Epicenter - Learn about Crypto, Blockchain, Ethereum, Bitcoin and Distributed Technologies - Zooko Wilcox-O'Hearn: Zcash – An Open Financial System with Privacy
Episode Date: March 14, 2016
For Zooko Wilcox-O'Hearn, part of the cypherpunk movement since the early 1990s, the vision of a decentralized financial system that has both openness and privacy has existed since long before Bitcoin. After many failed attempts, Bitcoin proved that that vision could be achievable. But Bitcoin also failed to deliver on the privacy features, as blockchain analysis allows tracing movements and deanonymizing many users. Zooko joined us to discuss his project Zcash, a fully anonymous cryptocurrency that is scheduled to launch in July. Through Zcash's use of ground-breaking zero-knowledge proofs (zkSNARKs), the blockchain will leak no information about senders, recipients or amounts. It was a fascinating discussion of the most anticipated launch of a cryptocurrency since Ethereum.
Topics covered in this episode:
Zooko's long cypherpunk history
How overconfidence derailed many cypherpunk projects
Why Bitcoin's privacy is broken and how Zcash provides true privacy
The too-good-to-be-true Zcash team
Why Zcash is based on a fork of Bitcoin
How the initial parameter generation creates a potential security weakness
Why Zcash believes in an evolutionary approach to designing cryptocurrency protocols
Episode links:
Zcash website
Why Zcash - Project Announcement
Zerocash: Decentralized Anonymous Payments from Bitcoin [PDF]
EB116 - Eli Ben-Sasson: Zero Knowledge Proofs
This episode is hosted by Brian Fabian Crain and Meher Roy.
Show notes and listening options: epicenter.tv/122
Transcript
This is Epicenter Bitcoin episode 122 with guest Zooko Wilcox-O'Hearn.
This episode of Epicenter Bitcoin is brought to you by the GTEC blockchain contest.
If you have an idea for a blockchain-related project, make sure you apply for your chance to win awards of 50,000 euros.
Go to epicenterbitcoin.com slash GTEC, that's G-T-E-C, to learn more about GTEC and how you can apply.
And by Ledger.
Now accepting pre-orders for the all-new Ledger Blue Developer Edition, a Bluetooth and NFC
touch screen hardware signing device.
Learn more about Ledger Blue at ledgerwallet.com
and use the discount code Epicenter to get 10% off your first order.
Welcome to Epicenter Bitcoin, the show
which talks about technologies, projects, and startups
driving decentralization and the global blockchain and cryptocurrency revolution.
My name is Brian Fabian Crain.
And I'm Meher Roy.
Today we are continuing with our series
on zkSNARKs and zero-knowledge proof technology,
and we are going to talk to Zooko Wilcox-O'Hearn,
who is the founder and CEO of Zcash.
Zcash is trying to implement a fully private,
fully privacy-aware, open financial system
using zero-knowledge proof technology.
So we are going to talk about how that will be built
and its consequences.
Before that, we'd like to have an introduction from Zooko.
So Zooko, can you tell us a bit about your background?
Hi there.
My background: when I was 19 years old, I discovered the Cypherpunks mailing list on this new thing I had just discovered called the Internet.
And there I became exposed to all kinds of grandiose visions of how the combination of the Internet plus cryptography, plus those two things becoming widely available
to billions of people, could have all kinds of fantastic consequences.
And I've been really fortunate in my life that I've gotten to spend almost my entire adult
life working on those things that I love.
And the development of Bitcoin was a breakthrough that a lot of the cypherpunks, including me,
had dreamed of from the beginning, where the beginning is like 1993 or so,
and couldn't figure out how to make that dream real until Satoshi came up with it.
And so that breakthrough about what's technically possible,
combined with the community of Bitcoiners who were motivated emotionally and politically
and morally motivated to invest in it and make it important to their lives,
that is what sort of revived
the whole cypherpunk revolution in my experience.
So I was in London recently and I was talking with Ian Grigg there and we talked,
oh no, it was in Amsterdam, but anyway, we talked a little bit about the history as well of the cypherpunks,
and he sort of had this view that, you know, there was all this excitement in the 90s and then a little bit it got lost for a while,
you know, until Bitcoin came. Was that your experience as well?
Absolutely. There were many years when I thought I was the last lonely cypherpunk.
There were the boom and bust cycles of the internet industry during those years.
And there was a widespread narrative that privacy is dead and no one cares.
And that's what, from my perspective, was completely upended by the Bitcoin phenomenon.
So is Bitcoin something that when it came about, you were immediately like, yes, this is what we have been waiting for.
This is amazing.
Or were you also, because a lot of people, you know, we've talked with, especially cypherpunks, you know, were initially quite skeptical.
And it was like, oh, this doesn't make any sense.
It's not going to work.
What was your reaction?
I was somewhat skeptical.
Those people, including me, were skeptical because we tried and tried and tried.
I struggled for maybe 12 or 14 years to come up with something like Bitcoin,
and I couldn't figure out any way to make it work.
And so when I very first saw it, I was skeptical because, for bad reasons, I misunderstood it.
I think that's common for a lot of people.
But I also thought it was a good stab in the right direction, right?
Like I think progress is made by a lot of variety of small mistakes on different people's parts.
So I liked it.
And I'm the author of one of the earliest blog posts to ever mention Bitcoin on the internet, probably.
