 Hi everybody. How are you doing today? Hello. Yeah? It's sunny outside. And here there's a typhoon coming. Yeah, very good. Let's enjoy this while it's here. Okay, so today we have a panel where we're going to be talking about mixers. We, I think maybe just to start off, so we only have one microphone, so we'll have to bear with us. We're going to have to be doing a little bit of passing. But I think to start off, why don't we just introduce ourselves? Why don't you guys give a quick intro to who you are? And how your project relates to mixers? Hi, my name is Wei Zi-en. Based in Singapore, I work with the ATV Foundation. And I'm working on a zero-knowledge signaling gadget called Semaphore, which is a base layer for a mixer called MicroMix. Hey guys, my name is Jay from Loopprint Protocol. So Loopprint Protocol is using a ZK Snacks to enable people to build up a decentralized high-performance, non-custodian, scalable decentralized change. This is fun. I'm Julian, one of the co-founder of Arjen. So we are a smart company as well, and we've been working on Hopper and open source privacy mixers. Hello, I'm Roma Storm. And we're working on a privacy solution called Armenia de Cash. Cool. Okay, so I think probably most of the people in this audience know what a mixer is, but I always like to start off with a panel with a couple definitions. So what is a mixer and what is it for? I think in the nutshell, a mixer is a privacy tool that breaks the link between addresses, which is different than confidentiality. So we're talking about privacy. So it is not a sender and a recipient being known, but you don't know what they are doing. In this case, you don't know who's sending a fixed amount of money to whom. Do you guys have anything? Is there anything else you can say about what a mixer is or isn't? Right, so there are two types of mixers. One is a centralized mixer. These have been around for many, many years, even since the early 2000s. No, early 2010s. Yeah, you go to bitcoin.com or something like that, and then you put in Bitcoin. You trust that they'll give you back to a different address and they usually do all the exit scan and you lose your money. But I think what we all do here is like a trustless mixer. You put in the fund somewhere and because it uses smart contracts or something like that, you know what can exit scan. So that's the point of this. One quick comment that I should add. A mixer could be used as a product, which could provide all chain anonymity and also metadata anonymity. What I mean by that on chain anonymity will provide you the anonymity of your transactions on a public blockchain. Metadata anonymity will provide you solutions like tour proxies, like to hide your metadata of your browsing sessions. And also from an exchange perspective, I would say like back in the old days, decentralized exchange is a first-generation mixer. So like large well, they just send the token like Bitcoin into decentralized exchange then with joining different addresses. Also, they can use shop shop as well. So you started to hint about the history of mixers, but what were the early mixers exactly? What were they called if anyone knows here? Where did this idea first emerge? So as I remember, one of the most, maybe not the first one, but one of the early mixers was a coin join in Bitcoin that it was called mixer, but if you look at it technically, if you observe all the inputs and outputs in that solution, it will still not give you the full anonymity comparing to privacy tools that is using zero knowledge proofs behind scenes such as ZK Snarex and other technologies. Then the next, okay, I'm going to the next phase which is zero knowledge base mixer, which is like we're in a very, very early stage in these solutions. Basically, they provide you a way where you can deposit some of your funds then using some sort of rules such as anonymity sets, you can establish a full privacy of your transaction when you're going to exit the mixer funds to some new address so you can break the chain of links in your production history. I think maybe if you want to go even further, I think cash has been used for many, many years and that's what people need to lower money, for example. So I think the first mixer of a laundry machine she can't know in New York in the process. I completely agree. I was about to say Bitcoin, but then you just mentioned cash. Cash, I mean the best two for money countries and also there's a lot of local dealers. They are like the individual mixer probably from over the days, so they receive money. You don't need to do KYC and then pass to someone else, the next receiver. They don't need to do KYC so I think that's probably the first mixer in the history. I think the only thing I'll add is we also want to think about our adversary model. So who do we want privacy from? Do we want privacy from the state or do we want privacy from a neighbor? So those are two very different things and can have different implications in how you do your mixing. Just a quick note. We forgot to mention two more important protocols that are also involved in privacy solutions on chain which is ring signatures and MIMBO WIMBO protocols. MIMBO WIMBO is used in the green cryptocurrencies. Ring signatures is used in the Monero cryptocurrency and the ZK starts one of the most widely popular blockchain with the ZK edge. That was actually the point I was also going to make because how does Monero fit into this? You just outlined the ring signatures