describe sort of a time lock sort of tool that gives us almost an alternative to proof of work in some ways. Because just like it's very difficult to get energy in the real world, no one knows how to time travels. We can't go back in time.

Starting point is 01:01:01 So that could be a very strong base primitive for lots of other things once we have certainty of a given timestamp. What else is there out here? I mean, just to give a small note on the time thing. So it turns out that when you have this notion of time in cryptography, you can do perfect randomness, unbiasedable randomness. So, you know, when you think of, you know, Ethereum as a computer, it can do everything. Well, I can do many things.

Starting point is 01:01:31 But one of the things they couldn't do, which is super basic, is randomness. Right. And that's one of, I think, one of the reasons why we don't have, you know, things like lotteries. Like we could have a billion dollar lottery on Ethereum. the only missing ingredient is that we don't know how to do good randomness. And it turns out that there's a very deep connection between time and randomness. Okay, moving on.

Starting point is 01:01:55 So in terms of other primitives, one that is, you know, quite cool. And it follows actually, it's quite related to the snark is zero knowledge. Right. So zero knowledge is this idea where you're doing computation and this computation involves secrets. And you don't, you want to prove that the computation was done properly, but you don't want to reveal the secrets. And it turns out that once you have the snarks, where the S, by the way, stands for succinct, you're almost, you're more than half the way there in terms of zero knowledge. And the reason is that if you have your computation and it compresses everything to a tiny amount of data. So your amount of leakage, kind of information theoretically, is very, very small.

Starting point is 01:02:52 You know, to start with because your proof is tiny. So, you know, if you started with lots and lots of secrets, the most you could leak is like a small portion of your secrets. But it turns out that you can easily get zero knowledge from Snarks. So this is one of these these very powerful things. And if you think of it in the context of defy and Uniswap, it basically solves privacy. And this is a big deal for defy, right? Like can we really have large, you know, players, large institutional players,

Starting point is 01:03:31 or even the retail, you know, participate in a big way on defy where every single transaction is for the public to, you know, to analyze. and see it just won't work, right? So we, you know, privacy is a necessary step. It's coming. And we have the tools to address that. And I guess in the context of Uniswap, you know, we have, we have this on-chain privacy aspect where not only can we,

Starting point is 01:04:07 can we match what the centralized exchanges do, right? So in the context of a centralized exchange, you don't tell anyone, you know, all you see is kind of the order book and the trades, but you don't know who's making the trades or who's adding orders to the order book. So, but the one tradeoff is that you have to share who you are with the exchange. So not only can we match this in the sense that the,

Starting point is 01:04:31 all the public information is only the trades and the order book, but we can go beyond that, we can be in a position where not even the exchange is aware of who's doing the trades. So, Justin, are there any other tools that we should talk about before we actually go into the uniswap deep dive? We're kind of blending these conversations as it is anyways. You know, there's actually so many tools out there. So let me try and pick, you know, two. So one, which is really awesome, is this idea of fully homomorphic encryption. The idea here is, it's kind of off-chain privacy. So if zero knowledge,

Starting point is 01:05:06 solve the the on-chain privacy what about off-chain privacy so on off-chain privacy you have a different problem right so you you're as a user you're you're you're very constrained right you're using Defi on your phone or on your browser you know you're not running a data center with and so what you do is you're relying on a service provider and you're basically making API queries you you're you're sending them information and they're giving you And every time you make a query, you're basically leaking the query. So for example, if you do a Google search and you, you know, you type in some rather, you

Starting point is 01:05:47 know, personal information, then Google will know that. And it turns out that this, there's this magical primitive called fully homomorphic encryption, FHE, which allows, and this is mind blowing, which allows a service provider to respond to the query, any query, without knowing what the query is. So imagine Google being able to, you know, give you like the top 10, you know, hits on, on whatever query you make without being able to know what the query is. Yeah, that is absolutely insane. And I think the need for that in these days is pretty obvious with all the topics of surveillance and surveillance capitalism going on. I think that applies to so much of what, you know, modern society talks about as some of the problems that we are trying to solve in, in today's society.

Starting point is 01:06:40 Right. And, you know, if I were to, you know, make this a little bit more concrete in the context of Uniswarp, so we have, you know, a service called the graph, which is basically back-end infrastructure to Uniswarp. And what it does is that it gives you kind of all the the trading metrics and whatnot. So you can say, okay, give me. information about the if die pair between this date and this date and it will you know will pull in all the information and and display to you on the screen so you can make kind of an informed trading decision but you know you're also using other services like in furor for example or that also have like similar similar kind of API query points and you know when you're leaking this information you know you could potentially you know these service providers could potentially link kind of addresses to like epharm addresses to IP addresses

Starting point is 01:07:38 and they could, you know, even further anonymize you beyond what you're already leaking on chain. So we've gone through a number of different cool new tools and applied them to Uniswap. And so I kind of want to actually formalize that conversation. Justin, when you see people interacting with Uniswap, what are like the low hanging fruits that maybe people don't think that they are actually trusting, you know, centralized choke points, centralized, you know, points of trust, and which are these tools applied to help remove trust from that whole process? What should come first in this conversation? Right. So one actually, which I haven't mentioned, which is low-hanging fruit in several ways,

Starting point is 01:08:20 is this idea of custody, right? So just to just to zoom out a little bit, custody, I think, is a big reason why we're having this ball run right now. You know, it's kind of like a technical detail hidden in the background. But what has happened is that over the last few years, custodians such as exchanges, but also other custodians, have built really high-grade custody of crypto assets. So what does it mean to custody crypto assets? It simply means being able to secure a private key. And so what they've done is that they've designed systems

Starting point is 01:09:03 where the private key is split into multiple shares. And then these keys can be kind of can work together, kind of somewhat recombined, but not really, to compute the output of a function, and this function is the signing function. So basically it's, you know, custody has been sold for large financial players. And I think we're going to see custody being solved again for retail.

Starting point is 01:09:37 And for retail specifically, it's kind of surprising to me that this hasn't happened yet. But basically, if you have funds on Metamask, you know, on your desktop, on your laptop, on your laptop, they're pretty vulnerable. And the reason why they're pretty vulnerable is that there's any number of ways in which an attacker can get your funds. And one of the reasons why it's scary is because not only are you as an individual vulnerable, but the whole space is vulnerable. So it's kind of a systemic risk where from one day to another, you know, everyone using MetaMas could lose their funds, which would be, you know, devastating. It could be like a $1 billion hack.

