Epicenter - Learn about Crypto, Blockchain, Ethereum, Bitcoin and Distributed Technologies - David Vorick: On Skynet and Trusted Setups
Episode Date: May 22, 2020

Today, half of the internet is built on top of Amazon S3. Although the cloud has allowed Internet applications to scale, centralized infrastructure means less control over one's own data. And when it goes down, so does half of the internet.

Sia CEO David Vorick is back on the podcast to talk about a new product recently released by their team: Skynet. Skynet builds on Sia and enables web applications to be developed and deployed over a decentralized data storage infrastructure. David also shares his thoughts on Trusted Setups, why he thinks they're "busted," and how the crypto industry can create better and more secure Zero-Knowledge primitives.

Topics covered in this episode:
- What is Skynet and how it builds on Sia
- Skynet compared to IPFS/Filecoin
- The need for a decentralized data marketplace
- An example of how the Sia network works
- What are trusted setups and how they are used
- Threat models in trusted setups and what can happen when they break
- The alternative to trusted setups and solutions for the future

Episode links:
- [Sia Website](https://sia.tech/)
- [Sia Blog](https://blog.sia.tech/)
- [Decentralization & Cutting-Edge Cryptography - Starkware Sessions Talk](https://www.youtube.com/watch?v=naw0HajYDxI)
- [David Vorick on Twitter](https://twitter.com/davidvorick)
- [Sia on Twitter](https://twitter.com/SiaTechHQ)
- [Epicenter Virtual Meetup on May 29](https://epicenter.rocks/virtualmeetup)

This episode is hosted by Sebastien Couture & Sunny Aggarwal. Show notes and listening options: [epicenter.tv/B005](https://epicenter.tv/B005)
Transcript
Hi, welcome to Epicenter. My name is Sebastien Couture. Today is a bonus episode. We're interviewing David Vorick, once again. He was on the podcast a couple of months ago to talk about SIA. Well, they recently launched Skynet, which is a new product that builds on top of SIA and that adds a lot of functionality to their existing decentralized data storage network. And so we wanted to talk to David about that and understand what is Skynet and how it improves on SIA.
But also I wanted to talk to David about something that we didn't get to discuss during our last interview with him, which is trusted setups.
So actually, I heard David speak for the first time in Tel Aviv at the Starkware Sessions conference.
And he gave a talk about trusted setups, which I thought was really interesting.
But we spent so much time talking about SIA in our last interview that we didn't get to cover this at all.
So this was also an opportunity to sit down with him and talk to him about trusted setups, why he thinks they're broken, and what kind of approach we should have in terms of ensuring that zero knowledge setups and the zero knowledge infrastructure upon which, presumably, crypto will rely in the future can be trusted. So there's lots of interesting ideas in this one, and I hope you'll enjoy it.
A little bit of housekeeping before the interview: we're going to do a virtual meetup on May 29th. You know, it's been several months now that all of us have been in confinement. We want to check up on how you guys are doing and see what you're up to these days and get the pulse for the types of things that you're interested in and just, yeah, have a chat.
So all of us will be there, Meher, Sunny, Brian, Federica and myself.
And you can come hang out with us in a Zoom call.
So it'll be on May 29th at 9 p.m. Central European time, 12 p.m. Pacific, 3 p.m. Eastern time.
And you can register for that at epicenter.rocks/virtualmeetup, and you'll get all the details and the calendar invite.
So come and hang out with us, it'll be lots of fun.
And with that, here's our conversation with David Vorick.
We're here with David Vorick.
David, thanks for joining us again on the podcast.
Hey, great to be here.
So we had you on just recently.
I can't exactly remember how long ago, but it was like two or three months ago.
And we talked about SIA and everything that you guys were building there in terms of decentralized file storage.
Since then, there's been some news recently.
You launched this new layer on top of SIA or this new platform.
We'll get into it in a moment called Skynet.
It's something that I'm personally really excited about because I'm kind of like excited
about the opportunity to store files online in a decentralized way,
in a trustless way that doesn't rely on companies like Dropbox and Google, etc.
So I think it's something that even like I'll start using personally.
So I'm really excited about that.
And we also wanted to get you on because last time we didn't really get the time to talk about it.
But, you know, I first encountered you when you gave a talk at Starkware sessions in Tel Aviv
where you were talking about trusted setups and how trusted setups are broken.
And this is something that I've been wanting to talk to you about since we did that interview.
And so, you know, we'll spend some time today talking about trusted setups and how
trusted setups are improving with things like Sonic and stuff like that. So thanks for joining us.
Yeah, glad to be here and excited to talk about both Skynet and explore trusted setups more deeply.
So let's maybe start with Skynet. So what is Skynet? For those who heard the episode last time, or maybe some of those who didn't, let's maybe just briefly recap on SIA and from there get into Skynet and how it improves on the existing SIA infrastructure?
Yeah, so Skynet is an application development platform.
And the ultimate goal of Skynet is to replace the cloud
as the primary way that people deploy applications.
And so, for example, today, like half the internet is built on top of Amazon S3.
When they go down, half the internet goes down.
And there are very good reasons.
The cloud offers many substantial advantages over,
a more decentralized, like host your own infrastructure approach.