and the zero-knowledge proof. Was there a third one that you just said? MIMBO WIMBO. Is MIMBO WIMBO its own? It's a protocol and from this protocol there was two projects derived from it, green cryptocurrencies and the green. But it's independent. It's not ring signatures, not zero-knowledge. So why don't we do a little bit of a comparison then? Are all the projects you're working more on the zero-knowledge side? Can we still talk about why you wouldn't do the ring signature version? That's been around a little bit longer. So it's somewhat tested. Why would you change that? In my opinion ring signatures could give you a lower... It's not the best tool to use to give you the full anonymity of your transactions. So let's say the ring signature, the anonymity set would consist of like 10 participants in a ring. Comparing to ZK Snarks, there is no limit. Technically there are some limits, but it's much, much higher in terms of your anonymity set. So anonymity set, it means how many other participants are participating in the whole process of mixing your funds with some other funds. So the ring signature in Monera, they would use some thick set of participants, like let's say 10. So there are some attacks that would happen, let's say if I'm the first one, I mean if I join a ring and the next person, you don't know who or the other, let's say, nine participants of that ring, so the anonymity could be completely broken. I was going to say the same, but you said it better. Yeah, I'll have a bit of an on. Just like for a ring signature, think about it, and now come to me and lend me like a hundred bucks, then Wei Jie says he needs ten hundred bucks, then I get to Wei Jie. Even I don't know them, but I remember their face. So if you want to be anonymous, you have to wait probably under the entire room, people to come to me, like half room to lend me the money, and I can't remember how much money is it and half room to come to me and then give them the money. Then it kind of mixed up, so I don't need to remember. It's not, I don't need to. It's hard for me to remember as a mixer. So that means that it takes time to be anonymous. That means people have to take time to wait. The timing is the limitation. Is that only on the ring signature setup where you actually can, but what I understood that you're saying there is like, if there's only a few participants say that it's actually pretty easy to trace it, but if there's a lot of participants over a long period of time, then it's harder. But is that only with ring signature type mixers or is that also a zero-knowledge style mixers? I think it's usually zero-knowledge style mixers. There have been articles that have been written and published about, such as for Zcash where you can de-analyze even shooter transactions, but based on heuristics. So for example, if you have a lot of users who deposit into a shooter pool and then they immediately drop to five minutes, you can look at all the transactions and sort of guess with high certainty that these are linked. So that's not nice, that's not good. So even so zero-knowledge is not a magic spell that makes everything disappear into the... So we have to educate users and we have to have good UI and behavioral nudges that encourage users to leave the deposit as long as possible or have good security sanity, security hygiene, things like that. So it's not just technology, it's also about how people use it. So I was going to say probably the same, even with mixers based on ZKS marks, you can also attack someone. So if I know that you are going to do a transaction and actually I do a lot of mixing myself, you may think that there's 50 people but actually you are alone. So it's kind of the same problem that brings signatures. Although theoretically the set is on moment, which is a bit better. And also you depend on the, as we mentioned, on the area of other people. If people act stupidly, but actually the set is close to zero because all the other person are following the same pattern. That actually speaks to another question that I had, which is, like we just mentioned one limitation of mixers, but what are the other issues around mixers, ways that mixers can actually get cracked? Is that what you say? Crack mixers? Okay. So as with any smart contract on Ethereum, there is smart contract risk. As with any cryptographic project, there is risk of the crypto primitives or crypto systems being broken. So to address those things, you need, first of all, audits. Second of all, you need a trusted setup that allows, that is like something that, like a Zcash powers of power trusted setup where you can have a multi-party competition where you will only need one person out of a whole set of people to do the trusted setup process, to be honest, for the whole thing to be secure. So that's what we're doing for semaphore mixer and the powers of power ceremony is open tomorrow. So if these things haven't done, then mixers could be attacked. I think also always in cryptography, the primitives, the mats may be really good, but all you're implementing is what creates the problem. For example, with mixers, today a lot of people are using Infura to access the blockchain. And actually if you do that, you connect to an IP address. So the mixers, they are assumed to be private because we assume that people use a local node, but in practice, most users will use a centralized service and actually you're getting information by just connecting to Infura or Alchemy or any