0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/730 Thanks! 1 00:00:14,840 --> 00:00:17,869 So our last speaker for tonight 2 00:00:17,870 --> 00:00:20,419 is Sven Salberg, 3 00:00:20,420 --> 00:00:22,609 and he's going to talk about the 4 00:00:22,610 --> 00:00:24,649 cash anonymous cryptocurrency. 5 00:00:25,880 --> 00:00:28,129 The subtitle of this stock is Zero 6 00:00:28,130 --> 00:00:30,019 Knowledge, Succinct, Non Interactive 7 00:00:30,020 --> 00:00:32,029 Arguments of Knowledge for White People. 8 00:00:32,030 --> 00:00:34,189 If there are people who could memorize 9 00:00:34,190 --> 00:00:36,319 that and can repeat, you get karma 10 00:00:36,320 --> 00:00:37,320 points. 11 00:00:39,200 --> 00:00:41,809 Sven is a mathematician, 12 00:00:41,810 --> 00:00:43,729 a coder, a cryptographer. 13 00:00:43,730 --> 00:00:46,099 He also does functional programing 14 00:00:46,100 --> 00:00:48,319 in C, which probably 15 00:00:48,320 --> 00:00:50,029 makes him the person you might want to 16 00:00:50,030 --> 00:00:51,030 listen to. 17 00:00:51,800 --> 00:00:53,869 Plays a round of applause 18 00:00:53,870 --> 00:00:54,870 for. 19 00:01:02,310 --> 00:01:04,200 Thank you. Thanks for the introduction. 20 00:01:05,450 --> 00:01:07,319 Um, yeah, thank you all for coming. 21 00:01:08,850 --> 00:01:11,339 So the short version of the subtitle 22 00:01:11,340 --> 00:01:13,439 is A Zik Snarks for the Interested 23 00:01:13,440 --> 00:01:14,440 Layperson. 24 00:01:15,390 --> 00:01:17,369 Quick check. Has anybody from the 25 00:01:17,370 --> 00:01:20,489 audience heard the term XXX snark before? 26 00:01:20,490 --> 00:01:22,260 Oh, that's more than I expected. 27 00:01:23,290 --> 00:01:25,739 OK, um, 28 00:01:25,740 --> 00:01:27,390 so at the end of this talk, hopefully 29 00:01:28,620 --> 00:01:30,719 you will know how these things can 30 00:01:30,720 --> 00:01:33,389 be used to build a cryptocurrency 31 00:01:33,390 --> 00:01:35,549 that which is kind of like bitcoin 32 00:01:35,550 --> 00:01:37,979 but has better privacy 33 00:01:37,980 --> 00:01:40,469 and anonymity properties. 34 00:01:40,470 --> 00:01:42,719 Um, little 35 00:01:42,720 --> 00:01:44,699 disclaimer. I won't be able to explain to 36 00:01:44,700 --> 00:01:47,039 you how the XXX snarks work, 37 00:01:47,040 --> 00:01:49,109 so please don't 38 00:01:49,110 --> 00:01:51,389 be too disappointed by that. 39 00:01:51,390 --> 00:01:53,129 That will be another talk for next year 40 00:01:53,130 --> 00:01:54,239 maybe. 41 00:01:54,240 --> 00:01:55,469 All right. 42 00:01:55,470 --> 00:01:56,399 So let's start. 43 00:01:56,400 --> 00:01:57,569 Right. 44 00:01:57,570 --> 00:02:00,209 Um, zie cash 45 00:02:00,210 --> 00:02:03,329 is like I said, it's a cryptocurrency, 46 00:02:03,330 --> 00:02:05,279 uh, magic Internet money. 47 00:02:05,280 --> 00:02:07,709 Um, kind of like Bitcoin 48 00:02:07,710 --> 00:02:09,809 is, in fact based on the Bitcoin 49 00:02:09,810 --> 00:02:10,409 code base. 50 00:02:10,410 --> 00:02:12,899 So it's kind of like an old coin 51 00:02:12,900 --> 00:02:14,759 that you may have known. 52 00:02:14,760 --> 00:02:17,219 But other than a lot of other 53 00:02:17,220 --> 00:02:19,409 coins, it actually adds 54 00:02:19,410 --> 00:02:21,599 a substantial new 55 00:02:21,600 --> 00:02:23,190 feature to the protocol. 56 00:02:24,480 --> 00:02:26,609 And that is mainly a new type of 57 00:02:26,610 --> 00:02:29,129 transaction that is 58 00:02:29,130 --> 00:02:31,199 capable of shielding 59 00:02:31,200 --> 00:02:33,269 the sender, the receiver 60 00:02:33,270 --> 00:02:35,339 and the amount of money being 61 00:02:35,340 --> 00:02:36,789 transferred. 62 00:02:36,790 --> 00:02:38,909 Um, now this type 63 00:02:38,910 --> 00:02:40,979 of transaction leaves next to 64 00:02:40,980 --> 00:02:43,259 the regular Bitcoin type 65 00:02:43,260 --> 00:02:45,569 transaction. So you actually have two 66 00:02:45,570 --> 00:02:47,729 types of addresses, uh, 67 00:02:47,730 --> 00:02:50,009 ones. It's called a transparent address. 68 00:02:50,010 --> 00:02:52,259 It starts with a T and a new 69 00:02:52,260 --> 00:02:54,509 type of address that starts with a Z 70 00:02:54,510 --> 00:02:55,949 or Z, um, 71 00:02:57,030 --> 00:02:59,309 which gets used by the new type 72 00:02:59,310 --> 00:03:01,169 of transactions. 73 00:03:01,170 --> 00:03:03,779 And yes, like I already said, it uses 74 00:03:03,780 --> 00:03:06,059 these so-called Zeca snarks, which 75 00:03:06,060 --> 00:03:08,279 are relatively recent 76 00:03:08,280 --> 00:03:10,079 kind of mathematical magic. 77 00:03:10,080 --> 00:03:11,759 As I like to say. 78 00:03:11,760 --> 00:03:13,919 I think the earliest 2010 is the 79 00:03:13,920 --> 00:03:16,019 earliest citation 80 00:03:16,020 --> 00:03:18,599 from the Z cache spec. 81 00:03:18,600 --> 00:03:19,859 Um, yeah. 82 00:03:19,860 --> 00:03:22,049 Uh, for a little bit of history, the 83 00:03:22,050 --> 00:03:24,089 cache is a is an evolution basically of 84 00:03:24,090 --> 00:03:26,319 two academic proposals, one called 85 00:03:26,320 --> 00:03:28,619 zero coin, which was still 86 00:03:28,620 --> 00:03:31,109 pretty different from Z cache 87 00:03:31,110 --> 00:03:32,699 and the other is called zero cache. 88 00:03:34,080 --> 00:03:36,869 And that is already almost 89 00:03:36,870 --> 00:03:38,129 like C cache. 90 00:03:38,130 --> 00:03:40,589 Um, so you could consider 91 00:03:40,590 --> 00:03:42,869 Z cache a um, an 92 00:03:42,870 --> 00:03:45,059 implementation of zero cache with 93 00:03:45,060 --> 00:03:47,859 some refinements and improvements. 94 00:03:47,860 --> 00:03:50,309 Um, now, uh, 95 00:03:50,310 --> 00:03:52,409 the or a number of 96 00:03:52,410 --> 00:03:54,509 the inventors of zero cache and 97 00:03:54,510 --> 00:03:55,859 a number of other people have formed a 98 00:03:55,860 --> 00:03:58,019 company in order to 99 00:03:58,020 --> 00:03:59,549 actually um. 100 00:03:59,550 --> 00:04:01,499 Yeah. Get this, get the system off the 101 00:04:01,500 --> 00:04:03,899 ground as its own 102 00:04:03,900 --> 00:04:05,099 alt coin. 103 00:04:05,100 --> 00:04:07,409 And I'm told they are also 104 00:04:07,410 --> 00:04:09,119 in the process of forming a nonprofit 105 00:04:09,120 --> 00:04:11,309 foundation to govern, uh, 106 00:04:11,310 --> 00:04:13,799 the future development or something. 