And what I said about it in this tiny little, like, one-paragraph blog post, well, I talked about why an open financial system would
be important if it could exist. And then I said, and here's Bitcoin, which is an actual attempt to
implement and deploy it. So that's one thing that I think goes a long way that is hard to appreciate,
is that deploying a thing to users and having a feedback loop of users using it and changing what
it does and changing the way people use it, that's a completely
better way to learn than theory and analysis.
So, Zooko, like, you are very active on Twitter and you tweet a lot every day and you tweet
very interesting stuff, which is, I think, very important for the
Bitcoin community as well, because you have such a big body of experience in this field.
And there was one of the tweets that I would like
to read out and then ask you, what does it mean? Can you state it differently? What does it
mean? Was it one of those drunk tweets? So hopefully not. So you tweeted one of these days,
and this was your exact tweet: "I recognize that mistake. I've worked on so many things,
starting with DigiCash, where we thought we were so special that we couldn't lose at all.
However, it's never enough.
We can always lose.
It's never enough.
It's never enough.
And we have to try harder.
So are you trying to send a message to the Bitcoin community?
And if so, what is it?
Yeah, I really feel that.
There's a thing that my community has made a mistake over and over that I've seen for two decades now,
which is a feeling of, yeah, inevitable success based on some argument.
Like you have a special feature that nobody else has.
And by you, I could mean either like a company that's making some product,
like DigiCash was a product.
It was a privacy preserving internet currency in the 90s.
And the narrative at DigiCash was that
people would eventually need to transact on this new internet thing that people were starting to use more and more,
which at the time was pretty much a non-commercial world,
and that they would never be able to use credit cards and bank accounts and things like that for that purpose,
for various reasons, especially privacy,
because no one would ever be willing to risk their credit card number by typing it in to a web browser.
Therefore, DigiCash was the only game in town.
And that turned out absolutely wrong in practice, right?
And therefore, all of the science and product development and work that we did at DigiCash didn't reach people directly.
It may have had indirect effects by other people learning from it and so forth.
But that as a product and as a company was a failure.
And I've seen the same kind of thinking over the years in many different fields of this sort of cypherpunk privacy preserving individual empowering technology.
And it's based on a good reason that empowering individuals really is valuable and important.
And there are often not very many competitors that are also trying to empower individuals.
but it's not sufficient.
That doesn't make you win, right?
And I think at least whenever I wrote that tweet,
I wasn't drunk, by the way,
but whenever I wrote that tweet,
I was perceiving the Bitcoin community
or some specific people, I suppose,
I don't remember who,
as having that same overconfidence.
That Bitcoin is so special
and does something that nothing else does.
And therefore we can take our time
to do it right, or whatever.
We don't have to worry too much about some aspects.
And I think that's really wrong.
What I meant by it, that we have to try harder, is mostly that we have to connect to more and
more users.
And by connect, we have to give them whatever it is that they really want that they can't get
from anywhere else.
I completely agree.
And it's interesting, you know, having gotten into Bitcoin
in 2013, just sort of before it was all taking off at that time, I made that same mistake
in a way that, you know, I would see a lot of, you know, the flaws of the existing
system and then you see this vision of a different world where everybody uses Bitcoin and everything
works so much better in many ways.
And it's really obvious to see that.
But sort of like how you get there isn't, it's not obvious at all.
But, you know, somehow a lot of people,
including myself at that time, you know, make the assumption that because the end destination is a, you know, consistent vision that's compelling,
therefore we must also get there and be on the way, which is completely wrong.
That's really well put. Yeah, it's such an inspiring vision, and it's good to have an inspiring vision, but it's not sufficient.
We have to try hard to get there, and we might fail, but hopefully we won't.
Okay, so now let's dive into Zcash.
First question is, why are you building Zcash and who are you building it with?
Yeah, starting from when I was literally 19 years old, so more than half of my life ago,
I discovered the science papers of David Chaum, the great cryptographer, who's the father of most of the crypto ideas that protect privacy on the internet.
And specifically his papers about privacy-preserving
money. And starting from then, my great inspiring vision that I thought was so wonderful
was an entire world of humans that were freed to collaborate and cooperate with one
another by an information system, namely the Internet, and a money system that allowed them
to find and organize with whoever wanted to work with them.
I thought that was so important because I think almost everything that we all value in life,
like having good relationships with our families and having education and peace and safety
and the opportunity to learn and accomplish new things and grow as people.
All of that depends on the economy,
depends on having opportunities provided by collaborating with other humans
productively.
So starting way back then, I thought that was the best, most important thing I could imagine.
And that thing is an open financial system with privacy and fungibility.
And then, but it wasn't possible.
It was a vision that there was no path to until Satoshi solved the open financial system part of it for the first time with Bitcoin.
And then the scientists who came up with Zerocoin and then Zerocash added in privacy and fungibility on top of an open financial system, which is easy to say in one sentence, an open financial system with privacy and fungibility,
but it requires some real technological and cryptographic breakthroughs to actually make that real.
So that's why I'm working on Zcash.
Did I answer the question?
Yeah, it definitely does.
I mean, like with Zcash, it's like we have an open financial system and we have privacy.
It's like we have two things that are really that seem contradictory in a way.
You know, you need an open ledger so that we can validate it.
but we also want privacy and it seems like mutually contradictory
and it might have seemed so to Satoshi as well,
whoever he or she may be.
But it's like beautiful and interesting that this is actually possible
and that we are going to build it as a community
and we're going to popularize these kinds of systems.
That's an amazing thing.