other local item. So I think that's a limitation. In the case of hardware and semaphore, there's the question of how do you transfer it to an account that doesn't have ether. And so there's the question of who's paying gas. And in that case, we use relayers. And again, if you access a relayer, you usually connect to a service. And again, your IP address may need information. So there are solutions such as using Tor as you mentioned before. But I think all these practical details are what may actually reduce your price. I guess these are like externalities. They're like the things that won't necessarily be thought of when designing the cryptography, but rather the implementation. Is there also a hardware, I mean Infura, I guess is sort of in that direction, but is there any sort of like hardware issue or when you're implementing it on an existing blockchain, are there issues with that? Currently right now, if you want to use a mixer that's on your mobile device, you would have to have a web assembly enabled in your mobile browser. So that would be the huge limitation for users. And also, let's say, if you use a mixer with a much higher level of miracle trees, you would have to spend a lot of gas on the viewing just to execute the withdrawal transaction. So for example, if you use a miracle tree with a system levels, which would give you the maximum amount of transactions that could be stored in that tree, 65,000. The amount of gas for each withdrawal would be around right now for the Istanbul artwork, 800,000 gas for the withdrawal. You mentioned really briefly relayers, but can you define what a relayer is in this context and how that could actually be a limitation? I think the idea of using relayers is, as I mentioned in the case where the recipient doesn't have either. So there's the question of how can you withdraw basically to see if someone has made it for you. Of course, you can send in some heat or you can pay the gas, but again, that transaction will break the link. So the idea is to use a third party that will actually make the withdrawal on your behalf and will be repaid the gas by these different mechanisms. But in the case of Hopper, for example, the person that is relaying the transaction will receive part of the amount that has been part of the transfer. So the idea is again, we need to break that link between the sender and the recipient because of the problem of the gas and the material. And so then with mixers, there's different strategies. You can have one mixer, one centralized mixer, which is the symbol's possibility. But of course, if you want to make it completely trustless, you should have made more of mixers. And I think the semaphore guys are working on that. I'd just like to add a few thoughts on the relayers. So in turn of the cash, we also use the relayers network. And for the next release, we are working very hard right now with the integration of the gas station network made by Hopper Zeppelin. I think they're working on generic solutions to provide the relayer network for any smart contract developer. So that would increase the level of decentralization and the level of community because you could either choose which relayers you want to assign the withdrawal of your conduction or you can even spin up your own relayer. And the more relayers we have in the network, the better it is for everyone. And potentially, I think, we can even maybe all the mixers could collaborate using the one set of the relayer network. So it would benefit the homework. We sort of talked a little bit about how zero-knowledge proofs are used for the sort of zero-knowledge proof style mixers. But where does the zero-knowledge proof exactly live? Like, what is it done one time? I'd like to hear a little bit more about how those designs actually happen. So first, when you deposit if or tokens of your mixer, that's done in the clear. But when you withdraw, you generate a signal proof in your browser, send the proof to the relayer, send it to the smart contract that ratifies the proof on-chain. And if it's valid, then it proves that that person will send the proof. And what's the member of the set of people who deposit it first place, but listen, review the exact identity in the first place. I mean the original identity. So the proof happens, the ratification happens on-chain. The proof is generated off-chain. So it is written by the team and the trustee set-up is done by the team as well and also by the company. Yeah, that's really good. But are all of these projects, like there's three projects here where you use the zero-knowledge proof construction, are you all using it in the same way? Is it all based on the same original paper or idea? I would say that I think the architecture of the design is the same. We are all using a Merkle 3D privacy mixer. So that's where you mentioned the idea that you mean a secret coin which is a leaf in a Merkle tree, and you prove that when you withdraw, you prove that you know the secret behind one of the leaf in the Merkle tree, and it hasn't been double-spent. So I think this construction is the same, you know, three set-ups, but then there's again a lot of implementation details on what kind of lashing function do you use for your Merkle tree and what kind of lashing functions do you use to create your leaf and so on. You know these details? We are all a bit different because we may target different use cases, but the global architecture is the same. And those implementation details