107 00:04:13,800 --> 00:04:15,689 Um, a little disclaimer. 108 00:04:15,690 --> 00:04:17,458 I am not affiliated with any of these 109 00:04:17,459 --> 00:04:18,419 entities. 110 00:04:18,420 --> 00:04:20,578 I'm just interested bystander who happens 111 00:04:20,579 --> 00:04:22,949 to think you can explain 112 00:04:22,950 --> 00:04:24,659 this stuff a little bit. 113 00:04:24,660 --> 00:04:25,660 Uh. 114 00:04:27,460 --> 00:04:28,460 So 115 00:04:29,740 --> 00:04:32,319 because we don't have so much time, 116 00:04:32,320 --> 00:04:34,389 this talk is going to focus entirely 117 00:04:34,390 --> 00:04:36,969 on the technical aspects, um, 118 00:04:36,970 --> 00:04:38,229 there are also other interesting 119 00:04:38,230 --> 00:04:41,739 questions, but I just want to explain, 120 00:04:41,740 --> 00:04:45,219 how does the system work in the abstract? 121 00:04:45,220 --> 00:04:47,109 What do the transactions look like? 122 00:04:47,110 --> 00:04:48,549 What exactly is being hidden? 123 00:04:48,550 --> 00:04:49,929 What isn't hidden maybe? 124 00:04:51,100 --> 00:04:53,919 And how can you how can you verify 125 00:04:53,920 --> 00:04:56,049 even the validity of a transaction 126 00:04:56,050 --> 00:04:58,809 if you know almost nothing about it? 127 00:04:58,810 --> 00:04:59,789 Um, yeah. 128 00:04:59,790 --> 00:05:02,079 And lastly, it'll then become 129 00:05:02,080 --> 00:05:03,670 clear whether snarks come in. 130 00:05:05,800 --> 00:05:07,949 So if you know Bitcoin, this is, uh, 131 00:05:07,950 --> 00:05:10,029 just to recap, this is a Bitcoin 132 00:05:10,030 --> 00:05:11,709 transaction. 133 00:05:11,710 --> 00:05:12,710 Um. 134 00:05:14,340 --> 00:05:15,749 Oh, sorry. 135 00:05:15,750 --> 00:05:18,179 So imagine Bitcoin, 136 00:05:18,180 --> 00:05:20,249 I don't want to go into a block chain 137 00:05:20,250 --> 00:05:22,199 or any of that here because we don't need 138 00:05:22,200 --> 00:05:24,329 to please imagine Bitcoin just as 139 00:05:24,330 --> 00:05:26,219 a long list of transactions that is 140 00:05:26,220 --> 00:05:27,629 publicly verified. 141 00:05:27,630 --> 00:05:29,849 That is entirely enough 142 00:05:29,850 --> 00:05:31,919 for this talk because 143 00:05:31,920 --> 00:05:34,409 the Bitcoin system is basically 144 00:05:34,410 --> 00:05:36,809 transferred over for the transparent 145 00:05:36,810 --> 00:05:37,789 world. 146 00:05:37,790 --> 00:05:40,019 Um, we can just focus 147 00:05:40,020 --> 00:05:42,659 on an individual transaction. 148 00:05:42,660 --> 00:05:44,759 OK, so this is one 149 00:05:44,760 --> 00:05:46,889 single Bitcoin transaction of 150 00:05:46,890 --> 00:05:48,959 which you have a long list in 151 00:05:48,960 --> 00:05:51,419 the world, and each such 152 00:05:51,420 --> 00:05:53,669 transaction takes a number of input 153 00:05:53,670 --> 00:05:56,129 amounts from previous transactions 154 00:05:56,130 --> 00:05:58,619 and then declares a number of outputs, 155 00:05:58,620 --> 00:06:01,649 um, amounts to 156 00:06:01,650 --> 00:06:03,969 some receiver addresses. 157 00:06:03,970 --> 00:06:06,119 And in order for this transaction to be 158 00:06:06,120 --> 00:06:08,549 valid, you needs 159 00:06:08,550 --> 00:06:09,839 most of all. 160 00:06:09,840 --> 00:06:12,029 Well, these two things you need 161 00:06:12,030 --> 00:06:13,859 to show that you actually have authority 162 00:06:13,860 --> 00:06:16,289 to spend the inputs and you need to 163 00:06:16,290 --> 00:06:18,419 make sure that, well, the input 164 00:06:18,420 --> 00:06:20,699 amounts balance with the output amounts 165 00:06:20,700 --> 00:06:22,259 right now. 166 00:06:24,150 --> 00:06:27,029 Uh, like I've already alluded to with 167 00:06:27,030 --> 00:06:29,069 that, the picture looks almost exactly 168 00:06:29,070 --> 00:06:31,259 the same, except there is a new block at 169 00:06:31,260 --> 00:06:33,119 the end of the transaction that adds 170 00:06:33,120 --> 00:06:35,529 some, um, things called joint 171 00:06:35,530 --> 00:06:36,869 splits. 172 00:06:36,870 --> 00:06:39,029 And, um, yeah. 173 00:06:39,030 --> 00:06:41,339 What these are and how you can 174 00:06:42,480 --> 00:06:44,699 verify and prove their validity 175 00:06:44,700 --> 00:06:46,019 is the main topic. 176 00:06:48,060 --> 00:06:49,889 So let's jump right in. 177 00:06:49,890 --> 00:06:52,079 What does a joint split, a joint split 178 00:06:52,080 --> 00:06:53,219 look like? 179 00:06:53,220 --> 00:06:55,439 So as a as 180 00:06:55,440 --> 00:06:58,179 a major difference from Bitcoin 181 00:06:58,180 --> 00:07:00,749 value in these new cash transactions, 182 00:07:00,750 --> 00:07:02,759 it's actually transferred in the form of 183 00:07:02,760 --> 00:07:04,289 virtual coins. 184 00:07:04,290 --> 00:07:05,999 That's kind of ironic because Bitcoin, 185 00:07:06,000 --> 00:07:07,589 despite the name, doesn't actually 186 00:07:07,590 --> 00:07:10,199 contain any sort of coin concept 187 00:07:10,200 --> 00:07:11,369 anywhere. 188 00:07:11,370 --> 00:07:13,469 Um, here we 189 00:07:13,470 --> 00:07:14,470 have that. 190 00:07:16,140 --> 00:07:18,359 And you can see from the picture 191 00:07:18,360 --> 00:07:20,609 the, uh, that each joint split 192 00:07:20,610 --> 00:07:22,829 takes two coins as inputs and 193 00:07:22,830 --> 00:07:25,739 it generates two coins as outputs. 194 00:07:25,740 --> 00:07:27,659 So the input coins are consumed and no 195 00:07:27,660 --> 00:07:29,939 longer valid at the end and two new 196 00:07:29,940 --> 00:07:33,239 coins come into existence. 197 00:07:33,240 --> 00:07:35,429 So why to um, just 198 00:07:35,430 --> 00:07:38,249 really quickly? That's because 199 00:07:38,250 --> 00:07:40,679 that is general enough for any thing. 200 00:07:40,680 --> 00:07:42,419 If you just want to consume one coin, you 201 00:07:42,420 --> 00:07:43,739 said the other two zero. 202 00:07:43,740 --> 00:07:45,299 If you just want to produce one, you said 203 00:07:45,300 --> 00:07:46,319 the other to zero. 204 00:07:46,320 --> 00:07:48,599 And if you want to consume more or create 205 00:07:48,600 --> 00:07:50,729 more, you just combine multiple 206 00:07:50,730 --> 00:07:52,619 of these joint splits in the same 207 00:07:52,620 --> 00:07:53,879 transaction. 