Now, there was, though, a second part to the question,
it's like, who are you building this system with?
What's the team?
Oh, well, it's not just me.
The thing that I'm proudest of so far in my experience as CEO is recruiting the best people and keeping them on my team.
We have five engineers.
You can go to z.cash, which is our website.
z.cash is a pretty cool domain name.
And the team page on there shows all of the people currently contributing.
We have five engineers who are super great
security hackers and crypto hackers.
They're a really rare breed.
And we have all those scientists who invented those protocols,
including Eli, whom you previously had on the program.
And I have to say that when we announced
the existence of Zcash a little while back,
my second favorite coverage of it in the press
was the fact that it was in the printed edition
of Wired, because I started reading Wired when I was like 18 years old, you know,
when the first edition of Wired came out. And I was able to go down to my local supermarket and
take a photograph of the physical dead-tree edition of Wired with Zcash in it on the shelves there.
But my first favorite press coverage was a Bitcoin blogger who wrote a blog post saying there's
this new announcement of this thing called Zcash, but there's something fishy about it.
I think it might be a hoax announcement because the team is too good to be true.
I love that.
I feel the same way.
Yeah, that is amazing.
So how do you explain Zcash?
The first simple explanation is to say, well, you know about Bitcoin, right?
And the person you're explaining it to says, oh, yeah, I know all about Bitcoin.
It's an open ledger.
And the simplest explanation of Zcash is to say it's an encrypted open ledger.
So all of that data is there in a canonical, replicated global ledger,
but all the data is encrypted and can only be viewed by the right people.
That's the simple version.
And let's also have the complex version, because we did zkSNARKs now.
So for our viewers who are
viewing this episode first, you should
maybe, for this section, go back
and check out our episode with
Eli Ben-Sasson, who is a professor at
Technion, and he explains the
fundamental primitive, the fundamental
cryptographic primitive that
Zcash uses, and that's called a
zkSNARK. It's something like,
in the 70s you had the invention
of public-key cryptography
that didn't exist before that, right?
And public-key cryptography created new
kinds of systems that, like, pioneers in the 60s couldn't have imagined. And our generation's, like,
the thing that is coming in our lives, which is like public-key crypto, is this thing called a
zkSNARK. So you should go back and see what it is, and it's needed for this podcast. But assuming
that that section is there and people, our viewers, understand what zkSNARKs are, like, describe
how the ledger works using that terminology one layer deep.
Okay.
Yeah.
So for the purpose of this discussion,
SNARKs, also known as zero-knowledge proofs,
are a way to prove some sort of computational fact about some data without revealing the data.
And so the way we're going to use it is that there's a fundamental,
like you said earlier, sort of fundamental contradiction between an open system and a privacy and
fungibility preserving system. And the simplistic description of Zcash is an encrypted open ledger.
If you're familiar with Bitcoin and cryptography, your eyes start narrowing and you say,
wait a second, you can't have an encrypted open ledger because
the miners and full nodes won't have any way to validate transactions.
So they won't be able to reject invalid transactions from the ledger.
So that's the fundamental problem that SNARKs are a solution to.
So a SNARK, since it can prove some facts about some encrypted data without revealing the encrypted data,
we can use it.
So the simple model that I use when talking to people is that Bitcoin is an open ledger of sender address, recipient address, and amount transferred.
So it's like a database with three columns, a spreadsheet with three columns.
And Zcash is the same, except all three of those columns are encrypted.
And then it has a fourth column, which is the proof, or the SNARK.
The proof is a proof that the data inside the encryption in this row correctly satisfies some validity constraints.
And the constraints are the obvious thing: that the sender did have that money and hasn't double-spent it to someone else already.
So that's one layer deeper.
It gets a lot more complicated the closer you go into the protocol.
But that's an accurate enough description of the Zerocash protocol.
And it explains why SNARKs are a necessary component of it.
Let's take a short break to talk about the GTEC blockchain contest.
GTEC, the German Tech Entrepreneurship Center, is a new center in Berlin for entrepreneurship,
and they want to support exciting projects happening in this space.
So that's why they're running a blockchain contest together with RWE,
which is one of the largest energy companies in Europe, and Globumbus,
a foundation supporting entrepreneurship.
You can participate by submitting your idea for your project
and win up to $50,000 in free grant money.
That's equity-free.
Just take the money and do what you want with it.
Anybody can apply, whether you're an early stage startup
and perhaps you just have an idea, a blossoming idea,
or you can apply if you've already raised funding and are well on your way to becoming the next
multi-billion dollar company.
And anybody can apply whether you're in Berlin or Siberia, in Shanghai or in San Francisco.
There are no geographical restrictions.
And anybody who applies can win up to 12 months of free office space in Berlin, free mentoring,
legal support, et cetera.
Of course, that's totally optional.
If you want to stay in Siberia and work on your blockchain startup, you can also do that.
The application deadline is March 31st, so make sure you
submit your idea as soon as possible. You can learn more about the contest and apply by going
to epicenterbitcoin.com slash GTEC. That's G-T-E-C. And we hope you'll win. We hope you'll make it to
Berlin to collect your money and that we'll get to hang out in person. Now we would like to thank
GTEC, RWE, and Globumbus for their support of Epicenter Bitcoin.
So perhaps we could, like, walk through different perspectives, right?
Like in Bitcoin, in order to describe Bitcoin, the way I would do it
is I would put the person I'm trying to explain it to in the shoes of a user,
the shoes of a recipient,
then the shoes of a miner, and then the shoes of a full node owner,
and then once he understands all the four perspectives,
it's like, okay, this is how the whole system connects, right?