But this comes with a bunch of tradeoffs,
one of the key ones being Amazon's in control,
and everyone's kind of dependent on the single point of failure.
And Skynet has been created as an answer to that.
And so what we want to do is enable developers to build the next YouTube,
the next Instagram, the next Snapchat,
and really with an emphasis on like social media
or the next file sharing app,
the next BitTorrent on top of Skynet.
And so Skynet is this application layer that gives you the ability to store and retrieve data.
And that data can be application code.
It can be user accounts.
It can be friends lists.
And from that, you can build an entire rich, decentralized application ecosystem.
And so that's what we're really excited about.
We think it's the most powerful thing that's ever come out of the SIA team.
So when we talked about SIA last time, you described it as a, you know, a distributed
or decentralized file storage network where people are providing storage space, storage capacity.
They're effectively renting it to the network and, you know, other users can rent that
storage space for a fee. They, they can store files there, retrieve those files. What does Skynet
bring to that? What are the, what's new about Skynet that, you know, we didn't have in the plain
kind of SIA infrastructure? And is it built on top of SIA or is it totally different?
So it's built on top of SIA. And really, it's not even like a layer two so much as it is
from a tech perspective, a small upgrade. What Skynet does is it allows people to download other
people's files. And so before Skynet on SIA, if you uploaded something to SIA, you actually couldn't
share it. The only person that could download it is you. And that, you know, it's good infrastructure and
it's great for certain use cases, but it's very limiting if you're talking about the future of the
internet. What Skynet does is it allows you to go and download any file that you have the encryption
keys to and that you have the link to. And so you can share files with other people and then
download them. So technologically, it's fairly simple. But what this allows you to do is build
really rich, complex applications on top that essentially, you know, at the end of the day,
most of the internet is just passing data around. And so now that Skynet has the ability, or SIA,
has the ability to pass data around between users, we can build essentially the rest of the
internet. So just to maybe put this in context of,
of like comparing it to another project that, you know, many people might also be familiar with, which is IPFS.
So, you know, I think you could say that the IPFS, or the entire protocol labs stack, had a similar goal.
But you guys sort of approached it from different starting points where the protocol labs team built IPFS first, which is the CDN, the content delivery network.
And they're in this, like, you know, I don't know, five year long.
I don't know how long it's been so far,
but Filecoin is supposed to be this
like sort of economic
incentivization layer. Meanwhile, what you guys
did was you sort of built the economic
incentivization layer first, which is what
SIA blockchain was,
and then now you've built on
the CDN system where
like you have the content addressing and
you know, basically a network where
do you guys use like similar sort of like
DHT that IPFS uses
or do you use sort of a different technology underlying?
Yeah.
So the technology, and I love the way that you put that,
I think that's completely right.
IPFS slash Filecoin did content first, storage second.
And we did storage first, content second,
or incentivization first and distribution second.
And to us, I think that the storage layer is where all of the key constraints are.
And so I think it's much better.
And I think we did the right approach,
because that's where you're most constrained,
and that's where you have to make the most difficult decisions.
And so we built this super optimized storage layer,
and now we can build an optimized delivery layer on top of that.
So to answer your question about the technologies,
they're completely different.
Skynet has this laser focus on performance,
because our goal is to replace the centralized web,
and that's not going to happen unless the user experience is comparable or superior.
And that means that we have to be able to deliver content to users as fast or faster than, say, in Akamai or a Netflix, who have these really elaborate centralized constructions to get data to users quickly.
And the problem with the DHT is that you have to talk to multiple servers, often bouncing around quite a bit in order to discover where a piece of content is and then download it.
And that bouncing around takes a lot of time.
So on Skynet and on SIA, everything is point to point.
When you get a file link, you immediately have a constant time way,
just a single hop way to go and fetch that file from a host.
And so the reason that we're so different is because we have this heavy, heavy emphasis on performance
and making sure that we can be superior to the centralized web.
Right. So do you use the SIA blockchain?
So I guess one of the reasons that IPFS has to do this like DHT thing is because they don't have a, you know, a centralized state in the form of a blockchain.
But you guys do.
Is that how you kind of get around it?
Yeah.
So the key thing that the blockchain does with SIA is it enforces that hosts have to hold on to the data.
To get the speeds, we essentially just do a lot of lookup tricks.
And we also use like hinting so that the link that you receive has a couple of hints in it that say you should try looking here.
And oftentimes you can get longer form links that just say outright.
Like this file is stored at these IP addresses, which again allows you to.
So there's, we have more metadata associated with our files and how we do lookups.
But that metadata allows us to be extremely fast.
And so, but that metadata isn't stored on chain.
No, it's not.
In the time that everyone's been waiting for Filecoin to come out,
instead, what's popped up in its place now is a bunch of sort of centralized providers
who sort of provide pinning services.
So, for example, I've used pinata before.
And why does this like Skynet vision need a marketplace inbuilt
rather than just allowing sort of a marketplace to arise, match on top of it,
sort of with providers.
So I think that I would say that I'm pretty unhappy with the pinning model of IPFS.
If you want to be fully independent on IPFS, basically the only way to do that is to self-host.
