 Okay, how about this? Okay. So, according to this, Bitcoin, privacy, Zcash, origins, things you can do and also no questions about the prices of ICOs. Okay, I'm ready. And then, so if I only talk for 30 minutes, then we'll have lots and lots of time for questions. Right? How long can we, because then we can have lots of questions for sure. Okay, so it seems like, so I have two slide decks here and maybe I'll just switch it between them, depending on how technical you guys want it. Let me start with the introductory facts and then let me see if you already know all that. Okay, you already know about blockchains, right? That's a blockchain. And I like to say that the important properties of blockchains are that you can't go back and change your story later, which is called append only or immutable. And you can't give two different stories to two different people using the same blockchain, which I call canonical. This is a picture of encryption and the important thing you get from encryption isn't that nobody can see the data, it's that you get to control who gets to see the data. So I call that selective disclosure. So Zcash is the first thing that, as far as I know, is the first thing that combined those two properties, append only and canonical along with selective disclosure. Zcash is a blockchain with encryption added. And here is, so you know about Bitcoin, right? And you already know that Bitcoin is actually just a Microsoft Excel spreadsheet with a sender and a recipient and an amount. And the magical thing about Bitcoin that was the big breakthrough was that everyone in the world can have the same version of the Excel spreadsheet visible on their computer at the same time. So that's the consensus magic, which is the breakthrough in Bitcoin. But once you have the consensus magic, then you just implement money like this, right? You append a new row to the spreadsheet whenever you want to transfer money, transact. You all know that, right? Does that make sense? 
I should definitely go way faster than that. This is Zcash as an Excel spreadsheet. This might be the first thing I said you don't know is that Zcash uses encryption to conceal the sender and recipient and amount transacted. And then it adds this new column, which is a zero knowledge proof of the correctness of the encrypted transaction. Did you know that? Okay. All right. So do you know what a zero knowledge proof is? Okay, nobody does. I don't really know what a zero knowledge proof is. Here's one metaphor for a zero knowledge proof. Suppose you had a friend who was color blind and you had two balls of two different colors, but they looked like they were the same color to your friend. And your friend thinks that you're fooling him and that you actually have two gray balls instead of one green ball and one red ball. And you want to prove to him that the balls are different, but you don't want to let him know which one is red. So it's really easy to prove that they're different if you can tell him the fact. You can do it something. But if you want to make it so that you convince him that the balls are different, but you don't give him the information about which ball is which, how do you do that? The way you can do that is with an interactive protocol where your friend takes the two balls and holds them behind his back and either swaps them or he doesn't, but he doesn't tell you which he did, right? And then he shows them to you and you tell him whether or not he swapped them. Then he knows that either you can see the difference between the balls or you got really lucky and you're still bluffing. So then he repeats that process like a hundred times in a row. And if you can always tell whether or not he swapped a hundred times in a row, now he becomes convinced that you can see the difference between the balls. But because we did this weird protocol, he didn't learn any information about which ball is which. 
So that's a very simple metaphor for a zero-knowledge proof, which I guess is due to Oded Goldreich.
Okay, well, you guys are obviously way more geeky than the last audience I talked to. So let's switch to the geeky slides. Here's different ways to add privacy to things. Like the first lightning talk described, you might not be able to see, speaking of colorblindness, you can't tell that these are two different colors on this display, but what's that? Do you know about how stealth addresses work in Bitcoin or Monero? But do you want to? Okay, good. We still have 25 minutes. You might have a question.
A stealth address is, suppose you want to, somebody tells you their address, like their Bitcoin address, and you want to send them a payment. And then later you want to send them a second payment, and you don't want someone watching the blockchain to be able to link those two, to recognize from the fact that you're reusing the same address they'll know that you're paying the same person. Stealth addresses is a way to generate a new address each time. And all of the generated stealth addresses are public keys that correspond to the recipient's private key. So with his private key he can decrypt or receive each such payment. It's a lot like HD wallets. I think with HD wallets you have to generate the addresses with the private key. The difference is with stealth addresses, maybe some versions of HD wallets do allow this, where someone who doesn't have the private key can generate more public keys for you. So yeah, okay, so it's very much like HD wallets. So the important thing with stealth addresses is you don't have the private key, you just have someone's public key, and you can generate a new public key for them, which will work for them, but no one will be able to recognize that private key is corresponding to their private key. Now I need someone to come back in. We're gonna have to do this every six minutes from now on. Right.
For every private key there's many public keys, and you can come up with any one of the public keys without using the private key. You can look at a public key and you can generate more public keys. So if you have that, then when you want to make payments to someone, you make a new one of their public keys for every time you're gonna make a payment. And this makes it so that someone looking at the blockchain doesn't recognize the recurring use of their original public key. So, this is gonna make it hard for someone looking at the blockchain to recognize the recipient of a transaction. It's not gonna do anything for the amount of the Bitcoin payment, or Monero or Zcash. It's not gonna do any, the stealth addresses by themselves won't hide the amount you send. Right. And by themselves they won't hide anything about the sender. You'll still have the same, you will still be visible as the sender. So, this means, this technique is red for the sender and the transaction details like the amount and attached metadata and stuff. Meaning it doesn't protect that, but it protects the recipient.
Here's another technique, confidential transactions. This is a form of encryption that you can use with the blockchain to encrypt the value. And it, you can accompany it with a proof that the value is in the right range. Like, you're not spending money you didn't have. So, confidential transactions don't do anything to protect the sender or the recipient, but they can conceal the value you post in the transaction.
Now, this is a technique, you know about CoinJoin? You all know CoinJoin. What's that? Yeah, it's allowing mixers, exactly. Yeah, so there's a series of different improvements inside here. The guy who did the first lightning talk described some of these technologies. Mixers are the lowest tech one that was deployed first for Bitcoin where a bunch of people send their money to a third party and ask him to please resend it to the ultimate recipients.
But, and there's more sophisticated ways to do it such as the ring signatures that we talked about earlier. But, in general, they have the property that you're choosing a set of decoys, I call them. So, the transaction that people see on the blockchain, it's, the way it's spelled out, it basically says one of these five sending addresses sent some money to this receiving address, right? And the, and one of those five is the real one and the other four are decoys. And this protects the sending address sort of. This is like a yellow, it's not really green like those ones are. Like, these are really strong. This is, well, it's pretty strong if combined with other things. This is really strong. This is like total encryption, which means you can't learn anything about the value if you don't have the decryption key. But, this is weak, really, decoys. I'll show you why in a minute.