Starting point is 01:10:17 So if you think, for example, of if there's... like a remote code execution vulnerability in the browser, which happens very frequently, or your operating system has a remote code execution vulnerability. Or maybe there's some sort of malicious employee within Metamask or malicious employee within the Google Play Store or the Apple Play Store that will, you know, push forward a malicious update or malicious code. You know, you're extremely vulnerable. And so what you want to be doing in the context of custody for retail is very simple. It's just 2FA. We have that for exchanges, but we don't have that for decentralized exchanges. So what is 2FA is very simple is you take your private key, you split it

Starting point is 01:11:00 into two parts, one part on your laptop, let's say, the other part on your phone. And then you need an attacker would need to hack both your phone and the desktop in order to get the two. And like the best way to do 2FA in a decentralized fashion is using a notion called MPC, multi-party computation. And the idea here is that you have multiple parties, each with secrets, that want to compute the output of a function. And in this case, the two parties are your two devices. So while there's one human, the two parties in question are like your computer and your phone, or maybe, you know, maybe you want to be even more secure in like your computer, your iPad and your phone and, you know, maybe something else. And so when I ever like log into Apple, Apple says,

Starting point is 01:11:49 hey, is this actually you type in this code? Perhaps there's some sort of mechanism where, you know, my phone and my computer are both doing a little bit of computation to produce that private key. And then there's some sort of relay of communication between these two devices. So even if there's a malicious person inside of Metamask or who got a bug on my computer, it's isolated. Is all of this correct? Yeah, that's absolutely right.

Starting point is 01:12:11 And the great news is that this can be, you know, largely transparent to the user. For example, you know, your phone, so you can, you can, you can, you can. going to trade on your laptop, right, because you have a big screen and your phone just going to be sitting there in the background. And you can give it some rules, which you say, like, if I'm only trading, let's say, you know, $100 or less, you know, within a day, then just automatically sign it. And only if certain rules trigger, then, you know, just send me a notification and I just need to tap yes, and then it's done. Where are those rules housed? Those aren't rules built into Ethereum. That is off-chain rules. Where are those rules?

Starting point is 01:12:49 stored. Yeah, so this is basically an opportunity. I think a low-hanging fruit opportunity for someone in the ecosystem to go build this. And it's basically, they would build apps, an app, which runs on your phone, where you can, you know, just tell it what kind of rules. And I think things like wallet like Argent try to do this to an extent, projects like Zango do this to an extent as well. Yeah, I mean, as Vitalik says, you know, I think there's, there's a lot of opportunity and not only security, but also the U-X of security, just pushing this forward. I want to underscore how important custody is, in particular self-custody. That is the thing that keeps this entire money system economy decentralized, right? I mean, we chose the name bankless

Starting point is 01:13:40 for this movement because we want to do more without banks. And the way banks centralized, historically has been primarily through custody. Even with gold, gold is inherently a decentralized store of value money technology, but it's very hard to defend and protect your gold, isn't it? That's why it accrues, or to move it, these sorts of things. That's why it accrues in banks. And then once it's centralized in banks, you lose that decentralization, you lose that self-sovereignty. So what we're talking about here is applied cryptography, basically.

Starting point is 01:14:19 If we can make private key management easy, if we can incorporate, you know, social, the ability to store things socially or across multiple devices and have a great user experience, then we don't need crypto banks to the extent that we need them now, which is a great thing for the decentralization of this movement and our ability to go bankless. That's how cryptography plus economics leads to an incredibly powerful tool for good for the world. Absolutely. Yeah. And there's like no fundamental reasons for not having both security and UX. It's just a matter of time. Justin, when is this coming? Like, why haven't we seen it yet? And when is this coming? I think this is this, this one in particular is a low-hanging fruit. And I, you know, I really want to see it in 2021. And I'm more than happy to talk to people who, you know, are in this space. And, you know, want some ideas about how to actually deliver on that. It's low-hanging fruit.

Starting point is 01:15:21 And part of it is because all the heavy-lifting cryptographic work has already been done for these institutional players that are now custodying billions of dollars and have allowed for these more regulated institutions to come in. Okay, so Justin, let's continue with the union. Unoswop case study. And again, we're just using Uniswap because everyone is familiar with it. We're not picking on it in any particular way. Let's say we solve the multi-party computation issue for private key management. We've got that solved. Our metamask is now secure. What is the next

Starting point is 01:15:58 low-hanging fruit that is a vulnerability that you see people engaging with when they currently engage with Uniswap in its current state? Okay. Another one, which I think is coming soon, and it's actually, you know, Uniswap have really done their best to push this forward. is this idea of authenticating the front end. So when you're downloading a website, how do you know you're downloading the right thing? And it's actually shocking how brittle the Web 2 infrastructure is. Like you have this notion of a registrar,

Starting point is 01:16:31 which will custody your DNS domain name. They get hacked, they can do whatever they want with your DNS. Or even if there's some sort of rogue employee within, and that's happened many times. There's a whole infrastructure around SSL certificate and these so-called certificate authorities. And basically we can remove all this trust with IPFS and ENS. And this is just plain old, you know, hashes and signatures, but it's kind of on the off-chain side of things.

Starting point is 01:17:06 And, you know, we're already starting to see browsers, you know, do the integration with ENS and IPFS like Opera. and brave. And, you know, this is just a relatively kind of incremental and slow rollout, but it's happening much faster than I expected. So what does that do for the end user? Does that just mean that there is a www.w. You know, Uniswap IPFS URL that I can go to that is always persistently available

Starting point is 01:17:38 so long as I have the internet connection? Yeah, so what that gives you is anti-fishing. right so someone you know like the uniswap front end is extremely valuable to an attacker they they get hold of it for some period of time they can fish maybe tens of thousands of people into basically signing the wrong transaction on their metamask and just losing their money um so you know they could they could you know for example offerize right you know with ERC20 is you have this authorization step that you have to do and then you can trade. You know, they could authorize, you know, all their funds to the wrong contract. Instead of authorizing it to the Uniswap to some sort of road contract and that will, you know,

Starting point is 01:18:24 potentially allow them to steal all their money. So this is, this really is a security thing, not a liveliness thing. And so if I remember correctly, Uniswap does have a IPFS website. Do you know if that's true? Yeah, yeah. So they push, you know, their website to IPFS. Should we be using that one instead? Or does that one not have all of the solutions that what we are talking about right here?

Starting point is 01:18:49 Yeah. The problem is that there's still intermediaries. And more specifically, there's cloud flare. So Uniswap has actually done a great job in what I call kind of assumption consolidation, right? You want to try and minimize the number of parties that you're trusting. And what they're doing is that they're using Cloudflare as both. both the registrar who controls the URL and as the IPFS gateway. So the gateway is kind of this bridge between the old Web 2 world and the Web 3 world.

Starting point is 01:19:22 And it's a very thin layer of infrastructure, which is not necessary for some browsers like Brave and opera. But it's still required for the more mainstream browsers like Google Chrome. What you're talking about here too is not only anti-fishing, but there's a criticism that the user interface of Uniswap is a centralization vector, and a third party could just shut down the interface, and then it shuts down not smart contracts ability to use Uniswap, but user's ability to use Uniswap. And if it's persisted... Specifically the non-technical users, right?

Starting point is 01:20:05 And if it's persisted to IPFS, and you have an EMS, and you have an EMS, domain name behind that and CloudFair starts using that. By the way, we saw a press release this week that CloudFair was looking at how to incorporate more IPFS and ENS inside of its content delivery network. I'm not sure if that's totally related. But it feels like what this means is you could have unstoppable user interfaces, basically, that are always available. Yes.

