

Audio interview transcription: WBD085
Note: the following is a transcription of my interview with Andrew Poelstra, Director of Research at Blockstream. I have reviewed the transcription but if you find any mistakes, please feel free to email me. You can listen to the original recording here.
In this episode, I talk with Andrew Poelstra, Director of Research at Blockstream. We talk about math, signature technology, Bitcoin fungibility and his role researching Bitcoin.
Interview Date: Saturday 9th March, 2019
"Mathematics is the art of finding patterns in logical structures and finding connections between seemingly apparently different structures."
- Andrew Poelstra
Peter McCormack: Hi Andrew, how are you?
Andrew Poelstra: Hey Peter, I'm doing very well. How are you?
Peter McCormack: Very good, thank you. Thank you for coming on my podcast. I'm going to do something slightly different today. I usually do lots and lots of prep, but the things you cover go way over my head. So today, this is the first time I think that I've ever gone without any full prep apart from a weird interview I did recently with Pomp. I'm going to just try and let this roll today. So firstly I went to your session this morning. I didn't understand any of it! I'm not technical, I'm a Bitcoin fan and I watched it and I was looking at the screen going, "okay, I don't get this!" So can you give me the background? You're a mathematician, right?
Andrew Poelstra: I am a mathematician.
Peter McCormack: So give me the background and tell me about the work you do. Somebody said to me, "Andrew has a big brain of math". So tell me all about this.
Andrew Poelstra: All right, so maybe I should start by saying that my talk this morning had a bit of an ulterior motive there. I was at MIT, which is full of undergraduates. We all know they like to go create startups doing strange, reckless cryptographic things. My goal there was to intimidate them out of trying to go build cryptographic protocols, as they weren't ready to do the kind of research needed to do this in a high assurance way. So I was trying to be a little bit intimidating when I was doing this. I heard from a few people, they didn't understand it.
Although in fairness to me, I wasn't just being mean. I had 20 minutes to cover this topic. I really tried to cut it down and I still ran out of time to say the things that I wanted to say. It was at quarter after nine in the morning, the tea wasn't working, so I showed up a bit late and I didn't have time to get coffee. Nobody else did. It was not a good time for something so technical! It wasn't just me being mean in there. It was also, that's how these things go sometimes. But to answer your question about what I was talking about though, or maybe to give a little bit of background on this.
So I work at Blockstream. I'm the Head of Research. One of our big prongs of Blockstream research is this whole collection of things that I call signature technology or scriptless scripts, depending on how marketing friendly I feel like being. What these are, are a whole pile of ways that we have to encode interesting, multiparty, I don't want to say smart contract, well I do, smart contract semantics in signature protocols. So what do I mean by that? I mean that it's possible to create digital signatures or to create what are called multisignatures.
These are digital signatures produced by a set of participants, all working cooperatively in such a way that no subset of them is able to produce a signature. It's really something that's jointly owned by all of these people at once. By extending these multisignature protocols, which are these off chain protocols where the different parties send various cryptographic objects to each other. By extending these to have other interesting semantics, these parties can ensure that the only way the final signature will be produced, and the only way that a valid transaction, which has to have a signature, will be produced, is if some sort of contract is satisfied.
So the simplest example of this that's non-trivial is say like an atomic swap, a cross chain atomic swap, where somebody say wants to send some Bitcoins to a counterparty, but the only way that they... They don't want that money to move unless they also receive an equivalent amount in Litecoin on the Litecoin chain, they want to receive that, right? So there's a swap that's happening, a Bitcoin for Litecoin swap. The problem is the Bitcoin Blockchain doesn't know about Litecoin and the Litecoin Blockchain doesn't know about Bitcoin. Neither one is willing to put verification code for the other into their consensus layer of course.
So how can you make these two Blockchains communicate? There is a standard way to do this. I believe developed by TierNolan in 2013 or 2012, where basically you encumber coins on both Blockchains with what's called a hash pre-image challenge, where basically you say, in order to move these coins, you have to reveal some secret. The trick is that you use the same secret on both Blockchains. So initially one party knows a secret, the other does not. Then what happens is a party who knows the secret publishes it to the Blockchain to take their coins. Maybe they publish it to the Litecoin chain in order to take their Litecoins.
The other party copies the secret off of the Litecoin chain onto the Bitcoin chain and uses that to take their coins. So that way the act of taking the money reveals a secret, which causes the money to be given away. It's possible to extend a multisignature protocol so that the act of completing a multisignature reveals the secret and equivalently you can extend a multisignature protocol, or conversely you can extend a multisignature protocol so that knowing a secret allows you to complete the multisignature. As long as you use the same secret on both sides, the effect is that you can have a multisignature moving coins on Litecoin, such that when one party completes a signature to take their coins, they reveal a secret which the other party learns by reading the final signature off the Blockchain and doing some computations.
Then they can use that secret to complete a signature on the Bitcoin side and take their coins. The cool thing is that what hits the Blockchain here are just these two signatures and what's even cooler, it's not even multiple signatures. It's actually one signature on each chain that the two parties jointly created.