208 00:07:53,880 --> 00:07:56,369 OK, um, 209 00:07:56,370 --> 00:07:58,589 and now the important part, 210 00:07:58,590 --> 00:08:00,839 each such virtual coin has a 211 00:08:00,840 --> 00:08:03,089 well, what's called a not plaintext. 212 00:08:03,090 --> 00:08:05,699 That is basically a tuple of values 213 00:08:05,700 --> 00:08:07,859 that contains 214 00:08:07,860 --> 00:08:10,499 the information about that 215 00:08:10,500 --> 00:08:12,659 coin, namely its owner, its 216 00:08:12,660 --> 00:08:15,599 value and some technical 217 00:08:15,600 --> 00:08:18,299 technical values that will get back to 218 00:08:18,300 --> 00:08:20,479 me. And this stuff is 219 00:08:20,480 --> 00:08:21,989 is kept secret. 220 00:08:21,990 --> 00:08:23,939 It is known by the owner of the coin, but 221 00:08:23,940 --> 00:08:25,319 nobody else. 222 00:08:25,320 --> 00:08:27,419 The only things that are published 223 00:08:27,420 --> 00:08:29,759 actually in the block 224 00:08:29,760 --> 00:08:32,129 chain in the as part of the joint split 225 00:08:32,130 --> 00:08:34,379 statement, are these 226 00:08:34,380 --> 00:08:36,479 so-called modifiers on the left here 227 00:08:36,480 --> 00:08:39,538 and commitments on the right. 228 00:08:39,539 --> 00:08:42,719 Don't worry so much about what those are 229 00:08:42,720 --> 00:08:44,879 for the moment, but these 230 00:08:44,880 --> 00:08:47,009 are just numbers that are uniquely 231 00:08:47,010 --> 00:08:49,259 derived from the, 232 00:08:49,260 --> 00:08:51,119 uh, from the coin, from the coin 233 00:08:51,120 --> 00:08:52,739 plaintext. 234 00:08:52,740 --> 00:08:55,119 Um, and yeah, the 235 00:08:55,120 --> 00:08:57,569 fires are always used when spending 236 00:08:57,570 --> 00:08:59,219 the coin and the commitments are always 237 00:08:59,220 --> 00:09:01,409 used to create the to bring 238 00:09:01,410 --> 00:09:03,479 the coin into existence. 239 00:09:03,480 --> 00:09:05,549 Um, so since these numbers 240 00:09:05,550 --> 00:09:07,739 are different and they 241 00:09:07,740 --> 00:09:09,389 are actually derived in such a way that 242 00:09:09,390 --> 00:09:12,449 they cannot be matched to each other, 243 00:09:12,450 --> 00:09:15,059 you can't immediately trace 244 00:09:15,060 --> 00:09:17,369 a transaction, right. 245 00:09:17,370 --> 00:09:18,370 Mm. 246 00:09:19,830 --> 00:09:21,989 And this 247 00:09:21,990 --> 00:09:24,149 is called a nullifier simply because 248 00:09:24,150 --> 00:09:26,579 it's not it is a value that essentially 249 00:09:26,580 --> 00:09:29,069 nullifies the coin, right? 250 00:09:29,070 --> 00:09:30,629 It gets consumed after that. 251 00:09:30,630 --> 00:09:32,519 It is no longer a valid coin. 252 00:09:32,520 --> 00:09:34,619 And the way this works is really simple. 253 00:09:34,620 --> 00:09:37,229 I can explain this on this picture. 254 00:09:37,230 --> 00:09:39,059 Each node in the network 255 00:09:40,500 --> 00:09:42,989 simply keeps a list of all the nullifier 256 00:09:42,990 --> 00:09:44,999 as it has ever seen, and it keeps a list 257 00:09:45,000 --> 00:09:47,639 of all the commitments it has ever seen. 258 00:09:47,640 --> 00:09:49,709 And when a new joint split comes in, 259 00:09:49,710 --> 00:09:50,759 it's simply checks. 260 00:09:50,760 --> 00:09:52,439 The nullifier is against the list. 261 00:09:52,440 --> 00:09:54,989 It is already seen and 262 00:09:54,990 --> 00:09:57,359 only if it is nowhere in there. 263 00:09:57,360 --> 00:09:59,279 This is a coin that's still valid. 264 00:09:59,280 --> 00:10:00,479 So that's really simple. 265 00:10:00,480 --> 00:10:02,849 This is double spending protection. 266 00:10:02,850 --> 00:10:05,309 Very important, obviously, 267 00:10:05,310 --> 00:10:07,529 but that doesn't require any magic yet. 268 00:10:08,820 --> 00:10:10,200 What requires magic is, 269 00:10:11,670 --> 00:10:14,279 well, checking that 270 00:10:15,510 --> 00:10:17,579 I don't pull these numbers out of 271 00:10:17,580 --> 00:10:19,559 thin air, that they actually correspond 272 00:10:19,560 --> 00:10:21,299 to actual coins and that everything 273 00:10:21,300 --> 00:10:23,669 balances out. The values need to balance. 274 00:10:23,670 --> 00:10:25,229 I actually need to be the owner of the 275 00:10:25,230 --> 00:10:26,789 coins and so on. 276 00:10:26,790 --> 00:10:28,889 And explaining how that works 277 00:10:30,060 --> 00:10:31,619 is the rest of the talk. 278 00:10:34,690 --> 00:10:36,249 So this is what the joint split looks 279 00:10:36,250 --> 00:10:38,319 like and less of a picturesque 280 00:10:38,320 --> 00:10:39,879 form, more of a formal form. 281 00:10:39,880 --> 00:10:42,039 This is actually from the paper with 282 00:10:42,040 --> 00:10:43,870 slight adaptations for readability. 283 00:10:45,460 --> 00:10:47,679 You can see there are a number of number 284 00:10:47,680 --> 00:10:49,839 of values. We are not interested in most 285 00:10:49,840 --> 00:10:51,039 of them. 286 00:10:51,040 --> 00:10:53,469 But you can see the two modifiers 287 00:10:53,470 --> 00:10:55,749 here for the input coins 288 00:10:55,750 --> 00:10:57,459 and you see the commitments for the 289 00:10:57,460 --> 00:10:59,559 output coins and then you see a value 290 00:10:59,560 --> 00:11:00,560 called R t. 291 00:11:02,170 --> 00:11:04,269 That's a that 292 00:11:04,270 --> 00:11:06,879 is a number that uniquely identifies 293 00:11:06,880 --> 00:11:09,579 the set of commitments in existence 294 00:11:09,580 --> 00:11:10,779 at that moment. 295 00:11:10,780 --> 00:11:12,879 So it establishes the context 296 00:11:12,880 --> 00:11:14,649 for the nullifier as for instance, 297 00:11:16,270 --> 00:11:17,949 if you know what a Merkle tree is, this 298 00:11:17,950 --> 00:11:19,959 is actually the root of a Merkl hash 299 00:11:19,960 --> 00:11:21,039 tree. 300 00:11:21,040 --> 00:11:23,359 If you don't know what a Mercal tree is, 301 00:11:23,360 --> 00:11:24,249 don't worry. 302 00:11:24,250 --> 00:11:26,889 Simply think of it as a 303 00:11:26,890 --> 00:11:28,989 well, like I said, a unique a number 304 00:11:28,990 --> 00:11:31,239 that uniquely identifies the set of coins 305 00:11:31,240 --> 00:11:32,240 in existence. 