Starting point is 01:20:35 And like this has real practical implications for millions of people. people. Like, if you think, for example, of, and this is, this is a topic which really grinds me the wrong way is, you know, is sanctions. Like, for some reason, right, the U.S. government thinks it's all powerful and they can impose sanctions on other countries. And then you have millions of people suffering in these countries. And like, it turns out, and this is unfortunate that, that, you know, and there was some sort of mini controversy on Twitter that the Unisop. front end just doesn't work in some countries like Iran or Cuba or whatever. And, you know, it's very unfortunate and I think it's linked to the fact that, you know, at the end of the day, there is a legal entity behind Uniswap that is based in the US and they have to comply with sanctions. If we were to have this, you know, really good native integrations, then suddenly we're opening up this technology to some of the people in the world who need to, the most that are under these these sanctions.

Starting point is 01:21:42 Okay, so we've solved the custody issue with multi-party computation and using multiple devices. We've solved the persistent front-end accessibility using things like IPFS. What's next on the low-hanging fruit? Where should we go next? Okay. I think another really cool one is this idea of sync. So basically, you're on your phone or on your browser.

Starting point is 01:22:09 you haven't been connected to the Ethereum blockchain in some amount of time. So you're out of sync, right? And what you want to do is basically sync up. And the piece of infrastructure that is very common here is called Infura. And basically you can go to Infura and tell me, okay, what is the head and sync up? And this is bad for several reasons. The first reason is liveness. Infura goes down and half of defy the front ends go down not ideal

Starting point is 01:22:43 But there's maybe an even even worse problem than that Which is around Infura being malicious and feeding you wrong data So it tells you that you know this is the real state of aphira But actually it's something completely different And this kind of goes back to the whole you know fishing thing Where it's like you know you have slightly different attacks going going on.

Starting point is 01:23:10 But basically they can trick users, especially the less sophisticated users, into doing really bad things, including losing their funds. So one possible attack on Uniswap if Enfura is compromised is that Infura could tell you that you've made a trade

Starting point is 01:23:30 when actually you didn't do the trade. Like, you know, your slippage protection kicked in and, you know, you actually didn't do the trade. So you think you had, or you think you're in a position when actually you're not. Or, you know, vice versa. It could tell you, oh, your trade didn't go through because of slippage protection. So you try again.

Starting point is 01:23:51 You know, you redo the trade. And it turns out you're now overexposed because you've made the trade twice. And, you know, for Uniswap, I guess that's not too bad. But, you know, for some applications, it's devastating if Infura happens to be compromised. And so the technology that basically solved this, which is very cool, is one like clients. But so that's infrastructure that we can provide at the layer one, making the layer one friendly to like clients. And then another one which is very cryptographic heavy, but we've made big, big strides in the recent months even, is this idea of increments. verifiable computation.

Starting point is 01:24:38 And the idea here is it's a snark where you can kind of always keep on building on it. So you have, imagine the tip or what's called the head of Ethereum. Every time there's a new block, the state progresses. And so you can imagine that for every single block, there's an associated proof that proof that proves that not only is this state transition valid, but all the previous state transitions all the way back to Genesis are valid. And you can do that for like clients in such a way that the sinking process is kind of instantaneous. You only have to download this one snark and it will tell you that, you know, this is the valid chain. And you don't have to trust, you know,

Starting point is 01:25:34 an entity like in Fuhrer for both lifeness and for safety. So is this using that same sort of principle of compressing computation using cryptography down to the bare minimum? And that makes it really easy to say, say, I don't know what block number we're at in Ethereum right now, like some 10, 20 million, I don't know. But, you know, 10, 20 million blocks takes a long time to download. It takes days to download. But what you're saying with this like-client mechanism is you can just download the

Starting point is 01:26:01 latest block and then you're trusting whoever you're downloading it from, but in that latest block there is a header that can verify every single block in all of history. So in that instantaneous moment, you get a complete verification that you are actually indeed communicating with the Ethereum blockchain. Was that correct? Yes. Not only are you communicating with the correct blockchain, but also from there onwards, every query that you make to the Ethereum, for example, if you want to read some state in the blockchain, all of that is authenticated and improbably secure. So Infura is a very common criticism from people outside of Ethereum because people say,

Starting point is 01:26:40 quote unquote, Ethereum is centralized around Infira. Is this the direct counter argument for saying like, well, even if that's true, this light client innovation is the thing that's going to solve that. Is that what this is? Yeah. So admittedly, the EF1 design is horrible for like clients. It's not like client friendly. It is possible to do it in theory, but it just in practice is very, very messy.

Starting point is 01:27:01 In EF2, we have made a huge effort to make EF2 the beacon chain like client-friendly. And it's extremely, it beats Bitcoin by an order of magnitude in terms of like client-friendliness. And Bitcoin is extremely like-client-friendly. And then you can, on top of that, you can have this kind of optional layer of infrastructure, which is the incremental, incremental verifiable computation that I was talking about, that compresses kind of these relatively lightweight proofs, but that still grow with the amount of time. So if you've been disconnected for two weeks,

Starting point is 01:27:38 it's going to be 14 times greater than if you were disconnected for just one day. But you can compress these two weeks down to a single proof or any amount of time down to a single proof using this incremental or verifiable computation. Okay, so we've solved custodianship with multi-party computation. We've solved sinking and being able to trust what is the correct blockchain with light clients. What was the first one? We also solved front running.

Starting point is 01:28:11 Yes. And so where do we go next? What's the next lowest hanging fruit? These are some of the biggest problems that people, I think, appropriately critique Ethereum in its current state for. Yet what you are saying is that we have the cryptographic tool to solve all of these problems. Where should we go next?

Starting point is 01:28:27 What's the next lowest low-hanging fruit? Yeah, I mean, you mentioned people criticizing. And, you know, very often when, you know, Hayden, you know, makes a tweet, you have, like, the, you know, maxi-trolls that come down. And then they try to list all the downside. So what I've done is I've gone on Twitter and I've tried to find every single criticism of Uniswap. And every single one so far can be sold with cryptography, which is amazing. So we talked about also on-chain privacy, off-chain privacy. One which is cool is this idea of composability, right?

Starting point is 01:29:05 Like one of the big power of defies that you have these money Legos and you can compose them together. Well, it turns out that before Money Legos, we had cryptographic Legos. And specifically, we have a framework in cryptography called Universal Composability, the same composability. word. And the universal, what that means is that you can, if you have a primitive which fits within this framework, then you can compose it with any other cryptographic primitive and you're guaranteed that it's not going to break, which is very much unlike DFI nowadays where you take two money Legos, you put them together and then there's an explosion some of the time. And so I'm, this is a little bit more, you know, nebulous and a bit more of a

Starting point is 01:29:54 kind of open research, but I think there's an opportunity out there for someone to come up with a similar universal composability framework, which is generalized to crypto economics, not just cryptography, so that we can have very strong assurances that if you're going to build your money Lego, it's never going to blow up and it's going to play nice with the other money Legos. So the word compartmentalization comes to mind, where we, We have all these defy money Legos, and while they can be composed together, in their current form, when we compose them together, they start to meld into the same thing. Yet what I think you're saying is that we can still have those same benefits, but we can

Starting point is 01:30:37 actually compartmentalize each Money Lego to be kind of in its own ecosystem. So that, and as a result of that, the composability accidental interactions that create explosions can be controlled. I'm still a little bit unsure as to how that control comes from. Maybe you could expand on that. How do we get stronger assurances that when we combine two money Legos that were accidentally not creating TNT? Right.