Peter McCormack: Okay. But are you enabling shitcoining then?
Andrew Poelstra: So it's unfortunate that there is nothing that you can... There's nothing on other chains that you can trade with. Let me take that back. So, there are lots of Blockchains out there. Not all Blockchains have their own asset types. Not all Blockchains have shitcoins on them.
As one example that's dear to us at Blockstream, we have a side chain called Liquid. What a side chain is, is basically a Blockchain that doesn't have its own native asset. It supports what is called a cryptographic peg or in our case a federated peg, which is controlled by a consortium of our customers. I think 11 of 15 of them need to... Following the rules of the system, they need to sign off that the rules of the system were followed moving coins off of Liquid into Bitcoin. So Liquid is a separate Blockchain that supports Bitcoin.
It also supports other assets that people can issue and whatever the semantics of those assets are, that's up to the issuer. That's not so interesting for these purposes. What is interesting is that if you want to move Bitcoins into Liquid, you need to put them up in some output that is controlled by this consortium. That's like an 11 of 15 multisignature output. Then for it to be recognized and to be moved on the Liquid side of things, we require 100 confirmations, which takes a long time. That takes the better part of a day.
Peter McCormack: Why 100?
Andrew Poelstra: 100 is what's called the maturity limit in Bitcoin. So I'm going to get a little bit technical here, but in Bitcoin, if there's something, say there is a Blockchain reorganization, then assuming no foul play, basically all of the same transactions will eventually wind up back on the Blockchain and people who weren't actually trying to exploit the reorganization to cause grief will see no effect basically, as your transactions just wind up back on the chain.
Maybe in a different order, maybe in different blocks, that's all fine. So typical users who are not under attack don't really need to worry about reorganizations except as far as keeping the databases in sync and stuff like this. But there's one big exception to this, which are coinbase transactions, which are transactions that are created in a new block. So every block, the person who creates the block gets to create the free transaction that gives 12.5 coins to them and has no inputs whatsoever.
If there's a reorganization, these transactions are completely destroyed. They can't go back onto the Blockchain because the new blocks will have different coinbase transactions. They'll have different TX IDs.
Peter McCormack: So if there's a reorganization, we reduce the total supply?
Andrew Poelstra: No, so the reorganization will replace some blocks with other blocks. So the 12.5 coins in the blocks that were destroyed are gone. But there will be a different 12.5 coins.
Peter McCormack: So the miners who mined those will be slightly upset.
Andrew Poelstra: Yes the miner will certainly be upset. But importantly, so will anybody who received coins from these miners. Imagine the miners could create these transactions and then immediately send them off to some other party. The other party would need to look at the Blockchain and say, "oh, these coins actually came from a coinbase transaction". So, you know, it's not only if it's foul play, if there is any other reorganization at all, and these happen all the time for one or two blocks just because of network propagation effects, but with any reorganization at all, these coins are no good.
So I don't want to accept these coins, they're very risky. So the Bitcoin protocol has a rule, which is you are not allowed to move coinbase transactions for 100 blocks. This is really quite excessive. There has never been a reorganization of 100 blocks. There's never been a reorganization of more than 20, 25 blocks.
Peter McCormack: When did that happen? It's quite a long time ago, right?
Andrew Poelstra: It was, yeah. I don't remember the details, so I don't want to say anything for sure. But I believe it was related to a database synchronization bug in Bitcoin, before it was called Bitcoin Core, in 2013 or so.
Peter McCormack: So Liquid is designed to protect itself against any situation where a reorganization might happen?
Andrew Poelstra: Essentially, yes. In Liquid, if there was a reorganization so deep that coins moved into Liquid and then later moved out were actually invalidated by a double spend attack or something, then there's really no recourse to that for users of the system. Basically, the solvency of the system would be in danger. So we needed a limit that was much higher than anything that had been seen before, that was so high that realistically it would cause an ecosystem wide crisis and who knows what would happen in the case of such a reorganization.
Conveniently Bitcoin Core had such a number that was already being used for such a purpose, which is reorganization of coinbase transactions, where the idea is that since coinbase transactions can only be spent after 100 blocks, you as a receiver of coins don't even need to think or worry like, "oh, these coins are less risky than other coins". You can say after 100 blocks, basically, all the coins are as fungible as they're going to get. Basically as a rule of thumb.
So we just copied that rule of thumb from Bitcoin, which is essentially what we did. But to bring this back to signature technology, which is much more interesting than... I'm falling asleep here in front of the mic! To bring this back to signature technology, this means that if you're moving coins into Liquid, it's very slow. It's very annoying. It takes the better part of a day.
Wouldn't it be nice if you could just swap your Bitcoins on the Bitcoin chain with somebody else's Bitcoin on the Liquid chain? Because these are freely exchangeable, other than the time value of the better part of a day, like the price of these should be essentially the same. So you could use these cross chain atomic swaps to do this, no shitcoining anywhere in sight!
Peter McCormack: Brilliant! So atomic swaps have a purpose now?
