Hello. Thank you. Thank you all for being here. Thank you all for coming. I saw the presentation by Amber Baldet and Patrick Nielsen yesterday, and there was a really good joke. When they got to the part of their presentation that was about their own project, Amber was talking, and Patrick stopped her and interrupted and said, have we reached the shilling point? So my talk today is 100% about Zcash, so it's like all shilling point, but not in the sense of asking you to buy more to pump the price, but to share a bunch of stuff that we've learned recently in cryptography and in regulation that everyone else can hopefully reuse and benefit from. Okay. First of all, can we bring up the house lights so I can see you better? I can see these people. All right. Will everyone please put down your phone and stand up for a minute? You and ZZ99 up there, would you please put down your phone and stand up for a minute? Okay. Everyone except that guy has stood up. Okay. Good. If you have never heard of Zcash, will you please sit down? Okay. Great. Wow. Okay. So if you've heard of it, but that's really like you've just heard of it, but you don't know anything about it. Would you please sit down? So that's like 10th. Okay. Sweet. So then I can skip that part, which is good because I was practicing my talk this morning and I found out, oh, like the rest of you can sit down too. Thanks. But don't get your phones out. Leave the phones away. Yeah. I was practicing my talk and I realized that I put like an hour's worth of content into the slides and that we have 28 more minutes and I want a lot of questions. So I'm going to talk too fast and skip a lot of the technical content. But the goal is to say what we've just recently accomplished in cryptography, a couple pointers to possible future work that other people might also want and then talk about the regulatory situation. 
So what we've just now accomplished, Zcash, as you all know, except for that guy and like 10% of these guys, is a separate cryptocurrency that includes encryption and cryptography to make all the transactions private. And it was launched two years and four days ago on October 28th. So Zcash is two years old and that makes it like Ethereum, a grizzled veteran of the space. And four days ago on Zcash's second birthday, we introduced the first major upgrade, which is called Sapling or Zcash 2.0. And the improvement, so the first thing we did, which most of you probably kind of know, is we pioneered the use of zero-knowledge proofs. Just real quick, raise your hand, you know what a zero-knowledge proof is or you've heard of it or whatever, great, this is great, what a great audience. So I'm really proud that zero-knowledge proofs are so widely appreciated for what they could potentially do today because Zcash was the first application of them to anything in the real world as far as I know. That was two years ago. But the first version we put out two years ago was not efficient enough. It took 37 seconds on a like supercomputer laptop and it was not even possible on a mobile phone to generate the zero-knowledge proof necessary to protect a single Zcash transaction. So what we've just activated on mainnet four days ago is Zcash 2.0 and we've reduced the time from 37 seconds in the first version to 2.3 seconds in the new version. Thanks. Yeah, so that's really great because now it's possible for people to generate these on their mobile phone. Now no one's actually implemented it and made it available. There's not a client yet for someone to download and use, but the cryptography has made it possible to implement that client and for every exchange everywhere to support these zero-knowledge proof based transactions and so forth by Corey. Oh, Corey's just getting ready because he's next. 
So real quick, there are basically three components of the cryptography that we have worked on for the last two years. We have a really, really great team of cryptographers and engineers who've been working on this really hard for two years straight to get us this far. So it's really a substantial advance that everyone else can benefit from because it's all open source, all the science results we had to come up with have been published in peer-reviewed science papers. We didn't apply for any patents and there are no barriers to anyone else reusing this for any other purpose. Okay, the three major advances we had to do, the first one is replacing the hash function inside the so-called circuit that you have to prove when you make a transaction. And this is potentially useful for a lot of other people because hash functions are used everywhere. A great cryptographer once said that hash functions are like the nails of the internet. They're used to hold everything together. There's nothing you do that doesn't have at least one hash function inside. Well, two of our cryptographers came up with a more efficient way to implement a certain kind of hash function called a Pedersen hash inside of zero-knowledge proofs. And all by itself this reduced the runtime by 75%, which is a really great improvement. You might be able to use this yourself, but you have to be careful because SHA-256 and Pedersen have slightly different properties so it's not just a simple drop-in replacement for every use. And the result of like nine seconds per payment is still not quite good enough. So we kept looking for a couple of other innovations that would improve the performance while being safe enough and practical enough that we would be able to deploy it. The next one, well, this is a complicated slide. I'm going to gloss over this, but this is a bundle of a proving system, which is a SNARK. That's BCTV14, which we upgraded to Groth16. 