306 00:11:33,420 --> 00:11:35,769 And then lastly, the interesting 307 00:11:35,770 --> 00:11:37,899 and most important part away at the end 308 00:11:37,900 --> 00:11:40,209 here, that little PI is a so-called proof 309 00:11:40,210 --> 00:11:42,309 of validity. And that is just a simple 310 00:11:42,310 --> 00:11:44,859 number that 311 00:11:44,860 --> 00:11:47,679 somehow with some process 312 00:11:47,680 --> 00:11:50,379 is supposed to convince us that this 313 00:11:50,380 --> 00:11:52,779 transaction is valid 314 00:11:52,780 --> 00:11:55,359 and conforms to all the things we, 315 00:11:55,360 --> 00:11:55,959 uh. 316 00:11:55,960 --> 00:11:58,359 Well, we all the 317 00:11:58,360 --> 00:12:00,459 conditions we expect from a 318 00:12:00,460 --> 00:12:01,690 valid transactions 319 00:12:03,070 --> 00:12:04,390 transaction and 320 00:12:07,360 --> 00:12:09,459 to kind of motivate how that could 321 00:12:09,460 --> 00:12:11,589 work without going into too much detail 322 00:12:11,590 --> 00:12:12,590 right now. 323 00:12:13,890 --> 00:12:15,959 Imagine if if I could 324 00:12:15,960 --> 00:12:18,539 convince somebody that I simply 325 00:12:18,540 --> 00:12:21,419 know the note plaintext 326 00:12:21,420 --> 00:12:23,699 for four notes, the two input 327 00:12:23,700 --> 00:12:25,889 notes and the two output notes, 328 00:12:25,890 --> 00:12:27,779 if I can convince somebody that I have 329 00:12:27,780 --> 00:12:30,239 these plain texts and 330 00:12:30,240 --> 00:12:32,309 that these two nullifier 331 00:12:32,310 --> 00:12:34,529 values do correspond to 332 00:12:34,530 --> 00:12:36,629 the two input points, and these 333 00:12:36,630 --> 00:12:38,729 two commitments do correspond to the two 334 00:12:38,730 --> 00:12:41,099 output coins and the values balance 335 00:12:41,100 --> 00:12:43,379 out and the two input coins actually 336 00:12:43,380 --> 00:12:45,620 exist in this country here. 337 00:12:46,920 --> 00:12:49,079 Then this is this is 338 00:12:49,080 --> 00:12:51,539 right. This is already intuitively. 339 00:12:53,100 --> 00:12:55,109 Yeah. This this is convincing of some 340 00:12:55,110 --> 00:12:56,369 sort. 341 00:12:56,370 --> 00:12:58,439 And that is basically the game plan 342 00:12:58,440 --> 00:12:59,440 for us. 343 00:13:00,360 --> 00:13:02,489 And to make 344 00:13:02,490 --> 00:13:05,279 that more more precise 345 00:13:05,280 --> 00:13:07,559 will be the will be will 346 00:13:07,560 --> 00:13:08,560 be our job. 347 00:13:09,420 --> 00:13:12,089 Now, really quickly, the titular 348 00:13:12,090 --> 00:13:13,230 Zik snarks, 349 00:13:15,330 --> 00:13:16,799 it's already been introduced. 350 00:13:16,800 --> 00:13:19,349 What it stands for is a zero knowledge, 351 00:13:19,350 --> 00:13:21,869 succinct, non interactive argument 352 00:13:21,870 --> 00:13:22,919 of knowledge. 353 00:13:22,920 --> 00:13:24,989 So this is the black this black 354 00:13:24,990 --> 00:13:27,209 box lets us do what 355 00:13:27,210 --> 00:13:29,459 I just alluded to, 356 00:13:29,460 --> 00:13:32,009 perform that proof that we know 357 00:13:32,010 --> 00:13:34,439 these are not plain texts 358 00:13:34,440 --> 00:13:35,440 and that they 359 00:13:36,690 --> 00:13:37,690 also 360 00:13:40,770 --> 00:13:42,869 satisfy our requirements. 361 00:13:42,870 --> 00:13:45,089 And this is the abstract API, really 362 00:13:45,090 --> 00:13:47,369 simplified of a Zik Snarks 363 00:13:47,370 --> 00:13:48,689 system. 364 00:13:48,690 --> 00:13:50,699 And maybe a little caveat. 365 00:13:50,700 --> 00:13:52,469 There are multiple constructions of Zucca 366 00:13:52,470 --> 00:13:55,529 snarks, not a single single one, 367 00:13:55,530 --> 00:13:58,429 but so we're talking about 368 00:13:58,430 --> 00:14:01,319 the one that is used in Zeca as cash. 369 00:14:01,320 --> 00:14:03,119 So at first there is a one time set up 370 00:14:03,120 --> 00:14:04,950 procedure. This is, by the way, 371 00:14:06,870 --> 00:14:09,329 a concept for the of some interest, 372 00:14:09,330 --> 00:14:11,549 but we also don't have time for that 373 00:14:11,550 --> 00:14:13,949 one. This was actually done 374 00:14:13,950 --> 00:14:16,109 a week prior to the launch of the 375 00:14:16,110 --> 00:14:17,819 cache, this set up procedure. 376 00:14:17,820 --> 00:14:19,889 And it's a very interesting story, if 377 00:14:19,890 --> 00:14:22,049 you want to read it. 378 00:14:22,050 --> 00:14:24,119 There are several people involved in 379 00:14:24,120 --> 00:14:26,099 there and they have written accounts on 380 00:14:26,100 --> 00:14:27,449 how it all went. 381 00:14:27,450 --> 00:14:28,979 So that's really that's really 382 00:14:28,980 --> 00:14:30,509 interesting. But we have to skip it, 383 00:14:30,510 --> 00:14:32,369 unfortunately. 384 00:14:32,370 --> 00:14:34,829 And then we have this proof procedure 385 00:14:34,830 --> 00:14:36,899 that we give some some 386 00:14:36,900 --> 00:14:39,929 inputs in our case, the note plaintext, 387 00:14:39,930 --> 00:14:42,209 and it generates this little PPI value 388 00:14:42,210 --> 00:14:44,429 that we can put into the verify 389 00:14:44,430 --> 00:14:46,769 procedure, notably 390 00:14:46,770 --> 00:14:48,179 without the inputs. 391 00:14:48,180 --> 00:14:51,449 And if that returns 392 00:14:51,450 --> 00:14:53,519 true, we should be 393 00:14:53,520 --> 00:14:56,009 convinced that 394 00:14:56,010 --> 00:14:58,169 the approver knows 395 00:14:58,170 --> 00:15:00,419 this inputs such that it satisfies 396 00:15:00,420 --> 00:15:02,549 the statement that we set the whole 397 00:15:02,550 --> 00:15:04,649 thing up for and that you just 398 00:15:04,650 --> 00:15:07,289 put into a lip snark. 399 00:15:07,290 --> 00:15:09,809 It is literally on GitHub 400 00:15:09,810 --> 00:15:10,810 and 401 00:15:12,120 --> 00:15:13,769 and your system works, 402 00:15:15,000 --> 00:15:16,169 hopefully. All right. 403 00:15:18,360 --> 00:15:20,549 So to make 404 00:15:20,550 --> 00:15:22,619 this all concrete, the so-called 405 00:15:22,620 --> 00:15:24,839 joint split statement, this is the 406 00:15:24,840 --> 00:15:27,059 the collection of the collection 407 00:15:27,060 --> 00:15:29,489 of conditions for validity 408 00:15:29,490 --> 00:15:30,419 of a transaction. 409 00:15:30,420 --> 00:15:32,819 So it is actually basically what I 410 00:15:32,820 --> 00:15:35,099 already said, the approver 411 00:15:35,100 --> 00:15:37,260 knows for notes 412 00:15:38,280 --> 00:15:40,049 that satisfy these things. 413 00:15:40,050 --> 00:15:42,269 Each note consists of four values. 