Can you elaborate in detail how zero-knowledge proofs work?

Not in detail, but I can explain the general concept. The concept of the zero-knowledge proof is proving that a certain condition is true without knowing the inputs to that condition. For example, proving that the amounts in the transaction add up, so the amount you are spending and receiving add up to the same amount. If you subtract the outputs from the inputs, the result is greater than zero or equal to zero. That is basically a common type of proof, called the range proof, one type of zero-knowledge proof. You can do mathematical proofs using homomorphic encryption, where what you are doing is applying encryption to the values, and then you are able to do simple arithmetic with these values, or range proofs with these values, without decrypting them, without knowing them. You are able to verify the truth of a statement, like, no new coins were created in this transaction, without knowing how many coins were used in the transaction.

Mario has a follow-up question. How could you create a zero-knowledge proof transaction? It seems that it is computationally complicated and not time-efficient.

That is true. Zero-knowledge proofs are computationally complicated and not particularly efficient. They are not efficient in computation and time, but they are also not efficient in size. One of the big problems with zero-knowledge proofs in general, and homomorphic encryption in various types of zero-knowledge proofs, including range proofs, is the fact that they produce a very large amount of data in order to be able to validate these zero-knowledge proofs. You need a lot of data. So transactions using these systems can be ten times larger than transactions that don't have zero-knowledge proofs. This has been something that has been holding back the technology.
Most of the development in zero-knowledge proofs is in being able to express them in less space, to use less data to communicate with zero-knowledge proofs. All of the great innovations that have come out of that space are about compressing the proofs, so that they are viable, so that you can actually create transaction sizes that can be propagated. It's not computationally efficient, and it's not space efficient, and it's not time efficient. It's not intended to be. That's the trade-off. The trade-off is that in order to get very robust privacy, you lose some of the efficiency.

Hello. I've been aware of you since last year, and you seem to be a person who really likes Bitcoin and the blockchain and all the benefits it might give. Very good. Thank you. I want you to try to play devil's advocate for me, and you might have received this question before. What could be the biggest danger to Bitcoin that can be thrown by, let's say, the banks or by international governments? Very good. Yes. Actually, maybe throw it off its original course of trying to be decentralized and just being a force for the individual.

I get that question quite often, so I can answer it very directly and very simply. I think the biggest weakness that Bitcoin has is that the base layer, the first-layer blockchain, is insufficiently private. It does not have strong enough privacy and anonymity guarantees. What that means is, if you're trying to build a currency on top of it, that threatens the currency's fungibility. Okay, so fungibility. First of all, it's a great word. I really like saying it because it sounds so much fun, but listening to it is not even half as much fun as actually saying it. You should try it because there's an F and then you go into some Ns and Gs and it's fungibility. It's really a lot of fun to say. The problem is nobody knows what the hell it means, so how many people here know what fungibility means? About half the audience. That's great. It's a weird economic term.
What fungibility means is that in a system of money, it's important to not be able to distinguish between different units. Meaning, if I'm holding, let's say, 1,000 won, that's a paper bill here. I haven't actually touched Korean money yet, I've only used debit cards. I'm holding a 1,000 won bill, right? If I go to a store and I give it to a storekeeper and I say, here's 1,000 won. Give me something you can buy with 1,000 won, probably something very small. They'll say, oh no, I don't like this one. Do you have any other 1,000 won bills? Not this one. But why? I don't know. Its number ends in a three. I don't like those. I want one that doesn't end in a three. Do you have another? They can't do that. In fact, it's illegal to do that. They have to accept that any 1,000 won bill is the same as any other 1,000 won bill. They can't say, I don't know, the corner is a bit creased, so I'm only going to give you 950 on that one. If you had that kind of situation, you'd actually have a problem. How do we know? Because it's happened. In Roman times, when they had coins... I don't know if you've noticed. Have you noticed that almost in every country, if you have a metal coin, it has little lines around the outside. Have you noticed that? Do you know why those are there? So they don't shave them. Back in the days when money was actually made of something valuable, like silver or gold, if you had a coin and the edge was smooth, then you could just shave off a bit of silver or gold to make it a tiny bit smaller, and give it to someone, and then you keep the shavings. If you do that with enough coins, eventually someone notices, they're like, why is this coin banana-shaped? Is this part of the lunar cycle? Because this looks like a half moon. Where's the rest of the coin? So what they started doing is they put those ridges around as an anti-theft device, so that if you shave it, it's visible that you shaved it.
If you try to make the ridges again, because they're symmetrical, it's very obvious that you've cut new ridges into the coin. That's why they have a little circular ridge around the edge, and that's why they have the little lines. So what happens in Roman times with silver coins, is they started trading for different values, depending on how badly they were shaved. So it's like having a thousand-won bill, and someone is saying, I'll give you $8.76 for that one. That one looks pretty good. I'll give you $923. Well, the problem is, if money starts having a price, it stops working as money very well. If each piece of money has a different price, but not the one that's on it, but a slight discount depending on whether it's being tainted or shaved or something like that, you have a problem, and that's what fungibility is about. You know, there's another funny situation that we have. I don't know if you've heard this statistic, but every single dollar bill you've ever touched has cocaine on it. It also has E. coli. You. Yeah. So every single dollar bill you touch has cocaine on it. And the reason for that is because there's this way of rolling up a dollar bill and turning it into a straw, and using it to ingest cocaine, so people, you know, that kind of thing. So that means that eventually you take this dollar bill, it touches the other dollar bills in your pocket, they get a bit of cocaine, and then you give it to someone and it touches their bills they give, etc. And so everything has cocaine on it. Now this causes a bit of a problem, because what if you had a test, and you could run a test? And they actually suggested doing this in the 80s, and they said, well, let's test the dollar bills, and if they have cocaine, we won't accept them. And then they realized this is a very bad idea, because it would cause chaos. 
Can you imagine if every shopkeeper had to have a little testing system, and they'd be like, oh, sorry, this has too much cocaine on it, I won't take this one. But this one has just enough, I'll take this one. And so then what would happen is people would pay more for the ones that were clean, and less for the ones that were dirty. And then you have a real problem, because then the value of money can vary a lot. Not just 2% or 3%, but even 20%. Well, that's happening in Bitcoin today. You can actually buy Bitcoin that just came straight out of a fresh block, fresh from the oven, still smelling of hashes, and right from the coinbase. They sell those at a higher price than Bitcoin that has touched other people's wallets. And the reason is that because you can trace Bitcoin from transaction to transaction to transaction, if you give Bitcoin to your exchange that you received from someone else, and that person received it from another person who stole it from Mt. Gox, your exchange is going to go, ah, too dirty, no, thank you, and they'll shut down your account. And that's a problem, that's a big problem. Because if you start doing that across all of the money circulation, you end up breaking money. It stops working as money. The whole point of money is that you have one universally recognizable, verifiable thing that has one price. Right? It is the price, that's its purpose. And if it starts having different prices, it doesn't work. So, fungibility is a big problem. So, how does fungibility relate to privacy? They relate in a very simple way. If you have strong privacy, if the money is anonymous, and if you can't trace where it's been before, then it becomes perfectly fungible. Then every unit is the same as every unit. You can't differentiate between them, and you can't have problems where the exchange will say, not this one, yes, this one, or where they trade for different prices. And today we don't have perfect fungibility in Bitcoin.
There is perfect fungibility in some other blockchains. Privacy-focused ones like Zcash and Monero, and many others that have come out since. I would like to see privacy improvements in Bitcoin. The reason I'd like to see them is because this is a very specific attack vector for governments. What they can do is start circulating blacklists to say, any coin that has touched one of the following addresses is a bad Bitcoin. Then make the exchanges block any transactions. They will set a limit. They will say, if it's changed addresses less than six times, if it's touched one of these, they call that six hops, then you can't accept it. That would cause very, very serious problems to Bitcoin. Of course, what it would also cause to Bitcoin is the immediate implementation of strong privacy and anonymity. One of the ironic things, when you're working in a dynamic system, is that if you have a threat like that from government, if you have an attack like that from any government, the response that happens is that the system evolves to develop defenses against that particular attack. One of the reasons we don't have strong privacy today is because Bitcoin isn't being attacked enough. This applies to all cryptocurrencies. If cryptocurrencies start getting attacked using privacy as the attack mechanism, two things are going to happen. One, privacy will become very valuable, which means that any cryptocurrencies that do strong privacy immediately become much more valuable, because everybody wants the private ones. Two, every cryptocurrency that doesn't have privacy has privacy, which probably is also why governments haven't tried to attack in that way. They actually like the fact that they can track these things, and they know that if they attack it in a very obvious way, they'll stop being able to track them because they will immediately get privacy.
Gareth asks, privacy coins like Monero and Zcash are invaluable to people in authoritarian regimes who want to try to protect their wealth from government confiscation and inflation. I wonder if the new implementations of Mimblewimble, such as Grin and Beam, will be a better option than the existing privacy coins, such as Monero or Zcash. Mimblewimble is a much smaller, more efficient blockchain and can store more transactions. Can you see it displacing the current top two privacy coins over time?

I don't know. I think it's important to realize that Mimblewimble has different trade-offs, both in terms of security and privacy, as well as efficiency and scalability. I would like to see this experimentation continue across all of the privacy coins, because it enables us to see how different trade-offs and different privacy techniques can be used, and what their pros and cons are. Perhaps in the future, we can see more of those privacy techniques combined, so that we see a lot of cross-pollination between the research and development teams in these various privacy coins and other coins. Techniques invented in one place are used in another. That's one of the wonderful things about working in a broad open-source ecosystem, like cryptocurrencies and open blockchains, where an invention made in one place can be used anywhere else. It's not encumbered by patents, or even if it is, under open source that doesn't really matter. We will see a lot of cross-pollination. Whether Grin and Beam displace the current two privacy coins over time, it depends on what you mean by displace. If you mean that they might rise to have a larger market cap, I don't really think those metrics are meaningful. The question is, do these new technologies offer more choices for people operating under conditions where privacy is absolutely essential? I think they do. Do they displace? This isn't a zero-sum competition.
Grin and Beam can thrive and grow both together, as well as against the other privacy coins, without any sacrifices. I'm hoping to see not only these privacy coins, but more privacy coins develop and explore other areas. That's the only way we learn. Of course, not all of them are going to survive or succeed or flourish. That's okay, too. These experiments are not about winning, they are about offering choice and exploring different avenues.

Could you comment on the Zcash inflation vulnerability that was recently exposed, and whether this has implications on the feasibility of base-layer privacy on Bitcoin? Many Bitcoin proponents believe that the fixed supply of Bitcoin is one of its greatest value propositions. Is there a risk that obfuscating the base layer for privacy reasons would make it less auditable and create a risk of an inflation bug that goes unnoticed for quite a long time? In the case of Zcash SNARKs, the vulnerability existed for eight months. If I understand correctly, there's no way of knowing if it was exploited. Would it not be reckless to deploy nascent cryptography on the whole network, given the fact that second-layer solutions may prove to be sufficient?

This is a great question about the balance between privacy technologies and the risk that privacy technologies introduce in the form of an inflation bug. Let's explore this a bit better and explain what exactly is happening in this case. One of the important privacy technologies is the ability to encrypt the amount of a transaction, so they can't see how much money is being moved within a transaction, in such a way that you can still audit the amount without knowing what it is. There are a number of different techniques to do this. Zero-knowledge proofs come in various forms. Zero-knowledge proofs are proofs where you can prove that something is true without knowing the specific details.
For example, within a UTXO set or within a transaction itself, you have a certain number of inputs on one side and a certain number of outputs on the other side. A transaction is valid if the total of inputs minus the total of outputs is equal to an amount greater than or equal to zero. That is equal to the fees, which is the leftover, or zero if there is no fee, which is unlikely today. Let's say the total on each side of the equation should balance. You should have, effectively, double-entry bookkeeping. You shouldn't be able to spend more money than you have. Now, if the amounts are encrypted, how do you know that they add up? That is where you get a zero-knowledge proof. The zero-knowledge proof is where you can do mathematics, basic arithmetic, on two values that are encrypted, in a way that doesn't reveal their value. You can do a subtraction, a range proof, as it's called, where you can show that the encrypted values of the inputs, let's call that bananas, minus the encrypted values of the outputs, let's call that apples, is within a range that is greater than zero. You don't know what the number of bananas is, and you don't know what the number of apples is, but you can do the mathematics and arithmetic and say bananas minus apples is greater than zero. That's what a range proof is. Now, if there is a bug in there, what you can do is actually create bitcoin on the encrypted side of outputs, or create the cryptocurrency of the system, in a way that increases the supply. You're essentially generating currency from nothing and introducing it into the supply, in a way that can't be detected because the values are encrypted. They'll still validate in the long term. This is a very serious bug. In the case of Zcash, fortunately it happened in an environment where there hasn't been much use, and it's still very experimental, and this is a great lesson for Bitcoin. This creates a fundamental challenge for privacy.
If you introduce privacy in the base layer of a cryptocurrency that has very strict monetary characteristics, what if there's a bug in the range proofs that causes a significant inflation bug? This is one of the criticisms levied against ZK-SNARKs, as they're called, because this is relatively new cryptography. As a result, it hasn't been broadly tested. It has been extensively peer-reviewed, but it hasn't been broadly tested, and it's quite complex stuff. In this case, there was a bug. The bug actually goes all the way back to the equations in the white papers describing ZK-SNARKs. It was identified, one of the equations was wrong, and no one noticed for eight months. The question is, what about adding things like Bulletproofs, which are used in confidential transactions, currently implemented only in test networks around Bitcoin, and sidechains like the Liquid sidechain? What about adding that technology to the Bitcoin base layer so as to improve the privacy of the base layer? Is it too early to add that technology? I don't know. Is the risk too great that that might introduce an inflation bug? I think the argument that you can do it in second-layer solutions isn't absolutely true. I think a lot of the privacy solutions are much better applied in the base layer, because it's very difficult to maintain privacy on the second layer if the base layer can be monitored and surveilled. However, this is a true consideration now. This is a real design trade-off. This is the essence of cryptocurrency design, I think, and the very difficult fundamental trade-offs that exist in engineering cryptocurrencies. There are no perfect solutions. Everything involves giving a bit in one area in order to gain a bit in another area. You can't just be best at everything. We're going to see this debate happen very strongly. I think it's part of the reason why it's going to be difficult to introduce privacy technologies in the base layer of Bitcoin.
I hope that we will introduce privacy technologies in the base layer of Bitcoin, even if there is a small risk that there are exploitable inflation bugs that could go undetected and cause some problems with the inflation of the supply of Bitcoin. I think in the long run, the risk of not having sufficient privacy in the base layer is greater than the risk of a small inflation bug, which I think with maturity will not go undetected for very long. But this is a very difficult risk analysis, and I'm not confident about that opinion. I'm leaning more towards privacy at the moment. I could be persuaded otherwise. I'm not certain or fixed in my opinion on this. I would like to hear a broader debate, and understand how big the risk is. I understand the risk of not having privacy in the base layer. To me, that's a clear risk. It involves undermining the fungibility of Bitcoin, being able to introduce regulation and legislation that makes it very difficult for anyone other than criminals to use Bitcoin, because the very use of Bitcoin that involves using blacklists, whitelists, tracking addresses, and complying with surveillance regulations will make it impossible for normal businesses, for legitimate users, to use cryptocurrency. That's a real risk. I understand that I can quantify that risk. The problem on the other side of this equation is a risk that I don't understand. I don't know how big the risk of an inflation bug is. It's not zero. We know that now. It's not zero risk, because it's already happened. But how big is it? How repeatable is that bug? How many other bugs could possibly exist? That I don't know. I'm not qualified to know it. I'm not a cryptographer. I don't understand range proofs to that degree, so that I can evaluate that risk. This is a broader debate that we're going to have in this community. It's a very interesting glimpse into the very important, very serious trade-offs that exist.
Maybe it turns out that the risk of inflation is much greater than the risk of not having privacy. We really need to work on moving privacy to the second layer. I don't know. I could be persuaded either way at this point. We'll find out. This is a very interesting debate to come in the crypto space. It's not going to play out just in Bitcoin. This is going to play out in every cryptocurrency that has the same fundamental challenges of protecting privacy and the integrity of the currency.
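Added example (not part of the talk or of any coin's code): a toy Python model of the homomorphic balance check the speaker describes, the "bananas minus apples" verification done on hidden amounts, plus the inflation failure mode from the Zcash question. Amounts are hidden in Pedersen commitments in a small prime-order group; the group parameters, generator derivation and amounts are constructed for teaching and are not a real coin's.

```python
import hashlib
import secrets


def is_prime(n: int) -> bool:
    """Trial division; fine for the ~7-digit toy modulus used here."""
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))


def safe_prime_group(start: int = 2_000_000) -> tuple:
    """Find prime q with p = 2q + 1 prime: the squares mod p form a group of
    order q. h is derived by hashing so that log_g(h) is unknown to anyone
    (constructed teaching parameters, not any coin's real ones)."""
    q = start
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    p = 2 * q + 1
    g = 4  # 2^2 is a square, so it lies in the order-q subgroup
    h = pow(int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big"), 2, p)
    return p, q, g, h


def commit(v: int, r: int, grp: tuple) -> int:
    """Pedersen commitment C = g^v * h^r mod p: hides v, binds to it."""
    p, q, g, h = grp
    return pow(g, v % q, p) * pow(h, r % q, p) % p


def balances(ins: list, outs: list, excess: int, grp: tuple) -> bool:
    """Verifier side: prod(inputs) == h^excess * prod(outputs), i.e. the
    hidden amounts cancel. No amount is ever revealed to the verifier."""
    p, q, _, h = grp
    lhs, rhs = 1, pow(h, excess % q, p)
    for c in ins:
        lhs = lhs * c % p
    for c in outs:
        rhs = rhs * c % p
    return lhs == rhs


def build_tx(in_amts: list, out_amts: list, grp: tuple) -> tuple:
    """Sender side: commit to every amount with a fresh blinding factor and
    publish the blinding excess so the verifier can cancel the h terms."""
    q = grp[1]
    r_in = [secrets.randbelow(q) for _ in in_amts]
    r_out = [secrets.randbelow(q) for _ in out_amts]
    ins = [commit(v, r, grp) for v, r in zip(in_amts, r_in)]
    outs = [commit(v, r, grp) for v, r in zip(out_amts, r_out)]
    return ins, outs, (sum(r_in) - sum(r_out)) % q


def honest_tx_balances(grp: tuple) -> bool:
    return balances(*build_tx([7, 3], [6, 4], grp), grp)  # 10 in, 10 out


def overspend_tx_balances(grp: tuple) -> bool:
    return balances(*build_tx([7, 3], [6, 5], grp), grp)  # 10 in, 11 out


def inflating_tx_balances(grp: tuple) -> bool:
    """10 in, outputs 11 and (q - 1), which is -1 mod q: the sum wraps to 10,
    so the balance check passes although 11 spendable coins now exist. A
    range proof that every output lies in [0, 2^n) is what rules this out."""
    q = grp[1]
    return balances(*build_tx([10], [11, q - 1], grp), grp)
```

The third function is the shape of an inflation bug: the arithmetic still validates, so only the range proof stands between hidden amounts and silent supply growth.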