Andrew Poelstra: Exactly, atomic swaps have a purpose now! So we can do this using digital signatures, it's kind of the cool thing. Maybe the other, well not the other cool thing, but the reason that I brought up atomic swaps is not because they're inherently a particularly interesting thing, but because it's a simple example of some much more exciting stuff. But before I go into that, let me double back to what I talked about this morning!
So I've been talking about these multisignature protocols saying, "oh, you can extend a multisignature protocol to do this, you can extend it to do that" and whatever. Well, the truth is that to do this in a way that is straightforward enough that there is production ready code and that there is reasonably audited, verifiable and constant time high assurance code written out there, you actually can't do this with ECDSA, which is the current signature scheme in Bitcoin.
There are a few research projects out there to allow you to do these kinds of things using ECDSA. They all involve much more complicated cryptography, significantly more complicated code, the computational requirements for participants are over a thousand times as much, these often take multiple seconds on commodity hardware to do this kind of stuff.
The cryptographic assumptions underlying these are much stronger than the elliptic curve discrete logarithm assumption that we're used to using in Bitcoin. ECDSA requires you make all of these tradeoffs, though you're not making them on the Blockchain, the participants in these protocols will have to make those kinds of trade-offs. That's a hard pill to swallow and empirically we've known how to do this in some way or another for several years, I guess four or five years, and nobody has deployed it in a production-ready setting. Even though in principle this is possible on Bitcoin.
So ideally Bitcoin would not be using ECDSA. ECDSA makes this unnecessarily difficult and it actually does this kind of on purpose. The history of ECDSA is interesting and it is a lesson for anybody who is thinking about patenting cryptography out there. The story here is that in 1989, Claus P. Schnorr developed a signature scheme called Schnorr signatures and these are, algebraically, a very straightforward type of signature. They're the simplest possible proof of knowledge, that is the simplest possible... The best kind of example of something called the Fiat-Shamir Transform in academic cryptography.
It's kind of a building block for a lot of cryptography that's been built ever since then. In addition to being a building block of more complicated, more exciting protocols, by itself, these are actually digital signatures, which is cool. That's kind of the simplest thing you can do with cryptography, is make a digital signature. Schnorr put a patent on this.
Peter McCormack: Was it last year that it expired?
Andrew Poelstra: It was actually a little while ago that it expired. It expired in 2008. So Schnorr patented this and he attempted to enforce his patent. He demanded royalty payments from anybody who wanted to use it.
Peter McCormack: Nobody used it!
Andrew Poelstra: Yeah! In practice, nobody's willing to use patented cryptography. This was unable to be standardized, as standards bodies didn't want to touch patented cryptography that would involve royalty payments to random private parties. In this case Dr Schnorr personally. So in response NIST, the National Institute for Science and Technology, developed ECDSA. I'm sorry, DSA I should say. It was actually not elliptic curve based initially. Although it was a simple transformation from the original scheme to use elliptic curves.
DSA was basically a response to Schnorr where they took the simple algebraic structure of Schnorr and they made it as complicated as they could without making the signature any larger, I think is a fair way to describe this. It does some very weird things, like in the elliptic curve variant, you take an elliptic curve point, you compute this, it's like an ephemeral public key that's used as part of the signature, and you interpret one part of this elliptic curve point. You take the X coordinate, so you interpret it as a geometric object and then you take one of its coordinates and then you interpret that as a "scalar", which is an object like a secret key, and you do some algebra mixing your secret key and your scalars and you do something called the modular inverse, which is like a division.
None of this stuff is prevalent in Schnorr signatures. Schnorr signatures are just multiplying and adding, which are the simplest things that you can do. This was developed basically to evade these patents and Schnorr claimed at various times over the years, on I think the Coder Punks mailing list, that ECDSA actually does violate the Schnorr patent despite these changes. But to the best of my knowledge, he never claimed this in court. Purely mailing lists.
So the result was that everybody used ECDSA, it was standardized and that's what people used. So in 2008 finally the patent expired. I'm not sure how quickly anybody noticed this. I can tell you that in 2010, Dan Bernstein released the Ed25519 signature protocol, which is actually a type of Schnorr signature, which is tweaked in a couple of subtle ways to make the signature fast...
Peter McCormack: Wait hold on, so the patent ran out the year before Bitcoin?
Andrew Poelstra: Yes, exactly.
Peter McCormack: So it could have been that Satoshi was sitting on it for a while and thought "I'm just going to wait for the..."
Andrew Poelstra: I don't believe that Satoshi was aware of the patent expiring. The reason I don't believe this is that Bitcoin in its initial incarnation used OpenSSL for its signatures. It also used OpenSSL in a lot of other places, for example in its big number library. So Bitcoin's script support, initially it supported addition, multiplication and division of arbitrarily large numbers.
It did this using all these OpenSSL functions and that's in the consensus code in a few places. There are these kinds of obscure data structures, the number encodings that come from OpenSSL's big number library. The thing that I conclude from this is that Satoshi made a lot of design decisions based on what he could do using commercially available, off the shelf crypto libraries, which is certainly the right way to design these kinds of systems. You really don't want to be rolling your own crypto.