And then the last one that was also mentioned in the first lightning talk is zk-SNARKs, or zero knowledge proofs in general. SNARKs is one particular way to do zero knowledge proofs, but zero knowledge proofs in general can be used to protect the amount transferred and the sender. And it's really strong. It actually, it actually makes it so that, well, I'll show you how in, in Zcash, we can make it so that you don't learn almost anything about the sender. I'll see if I can explain what I mean by that in a second.
So, if you took something like Bitcoin and added confidential transactions to it, you would just get this. You, you, you would still have a publicly visible graph of every address that has paid every single address. The only thing that would not be visible is how much they paid. And then the modern version of Monero, which is descended from this, but the modern version of Monero uses three different techniques put together. So, the modern version of Monero uses stealth addresses and confidential transactions and a mix-in technique, which is ring, ring signatures.
So, it's good on those two, but it's, it's weak on the sender privacy, because the decoy system only provides about a small number. Like, it currently in Monero, the number is five, but specifically what the number, whether it's five or 50, doesn't make much difference, I think, for this. So, Zcash combines zk-SNARKs with stealth addresses, so that we get strong protection of that one, and this gives strong protection of the other two. So, that's why we say we get a green light in each of those three columns here.
You want me to explain why decoys are fragile, or go on and talk about Zcash? Okay. So, I said we have the zero-knowledge proofs. A zero-knowledge proof is a general-purpose thing where you can prove not only that two balls are different colors, but also anything that you can write down in a sufficiently short program. You can then prove something about it. Now, the way I think about it, you can think about it as you have a document and you prove a truth about the contents of the document without revealing the document. But, I'm a programmer, so the way I think about it is you have a program and you can prove that a certain string is the output of running your program without revealing what the input was. It's really easy to make a non-zero knowledge, a proof which allows knowledge. If I want to prove to you that a certain string is the output from a certain program, I can just give you the inputs and then you can run the program and then you'll be persuaded that the string is the output. Makes sense? So, the weird thing about a zero-knowledge proof or the important difference is that I can give you a mathematical proof that I couldn't have come up with this big number if I hadn't run the program with some inputs that produce this output. So, I can prove to you that the output is an output from the program without revealing the inputs. So, in Zcash, we use that, and this is the program we use, and what this program says is like this.
This is a Merkle tree. You all know about Merkle trees? Merkle trees are great. For a long time, whenever we were inventing things, we would figure out that there's another data structure called the Bloom filter. You know about Bloom filters? Bloom filters aren't great. They never work. So, for a long time, we would always think, oh, we should use a Bloom filter for this, and then we'd say, oh, no, the false positives totally ruin it. It doesn't work if you throw it out, forget it. And then we'd say, oh, let's use a Merkle tree for this. It always works. Merkle trees are great. So, we started calling ourselves the Merkle Tree Huggers Club, and this is, this Merkle tree is serving to prove that all of these CMs, CMs are coins, but they're not a fixed denomination. They're like UTXOs, really. CMs are UTXOs. We sometimes call them notes. Yeah, CMs are notes, which are basically like encrypted UTXOs, because they have an arbitrary value attached to each one. And they're spent once. Okay? You all know what UTXOs are. Yeah. Cool.
So, here's a Merkle tree over all of the CMs that have ever been valid. So, whenever the Zcash miner is processing a new transaction, that appends another CM to the set of all CMs ever. That's the newly generated note. It's the new UTXO from this transaction, right? The transaction has consumed one or more UTXOs and produced one or more UTXOs, and whenever it produces new ones, it appends the miners, append them to the set. The CM itself is derived from your secret key. And every one of the arrows in here is basically just a secure hash function, like it's also SHA256. So, if you take your secret key and then you hash it with three different other things, it'll result in a CM. So, now, if you know the secret key that corresponds to a certain CM, that's what gives you the ability to spend that CM, right? So, you want to spend money. You want to spend one of these coins, but you don't want me to know which one you're spending.
That's how you can have that strong privacy on the sender side. We can get a green light on the sender side if you can spend one of these coins and to be zero knowledge, to really max out the privacy, we have to make it so that out of all coins, or UTXOs or whatever, out of all ones that have ever been valid, you get zero information about which one is the one I'm spending. So, like in Monero, if you make a transaction, there are five candidate senders, sending addresses, for this transaction. In Zcash, the set of candidate sending addresses is all of the addresses ever in the blockchain. In fact, there's a terrible hack in here, which is visible if you think about the height of this Merkle tree, because it's a fixed height Merkle tree. So, Zcash has a fixed capacity for transactions. I think it's currently a 29 height Merkle tree, so after we've done two to the 29 transactions, we can't do anymore. But anyway, we can explain later if you want how to get past that.
So, you want to spend one of these notes, one of these UTXOs, and not reveal any information about which one you're spending. All you do is you generate a zero knowledge proof that you know some secret key, but you're not, this is one of the inputs, it's one of the secret inputs. So, you're not going to reveal this to anybody. You're just going to reveal, you're just going to publish a proof that you knew some such number that you put in. When you hashed it three different ways, it produced some CM, but it doesn't say which one it produced, and then you're going to say, and then I hashed this CM with this thing and this thing and this thing and this thing, and it resulted in the Merkle tree root. And I can verify that zero knowledge proof, and I can say, OK, he must have known some secret key which matched one of all possible, of all of the CMs ever, and it has a path through the Merkle tree that results in the root.
Therefore, he knew the secret key to one of the coins, but I have zero information about which one. So, that's the privacy in Zcash. And that is, you should immediately have a lot of more questions about Zcash. The next one is the double spending prevention. You just proved to me that you knew a coin, but you didn't prove to me that you haven't already spent this coin to everybody else. So, for double spending protection, that's what this other thing is over here, a nullifier, which is if you take the same secret key and you hash it a different way, you get a different random number, and that gets output visibly to the miner. So, when you spend a UTXO, the miner doesn't learn. By the miner, I mean, like, you know, everyone, the public, right? Because everyone is watching the blockchain, but anyone can run a miner. And they don't learn which CM you're spending, but they do learn which nullifier goes with it. And so, they append this to a list of all nullifiers ever, a list of all spent UTXOs ever. So, Zcash has got twice the scalability problem that Bitcoin has. We have two ever-growing sets. Okay, that's the core of it. You got the basics.