So perhaps you could do the same for Zerocash, right?
Well, it's mostly the same as Bitcoin, right?
The miners and full nodes in Zcash are,
ideally, validating all the transactions.
The miners are also adding proof of work on top of the transactions
and getting a reward from the
monetary base distribution schedule.
This is all the same in Bitcoin and Zcash.
So the difference from the point of view of a miner,
well, for one thing, we're going to change the proof of work.
I can get to that later if you want.
But the other thing is, the main thing is that the miners are also,
as part of the validity checks,
checking the zero-knowledge proofs that are attached
to each private transaction.
So that's the only difference from the point of view of a miner.
Does that make sense?
Yeah.
And so what about a full node?
It's the same except if you have the private keys that give you access to transactions,
then you can detect that some of these encrypted transactions are money for you.
So that means you have to check every single transaction, right,
if there's some money in there for you.
And also, for example, you know, it's easy for, let's say you have some web wallet.
And the web wallet, of course, knows, you know, what are the private keys, what are the addresses that you own.
And, you know, you can.
Just let me interrupt.
Does a web wallet mean you're a dumb, like, web browser and you're relying on some third-party service to hold your private keys?
It could be either, I guess.
So it could be something like, you know, blockchain.info, where the private keys are in your browser, encrypted, right?
But it knows what public keys you have.
It can ping an API and know, okay, here's a balance.
So this isn't possible, right?
So this is what they call a light client.
Right, yeah.
Yeah, or an SPV client.
They might call it.
Or it can even be simple.
I mean, if you're blockchain.info, it's not even a light client, right?
It's just, because it doesn't do SPV proofs.
So even you can just ask an API.
Yeah, there are different sort of levels of delegation of vulnerability to a third party
that different kinds of more or less light clients could use.
I don't know for sure all of the consequences of Zcash's privacy for light clients.
Maybe some of the other members of my team have, I know some of the other members of my team have,
thought more carefully about light clients than I have at this point.
So for example, let's say, so for convenience, let's imagine, like you said, a spreadsheet, right?
So a spreadsheet has three rows.
The first row is the public key or address.
So, you know, it would be like Zooko's address, Brian's address, Meher's address, and so on.
The second row has the value.
Generally, in Bitcoin, you would imagine it as having value, right?
You mean column, right?
Yeah, if it's a spreadsheet laid out that way.
Yeah, fine.
So, column.
So the second column has value.
And with Bitcoin, the way, so if I want to send money to Brian,
what needs to happen is in this spreadsheet,
let's say I'm sending five Bitcoins to Brian.
Then from the row corresponding to my address,
five should be subtracted.
And then it needs to be added, like plus five to the row
in which corresponds to Brian's address, right?
And so to do this, I create a transaction,
which is essentially a way of me saying to the Bitcoin network,
hey, subtract five from mine and add five to Brian's row,
and then I sign it with my private key.
Now, when I do this signature,
some node can actually check my signature,
and because it has this spreadsheet, open spreadsheet,
it can go and say, okay, Meher has enough balance,
like enough money to make this transaction.
So let's subtract from him and add to Brian.
Now in Zerocash, what you're saying is this spreadsheet looks a bit different.
So there is the account number and there's the amount, but it's encrypted.
So there's one row corresponding to Meher's account and amount,
but that's encrypted.
So the node or the miner doesn't know how much the actual value is.
And similarly, the row for Brian is like that.
So I need to create a transaction and the miner needs a way of knowing that I have enough money.
And is this the part that zkSNARKs are solving?
Yes, that's what the SNARKs are for: to make it so the miner can reject a transaction from someone
if their private key doesn't actually control enough money to make this transaction.
So it would be, I think it would be too much detail to go down another level of detail
and talk about the actual layout of the values in the crypto protocol.
But the effect of it is the fourth column in that ledger is a proof which,
because of the amazing properties of zero knowledge proofs,
we know that, so we don't know the sender address,
the recipient address, or the value transferred.
But we do know that nobody could have created this here proof
in the fourth column.
I'm holding my hand out over here.
Nobody could have created the proof that comes with the other
encrypted values unless they have a secret key which controls sufficient value to cover the amount
that's getting decremented.
So basically, like a Zerocash transaction, like if I look at a Zerocash transaction, this could
be anybody in the world sending money to anyone else in the world.
And it could be a billion dollars or 50 cents and it all looks the same to me, or it looks
similar to me. It looks garbled. Right. And that's a good example of the difference between Zcash and the other
privacy technologies that are for adding privacy to open ledgers. There's a lot of them with different
kinds of tradeoffs. But Zcash is the only one that is sort of universal. Like all of the information
has been hidden through encryption. Well, almost all. Like, as much as
you could do with cryptography is done by this in terms of omitting information from leaking into the
public blockchain. And just as you say, that means that the sort of bundle of transactions or key
holders that your actions are mixed in the crowd with is everyone. It's like the biggest
possible crowd. It's all users of the system. Now, there is still some information that can leak
in terms of timing and in terms of blockchain, like how up to date you are on the blockchain.