And so IPFS in some senses is like synonymous with self-hosting and in other senses is like
you find a provider to host for you. And neither of those situations, well, so finding a provider
defeats the point of decentralization.
Now you're dependent on them
and you're straight back to the AWS model.
Self-hosting is challenging
because it's difficult to keep servers up.
You have all these costs associated with it
and it's just a headache.
If you want to have any reliable amount of uptime,
most everyday users
don't have the ability to get four-nines of uptime
on a self-hosted service.
But we want, you know, the 15-year-old
in his parents' house to be able to launch
an application that has 100% uptime without having any reliance on like an S3.
And so having this like built in essentially SIA acts as a decentralized pinning service
allows you to put files on Skynet and then log off shut off your computer and not worry about it
and know that that file is getting you know as as close as possible to 100% uptime with no work
and no stress on your end as the creator or the distributor.
Yeah, that was always one of my, the issues that I took with IPFS is,
and maybe this gets addressed in Filecoin and the layers on top,
but was it this, you know, you have to actively pin your files to make them available in perpetuity.
It's an active thing that one does in order to make their files available.
And then if you want to have redundancy,
if you want to have those files available in different places, well, you need to do that as well.
You know, I mean, and again, maybe Filecoin takes on some of that burden.
But in SIA, you know, you upload the files and while the files get, you know, distributed
automatically, they get, there's redundancy built in, correct?
Yep, correct.
Okay.
Interesting.
Yeah.
I think I really like that approach.
So I've got like now like kind of a personal question about this because this is something
that I would like to use myself.
So I have a self-hosted cloud infrastructure, right?
So I have a computer in my house that is hosting my file services, my email,
and that's my in-home cloud system.
Now, in order to back that up off-site,
I do an off-site backup to a computer that's somewhere else,
similar setup.
But I was thinking what I could do is just instead of doing that sync,
every day to that other computer,
that other computer could just be
a SIA or Skynet host,
the entirety of that hard drive,
could be on the Skynet network.
And then instead of sending my files there
from my cloud here,
I just send it to the SIA network, right?
And I'm backed up, I'm redundant,
and I'm also contributing to the network
with that other computer that was only meant for me,
but it's now like serving the common good.
Is that like a sort of setup
that one could use?
Yeah.
And as far as I understand your needs,
I think that's something you could set up this weekend.
That's the, you know,
the SIA network's at a point where it can do both of those things.
All right.
Well, there might be an extra 6 terabytes of data on site this weekend.
I mean, what's interesting about this is, you know,
I think that almost this product comes 10 years too late.
Because, you know, 10 years ago, if you'll remember,
you know, you would buy a Mac, and then you would have that backing up to, you know, your Time Machine, right? And then the best practice was to have, you know, two backups, like one local backup and one off-site backup. What people did, well, they would set up other computers if they had places to set those up, or they would pay for a service like Backblaze, for example, where they would effectively back up their Time Machine backups. So they would have three at all times. And I think that now that people are just so used to cloud backups and even, it's not even cloud backups. It's just, you know, cloud storage in the form of Google Drive or Dropbox where everything's like ubiquitously in the cloud. You know, going back to something like this here in terms of the, not in terms of like decentralized aspect, but the user experience of like backing up your files is like kind of like going back to something that we had previously. So yeah, I'm curious what you think about like how people like what's the likelihood that, you know, people utilize this for their own cloud backup?
Yeah, so the way we're approaching Skynet is really from the developer end.
For example, you could build a decentralized Dropbox on top of Skynet that functions just like Dropbox,
or you could build a decentralized Google Docs.
And actually, you have a little bit more power than Google Docs does.
So you might be able to build something even the next thing that has an even better user experience
and makes the cloud feel like the personal backup. So definitely at least our energy as a team is being focused on this forward direction and asking
how can we take what users are used to and using Skynet's infrastructure, power that up to the next
level rather than, you know, it's for because we really want to see this stuff go mainstream,
it's really important to us that the user experience is only better than what consumers are
already used to. And so I think certainly, uh, your backup use case is something we can support.
But what we're most excited about is like just replacing Dropbox and Google Drive outright
with something equivalent or superior in user experience.
It's just easy and just works.
So with this goal of replacing the internet, with the Skynet architecture, I can see how I would
create a replacement Dropbox or a Google Docs replacement,
because what you're essentially doing is using Skynet as a storage backend,
and then you're using code that is client side.
But a lot of the internet is based on sort of a server side architecture.
Let's say Sebastian wants to create an email, move his entire email inbox into this
decentralized internet rather than on his own machine.
where would he run the sort of email server
that you know running the SMTP server and all of that?
Yeah, the SMTP server, yeah.
So if you want integration with the traditional email system,
that's not something we've looked into yet.
And so I'm not sure exactly how the SMTP server would work.
But like what, so one thing that you can always do in Skynet is you can reach out to,
We call them curators, but essentially these like third party per app services that just sit there and run some sort of protocol.
And so you could tell people like, hey, if you have a message to send me, send it to this third party or these like five third parties that have 100% up time.
But that would be for strangers.
So for friends, it's actually pretty simple.
I would just client side, right, if I want to send you an email, Sunny, and we're friends, I would just have a folder on my system that says Sunny, you know, messages for Sunny.