414 00:15:42,270 --> 00:15:44,369 That is the address of the owner, the 415 00:15:44,370 --> 00:15:46,529 value of the node pseudo 416 00:15:46,530 --> 00:15:48,209 random number called row. 417 00:15:48,210 --> 00:15:50,339 Another random number called are these 418 00:15:50,340 --> 00:15:52,349 are of technical interest will kind of 419 00:15:52,350 --> 00:15:53,979 gloss over that. 420 00:15:53,980 --> 00:15:56,579 And these should satisfy 421 00:15:56,580 --> 00:15:58,439 the statement that the input nodes appear 422 00:15:58,440 --> 00:16:00,509 somewhere in our Merkl tree of 423 00:16:00,510 --> 00:16:01,979 existing notes. 424 00:16:01,980 --> 00:16:04,319 The of the modifiers 425 00:16:04,320 --> 00:16:05,760 correspond to the inputs, the, 426 00:16:06,930 --> 00:16:08,099 the commitments correspond to the 427 00:16:08,100 --> 00:16:10,079 outputs, the values ballons. 428 00:16:10,080 --> 00:16:12,209 And we also have spend authority for 429 00:16:12,210 --> 00:16:14,489 the inputs and then non malleability 430 00:16:14,490 --> 00:16:17,309 and uniqueness of role are 431 00:16:17,310 --> 00:16:19,469 more technical, not malleability 432 00:16:19,470 --> 00:16:21,719 means that this disjoined 433 00:16:21,720 --> 00:16:23,879 split, this proof is uniquely 434 00:16:23,880 --> 00:16:25,919 tied to this particular joint split and 435 00:16:25,920 --> 00:16:28,199 uniqueness of role is similar 436 00:16:28,200 --> 00:16:30,329 for the for the pseudo 437 00:16:30,330 --> 00:16:32,429 random number that has to be actually 438 00:16:32,430 --> 00:16:33,430 pseudo random. 439 00:16:34,530 --> 00:16:36,770 All right, so sorry, 440 00:16:37,980 --> 00:16:39,209 let's go back for one second, 441 00:16:41,400 --> 00:16:43,169 how do we encode this in a form that the 442 00:16:43,170 --> 00:16:45,419 Zech Snarks system can actually 443 00:16:45,420 --> 00:16:46,799 make sense of it? 444 00:16:46,800 --> 00:16:48,869 So if any if there are any programmers in 445 00:16:48,870 --> 00:16:50,999 the audience, you 446 00:16:51,000 --> 00:16:53,459 know how to encode lots of things in 447 00:16:53,460 --> 00:16:54,539 some sorts of code 448 00:16:56,250 --> 00:16:58,739 in this picture on the next slide should 449 00:16:58,740 --> 00:17:00,809 probably look familiar to many. 450 00:17:00,810 --> 00:17:03,119 This is a boolean logic 451 00:17:03,120 --> 00:17:05,409 or a circuit diagram of a boolean 452 00:17:05,410 --> 00:17:07,889 circuit and that computes 453 00:17:07,890 --> 00:17:10,078 some logical function. 454 00:17:10,079 --> 00:17:12,239 This is just a stupid toy example, 455 00:17:12,240 --> 00:17:14,219 of course, that takes some inputs on the 456 00:17:14,220 --> 00:17:16,559 left. Then these boolean values 457 00:17:16,560 --> 00:17:18,328 run along. These wires are combined by 458 00:17:18,329 --> 00:17:21,209 these gates here and you get some output 459 00:17:21,210 --> 00:17:23,399 value to the right. 460 00:17:23,400 --> 00:17:25,559 Um, now, 461 00:17:25,560 --> 00:17:27,598 you know, this is this is enough to do 462 00:17:27,599 --> 00:17:29,249 all the things in your computer. 463 00:17:29,250 --> 00:17:31,319 So this could be intuitive as a way 464 00:17:31,320 --> 00:17:32,999 of encoding things. 465 00:17:33,000 --> 00:17:34,979 However, it turns out booleans are 466 00:17:34,980 --> 00:17:37,019 mathematically not that nice because 467 00:17:37,020 --> 00:17:38,939 everything immediately collapses to zero 468 00:17:38,940 --> 00:17:41,069 or one. So what does snarks 469 00:17:41,070 --> 00:17:43,799 and Zarkasih actually use is a 470 00:17:43,800 --> 00:17:45,899 variant call, an arithmetic circuit 471 00:17:45,900 --> 00:17:48,209 where the values along the 472 00:17:48,210 --> 00:17:50,699 wires are actual 473 00:17:50,700 --> 00:17:53,039 football numbers and 474 00:17:53,040 --> 00:17:55,859 the gates perform the 475 00:17:55,860 --> 00:17:58,289 arithmetic, basic operations of addition 476 00:17:58,290 --> 00:17:59,939 or multiplication. 477 00:17:59,940 --> 00:18:03,029 So this is another toy example 478 00:18:03,030 --> 00:18:05,519 as a circuit for adding two numbers 479 00:18:05,520 --> 00:18:07,979 and squaring them and then multiplying 480 00:18:07,980 --> 00:18:08,980 by a certain number. 481 00:18:10,440 --> 00:18:12,419 And as it turns out, we can use these 482 00:18:12,420 --> 00:18:14,159 arithmetic circuits also to represent 483 00:18:14,160 --> 00:18:15,269 boolean operations. 484 00:18:15,270 --> 00:18:18,239 This is just this this is multiplication. 485 00:18:18,240 --> 00:18:20,339 And if you consider the inputs 486 00:18:20,340 --> 00:18:22,709 restricted simply to the set of values, 487 00:18:22,710 --> 00:18:24,869 zero or one, the output is also 488 00:18:24,870 --> 00:18:27,149 zero or one. And it this one, if and only 489 00:18:27,150 --> 00:18:29,279 if both inputs are 490 00:18:29,280 --> 00:18:29,819 one. 491 00:18:29,820 --> 00:18:32,849 So that's that's Boolean and 492 00:18:32,850 --> 00:18:35,249 here's Boolean not that's the function 493 00:18:35,250 --> 00:18:36,329 one minus X 494 00:18:37,470 --> 00:18:40,219 that is zero if X is one and it's one 495 00:18:40,220 --> 00:18:41,220 zero. 496 00:18:41,700 --> 00:18:43,859 So we can, we can do a lot with these 497 00:18:43,860 --> 00:18:46,199 circuits. We can encode all kinds of 498 00:18:46,200 --> 00:18:48,449 well. Expressions or functions in 499 00:18:48,450 --> 00:18:50,609 them. But what we 500 00:18:50,610 --> 00:18:52,799 have in our joint split statement 501 00:18:52,800 --> 00:18:54,029 are actually conditions. 502 00:18:54,030 --> 00:18:55,949 Right. Things like this value has to 503 00:18:55,950 --> 00:18:58,049 equal that value, although some of that 504 00:18:58,050 --> 00:18:59,069 value ourselves. 505 00:19:00,850 --> 00:19:02,189 How do we get there? 506 00:19:02,190 --> 00:19:03,959 And for that, we need to introduce the 507 00:19:03,960 --> 00:19:05,549 concept of satisfy ability. 508 00:19:06,780 --> 00:19:09,119 So, again, 509 00:19:09,120 --> 00:19:10,409 this arithmetic circuit 510 00:19:12,420 --> 00:19:14,519 we call it satisfies liable if we can 511 00:19:14,520 --> 00:19:17,069 find an assignment for the input values 512 00:19:17,070 --> 00:19:19,199 here such that the output becomes 513 00:19:19,200 --> 00:19:21,509 zero y zero, 514 00:19:21,510 --> 00:19:23,729 because that immediately 515 00:19:23,730 --> 00:19:25,799 leads us to satisfy ability of 516 00:19:25,800 --> 00:19:26,800 equations. 