2014 and 2016 are the years that these science papers were published. There's an elliptic curve, it's a BN128 that we upgraded to BLS12-381. And by the way, we helped Ethereum add BN128 into Ethereum in the Metropolis upgrade. So now we have different elliptic curves from each other, but whatever, that's probably fine. And then there's the implementation, which is just an open source library that anyone can use. The older implementation is called libsnark and the new implementation that we wrote over the last two years and we've now deployed is called Bellman. The old one's written in C and assembly, except we never use the assembly because assembly is dangerous. And the new one's written in Rust, which is even safer than C. And all of this stuff is reusable for any zero-knowledge proof system. And all bundled together, it gives you twice as fast, which can be necessary for some uses. And then the last thing is a thing called a split circuit design, which I probably don't have time to explain, but it gives us another 50% improvement and that's how we get down to 2.3 seconds for a typical transaction. That's where we're at today. Okay, next, where would we like to go next? Well, Zcash 2.0 Sapling, it's really fantastic. It might be good enough for the foreseeable future, but there's at least one thing that bothers me. The SNARKs, which is the proving system that we've started with all along, it has this thing called toxic waste, which is what I call toxic waste. Cryptographers call it a structured reference string, but toxic waste is a much better word because it makes it clear to you that this is a thing you should worry about. If the toxic waste is an unguessable long random number, it's like a private key, and if you knew it, you could forge Zcash out of thin air. Now, that's terrible, but even if you knew the toxic waste, you can't violate anyone else's privacy. You can forge new Zcash for yourself, but you cannot see or manipulate anyone else's Zcash. 
So there's a limit to how bad it is, but it's still pretty damn bad. If you could forge Zcash, that would ruin the whole point. So we went to this extravagant effort and did, I'm pretty sure, the most secure, sophisticated cryptographic ceremony ever in 2016 to set up the system while preventing the toxic waste from ever coming into existence, making sure that nobody at any moment ever had a chance to generate that number. And then we did a way, way more sophisticated and secure ceremony last, just recently this year, for the new version. So I'm really sure that the toxic waste can't possibly exist, and a lot of people in this room actually contributed to that process to make sure that even if I were cheating and trying to steal a copy of the toxic waste, they would have prevented me from doing that and vice versa. However, this still bothers me, because for one thing, I can't convince everyone else in the world of this. There could still be FUD where someone says, I don't know, I think maybe Zuko is saying that, but he and 100 other random people around the world were actually secretly in cahoots. So it would be cool for Zcash as well as for other uses of zero-knowledge proofs if you could use one of the newer proving systems which have no toxic waste. And this slide is all about how we can't yet in Zcash, because we need all of the fields to be green for it to be efficient enough to put into the Nakamoto blockchain design where the like the Zcash Sapling design where every transaction has to have a zero-knowledge proof generated and then the proof has to be transmitted with it and verified by all the miners. That puts a lot of constraints on the performance. And the new things like STARKs, which was a hugely popular overflow talk yesterday by Eli Ben-Sasson, who's one of the Zcash founders. STARKs take 45 kilobytes at least per proof string, and that 45 kilobytes is just way too much to put into the blockchain with every single transaction. 
So that's a non-starter for now. Bottom line is there's only one row so far that we can do this with. Okay, so other people could use STARKs for other things that have different performance constraints. And we could potentially improve Zcash and like Zcash 3.0 with a few possible techniques that I don't have time to explain. Here are four things that you should take a picture of because I don't have time to talk about them, but they might be useful for Zcash or other zero-knowledge proof systems for the next generation. And we have some very rough estimates of how much savings we could get. So it's like, hmm, it's close, it's interesting. All right, I'm just going to scoot along. Here's something else I totally don't have time to talk about, which is what if we change the architecture? Okay, I have to talk about it. What if we change the architecture? So it's not a simple Bitcoin-inspired Nakamoto consensus where you have to generate a zero-knowledge proof with every transaction and then carry it along. So what's good about it is that we separated privacy from mining. All the privacy happens on the end-user computer who generates an encrypted and zero-knowledge proven transaction. And then all the rest of the consensus algorithm just deals with these encrypted blobs. But what if we changed it to a new consensus algorithm, sharding? Maybe you can use zero-knowledge proofs to solve some of the problems in some of the currently unsolved problems in consensus algorithms and sharding. Anything like that would open up the constraints back here. So if we had a much, much more high bandwidth consensus algorithm, then we could use STARKs, even though they have, like, two orders of magnitude greater bandwidth requirements and stuff like that. Okay. Possible changes. Not coming anytime soon to Zcash because we're conservative and it took us two years to upgrade the cryptography. It'll probably take another two years to make the next upgrade. 