Starting point is 01:31:05 So one of the features of composability is that you kind of naively have this exponential explosion of complexity. You start with one body. There's this famous problem in physics. which is like the three body problem. You start with one body and two body and three body, and then the complexity just blows up. I mean, it's kind of similar with these money Legos.

Starting point is 01:31:31 Like you have one money Lego that's all fine and good. Now you have two, complexity has increased. Now you have three and it's kind of Melchavs law, right? Which is like it's quadratic. Like for every node can talk to every other node and then you have this quadratic thing going on. And really the genius of universe, or composability is that if you prove local properties,

Starting point is 01:31:57 if you're one money Lego, you prove that it has certain properties kind of locally, then that gives you global guarantees about the whole system, the whole universe if you were to compose them. So basically it's a way to limit complexity and facilitate the security analysis. You just need to analyze one money Lego at a time, as opposed to analyzing the whole system

Starting point is 01:32:24 which could have all sorts of weird, complicated, emergent behavior that is impossible and chaotic. What's a theoretical problem that this solves? Maybe you could give us an example that our listeners and myself could relate to. Yeah, I mean, you could think, for example, you know, we've seen one money Lego, which is flash loans, right? you compose it with let's say uniswap which is going which is going to be you know some some use as a price oracle and then there's like a third defy money lego which is like you know

Starting point is 01:33:01 synthetics right the way you build a synthetic is you use the oracle so individually each of these defy apps is secure but when you put the three together the oracle the synthetic and the flash loan, you get an explosion. And then how does this solution prevent that from happening? Or prevent something from blowing up? Right. So basically, and this is kind of an open problem, but the reason why I'm optimistic is that we have a solution for pure cryptography.

Starting point is 01:33:34 Like the open problem is basically to come up with a set of properties for money Legos, which will tell you that if you adhere, to an interface to an API for these Legos, which have certain properties, then you'll have like a universal, universal composable Oracle, for example. And that will be kind of secure regardless of if you have some sort of, you know, flash loan infrastructure. Yes, this is maybe the most nebulous kind of idea, but I think it's a good challenge for someone listening.

Starting point is 01:34:13 So what you guys can't see here, or you can if you're watching this on YouTube, is, oh, actually, no, you can't. But we will share this. This is a spreadsheet that Justin put together of objections that are in place. I think, like, you know, definitely you've heard some of these. If you've been on Twitter, if you've been in the crypto circles of Ethereum is centralized around in Fuera, no one's going to be their own bank and use private keys. You know, it's impossible to download and sync a number. note all of these things. Justin is going through this line by line, row by row and talking about how cryptography solves this. We will actually share this spreadsheet, Justin, assuming it's

Starting point is 01:34:53 okay with you that we share the spreadsheet. Okay, we will. We'll share the spreadsheet in the show notes so you can see what we were working from. What haven't we covered still, Justin? What's next? Okay. There's at least two. So one of them is latency, right? So, When you're making a trade on Uniswarp, you know, it could take several seconds for your trade to go on chain. And, you know, we've made huge leap and bounds, right? So we have, for example, Bitcoin where the average block time is 10 minutes. And if one, you know, the average block time is only 15 seconds. But there is this one caveat where because it's proof of work, sometimes it's like one minute, sometimes it's one second.

Starting point is 01:35:40 and this variance really hurts user experience. So we have, you know, in EF2, we're making kind of another big breakthrough forward is that we have these fixed duration slots. So there's like this 12 second slots. And so you have much more control over the duration. But 12 seconds is still in eternity, right? You want hundreds of milliseconds

Starting point is 01:36:04 because that's the speed at which the internet operates. And the good news is, is that in EF2 and in with sharding, we're gonna be able to get this kind of latency. And the trick that we have here is what's called staggering. So we have these 64 shards, right? This is where transactions go on chain in the shards. And what we can do is instead of having all 64 shards

Starting point is 01:36:39 be aligned in time, we can stagger them a little bit by, let's say, 200 milliseconds each. So shard zero kind of will have a block every 12 seconds, and then shard one will have a block every 12 seconds plus 200 milliseconds relative to block zero. And then basically if you stagger all your shards, then basically every 200 milliseconds, you have an opportunity to include your data on the,

Starting point is 01:37:10 the EF2 system. So you will be able to get a kind of uniswap latencies like down by a huge amount, down to basically internet level latencies. So that's just a really clever mechanism for keeping the throughput the same because we can't increase throughput that turns into centralization. But since we have 64 shards, we have some optionality with the timing of these shards.

Starting point is 01:37:40 So that actually gives Ethereum the L1 some, maybe it's an illusion, maybe it's not. Maybe it's actually more of a special trick up the sleeve. But having a base layer blockchain with 200 millisecond block times, perceived block times is pretty powerful. That's a U.X that has been hounding this entire industry since Genesis. Yeah, it's a really cute trick. And it's one of the advantages of sharding in the sense that you have different

Starting point is 01:38:08 people working on different shots at any given point in time. And so basically you can just assign tasks at, you can schedule everything so that, as you said, the perceived latency is very, very small. You know, one of the, the problems with this, with this idea is that it's, it's potentially not crypto economically incentive aligned. And the reason is that when, When you're building a block, you have various incentives to either publish your block early or to publish late. So, you know, one incentive to publish early, for example, is that it gives your block more time to propagate through the network.

Starting point is 01:38:54 One incentive to publish your block late maybe is so that you have more time for transactions to come in and then you have more transaction fees. And so one of the tools that we're considering using is these these. VDFs. So the VDS, remember, they link cryptography and time. And they basically allow us to limit the extent by which a block proposer can play around, can manipulate when the block comes out. So you're kind of forcing it into a very specific schedule for broadcasting and creating these blocks. That's absolutely insane. Justin, you said you had two more. Do you have another one for us before we move on to what I think will be the most mind-expanding part of this entire episode? Yeah. So I think I think this is a great segue over the last one. So one of the criticisms of the Bitcoin Maxis is that

Starting point is 01:39:53 Uniswap is great and all, but the only thing you can trade there is ERC 20 shitcoins. And they're correct to an extent. Like, you know, they will say, oh, you can't even trade Bitcoin really because the only thing that you have is like shitcoin and fight Bitcoin, which is rap Bitcoin. And it turns out that with very fancy technology, you can build, you can have Bitcoin, the real deal, the native Bitcoin, totally trustless, can live on Ethereum using pure cryptography. And Justin, when you say the native Bitcoin, you're talking about a, Bitcoin that is tokenized on Ethereum that has the same trust assurances as native Bitcoin on the

Starting point is 01:40:40 Bitcoin network. And I know our listeners will be familiar with the differences there. That's what you're talking about, though, right? That's exactly right. Yeah. So. And maybe you could also talk about the comparison between a system like that and TBTC and how a native token is actually an improvement upon something like TBTC. Yeah, it seems like TBDC uses the, the crypto, the economic part, to supplement for the cryptography that it's not doing. Exactly, yes. So this fits in, you know, the heuristic that I said before. Like, if cryptography doesn't work or it's too difficult, try cryptoconomics.