Hey, yeah, ask me questions. How are we doing? What's the transaction capacity? The answer is, okay, the question is, what's the transaction capacity? The answer is, we deployed the first version of Zcash a year and a half ago, and it has a Merkle tree in it, which is 29 levels deep, which means you can have two to the 29 transactions before the Merkle tree is full. And now, we're in the midst of deploying an upgrade to Zcash. And the upgrade has completely different cryptography, well, not completely, but largely different cryptography, and it comes with a new Merkle tree. So, once that upgrade activates in September of this year, then everyone's going to start producing UTXOs that go into the new tree. And I think we should just keep doing this.
I think every six months or every 12 months, we should just upgrade the cryptography if we can, but definitely create a new Merkle tree every few months.
Is it zk-SNARK? Is the new cryptography? Oh, that's a good question. Is it SNARK or STARK? The answer is, the version we're doing this year is still SNARK. SNARK with an N. You guys are so geeky. I love this. This is a lot more fun than a normal introductory lecture. Yeah, so the... I'm really excited about the new zero-knowledge proofs like STARKs. The good thing about STARKs is they don't have toxic waste. You know about toxic waste, y'all? Okay, toxic waste is the terrible bad thing about this whole project, is that the zero-knowledge proof scheme that we use is called SNARK, S-N-A-R-K. And it's... the reason we use it is because we want to use zero knowledge proofs so that the privacy set, the set of possible senders, is maximal. So with simpler, older cryptography like ring signatures, we can only fit a small number of candidates, like four, into the privacy set for the sender. With zero-knowledge proofs, we can fit a large number of candidates, like two to the 29. So currently, like in Zcash today, if you make a transaction, there's probably something on the order of 150,000 transactions that have previously happened, involved a shielded, an encrypted UTXO. So your privacy set's effectively 150,000, I think. Maybe you can subtract out some of them based on some other kind of deductions. But as a starting point, it's four or five orders of magnitude bigger than you can do with ring signatures. Okay, but that's the good thing about it, is that we can fit this other stuff. Oh, and the other cool thing about zero-knowledge proofs is a general-purpose thing, is we can fit in the value, how much you're transferring, so we don't have to use a separate encryption scheme to the value.
And this means if we want to do more complicated things, like smart contracts or CryptoKitties or whatever, you just have to encode that. And zero-knowledge proofs are a general purpose, and they're very flexible. But the terrible bad thing about it is that SNARKs have a, there's a secret key that if anyone knows it, they can forge proofs. Now forging proofs in Zcash doesn't allow you to violate anyone's privacy, but forging proofs allows you to counterfeit money, right? Because you can say, oh yeah, you can say fraudulently, I know some number which hashes to something, something, something, whatever, and it hashes to the root. And since you have the, you know the secret toxic waste, you can come up with those as much as you want. So the miners will believe that you have as many coins with whatever values you want.
I want to just, on this point, I want to bring about that initially the search transaction was done. There was a kind of a, the ceremony was done.
Yeah, yeah. Wait, what's the question? What was the significance of that ceremony? Okay, yeah. Okay, so, right, so the, the toxic waste is effectively like a private key that goes with a public key and we all need to use the public key for the zero knowledge proofs, for SNARKs, that is. And so the obvious way to do it, the scientists who invented this are not me, right? This was all, the whole idea was invented by a bunch of different scientists from MIT and a bunch of different universities. And they presented it four years ago now at a conference called Real World Cryptography. And I was the like first one in line to ask a question. And I was like, what, what about the toxic waste and the private key? What are you going to do about that? And the scientist who was presenting it, Matt Green, the cryptographer, said, oh, I don't know.
I guess we'll like invite everybody to watch and we'll generate the public key on a computer and then we'll like destroy the computer so everyone will be convinced we didn't keep a copy of the private key. And I said, that's totally not good enough. You could totally keep a copy of the private key just because you got them to watch you destroying a computer. And he said, okay, fine, then you do it. And that was the beginning of our relationship. And that's one of the steps in the beginning of our relationship. So, so then we did something much more sophisticated. We did this thing called the ceremony, which is where there were six different computers. And none of them would ever have the private key. So we called the private key the toxic waste. And we said, we're going to make it so that there are six different inert, harmless precursor chemicals. And if all six of the chemicals come together in the same room, that forms toxic waste. But we're going to have this process where each of the separate stations destroys their harmless precursor chemical separately so that the toxic waste never exists anywhere even for an instant. So that was the thing called the ceremony. We there's a really great podcast about it by Radiolab. The title of the podcast is called the ceremony. It's really good. They're really great storytellers. And that still wasn't good enough. So now for this version that we're doing right now, there's a new improved ceremony, which has like at least 60 people involved so far. And anyone could join. It was on a public mailing list. It's still ongoing, but there's two phases and you've missed your chance to participate in the first phase, but you can participate in the second phase. Oh, okay. Well, so currently there's a somewhat better way, which is doing a much better ceremony. But then the really good way would be what he asked about, which was new forms of zero knowledge proofs that don't have any toxic waste at all, like in the in the math. 
That makes sense. So the one he mentioned is STARKs. The T in STARKs, the scientist who invented STARKs uses the T for transparent, but I prefer to think of it as toxic waste free zero knowledge proofs. STARKs are really cool. See, I think I have they're really cool new kind of zero knowledge proof. There's at least two good candidates for new improved zero knowledge proofs, both of which are toxic waste free. One is called Bulletproofs, which is from some researchers at Stanford, including Dan Boneh, and the other is called STARKs, by some researchers in Israel, one of whom is one of the founding scientists of Zcash, Eli Ben-Sasson. They have interesting different trade-offs from each other, but neither of them is really efficient enough to just plug right into Zcash as it currently exists. But I'm hoping that in another year or so, we'll figure out how to make them efficient enough to replace the STARKs in Zcash with a toxic waste free crypto primitive. Does that make sense?
Inbid into the code of target interactions or things like this that are actually like, can we do once with the music?
That's a good question. Yeah, I think we should, I think that Zcash as a community should make it non-optional eventually, but we should have a burn-in period where people have a chance to transition. Like we're already doing this with Sprout and Sapling. So Zcash Sprout is the code name for the first version that currently is running that you can use right now. And Zcash Sapling is the code name for the new version that's coming out this year. Oh, hey, I'm almost done with my 30 minutes. How much more time do we have to keep talking? Does anyone in charge of making a stop? Great. Okay, we have lots of time. What was my point? So we have Zcash Sprout and Zcash Sapling are two different cryptography systems with different Merkle trees.
