...into our next talk, which is on Bitcoin-Monero atomic swaps. I know this is a very hot area of research recently; there's a ton of interest. So, zkao, okay, you've got the screen share going here.

Hi. Can you hear me?

We can hear you, yes. Since everything is working on our end, I'm just going to hop off and let you take it from here. How about that?

Oh, yeah. So basically I would like to do it more interactively, so you're very welcome to ask questions, or to ask the questions that people drop in the chat. So basically, in 2017 we were at CCC and we were discussing, and we found it would be very interesting to create a project to swap Bitcoin for Monero in a trustless manner, atomically. And after a week, it was just for the... because it sounded very, very interesting and my colleague h4sh3d couldn't get his head out of it, and we ended up working on this project much more than we initially expected.

So one of the things that cryptocurrencies bring is this permissionless way of exchanging money online, for example on the internet. Before, all electronic money was intermediated. Can you actually see my screen?

Yes, I can see your screen. Yes.

All right. And there is an issue with this, because we have cash in society, and cash is a bearer, peer-to-peer, permissionless and privacy-preserving form of money. Whoever has it has the right to spend it, by having physical possession. Peer-to-peer: you can just meet someone and give it to this person directly. If it's peer-to-peer, it's also permissionless: nobody is in the way to intercept this transaction. And privacy-preserving: you can be locked in a room, give cash to someone, and nobody else needs to know about it. And cash is legal. So we should not downgrade our online money by using or accepting a totally transparent financial system like Bitcoin.
We have to have ways to be able to exercise privacy by, for example, swapping Bitcoin into Monero and going into the private world. But you should do that in a permissionless manner: you should not have to ask permission to go private. So it looks like, from this definition of cash, Monero is cash and Bitcoin is almost. Bitcoin has the property of being permissionless: you could spend your money in the wrong way and nobody could prevent you from doing that. However, because it's not privacy-preserving, people can watch what you're doing with your money and they might go after you because of that. So this is very problematic in an open society.

So the way we see atomic swaps is more like a cash-to-cash exchange. You have euros and you meet someone who has US dollars, you agree on an exchange rate and you exchange it in private. Nobody else needs to get involved in this exchange, only the people in the exchange. And we think that atomic swaps are very similar to this, so it's a cash-to-cash exchange. And in the same way, if someone tries to buy your moto for $2,000, you might take cash and not worry too much about it. But if you are trying to sell your house and somebody shows up with a million in cash, you are going to worry about it, because you would want to know where it came from and whether it's counterfeit. So there is this natural tendency of people to judge the quality of what they're getting in an exchange. So in the crypto space, people are now responsible for taking care of their private keys. They could also be responsible for not engaging in suspicious-looking transactions: if a transaction is too good to be true, it's probably not true.

So one thing that Monero would gain... Bitcoin users, for sure, would gain a lot of privacy by being able to switch to Monero in a trustless and permissionless manner. But what Monero gains from Bitcoin is its liquidity.
It has something like 100 times higher market cap, and it's much more easily accessible. So Bitcoin is easy to get, and if you have a network where you can exchange Bitcoin for Monero atomically, then you could go into Monero through that path. So it's very interesting to have permissionless entry into a privacy currency. It's not nice to have to ask for permission to go private.

So with this I'm going to go on and try to go through the protocol in the form of a diagram. So here, first, I'm going to show this: this is the complete paper after the research. This research started literally three years ago, and h4sh3d really did a good job, and you can find the summary here. And I think the easiest way to understand the atomic swap is to play the protocol. We have a representation of the protocol as a Petri net. Can you guys tell me if you can see? If I zoom out, can you still see it like this?

Yes, we're largely able to see. I'm getting good quality coming in from you, so the people watching the stream should still be able to read the text.

Okay, that's great. Okay, so I'm going to just show it like this. So here we have basically a protocol representation. Here you have Bob, who starts with Bitcoin in his private wallet, and Alice, who starts with Monero in her private wallet. And if the protocol goes through, Alice should end up with Bitcoin and Bob should end up with Monero in their private wallets. I'm going to play the protocol, and slowly I'm going to explain more and more what each transaction does and what they look like. So basically all the logic will happen on the Bitcoin side, because Monero doesn't have scripts, just keys. So the way we do it is, you do the whole game theory on the Bitcoin side. So Bob, with Bitcoin, is going to initiate the protocol by creating two transactions: a soft lock transaction, which is the transaction that locks the Bitcoin that is going to be sent to Alice.
So it's the locked Bitcoin is going to end up with this script on this output. And a transaction that is a refund transaction and Bob already partially signs it and sends it to Alice. And this refund transaction is going to spend the soft lock output and give the money back to Bob basically. So this is a refund path. So Alice checks the information that Bob gives and Alice signs the refund transaction because all the information is correct. And having the refund Bob can safely lock the money on this soft lock contract and publish it to the blockchain, wait for it to be mined. And the money is going to be on this very special output here. Nothing happened on Monero chain yet. Alice has to lock her money as well. And Alice is going to feel convinced she should do it because she can see that the lock Bitcoin is locked in the correct address. So basically Alice locks her Monero in this special address. This address is derived by both Alice and Bob actually. So none of them control this address. They only know half of the private keys. So what is interesting now is that whoever learns the other half of the private key gets the Bitcoin, gets the Monero, sorry. And it's either going to be a refund or a complete swap. So at this point, Alice can't do anything. Bob has to reveal a special secret. This is just a synchronization secret. It's like a the authorization of Bob to let Alice move on on the protocol. So Bob shares the secret. This secret is needed to unlock this output. So this output needs this secret, synchronization secret, it needs Alice. This Alice half key is the is the private spend key that is locked in this output here. So Bob has half of it. Alice has the other half. So basically in order to Alice to spend this output, she's going to have to reveal this key. How does she reveal this key is through this. 
So basically we use this ECDSA adaptor signature. Bob gives Alice an encrypted signature, and in order for her to decrypt the signature and use it here, when she decrypts it, she leaks this key, basically. Because if Bob has the decrypted and the encrypted version of the signature, he can easily recover this key. So basically you force Alice to reveal this key, and Alice gets the Bitcoin in her private wallet. Now this key that got leaked can be used by Bob to claim his Monero on the other side. So that's how the protocol would run in the successful case.

But of course there are tons of cases that are not the successful case. For example, I went back in time a little bit. For example here, Bob decides that he doesn't give the secret to authorize Alice to continue running the protocol. So he doesn't trigger this. What can Alice do? The only thing she can do is, after a timeout, she can publish the refund transaction. Okay, now we're going to understand the refund transaction a little bit. So Alice published this refund transaction because Bob wasn't responsive; he wasn't triggering this one. And so right now, if Bob does not become responsive, Alice is going to be able to take this path and take the Bitcoin. But if Bob can, he should become responsive, otherwise he's going to lose his money. And he's going to try to consume this output. And again, this is the same scheme as before with the adaptor signature: this key is going to get leaked by Bob decrypting Alice's signature, which is needed on this transaction. And it's interesting now that, because Bob leaked his Monero key, Alice can claim her refund on the Monero chain, like this.
So this is very interesting, because although we don't have any timelock or any scripting capability here, we managed to gain liveness by forcing Bob to act. We forced Bob to leak this key. And so basically, we managed to make this protocol live just on the Bitcoin side, with game theory on the Bitcoin side. And many things can happen here, even things that should never happen. For example, let's go back in time. It should never happen; it can happen in the protocol, but in practice it will not happen, because of game theory. So let's see, for example, if you would allow Alice not to lock her Monero, if Alice just refuses to... oops, let's go here. So Bitcoin is locked, and Alice doesn't lock her Monero. Then Bob goes, okay, I'm going to claim the refund after the timelock. And now what if... so there's this path, for example, here, where Alice can spend the refund. If this would happen, Alice would end up with both Bitcoin and Monero, and that's totally not an atomic swap. So this path is very important for the game theory that we explained before: it's to force Bob to react. In practice, this path would never happen, because Bob can directly move the Bitcoin from this output into his private wallet by publishing this transaction and this transaction together. And on this transaction he could pay tons of fees to make it pay for the child, the parent pays for the child.

So we are pretty convinced that embedding the Monero private spend keys as the encryption keys for some Bitcoin signatures is a very interesting way to leak keys that can be used on the other chain. And with the trick that Sarang presented, explained in the previous talk, because Monero and Bitcoin use different curves, you can prove that the key is actually the same on both sides. So we're pretty convinced that the protocol is complete. Yeah.
So if you guys have any questions specific to the protocol, I think it's very interesting, especially now that we can try to play it.

Sure. Thank you so much. First, I just want to point out that I'm paying attention to YouTube and I'm paying attention to Discord. Sarang Noether is still on, so if he does have any questions, of course, Sarang, hop on in. I guess the first question: you've architected the general process for how it works. What is the next step to implement this into a functional system? What does that look like?

Oh, so we have to first start organizing ourselves to see how big of a project this can be, in terms of how many people should work on it. We are currently three people, and maybe we want to work with more people on this project if it happens. Basically, we're still in the phase of trying to write some timeline for the project, some deliverables that we know are necessary, let's say prerequisites, for achieving the final goal. So I think in the next month or so we're going to present this to the community and make a CCS proposal. And depending on how it goes, we will see how much effort we can put into it. But there's a lot of things to be done.

On the GitHub page that you shared, and I also sent this on YouTube for people to see, and I'll post it in Discord also: is this diagram available there too?

Oh, the issue with this diagram is that it uses some weird software to play it, and today my housemate took two hours to get it to work. So the description is easy to give, but this software is very weird. It's the GreatSPN editor, but I could share the diagrams.

Yeah, I can't say I've heard of this before, but even a PDF export or something.

Oh yeah, that's for sure, that's easy. So I think we can share the subgraphs for sure. We want to eventually make a playable JavaScript thing out of this, but we have to do it by hand.

Yeah. Okay, understood.
It is really cool to see a walkthrough with this, because I know that you publish some stuff on GitHub. I personally haven't really looked through it in full detail; I just don't have those skills personally. I know other people in the community are excited and have looked at it. So it is cool to be able to sit down and have this walkthrough right in front of me. I think it's a very good initial starting point to get some of the ideas in here. You go ahead.

So I think this kind of diagram helps you bind together all the information, because you have all these Bitcoin transactions and it's a little hard to see what their requirements are and things like that. And here it becomes like, oh, you see the function of the transactions: oh, this transaction is leaking that key, or it's forcing him to act quickly before that path becomes available. And I think this is where this kind of diagram, Petri nets, binds everything together and it's much easier to go through it. And this is actually a formal diagram, it's not just a graph.

So I did have one question. I'm 99.9% sure I know the answer, but I think it's helpful to ask, just to clarify, especially for anyone else who maybe hasn't read the PDF yet. This doesn't require any particular protocol changes to either the Bitcoin or the Monero side. Is that right?

Yes, that's right.

Because I seem to remember seeing a couple of questions in other media that basically seemed to imply, like, when would a network upgrade enable this. Just to be clear, there wouldn't need to be network upgrades to enable this. I mean, in theory, people could be doing this right now, although it seems very unlikely without software support, right?

Yeah. So for sure, we don't need anything right now. Even the ECDSA one has been done already; we were totally unaware of this work, but it looks very high quality, so you can just use it.
So basically we just use a normal key in Monero, and in Bitcoin, in scripts, there is fingerprinting from the Bitcoin script. So people are going to be able to possibly tell, oh, this was probably an atomic swap, this follows that protocol there. However, after that soft fork, I think it's BIP 341, we could hide this protocol in the success cases, if people all agree on it. So then it would be pretty interesting, because then we wouldn't have any trace left on the Bitcoin blockchain about the swap.

Okay, sorry, just to be clear, you may have said this and maybe I just wasn't listening closely enough. So as far as the soft fork is concerned, are you saying that's a soft fork in Monero or Bitcoin to enable that, where in the best of cases, if it goes through and there are no contentious problems, it would be much more difficult to mark the Bitcoin as related to a swap? Sorry, so the soft fork, is that related to Monero or Bitcoin?

Bitcoin, sorry. This is the Bitcoin one; it's BIP Schnorr, BIP Taproot, Tapscript. So when Bitcoin gets Schnorr, Bitcoin is going to get Taproot as well. That's what I'm talking about. So before, you can look at it and say, oh, that could be an atomic swap. After that, you can't say anything. So it's very interesting.

Okay, very interesting. That'll help prevent surveillance software from just marking it all as higher risk.

Yeah.

Okay, this is the last question, just putting it out there for those that are watching this on YouTube or anything. If you have any questions, now's a great chance to ask them. We have just a few minutes left, although it doesn't seem like this research team is going anywhere. It looks like they're just getting started; they have their work cut out for themselves. But it is exciting to hear about it. Really no questions coming in.
Sarang, did you have anything else that you wanted to get at? You may have walked away.

No, no, no, I'm here. No, I think this is extremely exciting. I think there are still, you know, questions to ask about, especially with what was brought up about possible fingerprinting; I think that's very important. You know, I think making sure that it's clearly understood that the privacy implications are about how the transactions are initialized initially, and there has been some talk on our research channel about this too. But, you know, I mean, this is great. You know, previously, when it was first brought up, it was kind of this, you know, I thought that we had, you know, improving systems that could show this particular quality. And they're like, yeah, wouldn't that be great. And now it turns out, with this adaptor signature and cross-group stuff, it can be done. So I think it's very exciting.

Yeah, I have to say, when I first saw the pitch of Monero-Bitcoin atomic swaps, I just assumed it was someone trying to pitch a centralized exchange that they were just calling a swap. And then I had to dig a little bit further to be like, oh, actually, these people are not kidding around. This is actually something that's not just...

Yeah, we started at CCC and we were just like, how do we make Bitcoin private?

And I guess one last question that I had, that is mentioned in the paper, I think it's actually mentioned pretty clearly in the paper too, is that this is not just limited to Monero or to Bitcoin. In the paper, you and your colleagues talk pretty specifically about what the requirements are for each of the different types of chains and protocols. Is that right?

Yeah. Basically, think about it: how much are we using of Monero here? It's just a normal address. So there's nothing special there.
So anything that has as much capability as Monero can be one side of the Bitcoin trade. And Bitcoin is already very capable, so if you go to things that are more capable than Bitcoin, then it gets even easier. But of course, then you get more fingerprinting, like much deeper traces of what you've been doing left on chain. So yeah, for sure. And I think the trick of the cross-group equality, that makes the bridge between any elliptic curve, so then you can basically cross any chain, if you can produce these groups. So I think the protocol itself, because we can play the game theory only on one side, shows that it's possible to do stuff with very limited resources. I think protocols should be very minimal, and we cannot use complicated primitives, or let's say complicated systems, to deal with simple things like accounting.

And it sounds like on the Bitcoin side, at least, maybe the big limitation right now is just ECDSA. Is that right?

Oh, yeah, that makes things ugly and hard. To do the adaptor signature on Schnorr would be trivial, for example.

Yeah, cool. Thanks for the questions.

Oh, thank you. I know we were brought in here at the last minute to do something, but it was definitely worth it. It was great to have you included at DEF CON.
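The key-leak mechanism described in the walkthrough (Bob hands Alice an encrypted signature; completing it on chain reveals her Monero half spend key, which Bob then combines with his own half) and the closing remark that it is trivial on Schnorr can be shown end to end in a few dozen lines. The block below is an added example written for this page; it is not the Farcaster project's code and the talk itself uses ECDSA adaptor signatures. To keep it short it assumes three simplifications that are not in the talk: a Schnorr-style adaptor signature instead of ECDSA, secp256k1 standing in for both chains (the real protocol has ed25519 on the Monero side plus a cross-group discrete-log-equality proof, which is not implemented here), and a toy SHA-256 challenge rather than BIP 340's tagged hash. All keys and the "sighash" are constructed values.

```python
"""Schnorr-style adaptor signature: how a secret leaks from the Bitcoin side
(added example; not the project's code). Assumptions, not from the talk:
Schnorr rather than ECDSA, secp256k1 for both 'chains', toy challenge hash."""
import hashlib

# secp256k1 domain parameters (real values; everything else below is constructed)
P_MOD = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, A):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    R = None
    k %= N
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def scalar(label):
    """Deterministic toy secret derived from a label (constructed, NOT a real key)."""
    return int.from_bytes(hashlib.sha256(label).digest(), "big") % N or 1


def enc(A):
    return A[0].to_bytes(32, "big") + A[1].to_bytes(32, "big")


def challenge(R, P, msg):
    """Toy Schnorr challenge e = H(R || P || m) (assumption: not BIP 340's tagged hash)."""
    return int.from_bytes(hashlib.sha256(enc(R) + enc(P) + msg).digest(), "big") % N


def presign(x, msg, T, k):
    """Signer x produces a pre-signature 'encrypted' under T = t*G.
    The challenge commits to R + T, so only the holder of t can complete it."""
    R = ec_mul(k, G)
    e = challenge(ec_add(R, T), ec_mul(x, G), msg)
    return R, (k + e * x) % N


def verify_presig(P, msg, R, T, s_pre):
    """Check s_pre*G == R + e*P; the receiver does this before locking funds."""
    e = challenge(ec_add(R, T), P, msg)
    return ec_mul(s_pre, G) == ec_add(R, ec_mul(e, P))


def adapt(s_pre, t):
    return (s_pre + t) % N          # decrypt the signature with t


def extract(s, s_pre):
    return (s - s_pre) % N          # recover t from the on-chain and pre-signature


def verify(P, msg, R_full, s):
    """Ordinary Schnorr verification of the completed signature (R + T, s)."""
    e = challenge(R_full, P, msg)
    return ec_mul(s, G) == ec_add(R_full, ec_mul(e, P))


def run_swap():
    """Success path: Bob pre-signs the Bitcoin 'buy' tx under Alice's Monero
    half-key point; Alice completes it; Bob learns the half key from the chain."""
    alice_half = scalar(b"alice monero half spend key")   # constructed
    bob_half = scalar(b"bob monero half spend key")       # constructed
    bob_btc = scalar(b"bob bitcoin signing key")          # constructed
    buy_tx_msg = b"sighash of the constructed buy transaction"
    T = ec_mul(alice_half, G)        # Alice publishes T (plus a DLEQ proof in the real protocol)
    P_bob = ec_mul(bob_btc, G)
    R, s_pre = presign(bob_btc, buy_tx_msg, T, scalar(b"bob nonce"))
    presig_ok = verify_presig(P_bob, buy_tx_msg, R, T, s_pre)  # Alice checks, then locks XMR
    s = adapt(s_pre, alice_half)     # Alice decrypts and broadcasts the buy tx
    R_full = ec_add(R, T)
    on_chain_ok = verify(P_bob, buy_tx_msg, R_full, s)
    leaked = extract(s, s_pre)       # Bob reads s from the chain and recovers t
    shared_addr = ec_add(ec_mul(alice_half, G), ec_mul(bob_half, G))
    bob_can_spend = ec_mul((leaked + bob_half) % N, G) == shared_addr
    # Failure mode: Alice cannot publish a valid buy tx using anything but her real half key
    cheat_ok = verify(P_bob, buy_tx_msg, R_full, adapt(s_pre, (alice_half + 1) % N))
    return {"presig_ok": presig_ok, "on_chain_ok": on_chain_ok,
            "leaked_matches": leaked == alice_half,
            "bob_can_spend_monero": bob_can_spend, "cheat_ok": cheat_ok}


if __name__ == "__main__":
    print(run_swap())
```

The refund path in the talk is the same construction with the roles swapped: Alice pre-signs the cancel transaction under Bob's half-key point, and Bob completing it leaks his half to Alice. Because the challenge commits to R + T, the only scalar that turns the pre-signature into a valid signature is the exact t behind T, which is the whole reason the counterparty cannot take the Bitcoin without giving up the Monero key.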