But an unfortunate consequence of this is that he wound up using ECDSA because there was OpenSSL code for that and there wouldn't be OpenSSL Schnorr code. I don't even know if there is any now, now that I think about that. I suspect OpenSSL supports Ed25519 now, I suspect, and then that's Schnorr code. But basically, at the time there was no library that supported Schnorr signatures. The patent had just expired. Nobody was using them. Nobody was really thinking about them.
Also at this time, even after Bitcoin was launched, it would be quite a while before people started thinking about signatures in the kind of ways that we think about them in the Bitcoin space. Started thinking about these compact multisignatures and these threshold signatures and these adaptor signatures, which is what I call that scheme where you encrypt a secret as part of the multisignature protocol. All these cool things that we talked about related to Schnorr signatures, nobody was thinking about back then.
You thought of a signature as, you have some public key and that's maybe associated to a key fob that you use to get into a building, the building management has the registry of everybody's public keys and their key fobs. When you beep into a building, that fob creates a signature on some random nonce that the door chooses, if it's a valid signature, you get in. So the model that everybody was thinking of was one in which you had a fixed set of public keys, you were maybe verifying these signatures with some powerful door computer and you were producing them with some tiny, weak piece of hardware or something like that.
That was kind of the application of digital signatures and then the internet showed up and digital signatures were used in TLS or SSL to authenticate websites. But again, the kind of design constraints were essentially the same. You had some overtaxed server producing these signatures. It needs to be cheap to produce. Then you have people's commodity hardware verifying, like one for every web page, who cares about that? You have the certificate authority infrastructure which is a canonical list of public keys and they sign a new canonical list and so on and the keys are always fixed and you're never making multisignatures, you're never encoding weird things in the signature and they're really just fixed public keys, signing is cheap. You don't care if verification is cheap or not.
So with that context, you can finally double back to what my talk was about this morning, which was trying to develop some of these cool applications of Schnorr signatures. So the wider context here is that we hope in the coming weeks to publish a proposal for Bitcoin to extend the protocol to support Schnorr signatures as well as ECDSA and a couple of other maybe less exciting things alongside that.
In advance of this kind of proposal, what we want is the ability to do all of these cool things that we're talking about. So we've actually written code to do Schnorr multisignatures. We've written code to do threshold signatures, which are an extension of that, where maybe you've got 10 participants and you want any seven of them to be able to produce a signature. There's kind of some cool tricks you can do there.
Peter McCormack: Is Schnorr in Zcash, right?
Andrew Poelstra: So Zcash, I believe uses ECDSA for its unshielded transactions because those are essentially just Bitcoin transactions. But for its shielded transactions, it uses some more elaborate cryptographic constructions.
Peter McCormack: I thought it used Schnorr, but maybe I'm wrong. You probably don't care!
Andrew Poelstra: I don't know either way.
Peter McCormack: But look, this is all just math right?
Andrew Poelstra: This is all this math.
Peter McCormack: Everything is math?
Andrew Poelstra: Well, okay, I'm going to say no to that! This was a lot of what my talk was about, which was if you think of everything as just math, then you necessarily make a lot of simplifying assumptions about how things work in practice. So one example that I talked about in my talk was when you generate a signature, whether this be Schnorr or ECDSA or most signatures with a few exceptions, you need to produce some fresh randomness as part of the signature protocol.
Fresh secret randomness, and then you basically treat this as an ephemeral secret key and there's like an ephemeral public key associated to it, which we call a "nonce", and eventually it becomes part of the signature. If this random secret is anything short of uniform, if you have 256 random bits, but your seventh bit turns out to be 1 more often than not, then given enough signatures it's possible for somebody to extract your secret key. There was actually a paper published about this a few weeks, maybe a month or two ago by Nadia Heninger at UCSD and a second author, I'm forgetting his name now.
Peter McCormack: I'll look it up.
Andrew Poelstra: Which did this actually, it found some biased nonces in the Bitcoin Blockchain and was able to extract secrets, just using this kind of attack, and they were very slightly biased by only like a bit too. But nonetheless, it was possible to extract the secret. So the way this looks in a mathematical paper is there is a symbol for this, which is an arrow sign with a dollar above it and that means like, choose randomly, and the dollar is kind of funny.
Peter McCormack: It's ironic really!
Andrew Poelstra: Yeah it is ironic! The truth of this has nothing to do with Bitcoin, where these dollars and cents signs come in. The idea is that you're flipping a coin and a dollar is 100 coins. So if you need like hundreds of bits, then you take a dollar, you're flipping hundreds of coins is the idea. There's this visual pun there that has survived to this day and now I think modern readers probably think it might have something to do with Bitcoin, but it's not, it's just some ridiculous pun about coin flipping.