And when we activate Sapling in September, it will be possible to transfer money from, like, to spend one of your old Sprout UTXOs to generate a Sapling coin or vice versa. But then I am going to advocate for the Zcash community that after a certain deprecation period of like six months or 12 months or something, we take away the ability to generate new Sprout coins. We always do hard forked upgrades, which means if you don't keep your software up to date, then you'll fork off on a separate blockchain fork. Right? Yeah. Yeah, so there is support for Sprout. It's currently got support right now in the current version. And then the new version that we're putting out has support for both Sprout and Sapling. And it's possible to send money back and forth. And then I propose that after another six or twelve months, we make it so that you can spend money out of the old Sprout nodes, cannot put money into the old Sprout nodes. So then everyone has to migrate. That's what I proposed. And yeah, it requires backwards incompatible network upgrades. And then I also think hopefully we will still have enough engineering bandwidth and market position and users and everything else that we can go ahead and make another version using the new cryptography that doesn't have toxic waste, make it either STARKs or Bulletproofs. But that'll be 2019 at the earliest before that activates. But we kind of have to get started working on it now because it takes like a year to implement one of these upgrades and deploy it. Yeah.
How do you think the anonymity of Zcash fares against the master node concept of Dash? Would you consider it to be too centralized?
Yeah, I haven't thought about it that much because, A, it's somewhat centralized in a way. Like I'm not sure I trust the master nodes or if I think that's, I don't know. This doesn't feel very good.
But the other reason, I mean, frankly, I'll just be honest here, even though this is getting live cast and going to get in trouble for being honest. But just to be honest, I've worked in the field of privacy technology for a long time. And, you know, there's a lot of science papers and a lot of sort of deep thinking goes into it. And one thing that we know is that it's one of these things that seems deceptively easy. So newcomers come along and they think, oh, I'll just add privacy this way. And they haven't studied all the decades of science papers and they don't realize that just adding privacy that way doesn't work. And that's why we didn't already do it 20 years ago. So I just assume without looking that the privacy system is totally weak because every newfangled privacy system is totally weak. Sorry, but that's the truth. I've never gotten around to looking at it. So mixing could be great if they did it right. But he said it's just based on mixing, I think. And, like, it is possible to have good privacy from mixes, but you have to understand how to do it. It involves either batching or inserting delay, a couple of different ways that it can work.
So I was following the Zerocoin protocol for a while. Is that what turned into Zcash?
Yeah, the Zerocoin protocol was made by some of these scientists. And it was just like this. It was very similar design to this, except instead of a general-purpose zero-knowledge proof in a Merkle tree and encoding the value into here, instead it had this funky other data structure that's not a Merkle tree, but it's a different kind of accumulator. And that thing was too inefficient. So, yeah, I did heckle that guy, Matt Green, at that conference in 2014. But actually an important historical step happened the previous year at the Bitcoin conference in San Jose in 2013 when Matt Green and Ian Miers gave a presentation at that conference about Zerocoin.
And that the 2013 Bitcoin conference was like one of the first, if not the first time that Bitcoin was like a big enough thing that you could get a whole crowd of people together into one place to talk about it. So Matt Green and Ian Miers gave a presentation on Zerocoin and the Bitcoin core developers who were there gave like an official statement from the stage saying, don't get the wrong idea, don't think that we're going to be putting the Zerocoin thing into Bitcoin anytime soon because it's way too inefficient. The transaction sizes or the proof sizes were something on the order of 70 kilobytes I think and that would have been too much to fit into the Bitcoin blockchain. So then at that conference were some scientists who were inventing the new SNARKs. So they saw the Zerocoin presentation and they said to themselves and they said to the Zerocoin scientists, hey, we can do the same thing as your 70 kilobyte accumulator using SNARKs and SNARKs only have about 288 byte proof sizes. So that would be a huge performance improvement. So that was called Zerocash and then Zcash came as a contraction of Zerocash. And so that's the history of that.
Zcash handles privacy for on-chain payments, right? So what about Bolt and the private IO use?
What's the last thing? Private use? Oh, I don't know about private IO use. But I know about Bolt. Bolt is another invention by Ian Miers, who I just mentioned. And it's like Lightning Network but it preserves privacy. So in Lightning Network, you have a hash pre-image and you reveal a common pre-image as used in multiple transactions, I guess. I don't remember how it works.
And in Bolt, instead, you use some kind of signature or proof that you know a common pre-image without revealing it or something like that and then you're not exposing your privacy, which I think seems really important in Lightning because if you're making lots and lots of small transactions, you're revealing that much more information about yourself and you would probably end up revealing that to some like large centralized third parties if you just use Lightning Network, I think. So I'm glad Bolt exists as an improvement to that. Next? Yeah.
Hi, Zooko. My question is what was the reason for you to partner with Ethereum Foundation and what is the status of that partnership today?
The reason was mostly just that we wanted to help. The partnership with the Ethereum Foundation just boiled down to us chatting back and forth and helping each other understand stuff and then it resulted, they did most of the work, we started, we started them off but then of course eventually we got distracted working on our own stuff and they finished it by themselves and they added SNARKs or, well, they added elliptic curve cryptography and pairing into Ethereum and with those pairings you could implement SNARKs. So that was the fruit of that collaboration so far, is that there are now pairing operations built into Ethereum. However, nobody's used it yet to make like Zcash style things on top of Ethereum. Did I answer your question? I mean, I'd be happy to collaborate with them again. I'm going to be hanging out with Vitalik this summer I hope.
Hey man, what's the reason for 20% of the block reward going through founders?
That's a good question. So back to the history books, those guys met up at that conference in 2013 and invented this in science and then in 2014 I heckled them at conferences saying you're not doing it well enough and then so then Matt Green said fine, you figure it out.
And then they asked me to take over the project of making it into a like full scale deployed reliable thing. And so then I agreed to do that and then I needed money. And so I went and got investment money from some Silicon Valley and Chinese and Singaporean and New York people like Bitcoin angel investors and VCs and stuff like that. And we raised a total of $3 million from them and we told them in return for your $3 million the Zcash company will get a share of the newly mined coins after the blockchain launches and then we'll give you some of the coins. So that's how we got the money to hire, well, pay rent for starters. And then after paying rent we also hired other people to help us do it. So the answer is so that we could afford to hire people to do it and we could afford to do it ourselves. Anyway this is a blog post we put out back then. This is the Zcash monetary base follows the Bitcoin policy. So it's this much for the first four years and then half as much every four years thereafter and it never goes above 21 million Zcash coins. And then this is that during the first four years from launch until 2020, the end of 2020, 80% of the newly generated coins go to the miner who found that block and 20% go to the company.

