[AUDIENCE] Thanks for the talk, inspirational as always! I was wondering if you had any thoughts or comments
on the Edward Snowden interview? I'm sure you saw it. [ANDREAS] When was this one? [AUDIENCE] I'm not sure which one, but his comment
related to public ledgers being the biggest security flaw. [ANDREAS] Yes, transactions on open
public blockchains are [transparent]. However, they are not associated with identities directly. The identifiers are not IP addresses,
email addresses, or human identifiers. Bitcoin addresses cannot easily be correlated,
but we [need to] improve the privacy of the system. There is a lot of research being done already
to add layers of encryption, [to improve] fungibility, so that you can't trace transactions
from one [person] to another.
There are a few cryptocurrencies specialising
in privacy and doing advanced research. There are also some research projects
to improve the privacy of Bitcoin. Snowden is right [that Bitcoin or any open public
blockchain should not become] very broadly used, under adversarial conditions, with [the completely
transparent nature of] the blockchain today. That would be a privacy nightmare, just as the internet
going mainstream without encryption on the IP layer… was a mistake that has been exploited
very effectively by intelligence agencies. But I think we will add those encryption features
and make the system more private. Keep in mind, you must also consider
what you are comparing it with.
A great deal of the world [has adopted plastic cards]. Cash is being abolished in countries around the world; some European countries are still [mostly] cash
(Germany), others are now all digital (Sweden). I think over 95% of all transactions
[in Sweden] are using a plastic card. Every single one of those transactions is under full
surveillance, not just by one intelligence agency… but you can assume by [many],
simultaneously and surreptitiously. We already have a digital money future,
which is a totalitarian surveillance nightmare… that gives enormous power to a few people. We have an alternative; the public blockchain isn't in
a good state today, but we can make it more private. I would tie my horse to that one. "Re-anonymising UTXOs." K.J. asks, "My UTXO set is
tied to my personal identity, since I have been buying… from Coinbase after Mt Gox blew up [in 2014]." "Specifically, more than 80% of my cryptocurrency
holdings are wrapped up in a single UTXO." "What would be the recommended process
for splitting and obfuscating that UTXO, in order to separate it from my identity? Thanks." First of all, what is a UTXO?
UTXO stands for "unspent transaction output." That may sound like gibberish to you, but basically
a UTXO is the result of a bitcoin transaction, which [makes] an amount available to spend, but
hasn't been spent yet, as an output of a transaction.
A UTXO is a spendable amount that an address controls.
[Almost all] transactions create these UTXO. What K.J. said is, all or most of his
cryptocurrency in a chunk of UTXO. Because that came from Coinbase,
[that chunk of UTXO] is tied to his identity. Coinbase knows who he is and
has information about his identity; they presumably provide that information to various
analytics companies, who can track identities… and see [which addresses belong to who]. They know all of this bitcoin belows to K.J., who is asking how to make it [less] obvious to all of
these tracking companies that this is "my" [bitcoin].
First, an important disclaimer: in some countries,
trying to obfuscate your identity in that way is illegal, so you need to understand the regulations in the
country where you are. I don't know [where] K.J. is. In other countries, it is a gray area.
In the U.S., for example, it is not clear… whether using anonymisation services to
obfuscate the source or destination of funds… is allowed for private individuals. It is certainly not allowed for regulated institutions, who
must subscribe to regulations like KYC / AML, CTR, etc.
But if this is legal in your jurisdiction and you
are interested in the technology behind it… This is a key issue of privacy, the fact that [these]
blockchains are transparent and auditable by anyone… means that unless you take some basic precautions, you
could be creating problems for your [financial] privacy. What if you want the same modicum of privacy as
with cash, that humans had for thousands of years, when transacting in the first peer-to-peer currencies? There are a number of tools to do
that through various forms of mixing, whereby you collaboratively do a transaction with others,
putting all of your inputs into a single transaction…
With multiple outputs, so that it is not
obvious who is making which output… even though you can trace all of the coins going in. You don't know who they are going out to, which
makes it difficult for analytics companies to track you. This type of transaction with multiple
participants is called a CoinJoin, invented back in [August 2013] by Greg Maxwell,
and has since developed quite a bit. There are a number of software packages
that allow you to participate in a CoinJoin.