Starting point is 01:41:16 And that's exactly what TBTC has done. The problem with TBTC is that it's too collateral intensive. So basically, the idea of TBTC is that you're going to create a Bitcoin synthetic. And the way that you do synthetics is with over. collateralization. And so if, you know, if you want to have, you know, $10 billion of Bitcoin on, on Ethereum, you're going to need, you know, $15 billion of ether, and it just doesn't scale. It's, or at least it's, it's extremely expensive. And then you have, you have another,

Starting point is 01:41:58 you know, very interesting project called RenBTC, where there they actually use, you know, multi-party computation. But they also have a very important economic aspect where they have this rent token. And it turns out that if an attacker buys out a majority of the rent tokens and participates in these MPCs, then they can basically break the system. And so it's a very similar consideration where for RenBTC, you know, for RenBTC, the market cap of Wren needs to be at least as large as the as the tokens that are being you know bridged over from from from Bitcoin over to refer him so that also doesn't doesn't

Starting point is 01:42:47 scale very well and then you know just to go through all the the interesting I guess versions of BTC we also have the wrapped BTC and rap BTC is basically like a centralized custodian specifically BitGo which is which is which is which is which is which is which is stress it and that's that's obviously not ideal so it turns out that if you if you use code obfuscation which is this very powerful technique that I was talking about earlier then you can do a really cool trick so just to give a little bit of context the the the Bitcoin blockchain is kind of stuck in the Stone Age if we kind of kind of extend this metaphor in the sense that the only thing that the Bitcoin scripts can do, the only thing they understand is hashes and signatures.

Starting point is 01:43:40 And this is kind of unfortunate because you, in order to build a two-way bridge between Bitcoin and Ethereum, which is trustless, you want the Bitcoin blockchain to be aware of the Ethereum blockchain. So the process, basically, of having these bridges is like a four-way process. So you have your Bitcoin, your BTC on Bitcoin, you're going to lock them on Bitcoin. The Ethereum blockchain sees that they're locked and then it's going to mint an equivalent token on Ethereum. And then once you've had enough playing with your BTC on Ethereum, you're going to burn the tokenized version of Bitcoin.

Starting point is 01:44:27 And then, and this is the hardest step, you want the Bitcoin blockchain to see the Ethereum blockchain and see that they have been burnt so that you can unlock them on the Bitcoin side and kind of redeem them one for one in a trustless manner. But the problem is, how can you make the Bitcoin blockchain aware of Ethereum using just signatures and hashes? And it turns out that with code obfuscation, you can do a generic snark to signature reducer. So what does that mean? it means that you can take any snark and instead of verifying the snark the usual way, which involves advanced cryptography that the Bitcoin blockchain just doesn't have the capability, you can distill it to just a signature.

Starting point is 01:45:20 Basically, what the program does is that it's going to verify the snark internally. So the obfuscated code will verify the snark. And there's a secret key inside the program, which is obfuscary. Remember, that's the superpower of code of confiscation, is that it has a secret inside it. And then it's going to use this secret to sign off on the fact that the statement that is being proved by the snark is correct. And then now that you have this snark to signature reducer,

Starting point is 01:45:53 you can take the signature and put it on the Bitcoin blockchain, which it will understand because it's just a plain old signature. And that is sufficient for Bitcoin to be aware of the Ethereum blockchain. Basically, you can build a snark which tells you this is the state of Ethereum right now. This is a proof that this is the valid state, you know, going back to the previous discussion around incremental, incremental verify computation. This is the state of the Ethereum blockchain. And now you can verify it. And now you can close the loop and build a totally trustless Bitcoin on Ethereum.

Starting point is 01:46:32 A two-way bridge between Bitcoin and Ethereum is the gold standard that I didn't know was possible. And so what you're saying is that it is theoretically proven to be possible. It's just that we need to actually apply the cryptography. How big of a challenge do you think that is to actually get something like this up and running? Like where are we now and where do we need to be to get this to actually work? Yeah. So going back to the three big stages of cryptography, you have theoretical applied and then real world. we're just basically leaving the theoretical.

Starting point is 01:47:05 We've answered positively the answer, can we do this? But, you know, it's kind of comical how far away we are from practicality. Like right now, if you were to try and use these techniques of code obfuscation, you'd have a program which would run, you know, for longer than the age of the universe. It's like it's so impractical that it's laughable. But it's actually, you know, not so laughable in the sense that this is the journey that cryptographic primitives take. So if you look at snarks, for example, snarks, you know, were kind of sold theoretically 30 years ago.

Starting point is 01:47:44 And back then they were, they were comically impractical. And, you know, over time with lots of dedication and research and development, we now have snarks which are extremely, extremely fast and practical. And so my kind of with my optimistic hat on, you know, in this exponential world, I'm very hopeful that, you know, in

Starting point is 01:48:11 20 years, you know, maybe 30 years, we will have this primitive and it will be practical. And one of the interesting things is that it actually allows us to run the EVM on Bitcoin, which is kind of an interesting consequence. But yeah, we will still be, I guess, by the one megabyte block limit.

Starting point is 01:48:32 Yes, we will. For eternity, I think. So the mental model I've had with this is, is we've experienced Moore's Law's growth in computation, and that has scaled computation. And it seems to be that the optimistic case for a cryptography-run universe is that we get comparable levels of growth in that scale and computation, but we get it scaled in efficiency in cryptography. And so if we do see that like more,

Starting point is 01:48:59 law level growth in cryptography's ability to scale computation and compress it, then that's actually how we do get that two-way Bitcoin to Ethereum Bridge. Is that the right perception to take, Justin? Yeah, yeah, I think so. I mean, in, you know, in the real world with transistors, we have Moore's law, which is maybe like a doubling of the transistor density every, every year or so. In cryptography, it's, it's much, much faster. You have a primitive, like, Snarks or I.O. and it's more like, you know, you have a hundred X improvement or a thousand X improvement every year. You know, you started so far away, you know, like you're astronomically far away. But, but, you know, over a decade, if every year you're improved by a factor of thousand, then eventually you'll get there.

Starting point is 01:49:48 This is because it's software changes primarily. We're not talking about, like, you know, physics constraints as we were with Moore's law. Exactly. It's pure software. And even more abstractly, it's like these cryptographic protocols and mathematical tricks and whatnot. So Justin, say we have this two-way bridge. We've solved that problem. Let's talk about the incentive to actually get BTC onto Ethereum. And I think people kind of forget that there's two different versions of Bitcoin. There's BTC, the assets. And then there's Bitcoin. the blockchain in the same way that there's ether the asset and Ethereum the blockchain, yet there's just this obfuscation with Bitcoin because it's the same name. But there's actually two different things going on here. So after we established this two-way bridge, Justin, maybe you could illustrate why people

Starting point is 01:50:40 would migrate their BTC, the asset from the Bitcoin blockchain to the Ethereum blockchain. Right. So, you know, as you said, there's two Bitcoins. There's Bitcoin with a capital B, which is the blockchain, and Bitcoin with a lowercase B, which is the asset. And just for the sake of clarity, when I'm going to, when I refer to the asset, I'll actually say BTC.