And when you open up your email client,
you're actually going to scrape my account or my files, essentially.
You're going to look for that folder,
and you're going to pull all the emails that I've written to you.
And so you're going to be able to see, you know,
whether it's emails or texts or whatever,
or whether it's like an RSS feed,
it's content I've published and you're subscribed to receive that content.
We can do that entirely client side.
And then so you really only need these like curator services
to connect people who have never met before or who aren't friends.
And so these curator services exist as discovery.
And without them, you know, it's hard to find people through normal means.
But even without them, you know, you can still talk to all your friends.
You can find the friends of your friends.
And then you can get this like nice big web and connect to everyone eventually.
But this then does require sort of a massive re-architecting of how a lot of the web
works. And, you know, I get this feeling that, you know, the web trends seem to be that we're
moving towards more server side things, even things that aren't web, like, you know, even look
at gaming, for example, like server side rendering for, like, you know, gaming is becoming
more and more popular. And so do you see that there will be a reversal of this trend?
Or if not, so you've created Amazon S3. Now, where are we going to get the Amazon, I don't know,
Lambda or something, where's the compute layer?
Yeah, so I think the compute layer is, I'll call that unsolved for the moment, just because
from a cryptographic perspective, it's difficult to get verifiable computation.
And so it's difficult for me to send a job to an open marketplace of untrusted people and then
trust that the results I get back was computed honestly.
So for that, you really do want a trusted party, you know, like Amazon.
But I think for the majority of applications that people use every day,
possibly gaming aside, you don't actually need that much compute power.
If you think about all the compute that goes into curating a YouTube-like application,
that can entirely boil down to something a client-side computer can do.
And so I do think that the advantages of Skynet will drive a lot more client-side thinking
in client-side development.
And then another huge advantage
to thinking about doing things
client-side is infrastructure costs.
If the user who's running your application
is also the one doing the compute
to keep the application alive,
you're not running servers yourself.
You're not paying for it yourself.
And that's actually a point
that we haven't touched on yet for Skynet,
which is that as a developer,
when I put an application out onto Skynet
and people start using it,
if I have 10 million users tomorrow,
my bandwidth bills are zero as the developer.
My storage bills are zero because the users are the ones who are paying for all the infrastructure costs.
And so that means that I don't need to be a startup in order to compete.
And this is especially powerful in video content.
Most YouTube competitors die because they don't get to a scale where they can monetize their users and pay for their bandwidth bills.
the bandwidth bills just crush them out of the gate.
Skynet solves that problem for developers.
It's a, even though you have to rethink how you build applications,
you don't lose much power and you gain the ability to not have to worry about infrastructure anymore.
Yeah, this is something that, to touch on what Sunny was saying about, like,
decentralized compute power, I think that as much as I love this idea and I think it's really cool,
I think one of the things that doesn't play in your favor here
is the fact that in order to grow this network of nodes
and to grow the size of the storage on the network
in order to power this decentralized web,
you need a lot of individuals
and infrastructure providers
to rent their storage space in the system.
If you want that to remain decentralized,
if you want to be decentralized,
you presumably want to have like lots of individuals and like hobbyists putting their storage space on the network. But the reality is that increasingly people don't have storage space in their home anymore. Like, you know, how many people have a four-terabyte hard drive in their house nowadays? Like virtually none. You know, most people now rely on the cloud entirely. And embedded devices, while they're very, it's very difficult to utilize the storage space there. So it'd be interesting to see like what kind of, what will the constellation of
storage providers look like? And do people sort of make businesses out of that, right? Much like
you have Bitcoin miners, well, you have SIA service providers that are providing like storage
to the network somehow. Yeah, this is something we've thought about a lot. And I think you hit the nail
on the head. Where the, where the end game is for this is like Bitcoin mining, you're going to have
professionals and maybe even like LLCs that get set up to provide infrastructure to Skynet and to
the SIA network. It's not going to be people at home. One advantage that data has over Bitcoin
mining is that location and bandwidth and hardware is not fungible. In Bitcoin mining, if you set up
a data center in the middle of nowhere, Siberia, that mining power is still mining power and is still
valuable. But on a storage network that emphasizes latency, someone in California is going to be
serving different users than someone in the UK than someone in Hong Kong. And so you have this
natural decentralizing pressure just from the fact that people in different locations are going
to want different data centers from each other. And so I think that that's probably what's going
to allow SIA to be decentralized even in light of economies of scale that happen when you start to make
these bigger farms. Yeah. Well, I'm probably going to spend some time this weekend fiddling with this. So I might
reach out to you if I have any questions.
if you don't mind.
Awesome.
Yeah, feel free.
And yeah, I would love to also document some of that process of onboarding Skynet for my own cloud backup.
So let's move on to the trusted setup question then.
So, you know, we've talked about trusted setups in the context of the show before.
Recently, we had like the guys from Aztec on the podcast to talk about how they, you know,
did the multi-party computation to set up the Aztec ZKP smart contract.
I forgot exactly the way it's called
the Aztec Engine, I think.
So, yeah, let's maybe dive into this
and you've given talks
at a number of places
in describing your distrust
in trusted setups.
