 Okay, wonderful people of the Kiosk West stage, welcome with me together a good friend, Jeremy Rand is at it again, this time still about namecoin, but this time he is presenting a blueprint. Please go ahead Jeremy. Thank you. So I'm pretty sure that most of the people here have already seen this slide by now, but for anyone who hasn't seen it and is new to the namecoin thing over the past two days, namecoin is DNS on a blockchain and we are interested in privacy aspects in particular for this talk. So let's get moved straight ahead to the content. So my previous two talks yesterday and today were about stuff that we've already coded. It may not have been completely fully baked, but it's stuff we've already coded and stuff that we want people to test. This talk is a little bit different. This talk is about a plan we have for something that is not yet fully built. In fact, it's not even significantly built at all. And the main reason for this is that we want to get feedback on whether you guys think our plan makes sense. We want a sanity check. We think it makes sense. We've had it reviewed by a number of people in the community, but we want more feedback. So please poke a bunch of holes in this plan. As you may know, namecoin is not anonymous, just like Bitcoin isn't anonymous. And we think this is a really big problem, because there are users who urgently need a namecoin-like system that is anonymous. For example, in one case, we were approached on IRC a few years ago by someone who really wanted to use namecoin. But he said he needed it to be anonymous, and he wouldn't tell us exactly what he was using it for, and we didn't really want to know what he was using it for, for obvious reasons. But based on what he said, it sounded to us like he was at serious risk of losing his job if his usage of namecoin became de-anonymized. And so at the time, we had to tell him, look, if you are determined to use namecoin, we'll help you as best we can. We'll do what we can to try to keep you safe. But you need to realize this is not a use case that namecoin can do properly right now. And so if something bad happens to you, we're sorry, we'll do the best we can, but we can't guarantee your safety here. And this is problematic. Anonymous speech is a fundamental human right. Using namecoin to host a website is clearly speech. And so the fact that you can't easily use namecoin to host a website anonymously, this is a serious problem in terms of civil liberties, and we want to fix that. So if you follow cryptocurrencies, you're probably aware that there are cryptocurrencies out there that have reasonably good anonymity. The two most well-known examples are Monero and Zcash. And there are some others that are trying to do experiments with that kind of stuff as well. There will be more experiments in the future. Monero and Zcash are probably the two best known. And so the obvious solution that we considered, and a lot of people have suggested to us is, oh, well, you should just do a soft fork so that you can add ring signatures from Monero or ZK Snarks from Zcash. And that way you'll have all the same anonymity features that Monero or Zcash would have. And this is interesting because the assumption that that's what you would do, that's an assumption that derives from what you would do in a currency blockchain. Namecoin isn't a currency blockchain. You can use it as a currency, but the primary use case is naming. And so it's not at all clear that that's really an assumption that holds well. So what are some problems with the idea of having namecoin soft fork to add anonymity to the consensus rules? Well, for one thing, this would actually put us in competition with Zcash and Monero and every other anonymous currency. Because the result would be that users who use Bitcoin but want better anonymity, they might be tempted to move to namecoin. And this is kind of not great because we prefer to collaborate with other projects rather than compete with them. Monero and Zcash are doing their thing reasonably well. We don't really want to start getting into a situation where they would consider us competitors or that we would consider them competitors. And the other issue here is that we do not want to have to choose one specific anonymity technique for all of our users. Some people like Monero, some people like Zcash, and it's important for the users to be able to decide what anonymity technology they use. In the same way that the web browser on your computer, you can use a SOX proxy, but that SOX proxy can be Tor, it can be I2P, etc. It's actually possible to use Tor browser even with I2P. And so it's important for end users to have that choice. And this is really important in the case that maybe another blockchain comes along in two years that is seriously competitive with Monero and Zcash. Well, if we've already made a decision now that either Monero or Zcash will be the one that we officially support in terms of consensus rules. Well, what happens in two years when that other blockchain gets released? It's going to cause political problems at least, and at worst it might lead to hostile forks being attempted, which we've seen similar stuff happen in the Bitcoin scene. It's not something that we really want to be getting involved in. Some other problems that would occur if we were to adopt ring signatures or ZK snarks is their scalability problems. Monero and Zcash both do not scale