Starting point is 01:51:03 So we have Bitcoin the blockchain and BTC the asset. And I guess there's, you know, in the short term, there's various kind of reasons to, to migrate BTC onto Ethereum. You know, for example, to make use of yield, you know, in the context of DFI yield farming.

Starting point is 01:51:23 But I actually believe, that long term, if you look at a few, you know, megatrans that, you know, we can dig in. I actually don't see a future, you know, in 20 to 30 years for Bitcoin, the blockchain. I think that there's going to be what I call like a decoupling of the asset and the blockchain. The asset is going to outgrow its shell. The shell is kind of going to create. track and break. And there's going to be an uploading of the BTC, the asset onto Ethereum. And when the Bitcoin blockchain does break for reasons that we should go into,

Starting point is 01:52:12 then at that point we can declare, you know, any BTC on the broken Bitcoin to be, you know, burnt, lost forever, which is great for. scarcity. And then, you know, we can then declare Ethereum as the new, more secure, more friendly home for BTCD. What you're talking about is back to your comment about state. You're just migrating state here to a better computer. Yes. I mean, the important thing here is that we need to do it in a trustless and scalable way. Unfortunately, none of the existing solutions, you know, for tokenizing BTC allow for that. But in the future, we, we'll be able to. But in the future, we'll we will have this, you know, migration process, which is aligned with the values and culture of Bitcoin.

Starting point is 01:53:05 And I think, I'm hoping, I think that in 20 to 30 years, it will be, it will be obvious. And it's actually a win-win for everyone, both both the Bitcoiners and, I guess, the Ethereum. Yeah, not for the miners, though. The miners tend to lose for some reason in both camps. Justin, why do you say that the Bitcoin blockchain is destined to die? What is these megatrends that's going on in cryptography that would indicate that the Bitcoin blockchain has a countdown timer on its lifespan? Right.

Starting point is 01:53:38 So I guess there's this kind of three big reason. The first one is kind of a bit nebulous, which is that the Bitcoin blockchain is ossifying, or I should say is already ossified. And I guess culturally speaking, it has this maximum viable ossification. It will be as ossified as it can be. And we've talked about this. It's somewhat at odds with the greater macro picture of an exponential world. And if you go back to the root of ossification, it means becoming a bone.

Starting point is 01:54:15 And I think, you know, the way I picture it is that Bitcoin is becoming strong. and stronger, you know, there's layers and layers of bones, but the environment, the context is adding more and more pressure. At some point in time, it's just the bones just going to go crack. Now, what are these kind of external pressures? There's kind of two flavors. Like, the first one is around quantum computing. So we have this kind of quantum megatrend, which just changes the rule yet again of computation, right? If, if blockchain is an innovation, computing quantum is as well. And there is some non-trivial intersection between which in blockchain and quantum, which we need to take into account seriously. And then the other kind of big megatrend, I guess,

Starting point is 01:55:05 is the flip side of the 21 million Bitcoin limit, whereby, and this kind of moves us away from cryptography into the economic aspect of crypto-economics, whereby it's been shown that basically the incentive alignment disappears once you only rely on fees as opposed to subsidy. So with the 21 million limit, the block subsidy goes to zero. You're left with only fees. And this is problematic because Basically, the main issue is that fees can be stolen in the sense that if I'm a Bitcoin miner, I build a block with transactions. Today, you're kind of expecting all the other miners once I find a block to build on top of my block. And they have an incentive to do this because there's this baseline inflation in terms of the reward. But if you have no inflation, actually the thing that a rational miner would do,

Starting point is 01:56:15 is that it would not build on your block. Instead, it would steal all the transactions that pays fees and then try and build and fork off, basically. And then and so you have a team from Stanford, which basically analyzed this and built, you know, models and they wrote a paper, basically explaining why it's an unstable kind of crypto economic equilibrium to only rely on transaction fees. We made this argument a number of times on bank lists, the second argument that you're making. And I think one of the interesting things about it is Bitcoin is memed as digital gold.

Starting point is 01:56:57 And there's an element of truth to that meme in that it helps somebody wrap their mind around the concept of digital scarcity. So that makes sense, right? But one major difference that always seems to be overlooked is that the fact that gold in the physical form does not have to pay for its security with transaction fees. It paid for its security costs in like the supernova of a star. It's a chemical element, right? And it doesn't have to, its security is not dependent on some sort of transaction fee for me to give a bar of gold to David, right? Whereas Bitcoin totally is. And in fact, that's the model. It's getting away from its, you know, issuance meme as creating the security, which is its core strength and moving to this, this, this,

Starting point is 01:57:45 transaction fee, that makes it not very much like gold. And I do also agree this will become more apparent to people. The breakdown of that digital gold meme will become more apparent to people as time goes on and block subsidy every four years gets diminished and cut further. But what does that mean? Bitcoin is left with. It kind of means it's left with what its core strength arguably is right now, it's a, it's a, it's a, it's kind of a property ledger, right? And I don't mean, like when I say meme, I actually don't mean that in a condescending way. Like I have, uh, David and I, I think have high reverence for memes, right? Like money is a meme at some, some level. It's a social coordination tool. But, um, it's a, exactly. It's a, it's a very different Bitcoin than the

Starting point is 01:58:34 future that I think many Bitcoiners imagine today. That, that that's kind of the future. That's kind of the future that you're painting. Well, I actually don't think it's that different in a way because I think a significant portion of Bitcoiners love BTCD asset, but they hate the blockchain. Like the blockchain is like a... They don't even use it. It's a necessary evil. Like, the real purpose of Bitcoin is all about the assets. So I think we're fairly aligned here, right? we're giving Bitcoiners the opportunity to take their precious BTC and like house it in a very secure and friendly environment and kind of a little bit like a butterfly, I guess, you know, it comes out of the cocoon and then it finds emancipation as a butterfly starting from a caterpillar.

Starting point is 01:59:30 So this is an economic argument. This is talking about crypto economics. However, what's new to me in this conversation is that there is also a purely cryptographic argument that the continuation of the Bitcoin blockchain might not be able to continue as trends in cryptography improve. Can you, let's just rehash that part of the conversation, because that's the novel part of the conversation to me. And then we can actually go into perhaps the migration process from BTC on Bitcoin to BTC on Ethereum. Yeah. So there's actually three different ways in which quantum potentially affects, you know, a Bitcoin. So the first one is the most well-known.