All right, now I mentioned back here one of the three improvements that we've already vetted and gotten security audits and deployed and tested and activated on mainnet and now people are using it today. The third one is split circuit design and it's specific to a payment system like Zcash. It's not... Well, I don't know if you could apply the same kind of principle to other zero-knowledge proof systems, but I'll describe it real quick. This is the old Zcash 1.0 core. This is all the bits of data coming in and out that need to be proven by the zero-knowledge proof. You don't have to understand any of it except for... Well, these big old things on the left, ZUTXO, that's two coins that are being consumed and two new coins that are coming out. So if you are paying someone, you're probably going to consume a coin that's worth 10 Zcash and you're going to give them five and then you're going to give yourself change for five. This is the so-called UTXO data model from Bitcoin, which is different than the balanced data model from Ethereum. So the zero-knowledge proof in the original Zcash 1.0 has to prove the correctness of all of these pieces even if you were only spending one coin. You have to prove the correctness of that coin and a dummy, which takes twice as long. So the split circuit design is we'll have two proofs, one proof that you're consuming a coin and a different proof that you're producing a new coin. And that way, if you're consuming only one coin, you don't have to prove that you're consuming two coins. And that all by itself is a 50% savings, and it's useful for all UTXO-style systems. Earlier, I said it's for transaction systems, but the UTXO-style might also be useful for Ethereum-style smart contracts. 
There's a new paper by some scientists that includes some of the Zcash scientists called ZEXE, which describes how to extend the Zcash-style data model and zero-knowledge proving system to prove the validity of arbitrary smart contracts without having the miners run all the smart contracts. So instead of someone submitting a smart contract or executing a smart contract and all the miners run it and then they come to consensus on the resulting output, instead, the first person runs it and generates a zero-knowledge proof that this is the correct output. And then all the miners just verify the validity of the zero-knowledge proof. That's a new paper. Okay. Oh, good. I'm going to have lots of time for questions. I hope you have questions, because I totally glossed over all the complicated stuff in the last two slides. You can ask me about those if you want. All right. Finally, about the regulatory situation. So you have probably heard that law enforcement and regulators and governments fear privacy or that privacy technology like Zcash is incompatible with regulation, and I'm here to say that's totally wrong. It's not incompatible with regulation and the actual regulators are not afraid of it and are not trying to prevent it. So there's this widespread common myth that is the actual problem. It's not the regulators that are the actual problem. Here's the current very simplified state of the important things in the world, which is that almost everywhere the legal status of cryptocurrencies in general and Zcash in specific is ambiguous. In China and in India, it is all cryptocurrencies, Zcash, Bitcoin, Ethereum, et cetera, are all effectively banned. And here's the really interesting little-appreciated fact that I want to tell you. 
In the United States, there's a regulator called the New York Department of Financial Services, which is the most important regulator of cryptocurrencies because even though technically they're only supposed to be regulating the state of New York, but almost every company who wants to serve Americans does not want to exclude New York. And this regulator, the New York Department of Financial Services, set themselves up as the gatekeepers and the arbiters of all cryptocurrencies years ago when they made this thing called the BitLicense, which says if you're a company, you want to sell cryptocurrencies like you're an exchange or whatever. You want to allow people to trade in cryptocurrencies and you're serving citizens of New York, regardless of where you're located, if citizens of New York are among your customers, then you require our prior permission to do anything. That's how the BitLicense works. And so therefore, all the cryptocurrency companies have been queuing up to ask this regulator for permission to do all the things ever since. Here's the little understood fact. That regulator has approved about seven different coins as being legal for people to serve to the citizens of New York, and Zcash is the seventh one, the most recent one. Yeah. Thanks. That's really important. And they explicitly went so far as to put out a press release under their official logo in the name of their official leader and superintendent and all that, which expressly mentions the encrypted feature of Zcash. And when I tell people about this, they sometimes ask me, why did they do that? What are they thinking? And I don't know for sure because they didn't give a justification or an explanation of their decision in their public press release. And I met with them in private to explain cryptography to them many times. And they didn't tell me anything in private either because they're the government and they're the ones who ask the questions. 