I think you've called them busted setups
at some occasions.
So, you know,
what is a trusted setup and
why do you think they're broken?
Yeah.
So, you know, I want to frame this
conversation in the context of like, I think people usually don't think about the threat model
of trusted setups in the right way. And when I hear people talking about like, oh, you know,
XYZ would have had to have happened in order for this trusted setup to be broken, that's just
the wrong way to think about it. And when they think about, you know, what happens if this trusted
setup gets broken? You know, what does society stand to lose? They just think about it in the wrong way.
And so I think that we're going to try and take a very zoomed-out approach in our analysis of trusted setup.
But before we dive into it, like, what even is a trusted setup?
So a trusted setup is a cryptographic construction that requires several collaborating people to build something.
And if all of them are dishonest and acting in conspiracy, right, if they all collude together, they can backdoor the system. And so Zcash is my favorite example. I think it's super clean. Basically,
Zcash has a trusted setup where a bunch of people work together to build this secret or this
object that we have to use in our proofs. And if all of those people who work together collude
and they all told each other, you know, they're part of the puzzle, then that group as a group can print
money. And so they can print an unlimited amount of money in Zcash and no one would ever know,
except maybe seeing that there are too many coins flying around. So the idea with a trusted setup
is that, you know, and I think the original Zcash ceremony had five or six participants.
So it's like these five people, six, yeah. Six. So these six people will work together to build this
object. And as long as at least one of the six people destroys their piece of the
puzzle, then the whole trusted setup is safe. And nobody can steal anything. But if all six people
collude, they retain their piece of the puzzle, they share it with each other and build this,
essentially this back door, then they can print for themselves as much money as they want.
If you put it in other terms, the participants in the trusted setup, and correct me if I'm wrong
here, they're generating, collectively generating a private key and then destroying that private key and
what's left is a public key that goes into the setup of the zero knowledge circuit or whatever
construction, right? Like what's left is basically a public key for which there is no private
key. And if everybody colludes and had that private key, then in that instance, they could backdoor the system. Yeah. I think that's a good way to think about it. Okay. And so when you talked
about the threat model and people looking at it the wrong way, and you know, just for, in all fairness,
is like since that Zcash trusted setup,
there's basically been like a new setup now
where many more people are involved
and we can get into that.
But what is the framework
through which people view
the type of trusted setup
that traditionally has been done
and why are their assumptions
about the threat model wrong?
Yeah.
So I think I want to start
by focusing on actually what's at stake.
because I think people often underestimate what's at stake.
So when you do a trusted setup,
what you're building is a cryptographic primitive.
It's like a building block to build a greater system.
And the goal of all of these systems, right,
at least in cryptocurrency,
like what we want as an industry is mainstream adoption, right?
We want a billion people or even five billion people
using these systems that are built out of the building blocks we're making today.
And so when we make something like a trusted setup, if that gets accepted, if that particular trusted setup
gets accepted into, say, like the cryptocurrency canon, and then cryptocurrency goes mainstream,
you could have systems that depend on this building block in very surprising ways.
Because, you know, things will use each other, and then you get Zcash, and then things start to
depend on Zcash, and they assume Zcash is private, and they build other stuff.
And as you continue, you know, making the ecosystem more complex and elaborate and as things keep building on top of each other, you could end up in a situation where a single broken trusted setup in the whole ecosystem could have this like massive systemic cascade of vulnerabilities and attackers aren't just defeating Zcash.
They're defeating, you know, oracles and they're defeating, you know, who knows; people use building blocks in surprising ways.
And so, like, the first thing I want to hone in on is really, like,
these cryptographic primitives that we build are likely to be used in elaborate ways
that kind of go beyond how we understand them today.
And 10 or 15 years down the line, if we accept a primitive today,
we might find that that primitive is a key building block in, like,
you know, nearly every major application that's used mainstream.
And so I frame this from the perspective of like, you know, what do we have to lose?
Potentially, a broken cryptographic primitive could wipe out the whole ecosystem.
And for example, like if quantum computers came in and broke ECDSA, yeah, that would wipe out the whole ecosystem.
And so we, as an ecosystem, we want to be really careful with the cryptographic primitives that we collectively decide to trust and decide to build things on top of.
because that's going to cascade very poorly if it ends up being broken.
And from the perspective of an attacker, the risk reward, the reward is extremely high.
So if you do manage to break a trusted setup, you could potentially print yourself a trillion
dollars, you know, or you could manipulate the ecosystem to earn a trillion dollars, right?
So I think that, you know, one of the first places people miss the mark is just in how important
these primitives are.
I mean, so if we come back to this idea that essentially what you're doing is you're creating
a public key for which you're trying to prove that there is no private key.
Yep.
I don't know how conceivable this is, but couldn't we construct protocols around which we agree
that some random number is generated by like random occurrences and that that random number
would be the public key and effectively where we just construct a random number?
That's what we're looking for.
We're looking for a random number, essentially.
Yeah, so I believe it depends on the protocol.
And a lot of protocols that come out that defeat trusted setup,
like that, you know, when a cryptographer finds a way to change a protocol
into no longer needing a trusted setup,
it's because they found a completely trustable way to create a random number.