517 00:19:27,570 --> 00:19:28,949 So consider maybe 518 00:19:30,330 --> 00:19:32,159 this equation at the top here. 519 00:19:32,160 --> 00:19:34,709 If we want to know whether 520 00:19:34,710 --> 00:19:36,839 this is satisfied by some assignment to 521 00:19:36,840 --> 00:19:37,849 X, Y and Z. 522 00:19:39,300 --> 00:19:42,059 Well, to your high school math, 523 00:19:42,060 --> 00:19:44,009 instead of talking about equality, talk 524 00:19:44,010 --> 00:19:46,559 about the two sides being equal. 525 00:19:46,560 --> 00:19:48,659 Talk about the difference between the two 526 00:19:48,660 --> 00:19:49,919 sides being zero. 527 00:19:49,920 --> 00:19:52,200 So just transform it like this. 528 00:19:53,520 --> 00:19:55,409 Build an arithmetic circuit to represent 529 00:19:55,410 --> 00:19:57,509 the left side and then 530 00:19:57,510 --> 00:19:59,279 talk about satisfy the ability of that 531 00:19:59,280 --> 00:20:01,559 circuit so that this 532 00:20:01,560 --> 00:20:03,179 left hand side becomes zero. 533 00:20:03,180 --> 00:20:05,279 And then you know that these 534 00:20:05,280 --> 00:20:06,280 values 535 00:20:07,350 --> 00:20:09,479 satisfy that equation. 536 00:20:09,480 --> 00:20:11,039 And Zeca snarks, 537 00:20:12,270 --> 00:20:14,159 not just allow you to prove, well, 538 00:20:14,160 --> 00:20:16,349 satisfy ability itself, and that is 539 00:20:16,350 --> 00:20:17,579 existence of any 540 00:20:18,630 --> 00:20:20,939 of any assignment that satisfies it. 541 00:20:20,940 --> 00:20:23,219 But it allows 542 00:20:23,220 --> 00:20:25,289 us to prove knowledge of the part 543 00:20:25,290 --> 00:20:27,209 of the actual assignment. 544 00:20:27,210 --> 00:20:27,689 Right. 545 00:20:27,690 --> 00:20:30,689 So our note plaintext. 546 00:20:31,770 --> 00:20:34,139 So this is kind of our game plan. 547 00:20:34,140 --> 00:20:36,239 You can you can you probably have a 548 00:20:36,240 --> 00:20:36,779 picture. 549 00:20:36,780 --> 00:20:39,149 Now, our plan is 550 00:20:39,150 --> 00:20:41,309 to encode the joint split statement that 551 00:20:41,310 --> 00:20:43,769 you've seen in 552 00:20:43,770 --> 00:20:45,929 formal equations and 553 00:20:45,930 --> 00:20:48,149 such, then turn all those into 554 00:20:48,150 --> 00:20:50,429 an arithmetic circuit, plug that into 555 00:20:50,430 --> 00:20:52,679 our lips, snark, 556 00:20:52,680 --> 00:20:54,599 and use it to prove knowledge of the 557 00:20:54,600 --> 00:20:56,849 notes such that the circuit is satisfied. 558 00:20:59,340 --> 00:21:01,349 Now, if we want to 559 00:21:02,700 --> 00:21:04,829 think back, what 560 00:21:04,830 --> 00:21:06,509 what is it actually that we have to 561 00:21:06,510 --> 00:21:07,409 encode and the joints. 562 00:21:07,410 --> 00:21:09,929 But what are the ingredients? 563 00:21:09,930 --> 00:21:12,269 I said something about a hash stream, 564 00:21:12,270 --> 00:21:14,369 the these commitments involved, 565 00:21:14,370 --> 00:21:15,929 and I mentioned the pseudo random 566 00:21:15,930 --> 00:21:16,379 function. 567 00:21:16,380 --> 00:21:17,829 And finally, for the balance, we need to 568 00:21:17,830 --> 00:21:18,830 regular arithmetic. 569 00:21:20,550 --> 00:21:22,679 So the first three of these 570 00:21:22,680 --> 00:21:24,779 are actually all instantiated with 571 00:21:24,780 --> 00:21:27,029 a hash function that, you know, Shahd, 572 00:21:27,030 --> 00:21:28,030 two, five, six. 573 00:21:29,100 --> 00:21:31,169 So we basically just need to build an 574 00:21:31,170 --> 00:21:32,999 arithmetic circuit for Shata five, six 575 00:21:33,000 --> 00:21:34,949 and then the rest. As variations of that 576 00:21:36,960 --> 00:21:39,929 shot, five, six, if you've ever seen 577 00:21:39,930 --> 00:21:42,239 a description of it, contains 578 00:21:42,240 --> 00:21:44,649 lots of binary operations, arithmetic 579 00:21:44,650 --> 00:21:47,249 on binary numbers, and 580 00:21:47,250 --> 00:21:49,719 so the Z cache implementation 581 00:21:49,720 --> 00:21:51,959 or zero cache actually chooses 582 00:21:51,960 --> 00:21:54,089 the route of representing all the 583 00:21:54,090 --> 00:21:56,639 numbers natively as binary. 584 00:21:56,640 --> 00:21:58,649 So if you have, say, a thirty two bit 585 00:21:58,650 --> 00:22:00,929 number, you take thirty two wires, each 586 00:22:00,930 --> 00:22:03,749 of them carrying only a zero or one. 587 00:22:03,750 --> 00:22:06,329 And only if you need the actual direct 588 00:22:06,330 --> 00:22:07,889 representation, let's say for your 589 00:22:07,890 --> 00:22:10,079 balance arithmetic, you convert that 590 00:22:10,080 --> 00:22:12,239 with an automatic circuit that simply 591 00:22:12,240 --> 00:22:14,759 computes the value of 592 00:22:14,760 --> 00:22:17,039 the binary representation 593 00:22:17,040 --> 00:22:19,749 with the regular formula there. 594 00:22:19,750 --> 00:22:21,899 You can also go back with 595 00:22:21,900 --> 00:22:24,089 us with a little trick that I don't 596 00:22:24,090 --> 00:22:25,769 want to get into. 597 00:22:25,770 --> 00:22:27,389 So not so as not to confuse. 598 00:22:27,390 --> 00:22:29,039 And you can also do a thing like, well, 599 00:22:29,040 --> 00:22:31,139 bit shifting or other permutations 600 00:22:31,140 --> 00:22:33,809 of the bits simply by, well, 601 00:22:33,810 --> 00:22:36,329 commuting, the wiring and the 602 00:22:36,330 --> 00:22:37,409 correct way. 603 00:22:37,410 --> 00:22:40,109 So this will be a big shift by two 604 00:22:40,110 --> 00:22:42,479 and you get the get the values in 605 00:22:42,480 --> 00:22:45,149 at the bottom and then. 606 00:22:45,150 --> 00:22:47,429 Yeah, reroute everything to 607 00:22:47,430 --> 00:22:48,430 places to the right. 608 00:22:50,550 --> 00:22:52,679 And so this should already give you 609 00:22:52,680 --> 00:22:54,749 a good idea of what to do. 610 00:22:54,750 --> 00:22:56,309 Right. You just need to look up, try to 611 00:22:56,310 --> 00:22:58,529 forsakes, take all the pieces, 612 00:22:58,530 --> 00:23:00,719 transform them all into these, into these 613 00:23:00,720 --> 00:23:02,759 arithmetic circles, just combine 614 00:23:02,760 --> 00:23:04,109 everything together. 