But one thing I do know is that I've become very familiar with all the rules and regulations in the United States and in Europe and so on. And one thing I do know is that Zcash and cryptography mixed with blockchains in general is absolutely compatible with the rules and regulations. As an exchange or any business that's dealing... The regulations, the way that's currently done, they apply to businesses like exchanges or financial institutions. They don't apply to software developers or individual users. But as an exchange, you can comply with all of the requirements while supplying encrypted Zcash to your customers. That's a fact. So that's something that the NYDFS, the New York Department of Financial Services, and my team discussed. And then this really interesting thing happened where they called my team back to New York for another meeting. I've never talked about this publicly before. And I thought to myself, I think we covered everything in all the previous meetings, so it's not clear why they need another meeting. Maybe it's to tell us something. And we all filed into the official building in New York City and we all lined up on the opposite sides of the official table. And they opened the meeting by saying the leader of the NYDFS who was present in the room gestured to their colleagues and said, we all agree that we don't want the pocketbooks of our families and the citizens of our communities to be exposed to everyone on the Internet. Yeah, so that's all they ever said. I think that was why we had that meeting. But I think it really shows that regulators and the rest of us in this community share a lot of values. We want a safe and prosperous society and we all want a society in which the citizens have meaningful political participation and we want people to be protected from crime and fraud. And encryption technology is compatible with all of that. 
I'm reminded of 25 years ago now when I was playing a tiny niche role in an earlier round of this drama when SSL was being invented, SSL slash TLS. And at that time, the United States, one small faction within the United States government created by the FBI and Al Gore and the NSA opposed the invention of SSL because it might allow criminals to use the Internet or something. And that's funny now because 25 years later, the US government requires you to use SSL, right? There's a ton of laws which say if you do not use SSL to protect your customers then you were in violation in a lot of specific cases. And I kind of think that's the same thing that's going to play out with encryption on blockchains and hopefully a lot less than 20 years. All of the good regulators in all of the good countries will require this kind of encryption to protect the people. And lastly, I want to say that I myself and everyone involved in the Zcash project is doing this just because we care about what kind of world we're building for our children and grandchildren to grow up in. Because privacy is a human right and it's necessary for political participation, for morality and for intimacy and human relationships. And it is not okay for our societies to continue careening into a world where there's pervasive and intimate violation of everyone's privacy by one or three centralized actors that's never been tried before. It's wrong and it's dangerous. Thanks. And all of us are part of our opportunity to change that and to make a world that's safe and healthy for our children to grow up in. That's it, ready for questions? You got to come down to the, or you got to acquire a mic so that the people on the live stream can hear the question. Thank you. Thanks for your thoughts and I really like how you actually twisted that whole thing that people often say about like think of the children, right? Yeah. But in the right way, right? That's really good. 
So I wanted to ask you what your thoughts are on similar privacy projects like Monero. And I also wanted to ask you about smart contracts and other features that you seem to have not focused on yet and if you have any intention to look at those. Well, those are two big questions. Okay, so first of all, there was a really great talk by Zcash founding scientist Ian Miers yesterday in which he laid into Monero and all systems that use what he calls decoy-based privacy. So you should go watch the live stream, or the recording if you haven't seen it. Now the zero-knowledge based privacy that we have has different problems, but privacy is really, really hard and I wouldn't want it to look like we've solved it but we've made a substantial improvement that everyone needs to learn from. And I like to work with the Monero people on that and we both benefit from each other. And the other question was about smart contracts. Yeah, so it's something that we've deliberately kept out of Zcash and kept out of the public discussion of the future of Zcash in order to keep things simple. Like in theory, we could extend Zcash to execute arbitrary smart contracts. And as of about three weeks ago maybe, a few scientists that include some of our scientists published a paper describing in a lot more detail how that would work and what the efficiency would be and what the security properties would be and so forth. But so far I kind of want smart contracts to keep working on Ethereum and just pure private payments to be the focus of Zcash. But that could change. Hey, so besides just winning the, or educating users about shielded transactions, could you talk a little bit about the rest of the stars that need to align across governance, business and technology to make that become a default? So Amber, the questioner is a member of the board of the Zcash Foundation, which is a separate thing from my company. 