Okay? But that's sort of inevitable because of the fact that time passes and blockchain
synchronization takes time. So by which I mean to say, if you make a transaction and then someone
else joins the network later and buys some Zcash and they make a transaction, someone can tell
the difference between those because they happen at different times, right? So there is information
just about the times that transactions happen. So if you're like Chainalysis and you're
looking at the Zcash blockchain, I don't think it's a very interesting visualization. It's just a
sequence of timestamps of when a transaction occurred. So just briefly,
So with blockchains and with Bitcoin, there's a whole range of things that people are excited about.
But one of them has also been actually the aspect of transparency.
So, you know, many people have been excited about, for example, the idea of, let's say, a nonprofit that is purely Bitcoin can, you know, run their accounting fully public.
Everybody can inspect it.
Or one can also imagine a lot of other scenarios where, you know, I make a payment and I want to
prove to some other party that I made that payment. Does Zcash remove all of these possibilities,
or can I selectively prove to other parties certain things about transactions I've sent or received?
Yeah, absolutely. It wouldn't even be possible, really, with cryptography to, I don't think it would
be possible to make a system where you couldn't prove things to other parties, because
you have secrets controlled by your client software,
and if you reveal those secrets or some cryptographic derivative of those secrets to another party, that can serve as a proof to the other party.
So this is a part of the Zcash design, which is not finished, at least not as well sketched out as I would like it to be.
There are different levels or kinds of being able to selectively reveal information to other people.
In the current Zcash design as it's currently running on our alpha testnet, you can reveal specific transactions, and anybody that you reveal them to is able to look at them in the blockchain and verify the cleartext contents, right?
Because every row in this encrypted ledger is encrypted with a separate encryption key, right?
And so if you reveal the decryption key to one of those rows to someone else, that allows them to see that transaction in the ledger.
Makes sense?
So that's sufficient, I think, for like the proof of payment use case and maybe a lot of use cases.
The overall term for this kind of thing that we use is selective transparency.
Like Bitcoin is mandatory transparency all the time.
And if you want to get privacy, you can try to kind of claw some back with various techniques.
But you're starting with everything being transparent all the time.
And it's a common misunderstanding for people to think that Zcash is the opposite.
And it's everything confidential all the time.
Instead, Zcash is selective transparency where you can reveal the specific things to specific
people. And revealing those things, of course, doesn't create any vulnerabilities that, you know,
I can prove I got this money, but then also it means that the other person can steal my money.
There's nothing like that. Right. So in the current version of Zcash, you can reveal specific
transaction, the history, the past, the current existence of a specific transaction in the blockchain
without giving away any other of your authority to control your own money or other information
of your history.
I'd be interested in people's feedback about a possible future extension to Zcash that we've
sketched out a lot of the cryptography of it, but we're probably not going to put it into
Zcash 1.0 for mostly for engineering timeline reasons.
And that would be what we call a view key, which is a thing you can give to someone to reveal all of the transactions associated with a specific payment address.
The thing that I'm wondering about is, are there use cases that are important?
Like I imagine you said the nonprofit example earlier, where you want to prove to the world that, like you want to show the world an accounting of all of the donations you're received.
and/or you might want to show the world
an accounting of what you're spending it on.
Or maybe only one of those two.
And similarly, like a company or a business partnership
or a nonprofit, a nonprofit organization has a treasurer,
and that's the only person who's authorized
to spend the club's money, right?
But all of the members of like the board of directors
or whatever of that club are authorized to
view whatever the treasurer does do with the money, right?
So that would be a use case for what I call a view key,
which is where the treasurer would have the spending key,
and we give to all of the members of the board of directors a copy of the view key.
And with the view key, they could tell all of the transactions that that spending key has done.
But that's not currently in the current protocol for Zcash.
But I can't tell if the kind of selective transparency that is currently in the Zcash protocol is good enough for the use cases. That's the kind where you can selectively reveal specific transactions. See the difference?
Yeah, yeah, I can see the difference. I mean, it's something we wanted to circle back to briefly later, the sort of application of, you know, Zcash in other areas, or, you know, technologies like
that, but I can especially see when you start getting into, like, more complex smart contract
type things that, you know, the selective revealing of information is going to be really
critical. So having a lot of capabilities there will probably be extremely valuable.
Yeah, that's what it feels like to me too. It kind of feels like to me that,
with the right selective transparency functionality, Zcash
is a superset of Bitcoin's functionality.
Because the canonical shared source of truth property
in Bitcoin, it's also an Ethereum,
but Bitcoin is the pioneer of it.
Having a shared source of truth is a novel
and potentially really valuable, powerful tool.
And it feels like to me there's an even more general purpose
and more powerful tool that could exist.
which is the shared source of truth blockchain,
but you can only see the subset of it
that you're allowed to see,
given the view keys that you can peer through
to look at the blockchain.
So I'm very interested in that use case.
And that's probably,
like we're going to ship Zcash 1.0 very soon,
and it's going to have the aforementioned limited form
of selective transparency.
I didn't want to get into too much detail, but there's also a possibility in Zcash 1.0 to share a key that reveals,
I think, I could be wrong, but I'm like 95% sure at this point that there's a way to
share a view key, a kind of view key that reveals all of your incoming transactions,
but not your outgoing ones.
And also only the ones that, yeah, that's basically the fact.
So I think, I'd be interested in your and other people's feedback on this.
I think the notion of a shared canonical global source of truth with overlapping controls
over who can see which subsets of the truth is potentially really important.
And what we're about to ship in Zcash 1.0 is sort of the first step, which it solves at least part of that.
But I'd be really interested in whether that's good enough for specific use cases.
Yeah, I mean, so if you look at the smart contracts, so I, you know, I work for ERIS.
