"Privacy and Zero-Knowledge Proof Are Going To Be Critical for A Free Society" - Kieran Mesquita

Ishan Pandey: Hi Kieran, welcome to our series “Behind the Startup.” Please tell us about yourself and the story behind Railgun?

Kieran Mesquita: Railgun was ideated and founded by Emmanuel Goldstein as a way to enable privacy-preserving smart contract interactions on Ethereum. I believe privacy and self-determination are fundamental human rights that have been heavily eroded with the advent of modern technology. While Ethereum has great potential to reclaim the right to self-determination, its public nature coupled with critical design shortfalls (account-model) that make it trivial to track user actions should be cause for concern, especially when dealing with money. As a lifelong believer in the right to privacy, Mr Goldstein’s pitch made perfect sense to me.

Prior to Railgun, I was already heavily involved in multiple blockchain projects. I started in the early days of Bitcoin trying to get an edge in CPU and later GPU mining, and later I engaged in multiple blockchain projects covering things like pushing the boundaries on running wallets on lower and lower-cost devices, permissionless crowdfunding, consensus algorithms, cross-chain bridges, and DEX’s. Besides blockchain, I’ve dabbled few other fields, namely astronomy and hobby electronics. I’m currently most active developing on Ethereum and the smart contract space.

Ishan Pandey: Can you explain how Zero-knowledge proof technology works?

Kieran Mesquita: At a high level, zero-knowledge proofs are a system whereby a prover can prove something to a verifier without revealing the details about the thing being verified. For example, an ID checks where the prover wishes to prove they are over 18 without revealing the details on their ID or revealing their exact age can be done with zero-knowledge proof.

Getting into the implementation details, a zero-knowledge proving system takes a program represented as an arithmetic circuit, a set of public inputs, and a set of private inputs, and outputs an execution proof that the program was successfully executed with the given inputs. The verifier can then check that the program was executed successfully with the public inputs and execution proof. In the above example, the public inputs could be a hash of the ID data (perhaps publicly published by the issuer of the ID so that authenticity can be verified) and today’s date. The private inputs would then be the fields on the ID, such as date of birth and name. The arithmetic circuit would then check that A) the hash of the ID fields matches the hash that was given as public input and B) the date of birth on the ID is at least 18 years earlier than today’s date. For example, there is a number of different zero-knowledge proving systems like plonk, marlin, halo, and the one used in Railgun – groth16.

These properties are incredibly useful in privacy-orientated blockchain applications where actions need to be publically verifiable without revealing their contents. We can look at how zero-knowledge proofs are applied to private cryptocurrencies – note that I have used “owner” to mean the individual or software that has access to the private key required to take actions such as spending coins.

Privacy-focused transaction systems generally use UTXO accounting and apply a zero-knowledge proof system to transactions. Transactions in a UTXO (Unspent Transaction Outputs) accounting system specify outputs from previous transactions as inputs and define a new set of outputs. Each output contains the parameters that specify how it can be spent (for standard wallets, this is simply a check that the transaction is signed with a particular key pair corresponding to a wallet address) and a value for the amount of coins that output represents. In order for a transaction to be valid, the spending requirements for each input needs to be satisfied and the sum of the outputs of the transaction cannot exceed the sum of its inputs.

The zero-knowledge proof variation of the UTXO model uses some blinded form of the UTXO such as its hash or encrypted so that only the owner of the UTXO can decrypt it and the UTXOs are stored in a cryptographic accumulator such as a MerkleTree. UTXOs exist perpetually in the accumulator with a nullifier (a value that can be deterministically generated from the UTXO only by the owner, usually a hash of the private key plus some values contained in the UTXO) used to prevent double spends. The private inputs to the zero-knowledge proof for a transaction would be the input and output UTXOs. The public inputs are the current UTXO accumulator state (eg. the MerkleTree root), nullifiers for the input UTXOs and the blinded output UTXOs. The arithmetic circuit would verify that A) the UTXOs exist in the accumulator, B) the spender is the owner of the UTXOs, C) the nullifiers correctly correspond to the UTXOs, and D) the sum of the outputs is less than or equal to the sum of the inputs. The verifier would then simply need to check that the nullifiers had not been used in a previous transaction to prevent double-spending, that the accumulator state used is the current or previous state of the UTXO accumulator and then add the blinded UTXOs to the UTXO accumulator.