So you've got this symbol, a dollar sign with an arrow below it, and that means uniform randomness and you have that for the secret nonce, you have this for your secret key and you have this in a few other places. The reason I say this is not just math is that if you screw up choosing your private key so it's not uniformly random, it really doesn't matter. It just has to have sufficient entropy that nobody can guess it.
If you screw up choosing your nonce uniformly randomly, by even one bit or even less than a bit in principle, then you lose all of your keys and all of your money. The truth is that it's hard to get uniform randomness in practice. Eventually, you need some sort of source of entropy, some sort of source of unguessable data. You need to somehow "whiten" that, you need to turn it from whatever distribution you're getting, if you're using like some sort of hardware RNG, it probably changes its distribution based on the heat around it.
You need to somehow, what's called "whiten" that to make it uniform. You need to do this reliably. If you're in a virtual machine or something, you worry about what happens if the virtual machine is cloned after you choose your randomness and now you're actually using the same randomness in two virtual machines. You worry in multiparty protocols, what happens if somebody restarts the protocol part way through after someone has chosen their randomness, will they choose the same randomness?
These problems, actually for the case of single signatures, just ordinary ECDSA or Schnorr signatures, are actually solved. What you do is you take your secret key and your message and you just hash that. It turns out that if you use a hash function like sha256, this is so close to randomness that no one has been able to detect a meaningful deviation from uniform. If you put the same input into this twice, you get the same thing of course, but if you're hashing your secret key and your message, the only way to get the same input is if you're signing the same message twice, so you'll just produce the same signature.
That's no more of a risk than somebody copying and pasting your digital signature, it doesn't matter. But then as soon as you go into these multiparty protocols, suddenly this matters a lot. Suddenly you need to think, well actually the random challenge that goes into the signature is something that includes contributions from everybody. So if one party is generating the randomness deterministically this way, such that they always generate the same randomness for the same message.
Somebody else starts multiple signing sessions on the same message, but tweaks their contribution, the result will actually be multiple signatures with the same nonce and you can steal the private key. This is scary! The reason that I answered your question, is it just math, with no, is that this really isn't just math. The way that this kind of thing happens is subtle, and actually often when I talk to people developing multisignature protocols, they were shocked, horrified and hurried to check their code.
The way that this happens is that you have these papers, that have an arrow with a dollar sign, choose uniform randomness. Okay, that's fine. I mean you assume, and for the purpose of papers here in this idealized model, you assume the source of the randomness. In real life, you think, "well, I need some randomness and I don't want to worry about biases from hardware RNGs or lack of entropy or virtual machines splitting or whatever.
So instead I'm going to use some sort of hash function and I'm just going to hash all the data that's going into the signature. This will give me uniformly random data, that's uniform, except for the fact that it repeats if you give it the same input, but that's fine. It's fine if it repeats because everything else will repeat, I'm duplicating it." This is such an obviously safe thing to do that probably nobody even thinks about the assumptions going into that. They think, "well, is this hash function really a good hash function, when sha256 was perfectly fine". Then that's the end of it.
So you take this kind of unwritten, unspoken assumption that is valid, beneficial and best practice for single signatures. That appears to not be even really changing the model from your mathematical idealization very much. Then you apply it to a new scenario and suddenly the specific assumption you made, that repeats can only come by producing the same signature, is wrong. But because you never vocalized that, you don't notice that that was one place where you deviated from the paper, where the actual difference between your ideal paper model and the model in real life is that you now require these repetitions to be either, everything repeats or nothing repeats. The result is that you lose your keys.
This was basically what my talk was about this morning, it was just a series of examples of this. Either fairly simple assumptions that were so subtle that you might not realize you were making them, or assumptions that were so obviously safe that you don't even notice when you carry over to a more general scheme where they actually don't hold, where suddenly they were just basically in the background.
Peter McCormack: I was going to say, you've made my job really easy because I've had one question and we've done half an hour now, so I've only got to do one more question and we're done! I was really scared about this interview. I was like, "what do I ask Andrew, he's so clever and I don't know any of this!"
Andrew Poelstra: I really appreciate this. I now would discourage people from watching my talk if they've heard this podcast because I was very constrained for time during the talk. I actually went over time and I was still rushing stuff and skipping things. The funny thing was that I had actually intended to skip a lot of stuff in that talk. I had already removed a whole ton of stuff. So I'm glad to have the opportunity to babble now!
Peter McCormack: All right, well listen, let me ask the things that I find interesting because people are certainly going to listen to that and be fascinated by it. I am, but at the same time I'm like, "I don't understand a lot of it". But I tell you what I am interested in understanding. A couple of things, firstly, you're a mathematician, right? What does that mean to you?
Andrew Poelstra: Oh, that's a very personal question.
Peter McCormack: Let me ask you a funny question. I keep talking about it. I start every interview with "what is Bitcoin?" Because every answer is different and I first heard Adam Back do it on the Epicenter podcast, it was such a fascinating answer and I've never stopped asking it. What is math? Can you describe math?
Andrew Poelstra: So mathematics in general, is the art of finding patterns in logical structures and finding connections between seemingly apparently very different logical structures.