If it was just for initial funding then that bit of the graph should just go down after like 2020, right? It'll be truly decentralized after that because you've funded already.

This is the total amount that's ever being distributed. So we're getting more and more because we're like here now, right? Like a third of the way through. We're getting more and more every block. And then at this point, we stop getting more.

That makes sense. Yeah, but technically at that point you wouldn't need to get any anymore, right? It should just be fully decentralized and miners should get at this point all their work.

Yeah, we don't get any more after in the current consensus rules.
We don't get any more after this point, which by the way, I think is a bad idea. I think the founders' reward is a, this is called the founders' reward. And it shouldn't be called reward because that's totally the wrong idea. It should be called like the development fund, right? So I think if you're, if you're going to have a blockchain, you should, and some other blockchains are experimenting with things like this. You should somehow arrange to have a bunch of skilled developers improving it and maintaining it for you. This is a pretty good way to do it. It's my opinion.

The question was, can I answer that question? Is Zcash looking at integrating Lightning Network?

Sure. I mean, someone else could do the work, too, because Lightning is pretty independent. You don't really need to make changes, except Zcash doesn't have, what do we not have? We don't have, we have malleable signatures that we inherited from Bitcoin, because Zcash is a clone of Bitcoin from like, we started with 0.10 and then we upgraded to 0.11, but we never upgraded beyond that. So we have some bugs and limitations we inherited from Bitcoin 0.11 that we've never yet backported the fixes. One of them is malleability, and malleability is a bit of a pain for Lightning Network. So either we should fix malleability, which is what we should really do, or someone should deploy a version of Lightning Network that works around malleability. I think we might also lack the OP_CSV opcode, which is another thing, but we should fix that. That one should be easy. They're both easy. It just takes forever, because there's so many other things that we could do then. So basically, yes, we'd totally like to fix that. And practically speaking, we might get it fixed by the end of this year, maybe, December, if we don't prioritize other things between now and then?