Starting point is 02:00:12 So in quantum, you have this algorithm called Schor's algorithm. And it allows you to do things like factoring large numbers. But it also breaks the cryptography on Bitcoin, which is basically based on elliptic curve, the discrete log problem. Anyway, long story short, is that quantum breaks the cryptography. in Bitcoin. And what that means, there's actually like an economic consequence, which is that all the lost coins, at least the lost coins for which the publicly has been made public. And Peter Wooller, who is one of the core Bitcoin developers, did some statistics. And he found in 2019, I believe,

Starting point is 02:00:57 that 37% of the Bitcoin supply was kind of, kind of, liable to these kinds of quantum attacks. So basically the public key is public as opposed to just the address, which is the hash of the public key. And with that information, a quantum computer, large enough quantum computer could basically find the private key and then spend the funds. And this is bad for the same reason that the Tao was bad and it led to a fork. Right. The Tao basically was, oh God, we have an attacker who is now in control of 10 or 15 percent, I forget exactly of the supply, that's just not going to work. And so, you know, imagine having an attacker with, you know, even 10% of the Bitcoin supply.

Starting point is 02:01:46 You know, if Bitcoin is a multi-trillion dollar asset, that that's just untenable. And so it ruins the credible neutrality of the asset because some attacker got their hands on Bitcoins that wasn't theirs in an illegitimate way. Yes, exactly. You have basically, you have a flood of Bitcoin. which pollutes all the rest. And so we have assurances that this is a possible thing and likely to happen in maybe the next 30 years. Is that about right?

Starting point is 02:02:15 Yeah, 30 years is the very conservative estimate that is usually given. Like everything moves exponentially, including quantum. And we have an equivalent of Moore's law for quantum computers. And so far it's very much on track. And basically, you know, every year we're going to get better and better quantum computers. and in 20 to 30 years, assuming this law remains, then, you know, we'll be able to break the crypto. And it's kind of interesting because the time scales, like 20 to 30 years, align with the economic argument that I put before, right? Like in 20 to 30 years, like one of the reasons

Starting point is 02:02:54 why the first economic argument didn't kick in is because even though the the inflation reduces by by two every four years. The price more than increases by two every four years. But if you look over very long time scales, you can't have an asset which just grows exponentially forever. Like exponentials do end. And in 30 years, over 99.9% like just about over that will be mine. And like one of the other things is that

Starting point is 02:03:30 basically the ratio of the security budget and the asset should be just totally out of whack. You know, you're going to have, you know, like a fact of one to a thousand. And so it's, it just doesn't, that doesn't make sense there. Justin, is this quantum problem, not a problem for Ethereum? It is. It is. Absolutely. And I think Ethereum will go through the, the same migration process that I'm, that I'm, that I guess I'm happy to describe, but maybe before describing this migration process,

Starting point is 02:04:06 I should kind of flesh out the other two quantum attacks that are relevant to Bitcoin. Okay, so the other basically two attacks are based on what's called Grover's algorithm. And this actually affects proof of work. So in, you know, very, famously Satoshi wrote one CPE, one vote, right? And what he meant by that is that your computational power is going to be linear with the number of transistors that you have and the amount of

Starting point is 02:04:42 energy that you're spending. So you can kind of think of it as one transistor, one vote or one jewel, one vote. It turns out that in quantum computing, you have these really non-obvious effects where you have a superposition of things and you have quantum entanglement. And these very cool kind of quantum effects mean that you actually don't have this linear rule, one transistor, one vote. Instead, you have more like you have this quadratic effect where if you run a computation, for n steps, your computational power is kind of actually more like n squared as opposed to n. And so what that means has two consequences.

Starting point is 02:05:36 The first one is that at some point in time, it's possible that, you know, the very first person who's able to make proof of work on a quantum computer be more efficient, economically efficient than using traditional computers will have such a large advantage that for some period of time, they will totally dominate the proof of work. So, you know, it could be the NSA, for example, that, you know, for a period of one year, because they have the only quantum computer in the world that can do that, will be able to totally control the Bitcoin blockchain. So that's kind of like a short-term attack.

Starting point is 02:06:21 But what happens with proof of work is that, you know, there's a difficulty adjustment, right? And so the difficulty will adjust, and then other people will start getting quantum computers, and then you enter this new steady state and all is good, right? It's only a temporary attack. But actually, that's not the case. So it turns out that there's a paper from this year,

Starting point is 02:06:45 which was titled something like, on the insecurity of quantum Bitcoin mining, which basically made a very similar point, to the to the to the to the to the to the to the first one around the the the instability of the the the Bitcoin mining when you have when you rely only on fees so it turns out that this this quadratic effect makes the the chain even more unstable because of these these because it just changes the the the nature of mining so yeah Satoshi you know quite understandably couldn't predict and forecast

Starting point is 02:07:24 and kind of think through all the consequences of proof of work, you know, 40 years into the future. But yeah, it's a possible future whereby in 30 years, mining will be truly, truly messed up. So this episode is centered around the combination of cryptography and economics, which creates crypto-economics. And when you can't use cryptography, you use crypto-economics to fill those gaps. But what you're saying, Justin,

Starting point is 02:07:54 that Bitcoin over the long term has both flaws in cryptography and in economics that no one could have predicted at Genesis, but now that we are 12 years into this revolution, we actually do see things on the horizon that we don't actually have the problems for and without a migration plan, without being able to pivot. And your concern is that, you know, the Bitcoin blockchain is trying to become as ossified as possible when there are still obstacles that we can see. down the road. And so that has always been my, like, why my interest is always on Ethereum is that there's no way that we understood the power of crypto economics, the first blockchain, the first crypto economic system that this industry ever invented, which was Bitcoin. And so I'm much more

Starting point is 02:08:39 interested in the system that comes after we understand that there is so much untapped potential in crypto economics. So earlier you said that Ethereum 1 and also is also Ethereum 2 perhaps, has the same problem that Bitcoin does, yet it hasn't ossified yet. It has a migration plan. Maybe we can talk about what that migration plan looks like for both Bitcoin and Ethereum 1.0 into a future that does not fall to these cryptographic attacks or economic failures. Right. So I guess the migration plan is in two steps.

Starting point is 02:09:16 The first one is you want to upgrade your cryptography to be so-called post-quantum secure. And, you know, that's something where a lot of progress is being made, a lot of enthusiasm. And, you know, we have, this is something that's essentially been solved, at least at the theoretical level. Because we know how to do quantum secure snarks, you know, for example, the stocks from stockware, that quantum secure. And then when you have that, you can do a very, very large part of the cryptography needed. for for for for for for for blockchains so that's step one and that's that's just you know an engineering update the other thing that we need to do is more of an economic or social updates which is that we need to find a way to bail out to to discard um the the the lost coins

Starting point is 02:10:15 because they're liability um so we need to have a mechanism to say okay these coins are lost and we're just going to forget about them. And my suggestion is as followed. And I think it's kind of optimal in the sense that it gives people the most time to migrate. Right. It's kind of awkward if you're going to say, okay, in one year, we're just going to call any coin that hasn't migrated lost, because that would be extremely controversial. But what is much less controversial is anything that is, anything that is. is forced to us by technology.

Starting point is 02:10:56 So basically there's going to be a breaking point and anything that hasn't migrated after the breaking point, well, obviously, is lost. And so what I suggest building is basically this two-way bridge between Bitcoin and Ethereum that I was talking about, 100% trustless. And then there's a little kind of feature, which I call kind of a quantum canary and a quantum bond.