And so that is a technique that gets used.
But in the cases where we still have trusted setup,
it's because the only way that we could think of to get this object, this public key,
which I think is kind of a, you know, at the very lowest layer,
ends up being a weak abstraction or a leaky abstraction.
You have this complex object that you have to build that has to have certain properties.
And in a lot of these protocols,
the only way that we know to give it the properties that we require
is to allow a set of colluding individuals
to make a private key.
Yeah, here's an example that I just came up with off the top of my head.
Imagine what we wanted to do was come up with a random number that was the product of six primes.
We can't just guess random numbers because we'd basically never ever get to six primes.
But if we had six people each choose a prime and then we did some MPC to multiply them
together and then we end up with a number that's six primes, but we don't want it to be that
anyone can figure out what the six underlying primes were. That's just an example of why it's not
as simple as just creating any old random number. It's usually some sort of random number with
specific properties. Oh, okay. See, that's where my understanding of this falls apart.
See, I thought it was just generating some random number, but it's a random number that also needs
to have some predefined properties. Yeah, some algebraic
structure that we then exploit to construct zero-knowledge proofs, essentially.
So one of the things you talked about in your talk was that we should be looking at trusted
setups from a more macroscopic view in the sense of not thinking about how to break any one
specific trusted setup, but rather getting, let's say there's a thousand trusted setups,
and the goal is to get one broken trusted setup accepted by the community.
So can you explain some of your thinking on this?
Yeah.
So this ties right back into kind of how it opened up,
is thinking in terms of what's at stake.
If, as a community, we adopt a culture of accepting trusted setups,
and so we end up with multiple cryptographic primitives that are trusted setups
in our ecosystem, in our set of building blocks that we build the ecosystem out of,
you only need one of them to be busted in order for the whole ecosystem to experience these
trillion-dollar, you know, I'll just call it like the trillion-dollar vulnerability.
Someone can insert a trillion-dollar back door not by breaking every trusted setup,
but they only have to create a single trusted setup that's broken
that the community accepts as secure.
And this comes down to a social problem,
as much as it is a technical problem.
The question is not, is everything secure?
The question is, how do I convince the community
that something which is not secure is in fact secure?
And so the more as a community we embrace trusted setup
and the more it becomes normalized for a new team
to come up with a trusted setup protocol and launch a new system that depends on this new
trusted setup, the easier it will be for someone to slip something through the cracks.
And so that's really the key reason that I take the stance.
No trusted setup should be tolerated, ever, because as soon as you start to draw the line like,
well, maybe X is okay and maybe Y is okay, you've given breathing room for an attacker
to use social techniques and politicking and social manipulation
to move that bar like, well, what if we just move the bar a little bit left?
And then they know that they just need, like, two centimeters to the left
and they can slip in a broken trusted setup.
And so I think the only way to protect against this kind of social engineering
is to just completely shut it down
and make it so that trusted setup is just outright not acceptable
within the broader community.
Because otherwise I do think you'll end up with attackers who have enough wiggle room to try and insert a trillion dollar back door.
And of course, if we're talking about a trillion dollar back door, your attackers are going to be the NSA.
Your attackers are going to be, you know, the Russian Secret Service and the Chinese Secret Service.
And you're going to have well-funded, you know, groups with 10, 20, 50-year time horizons who are just spending all day every day with a bunch of PhDs asking,
the question, how do we convince the world that our broken thing is actually not broken?
What resonates here is a similar problem that we have with the root CA system where
the trust in the root CA system is only like the trust that you have in the most malicious
actor, like not the root CA, but like the delegated CAs that can issue certificates at will,
you know, and like there are hundreds of these. And so similarly here, you are putting your
trust in the least trustworthy trusted setup.
That's right.
And similar to the CA system, you don't know which one is the least trustworthy, right?
And so you have 100 of these things.
You don't know how much attention has gone into all 100 or you have a thousand, or, you know, however many.
And you don't know which one needs the most scrutiny.
So it's kind of like, you know, you don't have an issue with the Zcash trusted setup,
but you have an issue with the fact that, okay, first there was a Zcash one.
Then there was, like, the Aztec one.
Now Loopring did a trusted setup.
And as we get more and more trusted setups,
the chance that one of them is broken just increases.
And sort of like a slippery slope there.
Isn't this sort of analogous to the slippery slope of,
let's say blockchains as a whole, right?
You know, we convinced people to take their money
and put it on these like crazy decentralized systems.
And, okay, Bitcoin, first one, great.
Then we had like, you know, we had more chains.
Like, we had Sia come up.
And then, you know, maybe we had something like Ethereum, which is, you know, maybe, you know,
Ethereum's initial setup was a little bit less trustless than Bitcoin's was.
Isn't that also just sort of a, you could say like, you know, the unknown properties of
a trusted setup are pretty similar to the unknown properties of a code base because, like,
you know, 99.99% of users don't audit code bases when they use them.
So what makes this different?
Yeah, that's a great question.
And there's one super important key difference, which is that with something like, let's say, Ethereum, your confidence in the
system can grow over time. And so even if it's initially not very well audited, as Ethereum
grows from $100 million system to a billion dollar system to a trillion dollar system, it gets
increasing scrutiny. Problems get identified and fixed, or if the problems can't be fixed,
that Ethereum can be abandoned.