Yeah, one question from me. So which are the most exciting development or applications which you see being built on top of Zcash?
Sadly, to me, I don't see applications using Zcash as a platform. I see user facing apps like wallets mainly, multi coin wallets, usually, implementing Zcash. You might consider decentralized exchange to be an application. And I think that'll come in 2018 using the atomic cross chain transactions at me. But that's about it. It's kind of disappointing because Zcash has, like I said at the very beginning, Zcash is the first combination of the blockchain properties with the encryption properties. So you can do potentially interesting things. You all know about the encrypted love note in the blockchain? Like right after this launched in like a couple months in, a young woman that I know told me that she had received a very small Zcash payment. And you know about the encrypted memo field? But it's similar to OP_RETURN, but it's encrypted with the same encryption so that only the recipient can see it, right? So only the recipient knows the value and only the recipient sees the memo that comes with it. So in the encrypted memo field, there was a hyperlink to an IPFS file. And the IPFS file was a scan of tickets to this event that she and her boyfriend had been talking about going to other seats. So it's an encrypted love note in the blockchain. It really exists, although I've never seen it, because only the sender and the receiver can see it. But it's like immutable in the Zcash blockchain. Anyway, so like, you know, someone should make an app for love notes on top of Zcash. But as far as I know, nobody has.

Hi, I have a question. When moving from the love notes, the possibility that given the fact that it's not possible to find out whether it's possible to prevent both the identity of the sender and the recipient of the cash currency to be anonymous. I'm just wondering, I mean, if we've seen from a law enforcement perspective, instantly there would be a, oh, no, this is going to be used for illegal activity.
I was just wondering how you know, you plan to deal with that and how to address questions. I mean, inevitably I'm sure you're going to get somebody coming to say, hey, help us find out who did this. I'm just wondering how.

Yeah. Yeah, we definitely get that. The main thing that I tell law enforcement is this is an open source project. And if you want, like, special access to it, don't come to me, but go to github.com/zcash. But really, actually, law enforcement, bless their souls, that's really the number one, like, higher order bit that they need to learn is that it's not a service that my company operates. And they do learn. I just have to tell them that if they're investigating something involving Zcash, that the place to go, if you're trying to find out something about a Zcash user is the exchange that you think that user is using, right? Yeah, I don't know. It's a long conversation which I've had a lot of times.

Hi. Is there a possibility? Did you consider that Zcash could have been a hard fork of Bitcoin because the code is almost same, whether a reason is it a possibility or not?

A hard fork of Bitcoin, what?

No, since the almost the code base was pretty much the Bitcoin.

Oh, could Bitcoin hard fork?

That Zcash could have been a hard fork of it.

I'm in favor. I don't predict it because, you know, Bitcoin has a phenomenally strong culture now of never hard forking to make disruptive improvements, right? I mean, you're kind of aware like there's a big conversation about changing the block size by 2X or X or something. So I think it's my perception is that the Bitcoin users and everybody who's still invested in the Bitcoin project is on board with being very conservative and not making risky changes like that. So I don't expect that to ever happen. But someone could always make a fork. Or like when I say fork, that's a really ambiguous word these days.
But someone could always do one of those like airdrop kind of things where they are, they copy the Bitcoin ledger in order to give their new coin to all the Bitcoin owners. But then they could use the Zcash source code. Yeah, somebody's already doing something like that but I wasn't going to mention it. I think it's a little bit standing. I'm getting so much trouble. I hope nobody's watching that live cast. But it would be a good idea in principle if you could do it without being standing.

Hi, Zooko. So like I want to ask question on integration of ZK Slash with Ethereum where in present scenario the gas that is required to process a transaction is much higher than the gas being produced to the block. So how that situation can be dealt out?

The gas to produce a transaction with, what did you say about the different hires?

So the gas that is required to process a transaction when we are integrating ZK Slash with Ethereum, right? The block reward of Ethereum itself is lesser than the requirement of the gas to process the transaction.

Which is just, I mean, the point is it's expensive to verify a transaction. You have to pay a lot. And this is probably the reason why, as I mentioned before, nobody's made a Zcash-like thing on top of Ethereum yet: it'd be really expensive for every single transaction, right?

Yes. Somehow.

And what, you want to know how I think we should fix that?

Yeah.

Maybe eWASM will fix everything? Is this glorious eWASM future? I was just thinking the other day I need to go find some eWASM experts and say, when glorious eWASM future, sir? eWASM is this plan to, I don't really understand it. It's a plan to replace the Ethereum virtual machine with a different virtual machine which can be much more efficiently compiled. And if so, then maybe that would reduce the cost, the gas costs of these particular transactions. But I don't know, actually. Why is it so expensive? Why is it so expensive if we have pairings already?
So I think they still have this problem. So that's why it's, that's not coming into the main net. So they are still working on it. That's what I did.

Okay. Well, I don't know for sure why it's so expensive. Yeah, and I'm not sure how to fix it either. Maybe like the Ethereum scaling solutions make everything cheaper, I don't know.

So you're also working on, you know, coming up with the platform where we can build apps on Zcash?

For sure. I mean, it's a, I mean, can you build apps on Bitcoin? You know, I don't hear about people building apps on Bitcoin anymore, but they used to talk about that. And so, yeah, Zcash is an open network. It's an open source software package. It has an RPC API, so you can, like there's a little Ruby script or Python script called zmsg, which you can put a message into Z message, right? It's for encrypted love notes, right? That's what I think of as an app on top of Zcash is that little script that uses the RPC API to send encrypted love notes.