Starting point is 02:11:22 Okay, so what is the canary? The canary in the coal mine, the canary in the coal mine is able to sniff out kind of as an early detector, something bad. And this quantum canary would be able to sniff out that quantum computers are here today. Maybe not quantum computers large enough to break, you know, the cryptography, but it's kind of an early sign. and then this quantum canary would basically trigger a bomb which would destroy the bridge and once the bomb has detonated and the bridge has collapsed anything that remains in the old world is considered lost and anything that has migrated has now found is now in the canonical home

Starting point is 02:12:13 and one thing that you can do is you can incentivize you can attach a bounty to this canary. So whoever is the first one to present proof to the blockchain that quantum computers are real and are a threat, they can receive a very generous bounty for doing so. And so this is the formalization of the separation between BTC, the asset and Bitcoin the blockchain, where the Bitcoin blockchain is actually forgotten, yet BTC, the asset is able to remain. And Justin, I want to get your question on this. A lot of bitcoins might listen to this and throw up a flag saying, you know, we don't want that. Like, we don't like Ethereum.

Starting point is 02:12:57 We don't want our Bitcoins on Ethereum. But yet, is this an option regardless of consensus? Like, do we need consensus behind, you know, a majority of BTC holding individuals for this to work? Or is this something that we can build and establish anyways without needing to have some sort of consensus among stakeholders? Yeah, I think it's a little bit. between the two. So we can have Bitcoin the asset in a very native way come on Ethereum and many other blockchain. So in the way, Bitcoin will not just live on Ethereum, but they will probably live on many different blockchains. And so, you know, there is a social aspect where, you know, I think that

Starting point is 02:13:47 whichever blockchain has the most Bitcoin, you know, these native Bitcoins, will hold a claim for being the new home. But, you know, in a way, they won't be, you know, yeah. So basically we need to be able to define some sort of canonical home. And the reason is that when you have Bitcoin on multiple blockchains, if the consensus of that blockchain blows up,

Starting point is 02:14:17 then you want to basically preserve the integrity of the assets. So you want to have some sort of root notion of trust. And that will have to be determined socially. But I think if you have a good shot, if it holds most of the tokenized Bitcoin, it has very high-grade security consensus. It has a shot as being deemed a new home for BTC. It very much strikes me that we've been talking a lot about,

Starting point is 02:14:46 like difference between Bitcoin and Ethereum is kind of ossification, right? But there's also the layer at which you ossify, right? And one of the challenges maybe is that Bitcoin has kind of ossified its layer one, when really the thing it needs to ossify more is its layer zero. Because the social contract around Bitcoin as a fixed cap asset, store of value reserve, the Bitcoin movement can remain ossified in sort of in spirit, in soul, in social contract, but it can move its body. And its body being kind of the layer one, the network, is sort of a rickety old computer. It's aging really fast.

Starting point is 02:15:34 It's aging really fast. And so what you're talking about is some, you know, a connection that maybe some bitcoinsers haven't made yet is like ossify your layer zero. ossify your social contract and your meme layer. But you don't have to ossify layer one or layer two or layer three because this is compute technology. And we've just entered this new era. And there are going to be waves of innovation that provide 10x, 100x improvements.

Starting point is 02:16:02 So why in the world would you ossify your layer one? And that seems to be the more the pragmatic approach that Ethereum is taking. And I do actually see an Ethereum some more ossification around these. these core values in layer zero, which is exciting to see. But now with Ethereum, we have kind of layer one that we can continue iterating on and improving, so much so that we're creating a whole other network, this ETH two thing that lives in parallel, and we're taking the layer zero and we're migrating it over. It seems to be a very winning strategy. And I guess this is why, Justin, this episode fits very much into our ETH bull thesis.

Starting point is 02:16:43 series of episodes here. Yeah, I agree. It makes sense for Bitcoiners to solidify their layer zero and get ready, at least psychologically speaking, to consider options on layer one. But I think they've also already solidified their layer zero, or at least they're in the process of doing it. Like, we hear people on Twitter or whatever

Starting point is 02:17:09 saying that anything that doesn't have the Twitter, million limit is not Bitcoin. And they will use very, very strong language. And I think it's being ingrained in the DNA of what it means to be Bitcoin. And I think that's perfectly fine. But there are tradeoffs to that mentality. There's like an other, there's a flip side to the coin. And in a way Bitcoin can get the best of both worlds.

Starting point is 02:17:41 Bitcoin can get the best of both worlds. It can not only have this amazing scarcity, which is with the 21 million limit, but it can also, and even for free, kind of latch onto the security guarantees that Ethereum will provide with a very different model, which is the minimum viable issuance, enough to provide security, but minimal to keep basically the economic waste to a small amount. It does seem to be the best of both worlds. It really is up to the social layer of Bitcoin to say if they actually want that or not. And I guess at any point bias could be included in this conversation,

Starting point is 02:18:32 but it would seem to be that it would be in Bitcoin's best interest to not go down with the ship. and admit that Ethereum might be a great new host to upload BTC the asset too. Because as we all know, Bitcoiners love BTC, the asset, and the Bitcoin blockchain is more of an afterthought. Justin, this episode has been absolutely fantastic. In addition to talking about the obstacles and optionality between Bitcoin and Ethereum, we talked a ton about the power of cryptography. And at least with the bankless thesis, banklessness is about power to the individual. and cryptography has always been about putting power back into the hands of the individual.

Starting point is 02:19:13 And my own Twitter handle, Trustless States, talks about the state of being trustless, which cryptography is inherently involved with. We would have never been able to produce this episode without your help and without your amazing agenda that you helped put together for us. Thank you so much for coming on the Bankless podcast and showing us in showcasing the future of cryptography and what can it can do for the average individual and what this crypto economic revolution can do for the world for returning sovereignty back to the individual. Justin, thank you for coming on the Bankless podcast. Guys, thank you so much. It's been an honor. Bankless is one of

Starting point is 02:19:53 my favorites. That is awesome to hear. Okay, guys, action items. We are going to include a spreadsheet to the research that we referenced as Justin was going through those cryptography solutions and kind of the problems that we solved. We'll include that as a link in the action items in the show notes. Check that out if you want the detail. Justin also mentioned some research papers, so we're going to ping him after this show and see if we can get links to a few of those. Finally, Bull Market. David, what do we need in the Bull Market? We need five-star reviews. If you thought that this episode was interesting and informative, and you think other people should listen to it. I think other people should listen to it. We need five-star. reviews to get bankless to the top of the iTunes podcast charts.

Starting point is 02:20:39 We're trying to scrape our ways to the top of business and investing categories. We are not yet in the top 50. I don't even believe Ryan we're in the top 75. So it's up to the bankless nation to give us those five-star reviews so we can get to the top of the iTunes podcast charts. Your likes on YouTube help as well if you're watching it that way. Guys, risks and disclaimers, ETH is risky. So is Bitcoin.

Starting point is 02:21:01 All of crypto is risky. You could lose what you put in. We are headed west though. This is the frontier. It's the frontier of cryptography as well. It's not for everyone, but we're glad you're with us on the bankless journey. Thanks a lot.

Bankless - 49 - Moon Math: The Bull Case for Cryptography | Justin Drake

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.