So there's a lot of, you know, thinking of smart contracts and, you know, how one can implement complex processes there.
And there, that's, I think, really critical because the privacy,
selective revealing thing is really complex and it's going to be really important.
So, yeah, I think this is.
Because when you add smart contracts, it's really important because then you need to delegate to,
it seems like to me that if you have, if you're using smart contracts,
then you need to give computer programs the ability to view certain subsets of
the blockchain's source of truth, right?
And I think it's really important when designing such systems
that you're able to give computer programs the ability to view what they need to view
without thereby giving them the ability to view other stuff.
Because if they get unnecessary excess authority to penetrate confidentiality,
then that can be exploited.
That makes sense.
Yeah, yeah, that definitely makes sense.
I mean, yeah, it looks like, it does look like a superset of Bitcoin.
of the performance characteristics of this system.
So let's say I want to spend some Zcash, right?
And I want to send you some Zcash.
How much time does it take for me to create a transaction?
And how much time does it take for the miner
to verify that my transaction is correct?
The current alpha code that we have running on a testnet,
it takes about a minute or two of CPU time
to generate a new privacy-preserving spend,
and only a few milliseconds, I think, to verify.
The latter part is really good performance,
and that's really important because all the full nodes
and miners have to be doing all those verifications all the time.
The former part is pretty bad
because it takes a whole minute or two on, like, a laptop,
a 64-bit high-powered supercomputer of a CPU.
It also takes a ton of RAM, probably
more than four gigabytes of RAM, I think.
We haven't measured it precisely yet, to generate a new spend.
So that is totally prohibitive for certain use cases, like generating a new spend on your
smartphone, for starters.
And anything that's got a real low latency requirement where you get incoming money
that you receive and then like a millisecond later, you need to spend that money to someone
else right away. So that's totally impossible with the current protocol. But there might be ways
around it because if you can receive, if you have a buffer of money, you can spend it using a
privacy preserving payment so that there's no linkage between where it came to you,
then you can privately spend it to like a new address, right?
So there's no linkage in the blockchain between where you got it and that new address
that currently controls it.
And then you could do a non-private spend of it directly from that address.
This is the thing that we haven't talked about in this podcast, but Zcash contains
all of the Bitcoin protocol.
It's a clone of the Bitcoin codebase,
and it's a superset of the Bitcoin protocol.
It's the Bitcoin protocol plus the privacy-preserving spend.
So that's the only one, the new transaction,
is the only one that has better privacy properties.
Everything we talked about the encrypted ledger
is only when we're talking about the privacy preserving spend transactions.
Make sense?
So you have the option of doing a privacy-preserving transaction, but you also have the option of not doing one.
Right.
And just doing a regular transaction that would be as fast and it's easy to generate as a Bitcoin transaction.
Exactly.
And you get exactly the same privacy properties as you got from Bitcoin with those kinds.
But potentially better because the existence of the privacy-preserving transactions means
that they break the links of the chain of transaction history.
Makes sense?
So if you're looking at like one of those chain analysis views,
if there's a series of globally transparent transactions
that don't use the privacy feature, you can see them.
So if you're looking at, if you had some kind of visualizer,
like chain analysis, and you pointed at the Zcash blockchain,
you would be able to see chains of transactions
of anybody who, of any series of transactions that use the global,
globally transparent protocol.
But whenever that chain terminates in a privacy-preserving transaction,
one of the Zcash spends,
then you don't know, like, where else in the whole blockchain it went.
Right?
So, except modulo those timing issues I brought up earlier,
it really protects the privacy
and the fungibility of the whole system,
even though there are short chains of globally visible transactions.
So the main reason, there's several really good reasons
why we're keeping the globally transparent protocol in there.
One is backward compatibility.
If you are running a product or service
or hacking something on top of Bitcoin right now,
you can switch or add Zcash as a back end.
And it's all the same.
Everything continues to work the same as it did before.
And the other is that there's a bunch of functionality in the Bitcoin,
or the globally transparent protocol, that we can't do with the privacy-preserving spends,
like multi-signature transactions, right?
Those are really, really important in Bitcoin.
There's a lot of really cool things being built with multi-signature transactions.
And so Zcash can do multi-signature transactions using the globally transparent subset of the protocol.
But when you want to do a privacy preserving spend, you can't do multi-signature.
You can just do a direct payment.
So, okay, that seems like a very, very interesting point.
So before we go on, I'm just translating what you said right now into another language.
It's like, suppose, let's say I own 100 Bitcoin, and every month I
realistically spend two or three,
most of the money I don't spend.
So what I could do is
keep most of my 100 Bitcoin in the privacy
part of the ledger
and at the beginning of the month
bring out, say, the three I want to spend
in the public part
and I can spend these three
like normal Bitcoin, very fast transactions,
etc. And if there's some balance
left over after the month, like let's say
that's 0.2 Bitcoin left over,
I could then put it back into the
privacy section, private section of the ledger as well. So somebody can't figure out that I actually
own a hundred Bitcoin.
Well, that's correct. That's what I said. I do want to emphasize that
we don't know for sure. That kind of, when you use Zcash like that, it kind of moves you a little
closer to those lesser privacy solutions out there, where it seems like it should be pretty safe,
but exactly how safe it would be would depend on how smart your attacker was and how much they knew about you, right?
