Bitcoin Q&A: Privacy, Inflation Risks, and Censorship Resistance

"Can you elaborate in detail how
zero-knowledge proofs work?" Not in detail, but I can explain the general
concept of what a zero-knowledge proof is. It is about proving that a certain condition is true
without knowing the inputs to that condition. For example, proving that the [input and
output] amounts in the transaction add up. The amount that you [received] and the amount
you're spending are the same, [without revealing it]. If you subtract the outputs from the inputs,
the result [should be] equal to zero. That type of zero-knowledge
proof is called a range proof. You can do homomorphic encryption using
mathematical proofs, where you are applying… encryption to the values and then doing simple
arithmetic with these values, without decrypting them, without [anyone else] knowing them. So you are able to verify the truth of a statement,
such as 'no new coins were created in this transaction,' without actually knowing how many
coins were used in the transaction.

A follow-up question: "How could you
create a zero-knowledge proof transaction?" "It seems to be computationally complicated and not
time efficient." That is true. Zero-knowledge proofs… are computationally complicated and
not particularly efficient in time or in size. One of the big problems with various types of
zero-knowledge proofs, including range proofs, is the fact that they produce a very large amount of data
in order to [make it possible] to validate these proofs.

Zero-knowledge proof transactions in
these systems can be ten times larger. This has been holding back the technology.
Most of the development in zero-knowledge proofs… [has been focused on] expressing them in less space,
using less data to communicate the proof. The great innovations from that space are about
compressing the proofs so they are more viable, to create transaction sizes which are
reasonable and can be propagated. It is not efficient [in terms of]
computation, space, and time. It is not intended to be.

That is the trade-off. In order
to get robust privacy, you lose some of the efficiency.

[AUDIENCE] Hello. I have been aware of you since last year. You seem to be a person who really likes Bitcoin,
the blockchain, and all the benefits they might give. But I want you to try to play devil's advocate.
You might have received this question before. What could be the biggest danger to Bitcoin,
thrown in by the banks or international governments? Could they maybe throw Bitcoin off its original course,
in being decentralized and a force for the individual?

[ANDREAS] I am asked that question quite often,
so I can answer very directly and simply. I think the biggest weakness that Bitcoin has, is that
the base layer blockchain is insufficiently private. It does not have strong enough
privacy and anonymity guarantees. If you are trying to build a currency on top,
that threatens the currency's fungibility. First of all, fungibility is a great word.
I really like saying it.

It sounds so much fun. [Hearing] it is not even half as much fun as saying it. You should try. There is an 'F,' an 'N,' and a 'G.'
Fungibility. It is a lot of fun to say. The problem is, [most people]
don't know what it means. Allow me to ask, how many people
here know what 'fungibility' means? About half the audience. That is great.
It is an economic term. Fungibility means… In a system of money, it is important that you
are not able to distinguish between units. If I am holding a 1,000 yuan paper bill…
I haven't actually touched Korean money yet. I have only used debit cards.
Imagine I am holding a 1,000 yuan bill. If I go to a store and I give it to a storekeeper
[in exchange] for something [worth] 1,000 yuan, probably something very small, they
[can't] say, "No. I don't like this [yuan bill]." "Do you have any other yuan bills?
Not this one." I could ask why.

"I don't know. The serial number ends
in a number three. I don't like that." "I want [a bill with a serial number] that doesn't end
in a three. Do you have another?" They can't do that. In fact, it is illegal to do that. They must accept [my]
thousand yuan bill as being the same as any other. They can't say, "The corners are a bit
creased. [This is only worth] 950 yuan." If you had that kind of situation, it would be a problem.
How do we know? Because it has happened before. In Roman times, when they had coins… Have you
noticed that the metal coins in almost every country… they have little [grooves] around the outside.
Do you know why those [grooves] are there? So [people] don't shave them.

Back in the days when
money was actually made of something valuable… like silver or gold, if the coins had a smooth edge,
then you could shave off a tiny bit and [still spend it]. You could keep the shavings. [But after shaving]
enough coins, eventually someone will notice. "Why is this coin banana-shaped? Is this part of
the lunar cycle, because it looks like a half-moon?" "Where is the rest of the coin?" They started putting those ridges
around coins as an anti-theft [feature]. If you shave it, it will be visible, because the
ridges are symmetrical. It would be very obvious… if you cut new ridges into the coin. So that is
why they have little ridges around the edge. In Roman times, coins had started trading for different
values depending on how [much] they were shaved. It would be like having a thousand yuan bill
and someone will only give you 876 yuan for it. "That one looks pretty good.

I will give you 923 yuan." The problem is, if [the same unit of] money starts
[varying in value], it will stop working as money. If each piece of money has a different value from the
one [printed on it], a slight discount depending on… whether it has been tainted or shaved, then you
have a problem. That is what fungibility is about. There is another funny situation.
I don't know if you heard this statistic, but every single dollar bill you have ever
touched has cocaine and/or E. coli on it.

Eww, yeah… Every dollar bill you touch has cocaine on it, because
[people] roll it up and use it as a straw to ingest cocaine. Eventually, you [will get] this dollar bill;
it will touch the other dollar bills in your pocket. They will get a bit of cocaine on them.
When you give it to someone [else], it will touch their bills. So everything has cocaine on it.
What if you had all dollar bills tested? They actually suggested doing this in the 1980s. "Let's test the dollar bills. If they have
cocaine on them, we won't accept them." Soon they realized that this was a very
bad idea because it would cause chaos. Can you imagine if every shopkeeper
needed to test [the money people gave them]? "Oh, sorry, this has too much cocaine on it. I won't take it.
This one [doesn't have too much on it]. I will take it." What would happen is, people would pay more
for the clean ones and less for the dirty ones.

You have a real problem because
the value of money will vary a lot. Not just 2% or 3%, but even 20%. That is already
happening in Bitcoin today. You can buy bitcoin… that just came straight out of a new block, fresh
from the oven, still smelling of hashes. [Laughter] Right from a coinbase [transaction].
They sell those [above market price], higher than bitcoin which has
touched other people's wallets. The reason is, you can trace bitcoin
from transaction to transaction. If you receive bitcoin from someone
who received it from another person, and that person received it from another person,
who stole it from Mt. Gox, an exchange will say, "Dirty!" "No thank you." They [may] shut down
your account. That is a big problem. If you start doing that across all money in
circulation, you will end up breaking money.

It will stop working. The whole point of money is
that you have a universally recognizable, verifiable… [unit] with one value. It is [the measurement of value]. That is its purpose.
If the unit starts having different values, it doesn't work. [Lack of] fungibility is a big problem.
How does fungibility relate to privacy? They relate in a very simple way. If the money has strong
privacy and anonymity, you can't trace where it's been. The money becomes perfectly fungible.
Every unit is the same as every other unit. You can't differentiate between them. You can't have
problems where exchanges say, "We can't accept this." "Not this one," "yes this one."
Where they trade for different prices. Today, we don't have perfect fungibility in Bitcoin.
There is [more] fungibility in some other blockchains, privacy-focused ones like Zcash and Monero. I would like to see privacy improvements in Bitcoin.
This is a very specific attack vector for governments.

They could start circulating black lists. "Any coin
which has touched one of the following addresses is bad." Then they will [force] the exchanges to
block any [black listed] transactions. They will set a limit. "If it is change, and has
touched [a bad address] in less than six hops, then you can't accept it." That would cause very serious problems in Bitcoin. Of course, it would also cause the immediate
implementation of strong privacy and anonymity. When you are working in a dynamic system and
there is a threat or attack like that from the government, the system will respond and evolve
defenses against that particular attack. We don't have strong privacy today
because Bitcoin isn't being attacked enough. This applies to all cryptocurrencies. If cryptocurrencies
started being attacked [due to the lack of] privacy, two things will happen. 1) Privacy will become very valuable.
Any cryptocurrencies with strong privacy… will become much more valuable,
because everybody will want the private ones. 2) Every cryptocurrency that doesn't have
privacy now, will in the very next release.

This is probably why governments haven't tried to attack
in that way. They like the fact that they can track them. They know that if they attack in a very obvious way,
they [won't be] able to track them [for much longer], because they will [add more] privacy [features]. "Privacy coins like Monero and Zcash are
invaluable to people in authoritarian regimes… who need to protect their wealth from
government confiscation and inflation." "I wonder if the new implementations of
MimbleWimble, such as Grin and Beam, will be a better option than the existing
privacy coins such as Monero or Zcash." "MimbleWimble is a much smaller and more efficient
blockchain, which can store more transactions." "Can you see it displacing the current
top privacy coins over time?" I don't know. MimbleWimble has different trade-offs in
terms of security, efficiency, and scalability. I would like to see this experimentation continue
across all the privacy coins, because then we will… see how different trade-offs and techniques
can be used, what their pros and cons are. In the future, we can see more of those privacy
techniques combined through cross-pollination… between the research and development teams. Techniques invented in one place
[could then be] used in another. That is one of the wonderful [aspects] of working in the
broad open-source ecosystem of open blockchains. An invention made in one place can be used
anywhere else. It is not encumbered by patents. Even if it is, under open-source, that doesn't
really matter. We will see a lot of cross-pollination. Whether Grin and Beam displace the current
[top] privacy coins over time, I don't know. It depends what you mean by "displace." If you mean larger market capitalisation,
I don't think those metrics are meaningful. The question is, do these new technologies offer
more choices for people living under conditions… where privacy is absolutely essential? I think they do. This isn't a zero-sum competition.
Grin and Beam can both thrive and grow together, as well as with the other privacy coins. I am hoping to see these and more privacy
coins develop and explore other areas. That is the only way we learn.

Of course, not all of them
will survive, succeed, or flourish. That is okay too. These experiments are not about winning,
but offering choice, exploring different avenues. "Could you comment on the Zcash inflation
vulnerability that was recently exposed, and whether this has implications for the
feasibility of base layer privacy on Bitcoin?" "Many Bitcoin proponents believe that the fixed supply
of bitcoin is one of its greatest value propositions." "Is there a risk that obfuscating the base layer
for privacy reasons would make it less auditable… and [increase] the risk of inflation bugs
that go unnoticed for quite a long time?" "In the case of zk-SNARKs,
the vulnerability existed for eight months." "If I understand correctly, there is
no way to know if it was exploited." "Would it not be reckless to deploy nascent cryptography
on the network, given that second-layer solutions… may prove to be sufficient?" This is a great question about the
balance of privacy technologies, the risk that privacy technologies
introduce in the form of an inflation bug. Let's explore this a bit better and
explain what happened in this case. One of the important privacy [techniques] is
the ability to encrypt amounts in a transaction, so they can't see how much money is being
moved, but you can still audit the amount. There are zero-knowledge proofs of various forms.
Zero-knowledge proofs are where you can prove… that something is true without
knowing the specific details. For example, within a transaction, you have
inputs on one side and outputs on the other side. A transaction is valid if the total of inputs minus the total
of outputs is greater than or equal to zero, with fees.

Fees are the leftover. If there are no fees,
then zero, but that is unlikely today. But let's say the total on each side of
the equation should balance [out to zero]. You should effectively have double-entry bookkeeping.
You shouldn't be able to spend more than you have. If the amounts are encrypted,
how do you know that they [balance out]? That is where the zero-knowledge proof comes in.
You can use mathematics, basic arithmetic, on two values that are encrypted
so as to not reveal their values. You can [use] a range proof, as it is called, where you
could show that the encrypted values of the inputs… minus the encrypted values of the outputs,
is within a range greater than or equal to zero.

You don't know what the input number is,
you don't know what the output number is, but you can do the arithmetic and say,
"inputs minus outputs is greater than zero." That is it. That is what a range proof is. If there is an inflation bug in there, you could create
bitcoin on the output side and increase the supply. You are essentially generating currency from nothing,
introducing supply in a way that can't be detected. Because the values are encrypted,
they will still validate in the long term. This is a very serious bug.
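
The "inputs minus outputs" check described here, and in the earlier answer about zero-knowledge proofs, as an added worked example that is not part of this transcript or of any project the speaker mentions. It builds Pedersen commitments on secp256k1 (the curve Bitcoin uses, and the construction behind Confidential Transactions and Bulletproofs), shows that a verifier can confirm the commitments balance without learning any amount, that an attempt to create one extra unit fails the check, and that a "negative" output (a value wrapped around the group order) slips past the balance check, which is precisely the gap a range proof (value >= 0) closes. The second generator H is derived by a simple try-and-increment hash-to-curve loop, and the labels, seeds and sample amounts are constructed for the demo; none of them are values from any deployed system.

```python
import hashlib

# secp256k1 parameters (the curve Bitcoin uses); the group has prime order N,
# so committed values and blinding factors are arithmetic modulo N.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Add two affine points; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                    # a == -b
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P   # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point):
    """Double-and-add scalar multiplication, k reduced modulo the group order."""
    result, addend = None, point
    k %= N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def ec_sum(points):
    total = None
    for pt in points:
        total = ec_add(total, pt)
    return total

def hash_to_point(label):
    """Try-and-increment hash-to-curve: nobody learns log_G(H), which is what
    makes the commitment binding. The label is a constructed demo constant."""
    x = int.from_bytes(hashlib.sha256(label).digest(), "big") % P
    while True:
        rhs = (pow(x, 3, P) + 7) % P                   # y^2 = x^3 + 7
        y = pow(rhs, (P + 1) // 4, P)                  # square root when one exists (P % 4 == 3)
        if y * y % P == rhs:
            return (x, y)
        x = (x + 1) % P

H = hash_to_point(b"pedersen second generator (demo only)")

def commit(value, blinding):
    """Pedersen commitment C = value*H + blinding*G: hides the value, and
    commitments add like the values inside them."""
    return ec_add(ec_mul(value, H), ec_mul(blinding, G))

def balances(input_commits, output_commits, fee):
    """Verifier's check: sum(inputs) == sum(outputs) + fee*H. It sees only
    commitments and the explicit fee, never the amounts."""
    return ec_sum(input_commits) == ec_add(ec_sum(output_commits), ec_mul(fee, H))

def build_outputs(input_blindings, output_values, seed=b"demo-outputs"):
    """Sender side: pick output blinding factors so they sum to the input
    blinding factors (the last one is solved for), then commit each value."""
    blindings = [int.from_bytes(hashlib.sha256(seed + bytes([i])).digest(), "big") % N
                 for i in range(len(output_values) - 1)]
    blindings.append((sum(input_blindings) - sum(blindings)) % N)
    return [commit(v, r) for v, r in zip(output_values, blindings)]

def demo():
    """Constructed sample: inputs worth 7 and 5, fee 1, three candidate output sets."""
    in_values = [7, 5]
    in_blind = [int.from_bytes(hashlib.sha256(b"demo-input" + bytes([i])).digest(), "big") % N
                for i in range(len(in_values))]
    in_commits = [commit(v, r) for v, r in zip(in_values, in_blind)]
    return {
        # 9 + 2 + fee 1 == 12: balances, and the verifier never saw 7, 5, 9 or 2
        "honest": balances(in_commits, build_outputs(in_blind, [9, 2]), 1),
        # 9 + 3 + fee 1 == 13: one unit created from nothing, rejected
        "inflated": balances(in_commits, build_outputs(in_blind, [9, 3]), 1),
        # 12 + (N - 1) + 1 wraps to 12 mod N: a "negative" output passes the balance
        # check, which is why every output also needs a range proof (value >= 0)
        "negative_output": balances(in_commits, build_outputs(in_blind, [12, N - 1]), 1),
    }

if __name__ == "__main__":
    print(demo())
```

The balance check is the homomorphic arithmetic the speaker describes: the verifier adds and subtracts commitments, never plaintext amounts. The last case is the point of a range proof: without one, an output "worth" N - 1 is indistinguishable from one worth -1, so a sender could balance 12 units of input against a 12-unit output plus a second output that later spends as an arbitrarily large value. A bug in the range proof itself, the case the transcript goes on to discuss for Zcash, would open the same door while every commitment still appeared to balance.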

Fortunately, in the
case of Zcash, there hasn't been much [adoption]. It is still very experimental. This is a great lesson for
Bitcoin and creates a fundamental challenge for privacy. If you introduce privacy in the base layer of
a [coin] with very strict monetary characteristics, what if there is an inflation bug in the range proofs? This is one of the criticisms levied against zero-knowledge proofs, zk-SNARKs [in the case of Zcash].

This is relatively new cryptography.
As a result, it hasn't been broadly tested yet. It has been extensively peer reviewed, but it hasn't
been broadly tested and it is quite complex stuff. In this case, there was a bug identified in the
equations of the whitepaper describing zk-SNARKs. No one noticed it for eight months. The question here is, what about adding Bulletproofs,
which are used in confidential transactions? Currently, they are implemented only in test
networks for Bitcoin and sidechains like Liquid. [Should we] add that technology to
Bitcoin's base layer to improve privacy? Is it too early to add that? I don't know. Is the risk
too great that it might introduce an inflation bug? I think the argument that you can [fix privacy] sufficiently
with second-layer solutions isn't absolutely true. I think it is much better to apply
privacy solutions in the base layer.

It is very difficult to maintain privacy on the second layer
if the base layer can be monitored and surveilled. However, this is a [major] consideration,
a real trade-off in cryptocurrency design. For the fundamental trade-offs that exist in engineering
cryptocurrencies, there are no perfect solutions. Everything involves [sacrificing] a bit in
one area in order to gain in another area. You can't be the best at everything.
We will see this debate happen very strongly. That is the reason it will be difficult to introduce
privacy technologies in the base layer of Bitcoin.

I hope that we will, even if there is a small risk of
an exploitable inflation bug that could go undetected… and cause problems with the supply of bitcoin. In the long run, the risk of not having sufficient privacy
in the base layer is greater than the risk of inflation; with maturity, I think they will
not go undetected for very long. This is a very difficult risk analysis and
I am not confident about [my] opinion [on this]. I am leaning more towards privacy at the moment,
but I could be persuaded otherwise. I'm not certain or fixed in my opinion. I would like to hear
a broader debate and understand how big the risk is. I understand the risk of not having privacy
in the base layer. To me, that is a clear risk. It involves undermining the fungibility of bitcoin.
[It would be easier] to introduce legislation… that makes it very difficult for anyone
other than criminals to use bitcoin. Blacklists, whitelists, tracking addresses.
Compliance with [financial] surveillance. This will make it impossible for normal businesses
and [individuals] to use cryptocurrency. That is a real risk that I understand and can quantify. On the other side of this equation is
a risk that I don't understand [as well]. I don't know how big the risk of an inflation bug is. We
know now that it is not zero-risk, because it happened. How big is it? How repeatable is that bug?
How many other bugs could possibly exist? I don't know. I'm not qualified to know,
because I am not a cryptographer.

I don't understand range proofs to
that degree. I can't evaluate that risk. This is the broader debate
we will have in this community. It is an interesting glimpse into the very
important and serious trade-offs that exist. Maybe the risk of inflation is much
greater than the risk of not having privacy. Maybe we need to work on moving
privacy to the second layer.

I don't know. I could be persuaded either way at this point.
We will find out. This is a very interesting debate. It will not play out just in Bitcoin, but in every
cryptocurrency which has the same challenges, of protecting privacy and the integrity of the currency.