Peter McCormack: Thatβs amazing, thatβs quotable!
Andrew Poelstra: ThankΒ you.
Peter McCormack: I have a quote for each show, Iβm going to use that! Just talk me through, what was the education progression? When you got interested in math, youβve obviously gone through, Iβm assuming youβve done all the way up to a masters? So talk me through that progression and what your thesis was? I probably wonβt understand it, but Iβm fascinated by itΒ anyway.
Andrew Poelstra: Certainly! So the progression into cryptography is actually kind of interesting. When I was 12 or 13 years old, I was watching Stephen Colbert who now does the TodayΒ Show.
Peter McCormack: But you probably already had your masterβs atΒ 13?
Andrew Poelstra: Pretty much! At the time I had not even started applying to colleges or anything like that, or university, as we say inΒ Canada.
Peter McCormack: We say university inΒ England.
Andrew Poelstra: Excellent! So I live in Texas now. Iβm so used to speaking to Americans that Iβve adopted their turns of phrase. So I was watching Stephen Colbert and he was doing this bit on how some cryptographers had decoded some Enigma messages from World War II. Of course, Stephen was laughingΒ likeβ¦
Peter McCormack: Bletchley Park? Thatβs about 25 minutes from myΒ house.
Andrew Poelstra: Wow!
Peter McCormack: Yeah, I live in Bedford and Bletchley… As a kid, we used to go to the local swimming pool there because they had water slides.
Andrew Poelstra: That's very cool. That's like a mythical place to me.
Peter McCormack: You've not been?
Andrew Poelstra: I've never been, no.
Peter McCormack: Do you ever come to London?
Andrew Poelstra: I have been to London twice, for one day, because British Airways stranded me; this happened multiple times.
Peter McCormack: Right, next time you're in England, I'm going to get you from the airport and I will take you to Bletchley Park and then you can get your connection.
Andrew Poelstra: Can you imagine? So I get those funny stamps in the passport, where they say that you are only admitted for 24 hours. I took one of those and then used it to go to Bletchley Park. That would be a good statement about immigration. So, of course, Stephen was making fun of these guys, like "don't you know that the war ended 70 years ago, so these messages are not of strategic interest anymore?" But what I got from this was, "whoa, that's very interesting that it would be possible to encrypt something so well that, like, 70 years later, people are still working to decrypt it". Especially something like World War II communications, which are extremely high volume, so not one of those weird codices that people found in the ground from however many years ago, where you've got 20 words to decrypt and it could be anything.
So I got very interested in the history of cryptography. I bought this book, "The Code Breakers" by David Kahn, which is giant, it's like four inches thick. I read through this and I thought, wouldn't it be cool to be a cryptographer? But then I got into university and I talked to various people in the mathematics department and none of them really did cryptography at the university I went to, which is Simon Fraser in Burnaby, British Columbia. I said, "okay, well we'll see. I mean, I'll start doing a math degree and then I'll just sort of see what I feel like in a few years then".
Then what happened was, after a couple of years, I went from sort of going through the motions thinking, "well, if I can't do crypto, I'm just going to bum through and get a degree and see what kind of happens". I fell in with a group of mathematicians who were really very serious. They were all doing honours degrees, which seemed like a big deal to me at the time. They were all studying stuff in their spare time and they were all reading these papers. Well, actually I started dating one of them and then I felt the need to impress her, of course!
Peter McCormack: Did you impress her?
Andrew Poelstra: You know, I never did. I did improve my GPA, get into grad school, did a bunch of reading courses and did half of a master's in my undergraduate. But it was in this kind of vain attempt to…
Peter McCormack: Where is she now?
Andrew Poelstra: She's in the Bay Area. She's working for Google.
Peter McCormack: You still friends?
Andrew Poelstra: No, I haven't talked to her in a few years.
Peter McCormack: You should show her what you're doing now. You should say look, "I've fucking levelled up here!"
Andrew Poelstra: Well, she wasn't impressed back when I was doing it, when I was dating her!
Peter McCormack: Come on man, you're Head of Research at Blockstream.
Andrew Poelstra: That's true. I should also tell her how much I can lift! That'll show her!
Peter McCormack: Do you want to know something else funny? Let me see if you can guess it. So Bletchley Park has come up in one other interview and it was a very cryptography based interview. Can you guess who it was with? I'd be amazed if you know. You will know him.
Andrew Poelstra: I mean the obvious guess is Adam Back, but then if you say that I'm not going to get it…
Peter McCormack: You need to go older than that.
Andrew Poelstra: Oh, Ian Grigg?
Peter McCormack: No, probably older, like the grandfather of cryptography kind of stuff.
Andrew Poelstra: Who have you had? Phil Rogaway? David Chaum?
Peter McCormack: I've met David Chaum, but no… Whit Diffie.