Because if there's somebody who's like targeting you, like there's a criminal that's planning to extort you or rob you or something,
if they know stuff about you, like if they can tell what times of day you connect to the internet or what kinds of things you like to buy with your money or other information,
they might be able to correlate that with the transaction information that's revealed by the hybrid usage that you just described.
Okay.
So it's not, earlier I said that Zcash offers sort of the maximal possible privacy that cryptography can provide.
And that is true if the only thing you ever do with it is the privacy protecting spends.
Right.
then you're putting as little information as possible about your behavior into the blockchain.
But because, like you said, like you asked about the performance, the current implementation
and the protocol itself has these performance consequences, which may preclude using privacy
protecting spends on, like, all devices or in all use cases, plus which everybody might need
multi-signature transactions sometimes. And so we can't do those with privacy-protecting spends right
now. So it's more complicated in terms of the safety analysis.
Let's take a short break so we can go to Paris. I stopped into La Maison du Bitcoin, situated in
the heart of Paris's startup scene, and I met with Eric Larchevêque, Ledger CEO, to talk about
the Ledger Nano. The Ledger Nano is a Bitcoin hardware wallet based on a secure element.
It is on a USB form factor that you plug directly into your computer, and it
will manage all your private keys.
The signature of transactions will be done inside the secure element,
thus never revealing the private keys to the host computer.
It is compatible with our own Ledger Wallet Chrome app,
which you can also use for multi-signature with Copay or Coinkite,
and a large range of third-party applications such as Mycelium,
Electrum, GreenBits, GreenAddress, and so on.
The Nano also exists as a cool bracelet wearable,
so you can always wear your bitcoins proudly on your wrist.
The Ledger Nano is an easy-to-use hardware storage option
which doesn't compromise on security.
If you want to get a secure setup for storing your Bitcoins,
go to ledgerwallet.com and use the offer code Epicenter to get 10% off your order.
We'd like to thank Ledger for their support of Epicenter Bitcoin.
So let's move on to a couple of questions people have about Zerocash. These are kind of
challenges to the system. So one of the questions is that,
for people who have been in the Bitcoin space for a long time,
they might remember that in 2010, very early days of Bitcoin, there was an event
where a guy figured out how he could create billions of new Bitcoin, like he
could easily cross the 21 million limit. This was because
he could create a transaction that the miner would accept as valid, and that transaction
would end up creating new bitcoins. And then Satoshi at that time and Gavin figured out that
such a thing could exist, like this person told them so, and they changed the protocol to
not allow that kind of transaction to go through. So this wasn't the case of an implementation
bug where somebody could create bitcoins, because the rules of the system were not, let's say,
as proper as they should be.
Now, in something like Zerocash, if there's an implementation bug like that,
then the attacker could create coins, and those coins would be
completely private. So nobody would be able to even know
that new coins were created.
Like, if Zcash was released and I figured out an implementation bug like that
and I created new coins, I could basically keep on creating
them all my life and live a good life just on that, but the other people suffer inflation.
So this kind of seems to lead to the expectations that like zero cash has to be very,
very well engineered and almost be like bulletproof against these kinds of things.
Do you think there's some other way by which you could address this doubt?
That's a really, really good question.
That's one of the things that I'm most concerned about.
Now, for starters, Zcash is really, really well engineered.
We started by cloning the most recent, or a recent, version of Bitcoin Core.
And that, and the reason we did that is because Bitcoin Core has been running in production for so many years, right?
And bugs like that, of which there has been more than one, security bugs
of various kinds, have been found and fixed.
And a lot of people have studied it and audited it.
And we have higher confidence that there aren't a lot more such flaws in Bitcoin's code base.
Likewise with the code that we're adding to do the privacy preserving transactions, we're being extremely careful.
Like I said at the beginning, my team is absolutely world-class experts at this kind of work.
And that doesn't mean that we don't make mistakes.
But we're doing a really, really good job
of being careful about things that risk
inserting bugs like that.
But that's not really very satisfying to me.
I don't like having sort of all of our eggs
in the prevention basket and none in the detection
and correction side.
But doing it like that, having no good detection of that kind of bug, seems like sort of an inevitable consequence of the strong privacy properties.
Anything that had such good privacy might also have such problems with public validation of the correctness.
That said, we have some ideas. Actually, I recently
blogged about some of these ideas.
We have some ideas of how we could extend Zcash in the future, possibly.
It might not work out.
It's one of those forefronts of science that you can't know in advance what is going
to turn out to be possible.
But it might be possible to do some kind of privacy-preserving auditing of the size of
the monetary base. That would probably reduce the privacy, well, probably
not the fungibility, it would probably reduce the privacy of the currency a little tiny bit, but very little.
And in return, we might be able to get better assurance that there hasn't been that kind of
counterfeiting of currency. It's definitely not planned for Zcash 1.0, right?
Our plan for Zcash 1.0 is just the simplest thing that could get privacy preserving payments into the world
in a real live blockchain as soon as possible.
But I am definitely concerned about that topic, and so I might prioritize it. If Zcash 1.0 is successful enough
that people want to use it and that it's valuable, then I might prioritize trying to further strengthen it
and add that kind of belt-and-suspenders extra defenses.
Well, Zooko, just before we started the episode, you talked a little bit about the sort of culture and the need to be open for change.
Can you share a little bit about how you and Zcash look at that?
Now, I'm not slagging the Bitcoin people.
I want to emphasize, as I've made clear all along, Bitcoin is wonderful, both as a technology and as a community.
and the Bitcoin devs and Bitcoin companies are my close collaborators and cypherpunk fellow travelers all along.