I'm the CEO of the company and the Zcash Foundation that Amber is a director of, is a completely separate independent thing. And it sounds like a question that Amber should answer. What was that? Aside from educating users, governance and business, oh, can I have my slides back? I have a slide about this. Anyway, the major touch point between, oh yeah, thanks, perfect. The premier touch point between regulators and the technology and between users and the technology right now is exchanges, right? This is a map of all of the exchanges that already provide Zcash to their users. And so they are actually the most effective, both at educating the users and at educating the regulators. Note that there are none in India or China. There are lots in US and there are lots in Singapore, Hong Kong, Korea, et cetera. One more thing that is really necessary is better UX as everyone, I think, has figured out. We've all done this backwards by building the technology first and then trying to figure out how to put a user experience on top of it. So now we have to fix that and make a really good user experience and then figure out how to fit it to the technology. That's my answer. Any other questions? Yeah. Do you think a connection between Zcash and Ethereum is possible? Oh, a connection between Zcash and Ethereum. Oh, that's a great question. Hey, listen, there's this EIP for BLAKE2, a secure hash function. Please, please contact your friendly neighborhood Ethereum developer and tell them that you support the Blake EIP because that would be one way to reduce the gas costs of Ethereum smart contracts, evaluating the Zcash proof of work, which might allow certain kinds of connection. There's this whole crazy idea that is purely hypothetical, but Vitalik brought it up first, so I can say it, which is Zcash and Ethereum could just merge. So I don't know how this would work. Yeah, thanks. I appreciate the support. 
In the meantime, I think people using multiple different networks and technologies for different purposes is the practical, the pragmatic thing to do. But there are a few technical ideas for how we can have decentralized, trustless, cross-chain interop, and one of the details that would help is the EIP about BLAKE2. Thanks. Question over there. Hi. I heard you saying a couple of months ago in a podcast interview that approximately 7% of all the transactions on Zcash are shielded. What's the state of the shielded transactions today and what needs to happen that technically we will see more of them? Right. So Zcash, I didn't get into this. Zcash supported backwards-compatible cleartext mode. It's like HTTP and HTTPS. For a long, long time, everyone still supported HTTP, but then more and more people started supporting or even requiring HTTPS. Zcash allows the old Bitcoin-style non-private mode and the questioner was pointing out that most transactions use only the old unencrypted mode and what needs to change. So the first, there's two things. First of all, well, three things. Sorry, there's a lot. But first of all, the cryptography, which is the whole first part of my talk, is that we needed to reduce the computation cost from 37 seconds on a laptop down to a couple of seconds so that that reduces the barrier. By the way, this also reminds me when SSL was new, it was expensive and computers were a lot weaker back then and that was one of the reasons why it took so many years for SSL to become ubiquitous. But the other one is all these exchanges need to start supporting the encrypted mode in order to protect their users. And they need to understand, which they mostly don't because of this FUD, they don't realize that the regulators are almost certainly okay with that. They just need to tell the regulators this is user protection, it's compatible with all of the regulations and we need to do it to protect users. 
