has not been reported. In this case, it can be any possible crime where either the witness or the victim of the crime is not willing to come forward to report it. And this is again because they do not want to play with their life, because of the consequences after reporting the crime when somebody has some information about the crime. Now the problem is that the criminals have the technology today to perform criminal activities anonymously while staying anywhere in the world. But when it comes to crime reporting, is there any protocol or any platform available from where they can report the crime anonymously? Now, these three scenarios talk about the requirement or need for anonymity. We started researching which anonymous protocol we should go with. Then we came up with some protocols like ring signatures, group signatures, blind signatures. If I talk about group signatures, they require group managers. That means it's pseudo-anonymous; it's not completely anonymous, it's not completely decentralized. So in that case it can be corrupted, so we didn't go with that. When we talk about ring signatures, ring signatures do not have any group managers, right? So that means it's better than group signatures. And when we talk about blind signatures, in the case of blind signatures some random number is given to provide the anonymity here, right? There is one more protocol called the BOLT protocol. Now, this protocol is off-chain, so we are again not going with that. Then the last protocol is zk-SNARKs. Now, zk-SNARKs talk about the prover and the verifier, right? And here the prover tries to convince the verifier that, yes, he is the one who has the information, but he's not actually giving the information, right?

And since zk-SNARKs have been successful so far off-chain, that's why we use zk-SNARKs for providing the anonymity in our protocol. And I think that's all from my side. If anybody has questions, they can come to me. I think Vipin will answer this question more because he's here with me and he's working on this anonymity research.

So anyhow, there are two things, anonymity and confidentiality. So we are always talking about Bulletproofs and where we can apply them; see, we are trying to use this new protocol called the Bulletproof protocol, which provides authenticity and confidentiality. Thank you.

Thank you both of you for talking about zk-SNARKs and using them for private reporting; very interesting, all the best. Our second flash talk: when we talk about blockchain and the underlying technology, there are obviously a lot of questions in our mind about how the government looks at it, what the government's policy on blockchain is, and how the government of the state or the country is looking at furthering blockchain or using this technology to solve or address the challenges that it faces. I have with me Tanvi, who will do the second flash talk and talk about the initiatives and the policies that the government of Karnataka is taking to look at blockchain, and what the policies and their formulation are.

We're going to have to just go on stage and talk. So I have a bunch of slides; if you could just set it up, just give me a few minutes. The first thing I think I need to clarify is the government's position: they're looking solely at non-crypto applications. So they're looking at applications, especially those that work within the government itself. So within government departments, how can they implement blockchain in citizen services? How can they implement blockchain?
Of course, because the national government has a position on cryptocurrencies, or a non-position, we can't do anything in that space. So that's the first thing. So our blockchain hackathon was so far the largest in India. We had over 500 registrations; we had about 270 people who came, 60 teams that competed. And these were on five themes which were carefully designed by the government. These are all challenges in government for which we had solutions designed. The first of these was on identity management. So how can you actually do your KYC processes and other processes without citizens actually parting with their data? Because right now the data of the citizen resides in a government database. It could be driver's license information, data information, whatever. It resides with a government authority. So is it possible to design a system where you own your data and you just authenticate it with different departments or services using a blockchain? The second application we looked at was chain of custody, which is where you trace products through their life cycles. So for example, timber produced by the forest department: it's exported to different countries and they need to trace whether it's legal, how it was cultivated, how it was sourced. So blockchain helped do that. And that's actually one of our active proofs of concept right now. The third area we looked at was the many permits and many activities where different departments have to collaborate. So like someone was mentioning, like you mentioned crime records: that's somewhere where it's not always just the police. They might have to interact with Interpol or ID, or they might have to interact with the law department. So how can different ministries collaborate on a blockchain? And I won't take up more time. So from the hackathon we had a bunch of solutions, and we're now looking at building active POCs from those.

The second thing we did is we had a conference which brought together global people, especially people focused on government applications. So we had people from the Netherlands, where there are already 36 applications of blockchain in government. We had people from Dubai, which already has records on blockchain. And we had a very good exchange of ideas there. And we're looking to form a governance council on blockchain which comprises people from startups, people from other governments, from industry and from different government departments. And the way forward for us is we're actually designing a blockchain stack for Karnataka. So this will bring together data from different departments in a sort of sandbox environment where we're hoping blockchain applications can be developed for citizen services. So we're in the process of building that right now. And I'll be around after this talk, so if any of you are interested in doing this kind of work with governance and blockchain and other emerging technologies, feel free to come talk to me.

All right. Good evening everyone. It's nice to see a full room, so I'm glad you all came in. Before we start, I have a request. You all have a phone in your pocket. It's got a volume slider. Please turn it all the way down to zero, because I can hear somebody's going off. It's very annoying when that happens. So please, phones on silent. So I'm just going to briefly introduce HasGeek and Zooko, and we'll find him on the screen. That's nice. So I'm glad to have Zooko here, and I'd like to thank Zendurex, Kotham and Karadar for making this happen. So thank you guys. So one of the things that we do at HasGeek is we host technology talks like this, and we host larger ones which are full-scale conferences.
But one thing that we are interested in is not just talking about technology for the sake of the technology itself, but also providing a frame of reference for why a technology is interesting. And this is the context for what Zooko's going to talk about today. I'm going to refer back to a blog post he wrote in 2001 describing what he thought was an interesting problem back then, which is to do with how you name things. For instance, my name is Kiran. Now, this is a nice name that you can refer to someone with. My name is not ABC123, which would have been a very odd name to have. So the fact is that I have a name that you can understand, remember and call me by. So if you want to create a naming system, what Zooko outlined was that there are three desirable characteristics of a naming system. One, it has to be a nice human-meaningful name. Second, it has to be a globally unique name, in that you want a name that nobody else has. Now if you take these two characteristics, you get something like DNS, the domain name system. A domain name is globally unique in that only one person can have a certain domain name. There is no chance that the same domain name is issued twice, because of the Internet Corporation for Assigned Names and Numbers. And ICANN then becomes a target for political control, and it's part of what several governments around the world try to fight for control over. And that's not something you want anymore. You want to be in an era where you can think of decentralized technology as being possible. So if you take these three desirable characteristics: you want a human-meaningful name, you want it to be globally unique, and you want it to be decentralized without a single controlling authority. Tough luck. You can only have two of those three qualities. You have to lose one. Either you lose human-meaningful names, or you lose globally unique names, or you lose decentralization.

And while this was put out as a thought exercise in 2001, it's grown over time to be known as Zooko's Triangle, and it's become an interesting design challenge. So in India today we have something like Aadhaar, which is a centralized system. And the more you look at this, the more you feel afraid of centralized systems, because of the way the project is managed. And you want to say it would be nice to have that without a central authority. The problem is nobody really knows how to do that, because you're losing some other characteristic. And so if you take Zooko's Triangle as a reference point when you design a system: are you willing or not? Is that a useful way to examine a technology and say which of these characteristics it exhibits? Is it possible to solve for Zooko's Triangle, or is it an impossible problem? There have been multiple attempts to solve it, and there are multiple critics saying this attempt solves it in theory, not in practice, because in practice something else will break it at some point. And it's not like it's not been attempted. One of the most recent examples is the Namecoin project, which basically says: can we use a blockchain to solve for Zooko's Triangle? So the point of using this example now is to say that having a frame of reference of this sort is a useful way to talk about technology, because now it's not just what this technology's characteristics are but, given a nicely defined paradox, does it address it or not? And so I will hand it over to Zooko now. Zooko is the founder of Zcash and is also a health enthusiast, which is really where I first discovered him, and with a name like that, well, you can't forget it. So over to you, Zooko.

Okay, how about this? Okay. So according to this: Bitcoin, privacy, Zcash, origins, things you can do, and also no questions about the prices of ICOs. Alright, I'm ready. And so if I only talk for 30 minutes, then we'll have lots and lots of time for questions. Right?
How long can we go? Because then we can have lots of questions for sure. Okay, so I have two slide decks here and maybe I'll just switch between them depending on how technical you guys want it. Let me start with the introductory facts and then let me see if you already know all that. Okay, you already know about blockchains, right? That's a blockchain. And I like to say that the important properties of blockchains are that you can't go back and change your story later, which is called append-only or immutable, and you can't give two different stories to two different people using the same blockchain, which I call canonical. This is a picture of encryption, and the important thing you get from encryption isn't that nobody can see the data; it's that you get to control who gets to see the data. So I call that selective disclosure. So Zcash is, as far as I know, the first thing that combined those two properties, append-only and canonical, along with selective disclosure. Zcash is a blockchain with encryption added, and here is... So you know about Bitcoin, right? And you already know that Bitcoin is actually just a Microsoft Excel spreadsheet with a sender and a recipient and an amount. And the magical thing about Bitcoin, the big breakthrough, was that everyone in the world can have the same version of the Excel spreadsheet visible on their computer at the same time. So that's the consensus magic, which is the breakthrough in Bitcoin. But once you have the consensus magic, then you just implement money like this, right? You append a new row to the spreadsheet whenever you want to transfer money, to transact. You all know that, right? Does that make sense? Okay, I should definitely go way faster than that. This is Zcash as an Excel spreadsheet.

So this might be the first thing I've said that you don't know: Zcash uses encryption to conceal the sender and recipient and amount transacted, and then it adds this new column, which is a zero-knowledge proof of the correctness of the encrypted transaction. Did you know that? Okay. All right, so do you know what a zero-knowledge proof is? Okay, nobody does. I don't really know what a zero-knowledge proof is. Here's one metaphor for a zero-knowledge proof. Suppose you had a friend who was colorblind and you had two balls of two different colors, but they looked like they were the same color to your friend. And your friend thinks that you're fooling him and that you actually have two gray balls instead of one green ball and one red ball. And you want to prove to him that the balls are different, but you don't want to let him know which one is red. So it's really easy to prove that they're different if you can tell him the facts; you can do it some way. But if you want to convince him that the balls are different without giving him the information about which ball is which, how do you do that? And the way you can do that is with an interactive protocol, where your friend takes the two balls and holds them behind his back and either swaps them or doesn't, and you don't know what he did, right? And then he shows them to you and you tell him whether or not he swapped them. Then he knows that either you can see the difference between the balls or you got really lucky and you're still bluffing. So then he repeats that process like a hundred times in a row. And if you can always tell whether or not he swapped, a hundred times in a row, now he becomes convinced that you can see the difference between the balls. But because we did this weird protocol, he didn't learn any information about which ball was which. So that's a very simple metaphor for a zero-knowledge proof, which I guess is due to Oded Goldreich.
Okay, well, you guys are obviously way more geeky than the last audience I talked to. So let's switch to the geeky slides. Here are different ways to add privacy to things, like the first lightning talk described. You might not be able to see; speaking of color blindness, you can't tell that these are two different colors on this display. But what's that? Do you know how stealth addresses work in Bitcoin or Monero? But do you want to? Okay. We still have 25 minutes. A stealth address is: suppose somebody tells you their address, like their Bitcoin address, and you want to send them a payment, and then later you want to send them a second payment, and you don't want someone watching the blockchain to be able to link those two and to recognize, from the fact that you're reusing the same address, that you're paying the same person. Stealth addresses are a way to generate a new address each time. And all of the generated stealth addresses are public keys that correspond to the recipient's private key, so with his private key he can decrypt or receive each such payment. It's a lot like HD wallets. I think with HD wallets you have to generate the addresses with the private key. The difference is that with stealth addresses (and maybe some versions of HD wallets do allow this) someone who doesn't have the private key can generate more public keys for you. So, yeah, okay, so it's very much like HD wallets. The important thing with stealth addresses is you don't have the private key; you just have someone's public key, and you can generate a new public key for them which will work for them, but no one will be able to recognize that this public key corresponds to their private key. Now I need someone to come back in. We're going to have to do this every six minutes from now on. Right. For every private key there are many public keys, and you can come up with any one of the keys without using the private key.

You can look at a public key and you can generate more public keys. So, if you have that, then when you want to make payments to someone, you make a new one of their public keys every time you're going to make a payment. This makes it so that someone looking at the blockchain doesn't recognize the recurring use of their original public key. So this is going to make it hard for someone looking at the blockchain to recognize the recipient of a transaction. It's not going to do anything for the amount of the Bitcoin payment, or Monero or Zcash. Stealth addresses by themselves won't hide the amount that you send. Right. And by themselves they won't hide anything about the sender. You will still be visible as the sender. So this means this technique is red for the sender and for the transaction details like the amount and attached metadata and stuff, meaning it doesn't protect that, but it protects the recipient. Here's another technique: confidential transactions. This is a form of encryption that you can use with a blockchain to encrypt the value, and you can accompany it with a proof that the value is in the right range, that you're not spending money you didn't have. So confidential transactions don't do anything to protect the sender or the recipient, but they conceal the value you post in the transaction. Now this is a technique... you know about CoinJoin? You all know CoinJoin? What's that? Yeah, it's allowing mixers, exactly. Yeah, so there's a series of different improvements inside here. The guy who did the first lightning talk described some of these technologies. Mixers are the lowest-tech one that was deployed first for Bitcoin, where a bunch of people send their money to a third party and ask him to please resend it to the ultimate recipients. And there are more sophisticated ways to do it, such as the ring signatures that we talked about earlier.
But in general they have the property that you're choosing a set of decoys, as I call them. So the transaction that people see on the blockchain, the way it's spelled out, basically says: one of these five sending addresses sent some money to this receiving address, right? And one of those five is the real one and the other four are decoys. And this protects the sending address, sort of. This is like a yellow; it's not really green like those ones are. These are really strong; this one is, well, pretty strong if combined with other things; this one is really strong, this is like total encryption, which means you can't learn anything about the value if you don't have the decryption key; but this one is weak, really, decoys, and I'll show you why in a minute. And then the last one, which was also mentioned in the first lightning talk, is zero-knowledge proofs in general. SNARKs are one particular way to do zero-knowledge proofs, but zero-knowledge proofs in general can be used to protect the amount transferred and the sender, and it's really strong. It actually makes it so that, well, I'll show you how in Zcash we can make it so that you don't learn almost anything about the sender. I'll see if I can explain what I mean by that in a second.
So if you took something like Bitcoin and added confidential transactions to it, you would still get this publicly visible graph of every address that has paid every single address; the only thing that would not be visible is how much they paid. And then the modern version of Monero, which is descended from this, uses three different techniques put together: stealth addresses and confidential transactions and a mixing technique, which is ring signatures. So it's good on those two, but it's weak on the sender privacy, because the decoy system only provides a small number; currently in Monero the number is five, but whether it's five or 50 doesn't make much difference, I think, for this. So Zcash combines zk-SNARKs with stealth addresses, so that we get strong protection of that one, and this gives strong protection of the other two. So that's why we say we get a green light in each of those three columns here. Do you want me to explain why decoys are fragile, or go on and talk about Zcash? Okay, okay.

So I said we have the zero-knowledge proofs. A zero-knowledge proof is a general-purpose thing where you can prove not only that two balls are different colors but also anything that you can write down in a sufficiently short program; you can then prove something about it. Now, the way I think about it... you can think about it as a document, and you prove a truth about the contents of the document without revealing the document. But I'm a programmer, so the way I think about it is you have a program and you can prove that a certain string is the output of running your program without revealing what the input was. It's really easy to make a non-zero-knowledge proof, a proof which allows knowledge: if I want to prove to you that a certain string is the output from a certain program, I can just give you the inputs, and then you can run the program, and then you'll be persuaded that the string is the output. Makes sense? So the weird thing about a zero-knowledge proof, or the important difference, is that I can give you a mathematical proof that I couldn't have come up with this big number if I hadn't run the program with some inputs that produce this output. So I can prove to you that the output is an output from the program without revealing the inputs. So in Zcash we use that, and this is the program we use, and what this program says is like this. This is a Merkle tree; you all know about Merkle trees. Merkle trees are great. For a long time, whenever we were inventing things, we would figure out that there's another data structure called the Bloom filter. Bloom filters aren't great; they never work. So for a long time we would always think, oh, we should use a Bloom filter for this, and then we'd say, oh no, the false positives totally ruin it, it doesn't work, let's use a Merkle tree for this. It always works; Merkle trees are great. So we started calling ourselves the Merkle Tree Huggers Club. And this Merkle tree is serving to prove that cms are coins, but they're not a fixed denomination; they're like UTXOs really. cms are UTXOs; we sometimes call them notes. cms are notes, which are basically like encrypted UTXOs, because they have an arbitrary value attached to each one and they're spend-once. You all know what UTXOs are? Cool. So here's a Merkle tree over all of the cms that have ever been valid. So whenever the Zcash miner is processing a new transaction, that appends another cm to the set of all cms ever. That's the newly generated note; it's the new UTXO from this transaction. The transaction has consumed one or more UTXOs and produced one or more UTXOs, and whenever it produces new ones the miners append them to the set. The cm itself is derived from your secret key, and every one of the arrows in here is basically just a secure hash function; it's all SHA-256. So if you take your secret key and then you hash it with three different other things, it'll result
in a cm. So now, if you know the secret key that corresponds to a certain cm, that's what gives you the ability to spend that cm, right? So you want to spend money, you want to spend one of these coins, but you don't want me to know which one you're spending. That's how you can have that strong privacy on the sender side. We can get a green light on the sender side if you can spend one of these coins and, to be zero-knowledge, to really max out the privacy, we have to make it so that out of all coins, or UTXOs or whatever, out of all the ones that have ever been valid, you get zero information about which one is the one I'm spending. Okay? So, like, in Monero, if you make a transaction there are five plausible, I mean there are five candidate senders, sending addresses, for this transaction. In Zcash the set of candidate sending addresses is all of the addresses ever in the blockchain. Make sense? Now, in fact, there's a terrible hack in here which is visible if you think about the height of this Merkle tree, because it's a fixed-height Merkle tree. So Zcash has a fixed capacity for transactions. I think it's currently a 29-height Merkle tree, so after we've done two to the 29 transactions we can't do any more. But anyway, we can explain later, if you want, how to get past that. If you want to spend one of these notes, one of these UTXOs, and not reveal any information about which one you're spending, all you do is you generate a zero-knowledge proof that you know some secret key. This is one of the inputs; it's one of the secret inputs, so you're not going to reveal this to anybody. You're just going to publish a proof that you knew some such number that, when you put it in and hashed it three different ways, produced some cm, but it doesn't say which one it produced. And then you're going to say: and then I hashed this cm with this thing and this thing and this thing, and it resulted in the Merkle tree root. And I can verify that zero-knowledge proof and I can say, okay, he must have known some secret key which matched one of all of the cms ever, and it has a path through the Merkle tree that results in the root, therefore he knew the secret key to one of the coins, but I have zero information about which one. So that's the privacy in Zcash. And you should immediately have a lot more questions about Zcash. The next one is the double-spending prevention, right? You just proved to me that you knew a coin, but you didn't prove to me that you haven't already spent this coin to everybody else. So for double-spending protection, that's what this other thing is over here, a nullifier, which is: if you take the same secret key and you hash it a different way, you get a different random number, and that gets output visibly to the miner. So when you spend a UTXO, the miner doesn't learn (by the miner I mean everyone, the public, right, because everyone is watching the blockchain, and anyone can run a miner) they don't learn which cm you're spending, but they do learn which nullifier goes with it. And so they append this to a list of all nullifiers ever, a list of all spent UTXOs ever. So Zcash has got twice the scalability problem that Bitcoin has: we have two ever-growing sets. Okay, that's the core of it. You've got the basics; ask me questions. How are we doing?

What's the transaction capacity? Okay, the question is, what's the transaction capacity? The answer is we deployed the first version of Zcash a year and a half ago, and it has a Merkle tree in it which is 29 levels deep, which means you can have two to the 29 transactions before the Merkle tree is full. And now we're in the midst of deploying an upgrade to Zcash, and the upgrade has completely different cryptography, well, not completely but largely different cryptography, and it comes with a new Merkle tree. So once that upgrade activates in September of this year, then everyone's going to start producing UTXOs that go into the new tree. And I think we should just keep doing
this I think every six months or every 12 months we should just upgrade the cryptography if we can but definitely create a new merkle tree every few months is it ZK snark is the new cryptography oh that's a good question is it snark or stark the answer is the version we're doing this year is still snark snark with an N um the yeah you guys are so geeky I love this wow this is a lot more fun than a normal introductory lecture um yeah so the I'm really excited about the new zero knowledge proofs like starks the good thing about starks is they don't have toxic waste you know about toxic waste y'all okay toxic waste is the the terrible bad thing about this whole project is that um the zero knowledge proof scheme that we use is called snark s-n-a-r-k and it's the reason we use it is because we want to use zero knowledge proofs so that the the privacy set the set of possible senders is maximal so so with with simpler older cryptography like ring signatures we can only fit a small number of candidates like four um into the privacy set for the sender with zero knowledge proofs we can fit a large number of candidates like two to the 29 um so currently like in zcash today if you make a transaction there's probably something on the order of 150,000 um transactions that have previously happened involved a shielded an encrypted UTXO so your privacy sets effectively 150,000 I think maybe you can subtract out some of them based on some other kind of deductions but as a starting point it's four or five orders of magnitude bigger than you can do with uh ring signatures okay but that's the good thing about it is that we can we can fit this other stuff the thing about um zero knowledge proofs is a general purpose it can fit in the value um how much you're transferring so we don't have to use a separate encryption scheme for you and this means if we want to do more complicated things like smart contracts or crypto kiddies or whatever you just have to encode that and um zero knowledge 
proofs are general purpose and they're very flexible but the terrible bad thing about it is that uh snarks have a there's a secret key that if anyone knows it they can forge um proofs now forging proofs in zcash doesn't allow you to violate anyone's privacy but uh forging proofs allows you to counterfeit money right because you can you can say oh yeah you can say fraudulently I know some number which hashes to something something something whatever and it and hashes to the root and since you have the you know the secret toxic waste you can come up with those as much as you want so the miners will believe that you have as many coins with whatever values you want I I I want to just on this point I want to bring about that when initially the subject transaction was done there was a kind of a uh ceremony was done yeah wait what's the question what was the significance of that ceremony okay yeah okay so right so the the the toxic waste is effectively like a private key that goes with a public key and we all need to use the public key for the zero knowledge proofs for snarks that is and so the obvious way to do it um the scientists who invented this are not me right this was all the whole idea was invented by a bunch of different scientists from MIT and a bunch of different universities and they presented it four years ago now at a conference called real world cryptography and I was the like first one in line to ask a question and I was like what what about the toxic waste and the private key what are you gonna do about that and the scientists who was presenting at Matt Green cryptographer said oh I don't know I guess we'll like invite everybody to watch and we'll generate the public key on a computer and then we'll like destroy the computer so everyone will be convinced we didn't keep a copy of the private key and I said that's totally not good enough you could totally keep a copy of the private key just because you got them to watch you destroying a computer and he 
said, okay, fine, then you do it. And that was the beginning of our relationship, and that's why I'm doing Zcash now; it was one of the steps in the beginning of our relationship. So then we did something much more sophisticated. We did this thing called the ceremony, which is where there were six different computers and none of them would ever have the private key. So we called the private key the toxic waste, and we said we're gonna make it so that there are six different inert, harmless precursor chemicals, and if all six of the chemicals come together in the same room that forms toxic waste, but we're gonna have this process where each of the separate stations destroys their harmless precursor chemical separately, so that the toxic waste never exists anywhere, even for an instant. So that was the thing called the ceremony. There's a really great podcast about it by Radiolab; it's the title of the podcast, it's called The Ceremony. It's really good, they're really great storytellers. And that still wasn't good enough, so now for this version that we're doing right now there's a new improved ceremony which has like at least 60 people involved so far, and anyone could join; it was on a public mailing list. It's still ongoing, but there's two phases, and you've missed your chance to participate in the first phase, but you can participate in the second phase. Oh, okay, well, so currently there's a somewhat better way, which is doing a much better ceremony, but then the really good way would be what he asked about, which was new forms of zero-knowledge proofs that don't have any toxic waste at all, like in the math. Does that make sense?
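The ceremony just described, as an added toy model that is not Zcash's ceremony code: each of several participants multiplies its own random secret into the public parameters and then discards it, so the combined secret (the toxic waste) only exists if every share is recombined, which never happens. The group (integers modulo the Mersenne prime 2^127 - 1 with base 3) and all function names are assumptions for illustration; the real ceremony uses elliptic-curve pairings and publishes per-participant contribution proofs, which this model omits.

```python
"""Toy model of a multi-party parameter ceremony (illustration only).

Constructed for this example: parameters have the form
[g^(tau^0), g^(tau^1), ..., g^(tau^d)] for a secret tau that is the
product of every participant's share. Each participant only ever sees
its own share, and destroys it after contributing.
"""
import secrets

# Constructed toy group: the Mersenne prime 2**127 - 1 with base 3.
# Exponents are reduced modulo the group order P - 1.
P = 2**127 - 1
G = 3
ORDER = P - 1


def initial_params(degree):
    """Parameters before any contribution, i.e. tau = 1: every entry is g."""
    return [G] * (degree + 1)


def contribute(params, tau_i):
    """One participant raises the j-th parameter to tau_i**j.

    This multiplies tau_i into the accumulated secret tau without the
    participant ever learning tau itself.
    """
    return [pow(p_j, pow(tau_i, j, ORDER), P) for j, p_j in enumerate(params)]


def run_ceremony(num_participants, degree):
    """Run the ceremony with a fresh random share per participant.

    A real participant destroys its share right after contributing; the
    shares are returned here only so a caller can demonstrate that the
    toxic waste needs all of them (see combined_secret).
    """
    params = initial_params(degree)
    shares = []
    for _ in range(num_participants):
        tau_i = secrets.randbelow(ORDER - 2) + 2  # skip the trivial 0 and 1
        params = contribute(params, tau_i)
        shares.append(tau_i)
    return params, shares


def combined_secret(shares):
    """The toxic waste: the product of every participant's share mod ORDER."""
    tau = 1
    for s in shares:
        tau = (tau * s) % ORDER
    return tau


def params_consistent_with(params, tau):
    """True iff params == [g^(tau^j)], i.e. `tau` really is the trapdoor."""
    return all(p_j == pow(G, pow(tau, j, ORDER), P) for j, p_j in enumerate(params))


def demo(num_participants=6, degree=4):
    """Returns (all_shares_form_trapdoor, missing_one_share_forms_trapdoor)."""
    params, shares = run_ceremony(num_participants, degree)
    with_all = params_consistent_with(params, combined_secret(shares))
    # If even one participant honestly destroyed its share, the rest
    # cannot reconstruct the trapdoor from their own shares.
    missing_one = params_consistent_with(params, combined_secret(shares[1:]))
    return with_all, missing_one


if __name__ == "__main__":
    print(demo())  # (True, False)
```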
So the one he mentioned is STARKs. The T in STARKs, the scientist who invented STARKs uses the T for transparent, but I prefer to think of it as toxic-waste-free zero-knowledge proofs. STARKs are a really cool, let's see, I think I have... they're a really cool new kind of zero-knowledge proof. There's at least two good candidates for new improved zero-knowledge proofs, both of which are toxic waste free: one is from some researchers at Stanford including Dan Boneh, and the other is called STARKs, by some researchers in Israel, one of whom is one of the founding scientists of Zcash, his name is Eli Ben-Sasson. And they have interesting different trade-offs from each other, but neither of them is really efficient enough to just plug right into Zcash as it currently exists, but I'm hoping that in another year or so we'll figure out how to make them efficient enough to replace the SNARKs in Zcash with a toxic-waste-free crypto primitive. Does that make sense?

Is it built into the code of all the transactions, or are these just options that we do once, they can use it or not, they call it forever?

That's a good question. I think that Zcash as a community should make it non-optional eventually, but we should have a burn-in period where people have a chance to transition, like we're already doing this with Sprout and Sapling. So Zcash Sprout is the code name for the first version that currently is running, that you can use right now, and Zcash Sapling is the code name for the new version that's coming out this year. Oh hey, I'm almost done with my 30 minutes. What time do we have to keep talking? Is anyone in charge of making me stop? Great, okay, we have lots of time. What was my point? So we have Zcash Sprout and Zcash Sapling are two different cryptography systems with different Merkle trees, and when we activate Sapling in September it will be possible to transfer money from, to spend one of your old Sprout UTXOs to generate a Sapling coin, or vice versa. But then I'm going to advocate for the Zcash
community that after a certain deprecation period of like 6 months or 12 months we take away the ability to generate new Sprout notes. We always do hard-forked upgrades, which means if you don't keep your software up to date then you'll fork off on a separate blockchain. Fork, yeah. So there is support for Sprout; it's currently got support right now in the current version. The new version that we're putting out has support for both Sprout and Sapling, and it's possible to send money back and forth, and then I propose that after another 6 or 12 months we make it so that you can spend money out of the old Sprout notes but you cannot put money into the old Sprout notes, so then everyone has to migrate. That's what I propose, and yeah, it requires forked upgrades. And then I also think, hopefully we will still have enough engineering bandwidth and market position and users and everything else that we can go ahead and make another version using the new cryptography that doesn't have toxic waste, i.e. either STARKs or Bulletproofs, but that will be 2019 at the earliest before that activates, like a year to implement one of these upgrades. Yeah?

How do you think the anonymity of Zcash fares against the masternode concept of Dash? Would you consider it to be too centralized?
I haven't thought about it that much, because A, it's somewhat centralized in a way, like I'm not sure if I trust the masternodes, or if I think that's... I don't know. But the other reason, frankly, I'll just be honest, even though this is getting livecast and getting in trouble for being honest, but just to be honest: I've worked in the field of privacy technology for a long time, and there's a lot of science papers and a lot of deep thinking that goes into it, and one thing that we know is that it's one of these things that seems deceptively easy. So newcomers come along and go, I'll just add privacy this way, and they haven't studied all the decades of science papers and they don't realize that just adding privacy that way doesn't work, and that's why we didn't already do it 20 years ago. So I just assume without looking that the Dash privacy system is totally weak, because every newfangled privacy system is totally weak. Sorry, but that's the truth. I've never gotten around to looking at it. So mixing could be great if they did it right, but he said it's just based on mixing, I think, and it is possible to have good privacy from mixes, but you have to understand how to do it. It involves either batching or inserting delay; there's a couple of different ways that it can work.

So I was following the Zerocoin protocol for a while. Is that what turned into Zcash?
Yeah, the Zerocoin protocol was made by some of these scientists, and it was a very similar design to this, except instead of a general-purpose zero-knowledge proof in a Merkle tree and encoding the value into here, instead it had this funky other data structure that's not a Merkle tree but it's a different kind of accumulator, and that thing was too inefficient. So yeah, so I did heckle that guy Matt Green at that conference in 2014, but actually an important historical step happened the previous year, at the Bitcoin conference in San Jose in 2013, when Matt Green and Ian Miers gave a presentation at that conference about Zerocoin. And the 2013 Bitcoin conference was like one of the first, if not the first, time that Bitcoin was like a big enough thing that you could get a whole crowd of people together into one place to talk about it. So Matt Green and Ian Miers gave a presentation on Zerocoin, and the Bitcoin Core developers who were there gave like an official statement from the stage saying, don't get the wrong idea, don't think that we're going to be putting the Zerocoin thing into Bitcoin anytime soon, because it's way too inefficient. The transaction sizes, or the proof sizes or whatever you call it, were something on the order of 70 kilobytes, I think, and that would have been too much to fit into the Bitcoin blockchain. So then at that conference were some scientists who were inventing the new SNARKs, so they saw the Zerocoin presentation and they said to themselves, and they said to the Zerocoin scientists, hey, we can do the same thing as your 70-kilobyte accumulator using SNARKs, and SNARKs only have about 288-byte proof sizes, so that would be a huge performance improvement. So that was called Zerocash, and then Zcash came as a contraction of Zerocash, and so that's the history of that. Okay.

Zcash handles privacy for on-chain payments, right? So what about Bolt and Private IO?

What's the last thing, Private IO use? Oh, I don't know about
Private IO use, but I know about Bolt. Bolt is another invention by Ian Miers, who I just mentioned, and it's like Lightning Network but it preserves privacy. So in Lightning Network you have a hash pre-image and you reveal a common pre-image that's used in multiple transactions, I guess, I don't remember how it works, and in Bolt instead you do some kind of signature or proof that you know a common pre-image without revealing it, or something like that, and then you're not exposing your privacy, which I think seems really important in Lightning, because if you're making lots and lots of small transactions you're revealing that much more information about yourself, and you would probably end up revealing that to some large centralized third parties if you just use Lightning Network, I think. So I'm glad Bolt exists as an improvement to that. Next.

Hi Zooko, my question is, what was the reason for you to partner with the Ethereum Foundation, and what is the status of that partnership today?

The reason was mostly just that we wanted to help. The partnership with the Ethereum Foundation just boiled down to us chatting back and forth and helping each other understand stuff, and then it resulted... they did most of the work; we started them off, eventually we got distracted working on our own stuff and they finished it by themselves, and they added SNARKs, or well, they added elliptic curve cryptography and pairings into Ethereum, and with those pairings you could implement SNARKs. So that was the fruit of that collaboration so far, is that there are now pairing operations built into Ethereum, yet to make Zcash-style things on top of Ethereum. Does that answer your question? I mean, I'd be happy to collaborate with them again. I'm going to be hanging out with Vitalik this summer, I hope.

Hey man, what's the reason for 20% of the block reward going to the founders?

That's a good question. So back to the history books: those guys met up at that conference in 2013 and invented this new science, and then in 2014 I
heckled them at conferences saying you're not doing it well enough, and then so then Matt Green said, fine, you figure it out, and then they asked me to take over the project of making it into a full-scale, deployed, reliable thing. And so then I agreed to do that, and then I needed money, and so I went and got investment money from some Silicon Valley and Chinese and Singaporean and New York people, like Bitcoin angel investors and VCs and stuff like that, and we raised a total of $3 million from them. And so we told them, in return for your $3 million the Zcash company will get a share of the newly mined coins after the blockchain launches, and then we'll give you some performance. So that's how we got the money to hire, well, to pay rent for starters, and then after paying rent we also hired other people to help us do it. So the answer is so that we could afford to hire people; we could afford to do it ourselves anyway. This is the blog post we put out back then. This is the Zcash monetary base: it follows the Bitcoin policy, so it's this much for the first four years and then half as much every four years thereafter, and it never goes above 21 million Zcash coins. And then this is that, the first four years, from launch until 2020, the end of 2020, 80% of the newly generated coins go to the miner who found that block and 20% go to the company.

If it was just for initial funding, then that bit of the graph should just go down after like 2020, right? Then it would be truly decentralized after that, because you've funded already.

And then this is the total amount that's ever been distributed, so we're getting more and more because we're like here now, right, like a third of the way through. We're getting more and more every block, and then at this point we stop getting more. Does that make sense?

Yeah, but technically at that point you wouldn't need to get any anymore, right? It should just be fully decentralized, and miners should get at this point all their work.

Yeah, we don't get any more after, in
the current consensus rules we don't get any more after this point, which by the way I think is a bad idea. I think the founders reward is a... this is called the founders reward, and it shouldn't be called reward, because that's totally the wrong idea; it should be called like the development fund, right? So I think if you're going to have a blockchain you should, and some other blockchains are experimenting with things like this, you should somehow arrange to have a bunch of skilled developers improving it and maintaining it for you. That's my opinion.

The question was, can I answer that question, is Zcash looking at integrating Lightning Network?

Sure, I mean, someone else could do the work too, because Lightning is pretty independent, you don't really need to make changes, except Zcash doesn't have... what do we not have? We have malleable signatures that we inherited from Bitcoin, because Zcash is a clone of Bitcoin from, like, we started with 0.10 and then we upgraded to 0.11 but we never upgraded beyond that, so we have some bugs and limitations that we inherited from Bitcoin 0.11 that we've never yet backported the fixes for. One of them is malleability, and malleability is a bit of a pain for Lightning Network, so either we should fix malleability, which is what we should really do, or someone should deploy a version of Lightning Network that works around malleability. I think we might also lack the OP_CSV opcode, which is another pain, so we should fix that; that one should be easy. They're both easy, it just takes forever because there's so many other things that need to be done. So basically yes, we'd totally like to fix that, and practically speaking we might get it fixed by the end of this year, maybe December, if we don't prioritize other things between now and then. Yeah.

One question from me: which are the most exciting developments or applications which you see being built on top of Zcash?

Sadly, to me, I don't see applications using Zcash as a platform. I see user
facing apps like wallets, mainly multi-coin wallets usually, implementing Zcash. You might consider decentralized exchange to be an application, and I think that will come in 2018 using the atomic cross-chain transactions technique, but that's about it. It's kind of disappointing, because Zcash has, like I said at the very beginning, Zcash is the first combination of the blockchain properties with the encryption properties, so you can do potentially interesting things. Like, do y'all know about the encrypted love note in the blockchain? Like right after this launched, in like a couple months, a young woman that I know told me that she had received a very small Zcash payment, and do you know about the encrypted memo field? It's similar to OP_RETURN but it's encrypted with the same encryption, so that only the recipient can see it, right? So only the recipient knows the value and only the recipient sees the memo that comes with it. So in the encrypted memo field there was a hyperlink to an IPFS file, and the IPFS file was a scan of tickets to this event that she and her boyfriend have been talking about going to overseas. So it's an encrypted love note in the blockchain; it really exists, although I've never seen it, because only the sender and the receiver can see it, but it's like immutable in the Zcash blockchain. Anyway, so like, you know, someone should make an app for love notes on top of Zcash, but as far as I know nobody has.

I have a question. Moving from the love notes, the possibility that, given the fact that it's not possible to find out who the... it's possible to prevent both the identity of the sender and the recipient of the cryptocurrency to be anonymous... I'm just wondering, I mean, from a law enforcement perspective instantly there would be a, oh no, this is going to be used for illegal activity. I was just wondering how you plan to deal with that and how to address questions. I mean, inevitably I'm sure you're going to get somebody coming to say, hey, help
us find out who it is. I'm just wondering how you...

Yeah, we definitely get that. The main thing that I tell law enforcement: this is an open-source project, and if you want like special access to it, don't come to me, but go to github.com/Zcash. But really, actually, law enforcement, bless their souls, that's really the number one, like, higher-order bit that they need to learn, is that it's not a service that my company operates. And they do learn; I just have to tell them that if they're investigating something involving Zcash, the place to go if you're trying to find out something about a Zcash user is the exchange that you think that user is using, right? Yeah, I don't know, it's a long conversation which I've had a lot of times.

Hi, is there a possibility, did you consider Zcash could have been a hard fork of Bitcoin, because the code is almost the same? Whether there is a reason, is it a possibility or not?

A hard fork of Bitcoin? What?

No, since the code base was pretty much the Bitcoin...

Oh, could Bitcoin hard fork Zcash? Could it have been a hard fork ever? I don't predict it, because Bitcoin has a phenomenally strong culture now of never hard forking to make disruptive improvements, right? You're kind of aware, like, there's a big conversation about changing the block size by 2x or 4x or something, so I think, it's my perception, that users and everybody who's still invested in the Bitcoin project is on board with being very conservative and not making risky changes like that. I don't expect that to ever happen, but someone could always make a fork. When I say fork, that's a really ambiguous word these days, but someone could always do one of those like airdrop kind of things where they copy the Bitcoin ledger in order to give their new coin to all the Bitcoin owners, but then they could use the Zcash source code. Yeah, somebody's already doing something like that, but I wasn't going to mention it because I think it's a little bit scammy. I'm getting in so much trouble, I hope nobody's
watching that livecast, but it would be a good idea in principle if you could do it without being scammy.

Hi Zooko, so like I want to ask a question on integration of Zcash with Ethereum, where in the present scenario the gas that is required to process a transaction is much higher than the gas being, you know, produced to the block. So how can that situation be dealt with?

The gas to produce a transaction with what, would you say? About the different...

So the gas that is required to process the transaction, like when we are integrating Zcash with Ethereum, right, the block reward of Ethereum itself is lesser than the requirement of the gas to process the transaction.

Which is just, I mean, the point is it's expensive to verify a transaction, you have to pay a lot, and this is probably the reason why, as I mentioned before, nobody's made a Zcash-like thing on top of Ethereum: it is going to be really expensive for every single transaction, right?

Yes.

And what, you want to know how I think we should fix that? Yeah, maybe eWASM will fix everything. Is this glorious eWASM future... I was just thinking the other day, I need to go find some eWASM experts and say, when glorious eWASM future, sir? eWASM is this plan to, I don't really understand it, it's a plan to like replace the Ethereum Virtual Machine with a different virtual machine which can be much more efficiently compiled, and if so then maybe that would reduce the cost, the gas cost, of these particular transactions. But I don't know, actually, why is it so expensive? Why is it so expensive if we have pairings already?

So I think they still have this problem, so that's why, you know, that's not coming into the mainnet, so they are still working on it. That's what I...

Well, I don't know for sure why it's so expensive, yeah, and I'm not sure how to fix it either. Maybe like the Ethereum scaling solutions make everything cheaper, I don't know.

So you're also working on, you know, coming up with the platform where we can build apps
on Zcash?

For sure, I mean, it's a... I mean, can you build apps on Bitcoin? You know, I don't hear about people building apps on Bitcoin anymore, but they used to talk about that. And so yeah, Zcash is an open network, it's an open-source software package, an RPC API, so you can, like, there's a little Ruby script or Python script called zmsg which you can put a message into, Z message, right? It's for encrypted love notes, right? That's what I think of as an app on top of Zcash, is that little script that uses the RPC API to send encrypted love notes.

As we understand, outside cryptocurrency, the volume of currency which is printed, volume and value, is a function of a number of things, for instance the value of an economy largely, right, and there are other concerns that a central bank would be interested in addressing. Now, which means they have a formula, it's a function into which a lot of inputs go, and they decide what value and volume to print. Here the volume, volume, value, whatever gets generated, is a function of, I don't know, mining, and nobody knows where and when the next unit of currency will pop up. So there has to be an equivalent for this to work. Even though you're trying to be extra-government and, you know, sort of, what do you call it, have fungible borders and not be restricted by the concept of government, it still needs to be parallel for it to work, right? Those concepts need to be replicated.

It was explicitly a reaction against that practice of the government using monetary policy to try to influence the economy.

I understand that. My point is, never mind government regulating it, but as a currency unit, as a store of value, I mean as like a battery, right, it needs to store value; that's what this currency is doing, whether it's paper currency or cryptocurrency, its function is the same. Never mind the government, negate a government from the equation, it needs to grow, be able to, you know, otherwise there
will be a supply-demand mismatch.

Yeah, so there's a theory that I used to believe, that you have to increase the supply of currency approximately as the demand increases, or maybe 2% faster than the demand increases, for various good reasons. And then at some point someone told me, a great scientist named Mark Miller, who is probably the most influential scientist, well, one of the two most influential scientists in my whole life, yeah, Mark Miller, I mentioned that belief to him and he said, why? He said, in fact no, if you just had 1.0 of the currency but it were infinitely divisible, then people would adjust to the fact that the price of everything tends to go down in terms of your currency; people would figure it out. And well, so Bitcoin and Ethereum and Zcash are experiments to determine who's right.

Who's the second scientist?

David Chaum is the one I was thinking of. David Chaum is, he's one of the... so he's the inventor of cryptocurrency, he's the inventor of the concept of money on the internet, and he's the inventor of the concept of privacy-preserving money on the internet. He's also the inventor of the concept of anonymizing routers like Tor and every other known way to add anonymity onto a network, and he's also the inventor of some fundamental concepts in cryptography, and he's also one of those people who performed a courageous act of civil disobedience and wrested cryptography from the control of the military in the 1970s and 1980s and turned it into a public science. And he was my first boss. Hey, he's a cook.

Does Zcash have a scaling strategy or a solution?

No, but we have... that's because nobody does. Like, if you're picking a winner today and you're saying, oh, I'm definitely gonna use Plasma, or I'm definitely gonna use Lightning Network or whatever, then I think you're deluded, because we don't know if any of those are gonna work. So instead we're watching those other things to see if they actually work, in which case we can
copy whichever one works the best, and we're also trying to do our own research in our spare time, because we have too many other things to do, but it's possible that zero-knowledge proofs could be part of a scaling solution, so researching that.

Could a decentralized exchange, or a DEX, be a scaling solution in itself?

Oh, I don't know, why'd you say that?

Just had a thought.

Yeah, I don't know, that's what you thought. You guys asked great questions. I'm glad I stopped early on just that one.

Right, so when you say atomic swaps coming in, I think that's basically a way of scaling in many ways, probably, I think that's what...

Okay, that's a good point, I see what you're getting at, but it loses the... it's not a sidechain. The idea of sidechaining, which is another one of those glorious ideas that I'm skeptical of ever working, along with eWASM and Plasma and Lightning and everything else that's never worked, I'm skeptical if it's ever gonna work, but the whole idea of sidechains was that you could swap or trade out to some other chain and you'd have the same value when you came back, right? That I could understand would be totally a scaling solution, but if you have to negotiate a new price on the market when you come back, then I'm not sure that qualifies as a scaling solution. Yeah, yeah, maybe if the prices are a little more stable in the future between the two, the multiple different things you're trading back and forth in, then you won't mind trading back and forth sometimes. That's a good point. I mean, I definitely want that cross-chain interop as soon as possible, but I'm not sure what it is, that it might actually happen in 2018. Oh, atomic swaps or cross-chain atomic transactions are the same on Zcash as on Bitcoin and most things, which is you have a contract with a hash pre-image. Do y'all know how hash time-locked contracts work? Oh yeah, yeah, once again malleability, but I think we might be able to work around it. Fix malleability, yeah, not 100% committed to that
because there are a lot of other things we also want to do, but I think it's probably one of the most important. I mean, the first thing on our roadmap for 2018 is deploying the Sapling crypto. I didn't point this out, but the new improved Sapling crypto will make it possible to have shielded transactions in mobile phones and hardware wallets. I think that's really important, as well as maybe like in JavaScript apps, and maybe it'll be easier to implement it in more different exchanges and servers and things. So that's the main thrust, because right now Zcash kind of sucks in this way, right? I don't know if you're aware, but most wallets and most exchanges and most applications like OpenBazaar or anything, I guess OpenBazaar is an app built on top of Zcash, or compatible with Zcash, most of those things don't support the encrypted transactions at all. Do you know this? Yeah. So that's our main priority, is changing that, and the way to change that is to deploy the new Sapling transactions and then pressure everyone else to upgrade their products to use them, to support them.

Hello, do you see proof of stake taking over proof of work?

Oh, yeah, it's one of those things that I'm waiting to see if it works. But actually, you know, there have been smaller coins that have used it in various variants already, and I really like Vlad Zamfir and Vitalik Buterin and others who have thought carefully about proof of stake, so I'm kind of gradually warming up to it. Your question was, does it take over from proof of work? I don't know. There's a whole bunch of people who firmly believe that proof of work is better and they would refuse to switch to proof of stake, so I suppose that means we'll have both. And definitely... okay.

Yeah, I know you're on camera, but what do you feel government should be doing, or should they be doing anything, in response to this whole revolution? I've been talking a little bit about that, about what the Indian government should be doing.

My
thought, I'm actually pretty satisfied with the behavior of the United States regulators so far. Much to my surprise, they have not done anything stupid, and like knee-jerk reaction and whatever whatever. Yeah, and I guess I kind of think this might be partly due to this one outfit called Coin Center, this policy advocacy whatever. You said that you're a policy person, and you're the only policy person in the room, so yeah, you should like Coin Center, because they're the policy people in the room in United States Bitcoin meetups, and they've been working for like many years now, maybe four years, and they're very proactive. They go and tell the government regulators ahead of time what new issues are going to be cropping up, and first of all just teaching them is really helpful, because ignorance leads to fear and fear leads to really bad law. And then since Coin Center is the one that taught them, then they totally have credibility, so then when they come back and they say, we suggest that you do this, sort of like sensible, boring, predictable things, and they often do it. So I guess my advice is that the Indian government should hire Coin Center to come advise them. Yeah, Jerry Brito is the founder.

Hi Zooko, me again. Does Zcash see a possibility of moving to proof of stake? You said you're warming up to the idea.

Oh yeah, I think we should definitely consider it. My main plan has always been to wait until Ethereum switches, or doesn't, and then we'll learn from whatever they did or didn't do and what happened to them when they did or didn't do it, and then decide. Like second-mover behavior.

Sure, and can proof of stake really work without developer checkpoints?

Oh, I don't think anything can work without developer checkpoints. I don't believe in the Bitcoin dogma that the longest heaviest valid chain wins. I don't believe the longest heaviest valid chain wins. Like, I think if someone came along today and said, I have a new Bitcoin blockchain and it's got way
more hash power than your Bitcoin blockchain, but it forked off a year ago and I got all the bitcoins since a year ago, I don't believe for a minute that the rest of the world would say, okay, I guess you win, man. Well, my imagination of how people behave is that they would collectively agree that their bitcoins are still worth something, even though somebody else has greater hash power and has 100% of the new bitcoins.

Okay guys, last three questions.

How would you increase public confidence in using these technologies? They're highly technical, they're not... I mean, even though certain sets of people use them, a lot of people don't understand their function or what they're used for, and what I've seen, for example in Bitcoin and a lot of cryptocurrencies, is that they're simply being used as speculative assets, defeating the entire point. Yeah. How do you change that, to grow?

That's a good question, because I think public confidence is really... but probably for good reason, and I think that's the most important, or one of the most important, things long run. I think the passage of time helps; anything that's new people are suspicious of, and once a new generation grows up, like, everything that came out after you were like 13 or whatever, you're suspicious of. But anyway, I also think all of the cryptocurrency user experiences, except for the speculative asset that you described, that the user experience of buying and selling cryptocurrencies as a speculative asset is getting pretty good, but the user experience of using it for anything else is still terrible, as far as I know. And so I think that goes a long way, like a simple, familiar, understandable user experience I think would make people a lot more comfortable.

Zooko, Zcash obviously can be used, yeah, Zcash obviously can be used for both good and bad purposes, right, in the sense that the bad people can hide there and the people who want to preserve their privacy can do that. So it's kind of like a double-edged knife. Do
you think that the pros greatly outweigh the cons in this case?

I do, yeah, of course, or I wouldn't be doing this. That's why I'm committing like most of the rest of my life to this project, is I think the pros vastly, vastly outweigh the cons. I think the amount of good that humans can do for each other if they're empowered is more than any measurement we know how to make. We can make each other infinitely rich and explore the stars and be immortal, or maybe you don't want to be immortal, but the potential of humanity is completely unbounded. It's so much better than the alternative. And by the way, I watched a talk by Ed Snowden; he talked about cryptocurrency, so I fast-forwarded to that part, and he said something on this topic, he said something like... if I forget, you should ask Ed Snowden, he's very eloquent.

What are your thoughts on Nano, the erstwhile RaiBlocks?

I don't know anything about it.

Okay, so thank you everyone for asking so many questions, and thank you Zooko for patiently answering. Just one final question: how can developers in this room contribute to Zcash? If you just can take a couple of minutes to...

Oh, that's a really good question. Yeah, there's lots of contribution that's needed. I've got a few URLs that you should write down. Of course it's an open-source project, and so there's always code and code reviews needed. The Zcash Foundation, yeah, the Zcash Foundation is currently or imminently going to be soliciting proposals where they'll pay you $10,000 or $20,000 or something like that to do cool stuff, and there's a wide variety of things they consider cool, including contributing to Monero and making cool videos and other stuff beyond code, but like about half at least of the stuff that they have funded so far is writing code. I guess that's the main thing I would advise, is write code for the project.

Great stuff, thank you very much, and thank you all for attending, and thank you so much.