615 00:23:04,110 --> 00:23:06,359 And when you're done, it looks 616 00:23:06,360 --> 00:23:07,360 something like this. 617 00:23:08,430 --> 00:23:10,619 Um, so this is from the zero 618 00:23:10,620 --> 00:23:12,419 cache paper. 619 00:23:12,420 --> 00:23:14,069 They have this wonderful salad in there, 620 00:23:14,070 --> 00:23:17,219 which is basically just boil it all down. 621 00:23:17,220 --> 00:23:19,319 So the H here that shanteau five 622 00:23:19,320 --> 00:23:20,489 six. 623 00:23:20,490 --> 00:23:22,680 Um, you see that a lot, 624 00:23:24,270 --> 00:23:26,039 but actually not that much more. 625 00:23:26,040 --> 00:23:27,539 There's a concatenation, right. 626 00:23:27,540 --> 00:23:30,119 This, this bar, there are some constants 627 00:23:30,120 --> 00:23:31,799 and there's regular arithmetic on 628 00:23:31,800 --> 00:23:33,989 numbers. So this, this down here 629 00:23:33,990 --> 00:23:36,329 is the is the balancing and 630 00:23:36,330 --> 00:23:38,129 some values plus some other values have 631 00:23:38,130 --> 00:23:39,789 to equal some values. 632 00:23:39,790 --> 00:23:41,879 Uh, here's here's here's a check for 633 00:23:41,880 --> 00:23:44,519 overflow. That's also easy to represent. 634 00:23:44,520 --> 00:23:45,520 If you think about it. 635 00:23:46,740 --> 00:23:48,629 Here is the condition that the 636 00:23:48,630 --> 00:23:50,609 commitments are formed correctly. 637 00:23:50,610 --> 00:23:52,679 Here's the nullifier being formed 638 00:23:52,680 --> 00:23:53,699 correctly. 639 00:23:53,700 --> 00:23:55,319 And the only thing that's missing from 640 00:23:55,320 --> 00:23:57,479 this picture is the the Merkle 641 00:23:57,480 --> 00:23:59,699 tree look up because that didn't fit 642 00:23:59,700 --> 00:24:00,689 on a single line. 643 00:24:00,690 --> 00:24:03,059 So they don't have it in the paper. 644 00:24:03,060 --> 00:24:04,079 Too bad. 645 00:24:04,080 --> 00:24:05,580 Yeah, but 646 00:24:07,710 --> 00:24:08,710 that's basically it. 647 00:24:09,990 --> 00:24:12,239 So I think 648 00:24:12,240 --> 00:24:14,220 we have like seven minutes for questions. 649 00:24:21,420 --> 00:24:23,899 A short Q&A right now. 650 00:24:23,900 --> 00:24:25,520 Please come up to the microphones. 651 00:24:28,400 --> 00:24:29,400 Number four, 652 00:24:31,820 --> 00:24:32,899 assuming that 653 00:24:34,010 --> 00:24:36,439 there is a bug and that someone 654 00:24:36,440 --> 00:24:38,839 can create 655 00:24:38,840 --> 00:24:40,999 money out of thin air 656 00:24:41,000 --> 00:24:42,529 using this anonymous. 657 00:24:43,850 --> 00:24:45,349 Is there a way that 658 00:24:47,370 --> 00:24:49,759 that the community can at some point 659 00:24:49,760 --> 00:24:52,039 see that there is much more 660 00:24:54,170 --> 00:24:55,889 coin then? Then there should be. 661 00:24:55,890 --> 00:24:56,890 Yeah. 662 00:24:59,330 --> 00:25:00,330 So 663 00:25:02,060 --> 00:25:03,139 not immediately. 664 00:25:03,140 --> 00:25:04,609 And this is actually one of the big 665 00:25:04,610 --> 00:25:05,610 dangers. 666 00:25:06,260 --> 00:25:08,119 So it's a very good question. 667 00:25:08,120 --> 00:25:09,679 One thing that you can see, if you 668 00:25:09,680 --> 00:25:11,809 remember the slide 669 00:25:11,810 --> 00:25:13,429 with the joint split statement, you can 670 00:25:13,430 --> 00:25:15,589 see when when coins are created 671 00:25:15,590 --> 00:25:17,009 and you can see when they are spent. 672 00:25:17,010 --> 00:25:19,729 So at any time the 673 00:25:19,730 --> 00:25:21,829 system has a picture of how many coins 674 00:25:21,830 --> 00:25:23,809 have been created so far and how many 675 00:25:23,810 --> 00:25:25,519 points have already been spent. 676 00:25:25,520 --> 00:25:27,619 But it's not that, of 677 00:25:27,620 --> 00:25:29,569 course, doesn't give you exactly what you 678 00:25:29,570 --> 00:25:31,639 want. And there has actually 679 00:25:31,640 --> 00:25:34,399 been talk about 680 00:25:34,400 --> 00:25:36,739 extending the system in the future to 681 00:25:36,740 --> 00:25:38,899 include a sort of 682 00:25:38,900 --> 00:25:41,779 regular account 683 00:25:41,780 --> 00:25:44,329 where they where every node is 684 00:25:44,330 --> 00:25:46,759 required to regularly 685 00:25:46,760 --> 00:25:48,649 transfer all their money into the 686 00:25:48,650 --> 00:25:50,809 transparent world and 687 00:25:50,810 --> 00:25:52,339 then at their leisure, transfer them 688 00:25:52,340 --> 00:25:54,019 back. So it doesn't it wouldn't actually 689 00:25:54,020 --> 00:25:55,909 hurt your anonymity, but that's not in 690 00:25:55,910 --> 00:25:56,910 there yet. 691 00:25:57,650 --> 00:25:59,659 Thank you. OK, one question from the 692 00:25:59,660 --> 00:26:00,660 Internet. 693 00:26:01,840 --> 00:26:04,029 Is a split in the of 694 00:26:04,030 --> 00:26:05,650 the chain's cash possible, 695 00:26:06,760 --> 00:26:07,719 a fork? You mean? 696 00:26:07,720 --> 00:26:10,329 Yes, that 697 00:26:10,330 --> 00:26:12,789 would work exactly as in Bitcoin. 698 00:26:12,790 --> 00:26:15,009 So, yeah, the all 699 00:26:15,010 --> 00:26:17,589 the all the conditions 700 00:26:17,590 --> 00:26:19,839 and everything are enforced by the same 701 00:26:19,840 --> 00:26:21,609 sort of consensus mechanism as in 702 00:26:21,610 --> 00:26:22,610 Bitcoin. 703 00:26:23,950 --> 00:26:26,079 And the last one, microphone number 704 00:26:26,080 --> 00:26:27,080 eight. 705 00:26:28,000 --> 00:26:29,000 Yes, 706 00:26:30,550 --> 00:26:32,109 I was wondering if you've 707 00:26:33,250 --> 00:26:35,709 kind of looked at the funding aspect 708 00:26:35,710 --> 00:26:37,839 and the ethical aspects and the 709 00:26:37,840 --> 00:26:39,909 algorithm of of Zied Cash, and 710 00:26:39,910 --> 00:26:41,619 I was wondering what you think about 711 00:26:41,620 --> 00:26:44,199 those, because when I looked 712 00:26:44,200 --> 00:26:46,389 at how they're funded and 713 00:26:46,390 --> 00:26:48,550 what the algorithm, 714 00:26:49,600 --> 00:26:53,079 how the algorithm is collecting 715 00:26:53,080 --> 00:26:54,789 money for the developers and for the 716 00:26:54,790 --> 00:26:56,979 investors, I found that in the 717 00:26:56,980 --> 00:26:59,229 first four years, 20 percent of 718 00:26:59,230 --> 00:27:01,419 all the coins will go to the 719 00:27:01,420 --> 00:27:04,059 developers and 720 00:27:04,060 --> 00:27:04,989 the investors. 