So after you contact your friendly neighborhood Ethereum developer, contact your friendly neighborhood cryptocurrency exchange and say you want encrypted, shielded transactions like SSL instead of HTTP in order to protect you. The last thing is UX. Like we're making a new wallet and stuff that I didn't have time to get into. Any more questions? Hi, thanks for moving this project forward. So I have a question about, so say you are doing a service for the business, where the business resolves their transactions, payments and of course there is this notion of privacy that you know, different parties they don't want to know about like with who the business is done. So perfect use case. Do you think that or up to your knowledge, if for the tax reasons, some regulatory or tax authority could come and ask to the service provider, so let's say in this case, which is built on top of the Zcash to reveal all the details about like a certain entity? Okay, I think I understand the question. If you have encrypted transactions on a public blockchain like Zcash, can some party, in your case, it's a tax authority, come ask some other party to reveal some of the transactions? Yes, this is a really ill-appreciated fact about encryption. Encryption doesn't give you all dark all the time where no one can see anything. What encryption gives is selective disclosure of data. So Zcash is the first-ever thing that combines the blockchain properties of canonical append-only data with the encryption properties, which is that if you have the decryption key that lets you see some of the data in the blockchain, you can give that decryption key to a third party and then they can see that data in the blockchain. See what I mean? That's really interesting. Yeah, so it's subtle, but the bottom line is it's possible to reveal data to some parties without revealing it to unauthorized parties in the blockchain, which is good. But that would require to share the private key? 
No, not the key that allows you to spend money, a different key that allows you to see the transactions, but not to spend the money. Make sense? Hey, Zuko, you talked a little about the Banscape and the ban in India. Do you have any, like, more insights to share or anecdotes from what's going on out there? It's not too much my place to say. I mean, the government of India banned banks from serving Bitcoin companies in India several weeks ago, and then just a few days ago the most terrible thing happened. One of those Indian Bitcoin exchanges, and Bitcoin exchanges in the world, they set up, since the banks had been required to cut them off, they set up ATMs that would take rupees in paper and give you Bitcoins. Okay? Because that was the only remaining legal thing for them to do. And then the most horrible thing happened about two weeks ago is that they were arrested, which doesn't make any sense under any law that I've heard. That's what's going on. So that's the last thing I heard about India. Zuko, as somebody who thinks about privacy all the time and can you paint a picture for us? Let's say, you know, projecting from today to n years into the future, how would decentralized applications actually provide privacy for people, not just on the transaction level, but on other levels? Yeah. That's that technology it's possible technologically and there's this thing called ZEXE, Z-E-X-E, which is a science paper that describes a technology that could accomplish something along those lines. It's possible cryptographically speaking to have shared distributed apps, which you get the property you want. I don't know the right word for it, but the property that you know the app is going to do the right thing and it can't be subverted by the owner of the server since there's no server. You can have a distributed app, which when you use it, you don't have to link what you're doing to anything else about you. 
You don't even have to necessarily reveal the moves you're making within the app. So it's a lot of work. No one's actually implemented it yet, but scientifically it's possible. Why do you think the adoption of Zcash on darknet markets has been almost zero and is that something that bothers you or do you not really care? Why do I think the adoption of Zcash on darknet markets is almost zero and is that something that bothers me? I think, you know, my best guess is, so I mean part of it is I've made some tweets saying screw you criminals go away this isn't for you and that doesn't really change the scientific or the open source code but I honestly think, because I heard this from someone who studies like the criminal underground that criminals don't trust Zcash because they don't trust me and that doesn't bother me. I think that's good. It's like the darknet markets are a shitty early adopter market because they're small, they wouldn't be very active users. It's a tiny little minority and then it would turn off the rest of mainstream society who would associate you with crime and drugs and whatever. So it doesn't bother me. So, how Zcash is expanding in Japan? There are some outlets which can legally accept currencies put on balance sheets. Are there any obstacles for wide adoption into fear to the world because of this privacy? I didn't understand the beginning of the question. How is Zcash what? Are there any obstacles from regulators and other authorities to use Zcash in Japan? Yes, in Japan where the cryptocurrencies are allowed to be used for local goods. There is an obstacle which is the there's a Japanese self-regulatory organization, which is the Japanese exchanges that have published a draft proposal for how they think the government ought to regulate them, which says that the government should require them not to supply Zcash. 
And I think that's a mistake on their part is that they, like a lot of people incorrectly think that encryption is incompatible with consumer protection and AML KYC processes and computer security and all that. So I'm hoping that they will notice the example of NYDFS doing the opposite. Maybe they'll even learn from the example of HTTPS 25 years ago, but that's currently in play. So Japan is gray on the map because it's not an ongoing conversation right now. It's not settled. Okay, no more questions. Thank you very much for being here.