As UTXOs are only stored in blinded form, the amounts and owners are hidden from public view and using nullifiers to prevent double-spending instead of removing UTXOs from the current state hides what UTXOs are spent in any particular transaction.

Ishan Pandey: Miners worldwide have just authorized the first Bitcoin upgrade in four years and it is called Taproot, effective from November this year. What does this upgrade mean for the cryptocurrency in terms of privacy and efficiency? Further, how do you think it will affect the market?

Kieran Mesquita: Taproot consists of two upgrades, schnorr and tapscript. Schnorr signatures are a lightweight signature scheme that has a number of advantages over ECDSA signatures but have had their adoption slowed due to being covered by a patent. The three advantages of schnorr signatures that are most applicable to Bitcoin are their size, non-malleability, and linearity.

The smaller Schorr signature sizes are an obvious benefit in Bitcoin where space on the blockchain is a premium. Schnorr public keys are 32 bytes instead of 33 bytes and signatures are 65 bytes instead of 71 or 72 bytes with sighash flags. Schnorr signatures can be aggregated via an interactive aggregation scheme allowing transactions to be created with a signature that is simultaneously valid for all inputs, further compounding the space savings.

ECDSA signatures are malleable, meaning someone can take a valid signature A of value X and alter it to produce a valid signature B of value X. Since changing the signature text changes the TxID of a transaction, it can lead to a number of attacks, for example:

1. If an exchange was tracking withdrawals by TxID and an attacker was to alter the TxID via signature malleability and have the altered transaction mined, the exchange might never recognise that the withdraw transaction has been mined (this was the attack used against Mt.Gox).

2. Chained transactions in the mempool can be invalidated if the TxID of the parent transaction is altered since transactions reference UTXOs by TxID of the previous transaction.

Segwit partially solves transaction malleability by not including the transaction signature as part of the TxID hash preimage, ensuring the TxID is not changeable; however, witness data is still susceptible. Schnorr signatures ensure the entire transaction is non-malleable. This is useful for applications like the Lightning Network, which requires non-malleable to function securely.

Linearity allows a group keys to be efficiently aggregated into a single public key that represents the group, where group keys can collaborate to produce a single signature that is valid for the group public key. Verification of schnorr signatures on-chain only requires storing/verifying a single signature, making multisigs cheaper.

Tapscript aggregates multiple spend scripts for a UTXO into a merkle tree. Transactions spending from tapscript UTXOs need only reveal the spend script they are executing. This allows large scripts to be broken down into smaller spend scripts, reducing the size of the redeem script for these inputs and, therefore, the transaction cost to spend them.

While Taproot decreases the size of Bitcoin transactions, it only marginally increases pseudonymity by obfuscating or revealing less of the redeem script information which provides some privacy benefits to institutions like Coinbase, such as hiding which signers in a multisig have authorized a particular transaction. It doesn’t provide any pseudonymity benefits for the average user and doesn’t do anything to increase anonymity. I’d consider taproot to be an upgrade to efficiency and not privacy primarily.

I try to stay away from making predictions on market/price performance, especially as it is driven by narrative rather than the technical viability and merits of any proposed or implemented upgrade.

Ishan Pandey: Several experts predict that the cryptocurrency Ethereum will eventually overtake Bitcoin especially given the current volatility in the market and that Ethereum is programmable and faster than Bitcoin. What are your views on this prediction?

Kieran Mesquita: Ethereum has shown a willingness to acknowledge shortfalls and improve, whereas Bitcoin has stagnated with the community actively ignoring issues or labelling them as ‘features.’ In almost all metrics but price Ethereum has already overtaken Bitcoin.