as well as Bitcoin. This is primarily because ring signatures and ZK snarks cannot be pruned, and they're also more expensive to verify, at least in the case of ZK snarks. And so this is really annoying because with Namecoin, you know, a lot of users may not want to have a really unscalable system, especially since we're competing with the DNS, which is incredibly scalable. And another problem is the anonymity set. If anonymity is baked into the Namecoin blockchain, then that means at best your anonymity set is the set of Namecoin users. Well, Namecoin users are actually a pretty small set when you compare it to Monero users or Zcash users. So even if we have good anonymity within that anonymity set, the fact that you're using Namecoin is going to be made public with your real identity if we were to do this. And this might attract enough attention to you that someone might do, you know, old-fashioned police work and track you down. And this is not really acceptable. So the solution to this problem is that we can realize that the definition of anonymity as applied to a currency simply doesn't make any sense when you apply it to a naming system. Because when you have an anonymous currency, when you make a transaction, you want to be certain that a currency transaction cannot be linked to any other currency transaction you've ever made. This kind of requirement doesn't make any sense for Namecoin. And that's because with Namecoin, all of the transactions you make for a specific name, from registering that name to renewing it periodically and updating its contents, those are already linkable to each other. That's by design. There's no way you can get around that in a naming system. And it's not inherently harmful that that's the case. Knowing that the person who updated a name is the same person who registered the name, you know, that's not particularly incriminating. That's just obvious. So we can have a different definition of anonymity that applies to a naming blockchain. And that is that for a given name that you've registered, all of the transactions for that name need to be completely unlinkable to any transactions you've made for a different name or to any currency activity you may have had on that blockchain. So this means that the names themselves can't be linked to each other. And it also means that the currency transactions can't be linked to the name transactions. So here is an approach that we came up with, which is that, let's say Alice has some Monero, and she really, really wants to get a Namecoin name. And Bob has some Namecoins. He's not using them to register a name, but he would really like to get some Monero, right? So they can exchange Monero for a Namecoin. And Alice can now register a name using the Namecoins that she got from Bob. And the important thing here is no one can tell who registered that name. The person who knows the most about that is Bob. But all Bob will see is it'll trace to a particular Monero transaction, and the trail pretty much goes cold from there, assuming that Moneros and anonymity properties hold up. So this has a lot of benefits. For one thing, it means that Namecoin is not competing with Monero or Zcash. You have to use Monero or Zcash or some other anonymous currency to do this, so that eliminates any problems with competition. The users have the choice of what anonymous blockchain they can use. They can use Monero, they can use Zcash. If they're really adventurous, they can just use bitcoins that were mixed through CoinJoin over and over, or maybe even a centralized mixer if you're really not worried about having all your coins stolen. For scalability, this makes a lot of sense also, because since the ring signatures in ZK Snarks stay on the Monero and Zcash blockchains, users who just want to read data from the blockchain with Namecoin, they don't need to ever process that information. And so as a result, this means that the vast majority of Namecoin users don't need to process that information. For example, if you look at the DNS, pretty much 100% of the world population that uses the internet is using DNS to read data. The number of users in the world who write data to the DNS is vastly smaller. So if we can make things more scalable for that much larger set of people, that is a huge, huge win. And lastly, the great advantage of this is that the anonymity set is the entire Monero or Zcash anonymity set. It's not restricted to Namecoin users, because no one knows which user on Monero purchased those Namecoins. And so the fact that you use Namecoin itself can stay secret. Now, as you may have noticed, the previous talk to this talk was from Bisk. And as far as I can tell, Bisk is a really, really well-suited platform for facilitating this kind of use case. I've done some security anonymity review for Bisk over the past year. The Bisk devs are clearly extremely competent. They know their stuff. When you bring up an issue that they weren't aware of, they ask all the right questions and they do all the right things. So from a security and anonymity standpoint, Bisk is very well-suited for this. They have exactly the same ideals that are relevant here. And so basically the idea is you would have a custom UI that facilitates the workflow of starting with Monero or Zcash or whatever. And you end up with a working Namecoin name that you've registered. This could be further made more secure using a really fun trick