But there's a way in which the Ethereum culture has differed from the Bitcoin culture,
and I really like the way Ethereum's doing it, and I want to emulate that,
which is that the Bitcoin sort of ideal has sort of centered around getting everything right the first time
and then never changing the rules again.
And there's a lot of good reason for that because changing the rules introduces uncertainty, which can distort people's economic decision making.
And if the rules are mutable, then there can be harmful politics in which people try to change the rules for bad reasons, for their own self-interest or whatever.
But Ethereum has adopted a different culture, which I totally approve of, which is that these are early days and none of us know what we're doing.
The science is in its infancy.
And in five years, we're going to know so much more about what's possible and what's impossible
scientifically.
We're going to know so much more about what people value, how people use these things, whether
people use these things.
And so the Ethereum culture, from my perspective, and I'm no expert.
I could be totally wrong.
But it seems to me that the Ethereum people have sort of an informal social concept.
that we're going to be upgrading this year after year, and the new thing could turn out to be radically different from the old thing.
And culturally, we all accept that within Ethereum.
Now, the risks of damaging economic consequences or political exploitation, those two risks can, I think,
be controlled because there's no coercion in the system.
You can't force anyone else to adopt your new thing.
And so the only way you can get an economically meaningful new thing deployed is to get a mass.
It doesn't have to be everyone, but it has to be a lot of people for it to be economically
valuable to anyone.
And you have to get all those people on board.
They have to voluntarily consensually opt into using your new thing.
And so to me, that's the most important defense against an upgrading, evolving system being exploited for someone's illicit gain.
So in Zcash, what we're intending to do is communicate to our users that we're the evolving kind of project.
And if you're the get it right and never change it kind of people, that's okay too.
You can just pick one of ours and keep it and you don't have to upgrade to the next one.
But I'm hoping to get a large mass of people who want to continually upgrade their economic system with better and better features,
because there's a lot out there in the future that we want to add and improve.
Yeah, I mean, it stays that.
I myself kind of had had the feeling that the whole crypto space,
kind of Bitcoin, cryptocurrency people,
they're divided into like two camps of people that want like contradictory things.
And the problem is that both of them till today are focused completely on Bitcoin.
There's the one camp that just wants, you know, something like digital gold,
like something that exists and doesn't change and that's it.
And then there are people I identify with, and I'm part of that camp, which is like,
this technology is going to need 20 years to come into
society, and there are going to be loads of iterations on the way, and maybe the
thing that comes into society will be built by somebody who hasn't even been born yet.
So, yeah, the idea that we should fear hard forks is, to me, a strange idea. I mean, like
all pioneers do, like, us not hard-forking because people like
me who are running nodes won't do, you know, sudo apt-get upgrade, it seems a bit,
a bit strange to me. But, you know, the community is part of, like, there are these two
pieces to it. And I think Ethereum really does it really well. And I'm really happy to hear
that even Zcash would want to be in that direction.
Let me interrupt. I mentioned early on that I think there's so much to learn from the experience of the
empirical observations of real-life deployment. And that's why Zcash is almost identical to Bitcoin.
There are a hundred beautiful ideas, some of which some of us are the authors of, for experimental
new cryptocurrency concepts. And we, with great reluctance, decided we're not
going to do any of those in Zcash. We're just going to do Bitcoin plus privacy, just because nothing
else has the empirical evidence of having worked in the wild under attack for years and years.
But there's some new empirical evidence coming along, which is that Ethereum is working, right?
And so that's really, really valuable to me to be able to learn from two projects, which do
various things differently from one another, and they're both working to varying degrees.
So that encourages me to follow some of the Ethereum development model and governance model.
Well, Zooko, so we're at the end of our episode.
No, I want to keep going.
I know.
I know us too.
So we have like a whole lot of other topics that we wanted to talk about.
But fortunately, we'll have Zooko back on, you know, hopefully in the not too far future,
when Zcash launches. With that, there is one question we do have to ask before we wrap up.
What is the timeline here?
When do you expect Zcash 1.0 to launch?
Okay.
I'm going to swallow and take a deep breath.
July.
July.
Okay.
Excellent.
So we'll have you on latest by July, perhaps a little bit before that.
So we can talk about a whole lot of economic aspects around the currency.
some of the governance stuff
you've talked about, maybe how you can
actually make sure that Zcash keeps evolving,
how that's exactly going to work,
also proof of work,
how you're approaching that.
There's a lot of topics we want to talk about
and perhaps there'll be also some
new things on the technology level
that we can dive into.
So this was a fantastic episode
and I really look forward to coming back
and going even deeper into the topic.
Thank you so much.
I think this is a really exciting project and hopefully it's going to be one that we can keep coming back to.
Great. Thank you very much. I look forward to the next edition.
Okay, perfect. Well, thanks so much to our listeners for listening. We put out these episodes every Monday.
If you want to listen to them, you can get them in any podcast app you use, or you can watch videos on YouTube at youtube.com slash epicenterbitcoin.
And we're also part of the Let's Talk Bitcoin Network.
So check out some of their other shows at letstalkbitcoin.com.
And if you want to, you can leave us a review on iTunes or somewhere else
and just email us and show it to us at epicenterbitcoin.com.
And we'll send you one of those t-shirts plus stickers.
We have some stickers now.
So that as well.
So thanks so much.
And we look forward to being back next week.
Don't know.
Thank you.