Ishan Pandey: DeFi has ushered in an open alternative to the present banking system that promises greater financial inclusion. In your opinion, how has DeFi revolutionized the virtual assets economy, and do you think it should be more heavily regulated?

Kieran Mesquita: DeFi has brought a much-needed explosion of utility to the cryptocurrency space. If it is the goal of cryptocurrency to build a new financial system many more financial primitives need to be available. Financial systems consist of a lot more than just cash.

As for regulators, they need to be careful not to stifle the innovation we see in the space. The most valuable thing the SEC did in 2018 was to create the HoweyCoins ICO. The messaging that we often see that blanket labels everything as a scam simply serves to make it harder to differentiate genuine scams from legitimate projects in the cryptocurrency space. I think education is a lot more valuable than regulation, and I can name a number of educational YouTubers that have done more for DeFi on a shoestring budget than regulators.

Ishan Pandey: Facebook intends to launch its own cryptocurrency, Diem, to make digital payments more convenient. Can Facebook be trusted to put the public’s interests ahead of its own in light of the accusations against the company on issues such as user privacy and data mining of users?

Kieran Mesquita: Diem is closer to PayPal with scripting capabilities than a decentralized cryptocurrency.

An inclusive global financial system (as is Diem’s stated purpose) must respect the fundamental human rights to privacy and self-determination.

These goals are not achievable through a currency whose governing body is composed of corporates whose business model stands in stark opposition to these goals. Instead, we need to look to currencies like Bitcoin, like Ethereum, where users need not trust any single entity to have faith in its integrity. Improving the privacy of the applications being built on these public chains is fundamental to realizing the goal of a truly global, fair, and inclusive financial system.

Ishan Pandey: CBDC projects are gaining traction around the world, and the ASEAN region will be no exception, with numerous central banks, commercial banks, and FinTechs promoting CBDC pilots, such as Singapore’s Project Ubin. What are your views on the ongoing CBDC developments and what is your take on it?

Kieran Mesquita: CBDCs are an incremental improvement to efficiency in the existing financial system but come with valid economic policy and privacy concerns. Historically there has been a layer of insulation between the wider economy which is influenced by fiscal policy, and the nation’s central bank, which has solely been responsible for balancing interest rates. The danger is central banks could slip away from the role of managing monetary health and become more akin to a branch of law enforcement, making decisions based on influences and goals that might be in conflict with maintaining a healthy economy.

Ishan Pandey: After China, Thailand has become the latest Asian jurisdiction to impose trading restrictions on highly speculative cryptocurrencies and NFTs, including meme coins like Dogecoin. What is your opinion on the move of the regulators and the rationale behind it?

Kieran Mesquita: Modern-day societies have long been skewed in favour of the de facto elite that has access to hedge funds and other financial institutions. The average person has been disenfranchised and ignored for so long that things like the GameStop/AMC phenomenon and now ‘joke coins’ like Dogecoin have begun to serve as an outlet to protest against Wall Street and the large institutions. While well-intended perhaps, regulators taking actions to shutter this escape valve instead of addresses the wider systemic problems does little to protect the little guy as they are chartered to do.

Ishan Pandey: According to you, what new trends will we see in the cryptocurrency industry?

Kieran Mesquita: Narratives around cryptocurrency change so quickly that predicting future trends requires pulling out your crystal ball. However, I can talk about where I would hope to see cryptocurrency move in the future: privacy, privacy, privacy. While privacy coins have been around for 6-7 years at this point, an eon in cryptocurrency terms, they’ve been mostly restricted to purely transactional use cases. Historically we have not seen privacy solutions applied to the areas where the most economic activity is happening (like DeFi and NFTs). I would hope to see a renewed focus on privacy in other areas where blockchain is seeing applications.

Disclaimer: The purpose of this article is to remove informational asymmetry existing today in our digital markets by performing due diligence by asking the right questions and equipping readers with better opinions to make informed decisions. The material does not constitute any investment, financial, or legal advice. Please do your research before investing in any digital assets or tokens, etc. The writer does not have any vested interest in the company. Ishan Pandey.