And so, like, essentially as Ethereum scales, scrutiny scales,
and we can identify and fix things or, you know,
we can identify that there's a problem.
And that's super important.
In a trusted setup, you never have the ability to improve confidence.
And in fact, as the thing grows, confidence actually decreases over time.
Because, you know, the Aztec protocol, the Aztec trusted setup is one thing.
Today, it happened recently,
we can go and interview the people.
If Aztec is the thing,
if Aztec's trusted setup
becomes a building block
that has 5 billion users on it,
thinking of it from the perspective
of like, you know,
an enterprise in South Africa
that's jumping on and using the Aztec protocol.
It's like, who are these guys that,
you know, this ritual thing happened six years ago
and it's like some weird crypto
and weren't they like all anarchists
and kind of crazy anyway.
And so trusted setup only loses confidence over time,
whereas blockchains and codebases,
those things are all auditable,
and they gain confidence over time.
And so I think that is a super key difference.
And I wouldn't want a trillion dollars on Ethereum today.
I would want Ethereum to go through much more scrutiny
before it gets to a trillion dollars.
But it's possible to put it through that scrutiny.
With a trusted setup, it's not possible to add more scrutiny to the trusted setup.
Once you have the object, the damage is done and it's hidden.
What about sort of open trusted setups and also more general purpose trusted setup?
So these were two goals of the Sapling trusted setup.
So when Zcash switched from Sprout to Sapling, Sapling sort of had two parts to it.
The first part was to create some generic trusted setup thing.
And that was used as an input to part two, which was used to create the Zcash specific circuit.
But the point of it was that the result of the first part, if anyone else wants to create their own trusted setup for their own application, they could reuse that first part.
And they made that first part extremely open.
Like they had, I don't actually remember the numbers, but I know I participated in it.
And why don't we just, like, dedicate a lot of energy to creating one sort of master,
super open trusted setup with tens of thousands of people participating and then just use that
as the basis for everything.
Yeah.
So we really have to go back to our malice hat, which is like, let's say I'm NIST and I get a,
you know, a national security letter from the NSA,
and I'm tasked with creating a broken trusted setup
that is the one true trusted setup,
you know, the one trusted setup that everyone uses.
First of all, because I'm NIST,
I have a lot more swing than Zcash.
And then second of all,
I'm going to be asking all of these social questions,
like, how can I make it look like 10,000 people participated
when in fact they didn't?
You know, are there things that I can do to make
Sunny believe that he participated in the trusted setup when in fact he was using,
you know, code that was just streaming the results of his participation to our servers?
And is he going to catch that? What, you know, what underhanded techniques do I have available?
And I think the upper bound on the amount of creativity that you can have for an attack like this
is extremely high.
The number of underhanded strategies that you can use
to create something that looks and feels secure,
but in fact isn't, I think is super high.
And so even these kind of universal setup ideas
I really don't like because I feel like,
if we try and say, okay, we'll get to one universal setup,
you'll have bad actors like the Chinese government
and the US government and the Russian government
saying like, okay, but the universal setup will be ours, not whatever this crazy crypto community
came up with.
And again, this is a social game.
It's a political battle of how do we move the minds of the mainstream to accept, you know,
which single trusted setup do the minds of the mainstream gravitate towards?
And again, I think that's a battle that we don't want to wage and that even that battle all by
itself is too risky and that we have to fall back to just no trusted setup. We just shouldn't
have trusted setup. So what's the alternative? I mean, we talked briefly at the beginning
of the show about Sonic. What's the alternative to trusted setups? What are these rolling trusted
setups or continuous setups? And how are the security assumptions different here than for a trusted
setup? I think my favorite solution to this is just to treat all trusted setups as broken and
throw them away and not use them and look for other things.
And so when someone invents a trusted setup ritual or a trusted setup technique,
it's interesting insofar as it teaches us new math and new cryptography and gives us maybe
ideas and tools that may eventually lead to a non-trusted setup.
And for example, SNARKs, which are all trusted setup at the moment, have a competitor called
STARKs, which has no trusted setup.
And so that's very exciting to me because now a lot of these applications,
which, you know, if you take a very sharp, no trusted setup ever line, you lose the ability
to do a Zcash. STARKs are a mathematical innovation that bring back the ability to do Zcash in the
absence of a trusted setup. And so, you know, I think my favorite way to go here is to treat
all trusted setup systems as, kind of, academic value. It's not that they're like,
waste of time and waste of space. It's just they're not something you can use in production.
They're an intellectual stepping stone to something better. To answer your question about Sonic,
that one was one I struggled with because it almost sounds good enough. It's very close to good
enough. And the problem with Sonic is that once you, or what I'll say is, these rolling trusted
setups. So just to give the listeners a definition, a rolling trusted setup means that at any time a new
person can join the ritual and add, you know, their secret to the object. And then as long as
you're secure, as long as you do it safely, you know that nobody else can break the system anymore.