Probably the most current ones
are JoinMarket [and Wasabi Wallet]. There are other ways to obfuscate your ownership,
but if you buy from a regulated institution… that has Know Your Customer (KYC) regulations, that
has your identity, you are revealing ownership [of coins]. If you wanted to buy cryptocurrency anonymously,
you should have bought it with cash. It is very difficult, after a multi-year entanglement
[with] your identity, to pull back that breach of privacy. It is now known you have cryptocurrency. Even if
you obfuscate, people will assume you still have it. They just won't know which address [belongs to you].
It is not ideal, but there you are. If it is legal in your jurisdiction, you can
look into some of these [techniques], but be careful that you understand what you are doing,
because this may put you in some very deep, hot water. "Schnorr signatures and UTXO consolidation." Mark says, "I am excited about how Schnorr signatures
can improve privacy for multi-signature transactions… by summing up the keys so that it looks
like an ordinary, single payer transaction." "But how does this look with UTXO consolidation?" "Does Schnorr also provide increased privacy for
the individual? What would a UTXO consolidation…
With Schnorr signatures look like
in a blockchain explorer?" No, Mark. As far as I understand, you can't simply
use signature aggregation to do UTXO consolidation. The problem with UTXO consolidation isn't signatures,
although we could apply a single signature across… a lot of UTXO. The problem in that case is, you are bringing all of
the UTXO together as inputs in one transaction, which therefore associates them. You could construct that transaction to look more
as if it was a CoinJoin with multiple participants, sending outputs in multiple directions, and also
encrypt the values, that would be useful for privacy. But with Schnorr signatures on their own, I don't see how
that would provide increased privacy for the individual.
[AUDIENCE] I own a company called
ZPX, based out of Singapore and India. I first learned from your book about how bitcoin
is not anonymous but actually pseudonymous, that this [will] be a permanent
record of every transaction. You have these [privacy] coins
like Zcash, Monero, Grin, and Beam. What do you think the end state might look like?
Will governments let them exist in any form, or will they become extremely heavy-
handed given the [privacy] aspect? [ANDREAS] If governments could not let these things
exist, they would have already not let them exist. But there are some cautionary tales.
We [must] be clear
on what the risks are and what challenges are ahead. We are poking a $150 trillion bear with a stick.
At some point, it will turn around and take a swipe. If you think it has, it hasn't yet. Not at all.
Here is a little tidbit that will make you worry. E-gold existed longer than bitcoin
before [the U.S. government shut it down. With decentralized systems, it is not that they can't
necessarily disrupt or shut down one instance. They probably can given enough investment,
terror tactics, heavy-handed totalitarianism, drag-you-away-in-the-middle-of-the-night
and beat-you-up-with-a-rubber-hose tactics, which a lot of governments are absolutely
happy to apply in order to maintain power. But I think people who are beginning to
understand this technology know, if they do that, they will encourage a game of whack-a-mole and
become the trigger that causes punctuated evolution. There is not a strong enough reason to
develop privacy technology right now, because no one is really trying to stomp on it yet.
The moment someone tries to stomp on it,
all the incentives and money flows [will come]… to create a far more anonymous, stealthy, and evasive
system that responds to the threats which just arose. It is like a [directed] evolutionary system
with independent units that can be modified. It will evolve to adjust to the environmental niche.
Right now, the environmental niche is benign. If it starts turning malignant, then the
system evolves in response to the threat. Because [these are ideas] based on mathematics,
there may be hundreds or thousands [of coins]. They will evolve. If you step on one, more pop up.
They are designed to avoid you stepping on them. Because now they need to. Totalitarian governments [understand] this. If you step on Bitcoin [when it is a teddy bear],
you may end up with a highly localised, super stealthy system [using code] written
by dissidents within your very own country.
As I like to say, Bitcoin is a gecko right now.