impacts heavily on how much gas consumption you're going to use, as you already mentioned, in different use cases for different types of applications, because I don't think all the mixers are trying to solve the same problem. Everyone has its own view like what's the most important issue to solve? Yeah, even from our perspective, because for us, right now, the first priority is scalability, but we still have the demands for the privacy, so we just postpone the delay, the privacy, but all the infrastructure and processes are the same. There's one more point, which is that all four of us and the whole Ziggy community working together creates a different, not just a mixers, but also another Ziggy project creates a lot of positive side effects. So we're not just helping the community to get better privacy options. We are also advancing on zero-knowledge research and development. Yeah, so it might be a bit messy, might be decentralized, might be like, there are four mixers when you need one, but eventually, hopefully, the efforts that everybody puts in can allow everybody to flourish. Can you guys go into more detail of these different use cases, because I actually would like to understand the differences between these projects. And then after that, by the way, I want to ask about the use case for Texas, but first let's find out the difference between the projects. Just a super simple formula. Name one D5 project plus privacy, that's a use case. Let's say I'm a trader, I just got a bunch of tokens from someone I want to use there to trade whatever, and I need some gas, and I don't want them to see my balance because I'm a whale, which I'm not. So I use a mixer, I get a gas, and I trade whatever, as I use playback events, like you deposit some dye because you want to get a spot at the event, if you don't show, then the dye is distributed to other participants, but I don't want people to know that I am a whale and at the event, because I don't want people to know that I am a whale. So name a D5 project, name an instrument project, plus privacy, that's a use case. I want to say us, but I want to keep it later. So I think in our case, as I mentioned, we are at first building a smart contract based wallet, so we are a wallet and what we've tried to do is to actually abstract most of the complexity from the blockchain to really enable us to reach outside of this crypto bubble so kind of target people which are less tech savvy than we all are in this room and so if you start talking about financial application, people have some expectation of what it means and people expect some kind of privacy, so our user expecting a certain level of privacy and actually a theorem is a fantastic tool because it's a public ledger, it's fully transparent, but it doesn't contain that privacy naturally. And for us the realization that the interest for mixer came from some of our users because they wanted to provision a wallet, some of them had a lot of funds on the hardware wallet for example and they were saying we want to provision a hardware wallet but we don't want to create that link between this hardware wallet and our hardware wallet so that's why we really started thinking for us in a very simple use case how can we transfer E from a hardware wallet to an arch and wallet without creating that connection so for us it's kind of a simple use case but it was really driven by request from our users. Just to add a few things the very easy explanation what we're trying to solve is let's say you have your debit card and do you want to publish all your transactions from your debit card? And most of the time people will say no, you don't want to publish anything but that's what we're trying to solve because every transaction in the field of space in a blockchain is publicly available in one and I think privacy is one of the human rights that everyone should have and this one point which is this is not about mixing large amounts because there's no way you can mix a million F through a mixer because you need so many deposits so many withdrawals it's not going to be worth the time you might as well use the banking system which is used traditionally too on the money. So this is just a small amount that you want to get privacy for small purchases for paper gas there's no way you can render your entire fortune through a mixer if it's not going to happen Now I want to ask you about this a DEX use case for mixers what does that look like if you can Sure So right now we're all in the problem with the DEX horrible use experience and terrible liquidity volume so we right now using zero large proof to scale up the throughput which is really successful but like because most of DEX is like they're not licensed DEX people don't want to do KYC but we also talk to regulators they want to license a more regulated decentralized exchange but then to enable the large or well or institutional investors to trade out the DEX because we're very close to the Hong Kong stock exchange commission so for them if you're a centralized exchange you have to prove your custody is really safe which is really hard but for decentralized exchange it's very native so you're on your own it's super safe but in traditional because I have a traditional financial background so like traditional if they want to buy or buy some stocks they don't disclose straight away they start to buy stake in once they reach the cinema then they will release the news says we will purchase like 5% 2% like Berkshire as way