And so you can have this thing where, you know, as we grow and as we scale our trusted setup
from a thousand users to a million users to a billion users and that company in South Africa
is thinking about joining this primitive, that company in Africa could just participate in the
trusted setup. And now it doesn't matter that it started from this random crazy crypto group. It's like,
well, we participated in it ourselves. We trust it because we know we did it right. And so that's very
compelling, except for one caveat, which is that every proof that was generated early on is suspect
and can't be trusted. And so every time you evolve the trusted setup, you still have proofs
floating around that are suspect. And also, I just go back to, like, how clever would, you know,
25 PhDs thinking about ways to social engineer a broken Sonic into the world? How clever would they get?
And I don't know, because I don't have that brain power. And so that makes me wary. It's like,
this feels like something where I could be outsmarted. And so even with Sonic, that puts me at my limit.
I can't come up with a plausible story that makes me feel happy that I could, with enough resources, break Sonic.
I'm not confident that a bunch of people working together who are way smarter than I am couldn't come up with a way to break it.
And so even with things like Sonic, I default to saying we just can't do trusted setup because I don't feel like we've proven that the attack surface is small enough that someone like the NSA couldn't hit it.
So what's the way forward then?
If we are to leverage Zcash and other zero knowledge proof cryptocurrencies and things like Aztec and the ability to transact anonymously and even perhaps, you know, do computations anonymously, it all comes down to trust, right?
Like you have to trust that someone or something built this primitive.
So what is the solution in your view?
Yeah, so I think that zero knowledge systems and just cryptography in general has made an enormous amount of practical progress in the past two years.
Just as an example, in 2014, 2015, I was kind of making this decision as a technologist.
Do I focus my energy on cryptography or do I focus my energy on game theory?
And I chose to go the game theory, mechanism design, like, incentivization route because that felt like there was more innovation
available. But cryptography has surprised me immensely with all the crazy creative things that have
come up. STARKs are relatively recent. And there are more papers coming out that are starting to
suggest that STARKs are not even close to as good as we can do and that we can do much better with
no trusted setup. And so I think that really, I think we just have to wait a little bit. And cryptography,
especially in 2019, showed that there is so much room for improvement and so many exciting new,
mathematical ideas being created, that I think that we will have the answer to,
how do you make a good Zcash? How do you make a good Aztec? How do you make a good VDF?
How do you get random numbers without trusted setup? And I think that, you know,
three, five years from now, we'll have great answers to all of those questions and that we
won't need trusted setup and that we can do everything that we want to do today, five years from
now, using much safer cryptography.
Cool.
So to wrap up, I have two questions.
One is, do you use like Zcash or anything like that?
Yeah, I was going to say, I don't.
I'm actually pretty strict about what protocols I engage in.
Or like if I do use something like, say, Zcash or Ethereum,
I try to minimize my exposure to a couple of minutes.
And so I get the currency and then I trade it out as fast as possible.
So yeah, generally no.
I'm curious.
Why is that?
Yeah, I think that the systemic risk of most of these platforms is just grossly underestimated.
So, like, recently, DeFi has had a lot of black swans.
In my opinion, they're not black swans at all.
It's something we can expect to happen quite frequently just because these protocols have not been designed to be as robust as everyone thinks they are.
And so I want to minimize my exposure to being on a platform that has all of its money drained suddenly and unexpectedly.
because I think a lot of these things that are out there today
are eventually going to get taken for the entire market cap of the thing.
And then, so to wrap up, to bring it all back,
is there anywhere in the Skynet or Sia architecture
where you anticipate using Zero Knowledge Proofs eventually?
I mean, so the dream would be to get Sia to be fully anonymous,
which is a little bit out of reach right now.
But you can imagine leveraging the hosts to set up onion routing circuits.
We have a bunch of techniques we've generated that we've come up with in-house
that would allow us to emulate Tor with hopefully better privacy
and massively better latency, close to centralized web latencies,
with privacy that's superior to Tor.
But then the coin situation still ends up being a problem
because if you're paying people and you're using traceable money, that's not anonymous.
And so definitely on the Sia platform, we would like to get to a point where the whole thing is anonymous.
And I think, you know, that's probably not going to happen in the next three to five years.
We're waiting for more cryptography to come out, more techniques to come out.
And also just for the platform in general to be more mature.
But yeah, we do hope to use a lot of this stuff in the future, especially STARKs and related technologies.
I'm very excited about, and I hope that we get to employ them at some point.
Cool.
Thanks a lot, David.
And thanks for coming back on and sharing these updates about Skynet and also sharing your thoughts about trusted setups.
Absolutely.
It's always great to be with you guys.
Thank you.
Thank you for joining us on this week's episode.
We release new episodes every week.
You can find and subscribe to the show on iTunes, Spotify, YouTube, SoundCloud, or wherever you listen
to podcasts. And if you have a Google Home or Alexa device, you can tell it to listen to the latest
episode of the Epicenter podcast. Go to epicenter.tv slash subscribe for a full list of places where you
can watch and listen. And while you're there, be sure to sign up for the newsletter, so you get
new episodes in your inbox as they're released. If you want to interact with us, guests or other
podcast listeners, you can follow us on Twitter. And please leave us a review on iTunes. It helps people
find the show, and we're always happy to read them. So thanks so much, and we look forward to being back
next week.