Andrew Poelstra: Whit Diffie, nice! It's a bit older, yeah. He's amazing. I've never spoken to him, but I see he kind of lingers around Stanford. I showed up at a conference…
Peter McCormack: I just sat there for the whole interview, just fascinated by the way he spoke. God, I keep on interrupting you. You were with this group of mathematicians…
Andrew Poelstra: So I started doing real analysis, probability and mathematical physics actually. When I started at school I thought I can't do cryptography, maybe should I do a physics degree, should I do a computer science degree? I did math as a hedge. That was my initial thought about a math degree. It's a hedge between CS and physics.
So when I started doing math seriously, I started doing real analysis and probability, which are all very mathematical physics focused forms of mathematics. I really disliked algebra and number theory. I felt like these fields were just a random hodgepodge of very ad hoc statements that I guess you could prove are true. It seemed like there was no rhyme or reason or structure to this and it was just a zoo of stuff that I would have to memorize and I would never understand how any of it fit together.
So I avoided algebra and number theory as much as I possibly could throughout my degree. I got a degree where I basically did no number theory or real analysis and from there I transitioned to the University of Texas at Austin, where I did my masters, and what I was focusing on there initially, what I wrote in all of my application letters, is that I wanted to do mathematical physics. So I got to Texas, a new state and a new country; it was very far away. It's funny, I grew up right beside the US border and I thought, "oh, America, that's the same as Canada. Who cares?"
Peter McCormack: You are all the same, right? I mean, you guys are a little bit calmer.
Andrew Poelstra: Yeah, exactly right. It was funny, what a shock it was! It turns out Texas is very different from Canada!
Peter McCormack: I mean I've been to Vancouver and I've been to Dallas. I mean they are very different.
Andrew Poelstra: Yeah. But Vancouver and Bellingham are actually not that different. I mean there are visible differences, but like it's easy to make that transition. It was not easy to transition to Austin. So I found myself in Texas. It was very hot. It was very strange. Everybody talked funny. Everything was far away, so big, and it smelled like granite. You couldn't get herbal tea at McDonald's.
Peter McCormack: You can get herbal tea at McDonald's?
Andrew Poelstra: In Vancouver, you can, absolutely.
Peter McCormack: That's so funny! What do you get? Can I have a Big Mac and a herbal tea?
Andrew Poelstra: Yeah, you can absolutely do that in Vancouver.
Peter McCormack: You can't get a beer at McDonald's in the UK.
Andrew Poelstra: That's true, nor in Canada or most of the US.
Peter McCormack: You could probably get a gun in McDonald's in Texas. Come out with a Big Mac and a Glock 9.
Andrew Poelstra: Yeah, probably! So around this time, I started hanging out on IRC, on the Bitcoin Wizards channel, which happened to have just been created actually a few months before I showed up in Texas. I think I'm going to do mathematical physics and then I show up, everything's weird and I'm hiding in my apartment for a few months and hanging out on IRC.
There's all these strange people on the IRC channel, like Greg Maxwell, Pieter Wuille, Adam Back, Andrew Miller and all of the people who now we all know and love, but at the time they were not well known and they were just weird, basically. Now it's like eccentric and endearing, I guess!
Peter McCormack: I'm gradually ticking them off as well.
Andrew Poelstra: Excellent! These guys were downloading cryptography papers off the internet, reading them and doing their own research. I thought, "what? That's a thing you can do? I don't need to be part of this? It doesn't matter that there aren't these professors who are doing what I want?" Because there still weren't, even at UT, anybody doing the kind of cryptography that I had wanted to do as a child. So they're doing all of this cool stuff and ironically they were talking about Schnorr signatures at this time, they were like "hey, there's this thing that's not ECDSA and it's so much faster, blah, blah, blah". We hadn't even thought about any of the cool applications that I've talked about today.
At that time it was purely like, it's algebraically simpler and it's faster. Wouldn't it be cool if we had these Schnorr signatures instead of ECDSA? That was my first experience there of Schnorr signatures. It was also proving that there was no, what we call, malleability: that you couldn't take a Schnorr signature and somehow change it to be a different signature on the same message, which you can do with ECDSA.
Before SegWit this would cause all manner of problems for the second layer, in that you could change TX IDs by changing signatures; with Schnorr signatures you couldn't do that. That was the kind of thing that we cared about back then. So to be honest, I didn't go to class at all. In the US…
Peter McCormack: You dropped out?
Andrew Poelstra: I did drop out, but I haven't gotten to that part of the story. So I started this PhD program. I hadn't done a masters or anything. In the US and the natural sciences, you just go straight into a PhD, which is a bit silly because the result is the first couple of years are basically coursework and the kind of stuff that you might have done in a masters if you had separate degrees for this. So I never went to class.
Fortunately, because my undergraduate education had been so blessed, it was a fairly small school, a very small math department and I had a lot of professors who were willing to personally help me out. I mean you can look these guys up, like Veselin Jungic or Paul Tupper or Nilima Nigam in particular, who were basically personally teaching me mathematics for years at SFU. It was really quite incredible. So as a result of that, I was able to just check out of all the prelims. So I would show up for class literally at the end of every semester to write the final exams and otherwise, I didn't go to school. I would just spend all my time doing Bitcoin research.