As we understand outside cryptocurrency, the volume of currency which is printed, volume and value, the function of a number of things, for instance, the value on an economy largely, right? And there are other concerns that a central bank would be interested in addressing. Now, which means they have a formula into which it's a function into which a lot of inputs go and they decide what value and volume to print. Sure, the volume of volume value, whatever, gets generated as a function of, I don't know, mining and nobody knows where and when the next unit of currency will pop up. So there has to be an equivalent for this to work, even though you're trying to be extra government and sort of what do you call it? You have fungible borders and not be restricted by the current government. It still needs to be parallel for it to work, right? Those concepts need to be replicated.

It was explicitly a reaction against that practice of the government using monetary policy to try to influence the economy.
I understand that. My point is, never mind government regulating it, but as a currency unit, as a storage value, I mean, as a, like a battery, right? It needs to store value, but that's what this currency is doing. Whether it's paper currency or cryptocurrency, its function is the same. Never mind the government, negate a government from the equation, it still needs to grow, be able to, you know, otherwise it'll be a supply-demand mismatch.

Yeah, so there's a theory that I used to believe that you have to increase the supply of currency approximately as the demand increases or maybe 2% faster than the demand increases for various good reasons and then at some point someone told me, a great scientist named Marcus Miller who is probably the most influential scientist and well, one of the two most influential scientists in my whole life, yeah, Marcus Miller, he, I mentioned that belief to him and he said, why? He said, in fact, no, if you just had 1.0 of the currency, but it were infinitely divisible, then people would adjust to the fact that the price of everything tends to go down in terms of your currency. People would figure it out. And also, Bitcoin and Ethereum and Zcash are experiments to determine who's right.

Who's the second scientist?

David Chaum is the one I was thinking of. David Chaum is, he's one of the, so he's the inventor of cryptocurrency. He's the inventor of the concept of money on the internet and he's the inventor of the concept of privacy preserving money on the internet. He's also the inventor of the concept of anonymizing routers like Tor and every other known way to add anonymity onto a network. And he's also the inventor of some fundamental concepts in cryptography and he's also one of those people who performed a courageous act of civil disobedience and wrested cryptography from the control of the United States military in the 1970s and 1980s and turned it into a public science. And he was my first boss.

Hi, he's a good.
Does Zcash have a scaling strategy or a solution?

No, but we have, that's because nobody does. Like if you're picking a winner today and you're saying, oh, I'm definitely going to use Plasma or I'm definitely going to use Lightning Network or whatever, then I think you're deluded because we don't know if any of those are going to work. So instead, we're watching those other things to see if they actually work. In which case we can copy whichever one works the best. And we're also trying to do our own research in our spare time because we have too many other things to do but it's possible that zero knowledge proofs could be part of a scaling solution. So researching that.

Could a decentralized exchange or a DEX be a scaling solution in itself?

Oh, I don't know, I didn't see that.

Just had a thought.

Yeah, I don't know, that's an interesting thought. You guys asked great questions. I'm glad they stopped early.

On just that one, right? So when you say atomic swaps coming in, I think that's basically a way of scaling in many ways.

Okay, that's a good point, I see what you're getting at. But it loses the, it's not a side chain, the idea of side chaining, which is another one of those glorious ideas that I'm skeptical of ever work along with you as an emplacement and lightning and everything else that's never worked. I'm skeptical if it's ever gonna work. But the whole idea of side chains was that you could swap or trade out to some other chain and you'd have the same value when you came back. Right? That, I could understand, would be totally a scaling solution. But if you have to negotiate a new price on the market when you come back, then I'm not sure that qualifies as a scaling solution. Yeah, maybe if the prices are a little more stable in the future between the multiple different things you're trading back and forth in, then you won't mind trading back and forth sometimes. Yeah, that's a good point.
Yeah, I mean I definitely want that cross chain interop as soon as possible and I'm excited that it might actually happen in 2018. Oh, atomic swaps or cross chain atomic transactions are the same on Zcash as on Bitcoin and most things, which is you have a contract with a hash pre-image. Do y'all know how hash time locked contracts work? Oh yeah, yeah, once again, malleability. But I think we might be able to work around it anyway. We really need to fix malleability. Yeah, not 100% committed to that because there are a lot of other things we also want to do, but I think it's probably one of the most important. I mean the first thing on our roadmap for 2018 is deploying the Sapling crypto. I didn't point this out but the new improved Sapling crypto will make it possible to have shielded transactions in mobile phones and hardware wallets. I think that's really important and as well as maybe like in JavaScript apps and maybe it'll be easier to implement it in more different exchanges and servers and things. So that's the main thrust because right now Zcash kind of sucks in this way, right? I don't know if you're aware, but most wallets and most exchanges and most applications like OpenBazaar or anything, I guess OpenBazaar is an app built on top of Zcash or AdableZcash. Most of those things don't support the encrypted transactions at all. Do you know this? Yeah, so that's our main priority is changing that and the way to change that is to deploy the new Sapling transactions and then pressure everyone else to upgrade their products to use them to support them.

Hi, hello. You see proof of stake taking over proof of work?

Oh, yeah, it's one of those things that I'm waiting to see if it works but actually there have been smaller coins that have used it in various variants already and I really like Vlad Zamfir and Vitalik Buterin and others who have thought carefully about proof of stake. So I'm kind of gradually warming up to it.
Your question was, does it take over from proof of work? I don't know, there's a whole bunch of people who firmly believe that proof of work is better and they would refuse to switch to proof of stake so I suppose that means we'll have both indefinitely.