But every time you step on it, Bitcoin evolves. One day, it will be a komodo dragon.
When you try to step on it, it will bite your foot off. "Won't Bitcoin's confidential transactions be censored?" "In light of the advent of Schnorr signatures and
Confidential Transactions (CT), I would like to ask… if this trend has the potential to make KYC-compliant
companies enforce a policy of not accepting… certain types of bitcoin transactions." "Japanese exchanges were recently
pushed to drop all privacy coins." "Such companies may go as far as to not accept any
transaction that has been tainted or obfuscated, by hiding the amount or mixing
[outputs], at any point in the past." "Unlike current AML policies, such a rule
won't require [as much] blockchain forensics…
In order to establish [a coin's] ancestry." "[They may] merely require businesses to track the UTXO
set and tag any output with at least one tainted input." "Of course, the tainted base will theoretically
keep growing, but such a policy would introduce… a strong incentive for customers to stay way from
tainted coins and, by extension, privacy technology." "How do you expect this all to play out?" This is a very good question…
And also an astute reading of the incentives and
challenges with implementing privacy technology. There are some spectacular developers
and cryptographers in this space… whose driving principles and cypherpunk
ethos is to preserve privacy and anonymity, specifically for political purposes because this is
a fundamental human right that must be defended. We are so lucky to have individuals like that.
There are so many across the cryptocurrency space. Not just in Bitcoin but across
the entire cryptocurrency space. With Schnorr signatures, Confidential Transactions,
and other [developments] related to privacy, one of the key inventors in the space is Greg Maxwell,
who has a lifelong dedication to privacy technology… and cyberpunk ethos. He has been working with very talented mathematicians,
cryptographers, and software engineers, people like Andrew Poelstra and Pieter Wuille,
to build some very interesting [schemes]. I am probably forgetting some names
that deserve [to be mentioned]. Again, there are some incredible implementations
coming out with other privacy-focused coins. The implementation of zk-SNARKs
and zero-knowledge proofs such as… Bulletproofs, which originally came from some Bitcoin
developers and was implemented in Monero recently, reducing feels while increasing security. Two inventions that aren't talked about much, which
I talked about recently, are Taproot and Graftroot.
This is a fantastic idea from Greg Maxwell. [With] Taproot and Graftroot, we could create a transaction that looks like
pay-to-public-key-hash (P2PKH) on the surface, or a simple payment to a public key,
like most other bitcoin transactions. However, what is impossible to
tell from the transaction [data]… is [whether] that public key is a single key from
a private key, or the composite key [of multiple keys], created either for a multi-sig or (even better)
is the basis for a complex merklised script, [maybe] with clauses underneath for Lightning payment
channels with timelocks, a multi-party signature, or a CoinJoin with multiple participants and outputs. The fantastic thing about this is, you can take
all of these privacy-preserving complex scripts, including Confidential Transactions, and then
make them look like a simple public key payment.
Taproot and Graftroot together do that, they make
the privacy-preserving transactions indistinguishable, even against an determined adversary trying to
distinguish them from normal payments. They allow you to hide the little gems of privacy
inside the chaff of everyday transactions, so that… it is impossible to single out the private transactions
and censor them, which of course could be a problem. If people [using private transactions] are a small
subset [of the network], only do them occassionally, and they can be distinguished,
that defeats the entire purpose. Taproot and Graftroot are so important to this
implementation that the developers working on… Confidential Transactions and Schnorr signatures
have decided to delay those and sequence them, such that Taproot and Graftroot
are launched at the same time. [That allows] people who decide to use the
privacy-enhanced transactions are protected; they can use them in a way that is indistinguishable
from regular transactions, which is a critical decision.
That decision was made just a few months ago. It is why we are seeing a delay in the implementation
of Schnorr signatures and Confidential Transactions, and why we will see the entire package of updates,
with Taproot and Graftroot, launched simultaneously. This will allow people to both preserve their privacy
and not be outed for using that privacy. A really good strategic choice, in my opinion. I believe Pieter Wuille and Greg Maxwell were
the strongest proponents of doing it in that order..