721 00:27:04,990 --> 00:27:06,939 And after that, it stops. 722 00:27:06,940 --> 00:27:09,219 And the total amount that will ever 723 00:27:09,220 --> 00:27:10,869 be made of coins, 724 00:27:12,100 --> 00:27:14,739 10 percent of those will then be 725 00:27:14,740 --> 00:27:16,899 for the developers and the investors. 726 00:27:16,900 --> 00:27:19,539 What do you think ethically 727 00:27:19,540 --> 00:27:21,099 about the choice they make there? 728 00:27:21,100 --> 00:27:24,189 Because they are kind of 729 00:27:24,190 --> 00:27:26,619 algorithmically programing 730 00:27:26,620 --> 00:27:27,709 the inequality? 731 00:27:27,710 --> 00:27:29,380 Well, OK, um. 732 00:27:30,510 --> 00:27:31,510 So. 733 00:27:32,490 --> 00:27:34,679 I can, of course, only speak from my 734 00:27:34,680 --> 00:27:37,079 own interpretation of this, 735 00:27:37,080 --> 00:27:39,179 and I will admit I didn't look at it 736 00:27:39,180 --> 00:27:40,649 too closely because I was mostly 737 00:27:40,650 --> 00:27:41,909 interested in the technical side. 738 00:27:41,910 --> 00:27:44,039 But the way I interpret it is that I 739 00:27:44,040 --> 00:27:45,040 think they did this 740 00:27:48,030 --> 00:27:50,279 this way, that 741 00:27:50,280 --> 00:27:52,630 in order to, um. 742 00:27:55,140 --> 00:27:57,570 Have an alternative that's better than 743 00:27:58,820 --> 00:28:01,109 than than a pre 744 00:28:01,110 --> 00:28:02,099 mine. 745 00:28:02,100 --> 00:28:03,869 I think they didn't want to do the pre 746 00:28:03,870 --> 00:28:06,029 mining thing that some currencies do 747 00:28:06,030 --> 00:28:08,429 where the where the initial developers 748 00:28:08,430 --> 00:28:10,559 just just generate a bunch of coins 749 00:28:10,560 --> 00:28:11,579 and then they own. 750 00:28:12,720 --> 00:28:15,149 And they also have the slow start mining, 751 00:28:15,150 --> 00:28:16,470 which I couldn't mention. 752 00:28:17,670 --> 00:28:19,769 That means that the first 753 00:28:19,770 --> 00:28:22,019 time, the first few blocks, 754 00:28:22,020 --> 00:28:24,359 I don't know how many the 755 00:28:24,360 --> 00:28:26,549 the mining reward is lower 756 00:28:26,550 --> 00:28:28,199 and it slowly ramps up. 757 00:28:28,200 --> 00:28:30,359 And I think they did those 758 00:28:30,360 --> 00:28:32,819 things in order to avoid 759 00:28:32,820 --> 00:28:34,919 a situation where the developers have 760 00:28:34,920 --> 00:28:37,049 a lot of power concentrated in 761 00:28:37,050 --> 00:28:39,209 the beginning. And I think this phoners 762 00:28:39,210 --> 00:28:41,999 reward that you mentioned where it is 763 00:28:42,000 --> 00:28:43,979 put into the algorithm, that for the 764 00:28:43,980 --> 00:28:46,049 first four years they get a percentage of 765 00:28:46,050 --> 00:28:48,569 all the mined coins is basically to just 766 00:28:48,570 --> 00:28:50,699 balance that out, to do that in a fashion 767 00:28:50,700 --> 00:28:51,599 that's transparent. 768 00:28:51,600 --> 00:28:53,459 I think that's the intention. 769 00:28:53,460 --> 00:28:55,739 Um, apart from that, you 770 00:28:55,740 --> 00:28:58,469 said about 771 00:28:58,470 --> 00:29:00,569 basically algorithmically making this 772 00:29:00,570 --> 00:29:01,529 choice. 773 00:29:01,530 --> 00:29:03,719 So how do I interpret 774 00:29:03,720 --> 00:29:04,719 that ethically? 775 00:29:04,720 --> 00:29:06,120 I would say, well. 776 00:29:07,640 --> 00:29:10,099 It is put by them into the algorithm, 777 00:29:10,100 --> 00:29:12,799 but it's still the the network consensus 778 00:29:12,800 --> 00:29:14,209 that confirms it. 779 00:29:14,210 --> 00:29:15,919 So there's absolutely not nothing 780 00:29:15,920 --> 00:29:18,019 stopping the the network 781 00:29:18,020 --> 00:29:19,399 to democratically decide. 782 00:29:19,400 --> 00:29:21,559 We want only half the share 783 00:29:21,560 --> 00:29:23,359 for the founders or no share at all. 784 00:29:23,360 --> 00:29:25,339 And there is actually there's an 785 00:29:25,340 --> 00:29:27,139 basically or an alternative Vikash. 786 00:29:27,140 --> 00:29:29,179 I don't know if it took off or not that 787 00:29:29,180 --> 00:29:30,949 that just simply rips out the founder's 788 00:29:30,950 --> 00:29:31,459 award. 789 00:29:31,460 --> 00:29:34,249 And there's also another one that simply 790 00:29:34,250 --> 00:29:35,719 that replaces it with something else 791 00:29:35,720 --> 00:29:38,329 entirely. So there's a big discussion 792 00:29:38,330 --> 00:29:39,259 to be had about that. 793 00:29:39,260 --> 00:29:40,879 And I think it's pretty interesting, but 794 00:29:40,880 --> 00:29:43,429 that's basically my interpretation. 795 00:29:43,430 --> 00:29:44,430 Thank you. 796 00:29:45,060 --> 00:29:47,129 One more question, Mike 797 00:29:47,130 --> 00:29:48,130 seven. 798 00:29:49,210 --> 00:29:51,159 Yes, you already went into this a little 799 00:29:51,160 --> 00:29:53,739 bit, but I wonder what 800 00:29:53,740 --> 00:29:56,739 alternative zero cash 801 00:29:56,740 --> 00:29:58,509 solutions you have looked into because, 802 00:29:58,510 --> 00:30:00,589 for example, there exists Monero 803 00:30:00,590 --> 00:30:02,799 money, which is 804 00:30:02,800 --> 00:30:04,599 based on a different hashing algorithm, I 805 00:30:04,600 --> 00:30:06,189 guess, but I don't really know what the 806 00:30:06,190 --> 00:30:07,629 difference is. Yeah. 807 00:30:07,630 --> 00:30:09,789 Um, I have to admit, I am not 808 00:30:09,790 --> 00:30:10,779 familiar with Monero. 809 00:30:10,780 --> 00:30:13,479 I know only that Monero uses 810 00:30:13,480 --> 00:30:14,709 something called ring signatures. 811 00:30:14,710 --> 00:30:16,749 So there's some some math magic in there 812 00:30:16,750 --> 00:30:18,519 as well. But I haven't looked at the 813 00:30:18,520 --> 00:30:19,969 differences to that. 814 00:30:19,970 --> 00:30:22,119 I yeah, I'm I'm 815 00:30:22,120 --> 00:30:24,069 guessing that the privacy guarantees that 816 00:30:24,070 --> 00:30:26,259 they can make are less strong than 817 00:30:26,260 --> 00:30:27,549 the ones in cash. 818 00:30:27,550 --> 00:30:29,859 But, um, I yeah. 819 00:30:29,860 --> 00:30:30,880 I don't know the details. 820 00:30:32,990 --> 00:30:35,119 And this is it for tonight, 821 00:30:35,120 --> 00:30:37,279 please. A round of applause for 822 00:30:37,280 --> 00:30:38,280 our lost.