Hey, hi. Yeah, I know you're on camera but what do you feel governments should be doing or should they be doing anything in response to this whole revolution?

Yeah, I've been talking a little bit about that, about what the Indian government should be doing. My thought, I'm actually pretty satisfied with the behavior of the United States regulators so far. Much to my surprise, they have not done anything stupid in knee-jerk reaction and whatever, whatever. Yeah, and I guess I kind of think this might be partly due to this one outfit called Coin Center, this policy advocacy, whatever. You said that you're a policy person and you're the only policy person in the room so yeah, you should like Coin Center because they're the policy people in the room in the United States, Bitcoin meetups. And they've been working for like many years now, maybe four years. And they're very proactive. They go and tell the government regulators ahead of time what new issues are going to be cropping up and first of all, just teaching them is really helpful because ignorance leads to fear and fear leads to really bad law. And then, since Coin Center's the one that taught them, then they totally have credibility so then when they come back and they say, we suggest that you do this sort of like sensible, boring, predictable thing then they often do it. So I guess my advice is that the Indian government should hire Coin Center to come advise them. Yeah, Jerry Brito is the founder.

Hi, Zooko, me again. Does Zcash see a possibility of moving to Proof of Stake? You said you're warming up to the idea.

Oh, yeah, I think we should definitely consider it.
My main plan has always been to wait until Ethereum switches or doesn't and then we'll learn from whatever they did or didn't do and what happened to them when they did or didn't do it and then decide like second mover behavior.

Sure, and can Proof of Stake really work without developer checkpoints?

Oh, I don't think anything can work without developer checkpoints. I don't believe in the Bitcoin dogma that the longest, heaviest valid chain wins. I don't believe the longest, heaviest valid chain wins. Like I think if someone came along today and said, I have a new Bitcoin blockchain and it's got way more hash power than your Bitcoin blockchain, but it forked off a year ago and I got all the Bitcoins since a year ago. I don't believe for a minute that the rest of the world would say, oh, okay, I guess you win, man, well played. No, they would say screw that, we're keeping our Bitcoins.

We don't know that and having a developer checkpoint is way more centralized and defeats the whole point.

Yeah, we don't know that, I don't know what would happen. I find it really, I mean, there's gotta be some point. So suppose someone comes along and they start at the genesis block and they're literally saying, you know what? I own 100% of the Bitcoins that exist and I have the hash power to prove it. You think everybody starts like buying that person's Bitcoins for fiat because their Bitcoins are worthless? I don't think that's how that turns out. Yeah, that's the amazing thing about money is that it really, like all money, including fiat money, is that it really isn't anything but that everyone else also believes that it's worth something. So my, I agree with you that we don't know really what would happen, but my imagination of how people behave is that they would collectively agree that their Bitcoins are still worth something, even though somebody else has greater hash power and has 100% of the new Bitcoins.

Okay, guys, last three questions, sorry.
I think of, how would you increase public confidence in using these technologies? They're highly technical, they're not, I mean, even though certain sets of people use them, a lot of people don't understand their function or what they're used for and what I've seen, for example, in Bitcoin and a lot of cryptocurrencies is that they're simply being used for speculative assets, defeating the entire point, right? How do you change that to go?

That's a good question, because I think public confidence is really low, but probably for good reason. And I think that's the most important, or one of the most important things, long run. I think the passage of time helps, anything that's new people are suspicious of and once like, once like a new generation grows up, like everything that came out after you were like 13 or whatever you're suspicious of, but anyway. I also think all of the cryptocurrency user experiences, except for the speculative asset that you described, that the user experience of buying and selling cryptocurrencies as a speculative asset is getting pretty good. But the user experience of using it for anything else is still terrible, as far as I know. And so I think that goes a long way, like a simple, familiar, understandable user experience I think would make people a lot more comfortable.

Zcash obviously can be used for both good and bad purposes, right, and the sense that the bad people can hide their missing and the people who want to preserve their privacy can do that. So it's kind of like a double edged knife. Do you think that the pros greatly outweigh the cons in this case?

I do, yeah, of course, or I wouldn't be doing this. That's why I'm committing like most of the rest of my life to this project, because I think the pros vastly, vastly outweigh the cons. I think the amount of good that humans can do for each other if they're empowered is more than any measurement we know how to make.
We can make each other infinitely rich and explore the stars and immortal, or maybe you don't want to be immortal, but the potential of humanity is completely unbounded. It's so much better than the alternative. And by the way, I watched a talk by Ed Snowden he gave on, he talked about cryptocurrency, so I fast forwarded to that part. And he said something on this topic. He said something like, if, I forgot, you should ask Ed Snowden. He's very eloquent.

What are your thoughts on Nano, the erstwhile RaiBlocks?

I don't know anything about it.

Okay, so thank you everyone for asking so many questions and thank you Zooko for patiently answering.

Yeah, thank you very much.

Just one final question. How can developers in this room contribute to Zcash if you just can take a couple of minutes to?

Oh, that's a really good question, yeah. There's lots of contribution that's needed. Got, I've got, there we go. I've got a few URLs that you should write down. Of course, it's an open source project and so there's always code and code reviews needed. The Zcash Foundation, yeah. The Zcash Foundation is currently or imminently going to be soliciting proposals for where they'll pay you $10,000 or $20,000 or something like that to do cool stuff. And there's a wide variety of things they consider cool, including contributing to Monero and making cool videos and other stuff beyond code. But like about half at least of the stuff that they have funded so far is writing code. I guess that's the main thing I would advise is write code for the project.

Great stuff. Thank you very much and thank you all for attending and thank you. Thank you, thank you.