they will say I bought 2% of coca-cola shares so like right now it's really hard even they do it on a centralized exchange people can see a large amount say USDT or USDC or die transferring to a centralized exchange most likely it will be a large purchase or even for even if they can disclose this but a centralized exchange knows that someone like a corporate account is going to purchase like what kind of tokens but for decentralized exchange we use mixer which will be our next stage so we can hide those kind of information for institutional investors this is our case the way that you've described these protocols they sound very much like their layer 2 they're like on top of existing blockchains but like is there maybe I've wrong here so correct me if I'm wrong but are they competing with those protocols that are coming out with it built in? I don't think I think you're touching the subject of how you can utilize zero-nudge proof as a scalability solution and there are companies and projects that are actually trying to solve that problem I think in our case in the mixer's case we're not trying to solve that and in case of tornado cash it's not a way to solution we don't have any meta-transactions off-chain and we don't have any roadmap for that we are only going to be working on a way of one solution so every transaction is going to be mined and published on-chain but to answer the question yes we can utilize zero-nudge proof protocols for scalability and way of solutions such as MetroVibeson okay I just have one question how much time do we have? you have 10 minutes or something? I have one last question but I also want to open up the floor you have 15 minutes sorry 10 minutes 10 minutes okay so I'm going to ask the last question and I'm going to throw it out there that I will be opening up for questions so if you want to think about your questions now get them ready that would be good but I have one last question which I'm sure is everyone's least favorite question which is about regulators and the law so how legal are mixers and how do you deal with that how do you even think about it I'm not a lawyer I mean the code I write is open source and out there and anybody can keep my coding because it's open source I can copy and use it so I'm not a lawyer either I only did a law study back in university but in the traditional financial world like Nasdaq or New York Stock Exchange they even allow those very similar function as a mixer so you can do those kind of duck pool or the broker can purchase stocks anonymously and I think somehow the legislation they can figure out how to adopt blockchain and mixers maybe in the future but right now I don't think it's very friendly even like just like blockchain it's going to take a little bit of time for them to understand they just don't like innovation and creation stuff so we do think about regulation about the margin and that's actually why copyright is an open source project it's a separate application and it's not about the margin because it's such a great area we don't want to make things too rapidly there is a clear problem with mixer is that if you use a mixer this company is looking at a blockchain and you start to kind of tame your cons and I think that's a real problem for me I see two reasons to have privacy as you mentioned you don't want people to know exactly how much money you have and who you have transacted to but it's also a way to preserve fungibility meaning that one eater should be one eater with respect to who are sending it and what's the history of that eater and now for regulators if you start to use a mixer they may actually take your account and actually mixers can be counter productive in that sense that your account may be flagged and so then you have no way to actually exit your crypto to the fiat system because you attend and some exchange will not accept your cryptocurrency so I think this is a real problem today that needs to be fixed by regulators fortunately not us it's a lot of value to provide the technology hopefully all that they will go in the right direction unfortunately we already see some pressure from governments like Japan for example they ban the private cryptocurrency that enable privacy like Manera, Zcash so we are going to have some issues with that and last year there was a one mixer that was seized by Europol because it's very important how you advertise the mixer if you advertise your mixer like you're going to help some guys to do something you probably should never advertise it this way you're going to be in huge trouble so it's very important that we to make it a clear message to the governments and regulators that this is not our goal our goal is to have the private elections to enable privacy yeah unfortunately the state is unknown we don't know what the other countries are going to do about the revolutions how it's going to go ok so thank you for answering that I could tell that was a little painful for you I appreciate it but there's only one mic so I guess I'm going to be running around I think you actually came to me first and then you thanks it just sounds like a fashion comment to the last topic it's interesting so the thing that that problem can be actually addressed by hopefully comic identity systems where you can just construct a mixer that accepts for example identities that can prove that they have KYC but without revealing anything more and that makes a mixer at least for the anonymity this as good as anything