in cryptocurrency called atomic cross-chain trades. The idea of atomic cross-chain trades is that if you have one kind of cryptocurrency and I have a different kind of cryptocurrency on two separate blockchains, we can trade those two for each other in a way that is completely atomic, which means if one of us doesn't end up paying, then the other doesn't have to pay either. So there's no counterparty risk whatsoever as long as we assume that the blockchains aren't getting reorganized by a ridiculous number of blocks. This is more easy to do for Zcash than it is for Monero simply because atomic cross-chain trades, most of the schemes that exist for those assume something is similar to Bitcoin, and Zcash is more similar to Bitcoin than Monero is. That said, I've been talking with people who are familiar with atomic cross-chain trades in a lot of detail. As far as we can tell, it should still be possible to make this work in Monero as well. It's just a little bit more extra work. There is another issue, of course, which is that once you've registered the name anonymously, you're going to have to keep paying Namecoins to renew it or update it. You want to make sure that economic activity stays isolated to that name. For example, you don't want to use the same change output to renew one name that you already used for a different name because that violates the anonymity properties that we want. This is actually fairly straightforward to solve because you can just have a coin selection algorithm in the wallet application that keeps all of those names, currency, change outputs, segregated from each other. Wallets already usually have fairly flexible and customizable coin selection algorithms, which is mainly because they try to do clever things like improve privacy or minimize fees, so customizing a wallet to have this behavior is actually not incredibly difficult. It should be noted, though, that if we do that, which is kind of necessary for the anonymity, if you buy a name and then you want to buy a second name, even if you have some Namecoins left over in your wallet from the first name, you're going to have to use more Monero to buy more Namecoins. This could be considered to be sort of a UX issue because some users will be annoyed that they have to do this. It's not clear to me exactly how annoying this will be. I'm curious if you guys have feedback on how problematic this is likely to be with users. There is a really big open question about the anonymity issue, which is that when you buy some Namecoins, you have to choose how many Namecoins you're buying. If, let's say, you really like to delete, and so you always buy 13.37 Namecoins whenever you're buying a name, that info is public. People will probably notice, hey, there's like these five names that were all registered using 13.37 Namecoins. Maybe those are the same guy. It's not entirely clear to us at this point how big of a problem this is and what the best countermeasure is. The most straightforward solution, as far as I can tell, is just to standardize on a particular amount and make the UI always do that unless you do some kind of override indicating you really know what you're doing. But again, that might be a UX issue that would annoy some users. And so I'm curious what your feedback is on whether there's a better way we can keep people safe than what I just described. So I want to just issue an open invitation to collaborate to the Monero people and the Bisq people because this is a really important use case as far as I can tell. Namecoin, Monero, and Bisq are in a relatively good position to actually implement this. I think we should be working together. So let's collaborate on this and let's bring anonymous DNS-like naming to the mainstream. Contact info is up there. You'll be able to find me at the Monero assembly. I'm wearing a Namecoin shirt. I should be easy to pick out. Do we have time for questions? Do we? Yes, we do. Thank you, Jeremy. A applause. Well done, audience. Questions? Yeah, almost on the other side. Just pass the mic, please. I can't hear you from up here. I'm sorry. Use the mic. Are there any plans to implement confidential transactions at least when they're in Bitcoin? Confidential transactions for the purpose of hiding the amounts. Yeah, so as far as I can tell, the issue with confidential transactions up until a few weeks ago was that they require very large range proofs and that was just not going to scale very well with Namecoin. Recently, as some people here are probably aware, Greg Maxwell and some other cryptographers created a new type of range proof that can do confidential transactions in a much more scalable way. I know Monero is looking at implementing that in their blockchain. I don't want to speculate too much at this point about whether Namecoin would consider adding that. I think for now we just sort of want to wait and see how well that holds up. The fact that Monero is implementing it means that it should get some heavy torture testing pretty soon. But at this point, I don't know. I think it's too early to really say. If Bitcoin adds it on their end, then it's almost certain that we will merge it because we try to follow Bitcoin as closely as possible. If Bitcoin doesn't merge it, which honestly I kind of doubt they will, then it's a lot harder for us to justify. No more questions from the audience? Jeremy, thank you very much. That was excellent again. Thanks.