else and the authority should be always right something like that I think do you mind about anything else I mean I want to say yes I think this is clearly one potential solution I think it is also possible I think to keep the proof so you may have your privacy but it is still in regulation or government ask you to prove where the funds come from it is possible to being able to show that so you can actually keep that secret and only if you are requested prove that you know the origin of the funding so I think there are solutions to what was that I think I think if somebody is going to execute that solution that means there is going to be some central company that is going to keep records of all those KYC applications and forms so that basically we are going to create another central bank but that is not necessarily but that moves the problem to how you exactly feel like I am in existence this also presents zero known proof that you have KYC sure but we are going to give the power to that central authority it doesn't have to be central but yeah fuck KYC this is also on the same subject as the last question I am not sure if it was answered in the last correct question here but are there proposed technical solutions to tainted coins the idea of being able to take these tokens which should be fungible and are being made by exchanges to be non-fungible is there a proposed technical solution to treating them as fungible again or making exchanges be unable to recognize them as such I think technically there are some ideas how to solve that but it is not very easy to provide the solutions for example like everywhere should like burn the address after it is used and like use the new address for railway transaction and the smart contracts since all the mixers have like a one smart contract and all the like companies like chain analysis they can basically parse all the transactions and detect this transaction where it is somehow a mixer so it could be wet that problem could be kind of solved by creative of course but again it is all in those ideas all in the air and we are not there yet to think about those problems right now we are still in a very rare stage where we just need to solve how to do basic mixing for now then maybe like later on once we figure it out we will work on something like this okay I think this is probably the last question do you mind just coming up this probably won't so my question is about the UX in implementing mixer some sort of bullet so obviously like having a mixer would be great but if when we are using our full privacy and it is not idealizing it might not be the best mixer because everybody is using it so how do we get people to actually want to use it and how do we make that UX seamless and easy such an interesting question okay so you find correct you are worried about the UX problems in current state of the world I think his question was not so much just UX, UI is bad but rather how do you get the regular user to use it because if only irregular users are using it then it could become very kind of like tainted or it would be seen as dangerous what you want is the regular users is that kind of what you are saying? thank you personally I don't think the UX, UI of mixer is that complicated I think it can be made simple I think Tornado did a great job I think it is as simple as that because it is in that file we didn't put fancy UI on top of it but I think the steps are easy to understand you can tell a user then to withdraw it is another key can you invite the user I think the difficulty is to invite the user to behave smartly in when to withdraw and I think that is the most difficult part in terms of UX but again there are solutions you can actually block the withdrawal until a certain time but there are still that can be done at the UI level so personally I don't think the UX will challenge production the main challenge I think is regulation I am actually going to grab it maybe just one last question I just think that users have to be educated about privacy and I think when you saw the Acrofax hacks and saw the revelations people started acting differently and that kind of education is useful in the long term so that people can be more motivated to use mixes so I don't think we really have much more time but if Barry you want to say something just to respond to that question I think that we should try and integrate with wallets and have this new feature similar with a browser where you have created your private tab I would like to have created your private address I think that's an idea that people can understand and it's like the first step for like having these bigger mixer pools and these mixer equations it's quickly something on top but actually your initial idea was to enable what we call incognito wallets so basically you have your origin wallet you can create an incognito wallet and actually use a mixer to transfer some fronts between those two I think so, yeah, we wanted to reproduce what you do with Chrome you can do incognito wallets so I do believe that this is a nice way to solve that problem and to incentivize users and make it simple for them to use it Alright I think we got a lot of points in I want to say thank you to our panelists for joining I forgot to introduce myself so I'm Anna and I'm the co-host of a podcast called Zero Knowledge we talk about topics that are related to this a lot of zero knowledge stuff so if you're into it, please check it out called the Zero Knowledge Podcast