After a few years of this, it became clear that I was not really progressing at all in my PhD in any way. It also became clear that the kind of research that I was doing in the Bitcoin space, while it's very exciting and there's a lot to it, is not PhD level research. It's not deep enough. There's a lot of cool applications, but ultimately the algebra is small enough to fit on a single side and is small enough for me to explain on more mathematically focused podcasts in the space of 20 minutes. It just wasn't PhD level stuff, but it was the stuff that I love to do and it was also morally the kind of stuff that I wanted to do.
There was a feeling I was getting, from the kind of cryptography that people were doing in academia, that it wasn't really focused on real-world things. It wasn't really trying to solve problems. It was still very much mired in this idea of having some sort of public key infrastructure. Some blessed list of public keys that is set by some authority, and increasingly the world is seeming to be a place where you don't have these trusted authorities to decide who's allowed to produce signatures and who isn't.
Bitcoin really is like the perfect example of that kind of thing. These Bitcoin people were not only doing the kind of cool cryptography that I found very exciting, but they were doing it very much for humanitarian reasons. They cared about self-sovereignty, they cared about individual agency, preventing surveillance and preventing censorship of economic activity. They were doing this by developing new cryptography and this just excited me to no end. So after a couple of years of this, I came to love Austin and I wanted to stay there.
A few of my friends from IRC started this company called Blockstream, where now I am Head of Research. At the time it was very much just a collection of IRC people and a few people from the VC world, who came together and we started this company. I actually did not join initially. I said I want to keep doing my PhD because you need a PhD to be a cryptographer, that's what everyone said, and I don't want to be rolling my own crypto and so forth. So I did some sort of part-time consulting work for Blockstream for a little while, but after a while of this, it became clear that I was not getting anything out of this PhD.
I wasn't going to class. I didn't know half the professors. I actually made a half-hearted attempt to switch from math into computer science. It's not like when you're doing a bachelor's; you can't just switch. I actually applied to a separate PhD program, got in and then I dropped out of that. Then I dropped out of the first one. So I dropped out of 2 PhD programs when it became clear that Blockstream would sponsor my visa to stay in Austin, and just walked away from academia completely.
The funny thing here is, going way back, all the mathematical physics, all the real analysis that I did, now has nothing to do with what I do. Now I need to know algebra and number theory; the things that I tried so hard to avoid!
Peter McCormack: Is that because you just didn't like them? When I did math, right, obviously I did it to a very… I stopped at GCSE level in the UK, 16. There were things I just didn't understand. Did you not understand it or just not enjoy it?
Andrew Poelstra: I did not enjoy it. So some parts of it I did not understand. So especially in higher algebra, there are schemes, sheaves, categories and I don't know. Real mathematicians listening to this podcast are laughing at me because I'm forgetting the words!
Peter McCormack: You're a mathematician, come on man!
Andrew Poelstra: I have business cards that say "mathematician".
Peter McCormack: Yeah, I've seen them, you're a mathematician!
Andrew Poelstra: But people doing really intense PhD level algebra, really the kind of stuff where you can focus on one problem extremely deeply for years on end, which is a beautiful thing. I sometimes miss the opportunity to do that. That's, I mean, the one thing that I gave up walking away from academia.
Peter McCormack: Let me ask you something. I saw a film recently, and I can't remember the name. It was about this guy who's raising his sister's daughter because the sister killed herself and this kid's a genius. It talked about a sister who had been working on one of these seven unsolved problems. Is that a real thing? Are there these big unsolved math problems out there?
Andrew Poelstra: Oh yes!
Peter McCormack: So that was a real thing?
Andrew Poelstra: That is, yeah, absolutely.
Peter McCormack: Wow. So how many are left?
Andrew Poelstra: So I believe there were 10 and there are 7. So you can look this up, they are called Hilbert's problems.
Peter McCormack: They are unsolved?
Andrew Poelstra: Yes, that's correct.
Peter McCormack: Have you looked at any and thought I'm going to do that?
Andrew Poelstra: Yeah, I have.
Peter McCormack: You get legendary status if you solve one, right?
Andrew Poelstra: Oh yeah, absolutely. So which ones have I looked at? The one that's maybe most familiar to me now is actually P vs NP: is the set of programs that you can efficiently compute the same as the set of programs whose computation you can efficiently verify?
Peter McCormack: Yeah. I mean I've got no idea what you're saying, but tell me anyway.
Andrew Poelstra: Well, the answer's obviously no. But nobody knows how to prove this. Actually, if the answer were not no, then probably cryptography would not be a thing anymore. That would be really the ultimate destruction of everything that I've done, and everyone who I've talked to who's a cryptographer, it would just completely be obviated. It would be meaningless.
Peter McCormack: You'd be screwed man. What would you do? You'd have to do something new. You would have to go back to your PhD!
Andrew Poelstra: I might do that.
Peter McCormack: But your Bitcoin would be worthless. So you'd need to get a job! That would be so fucked! Could there be new problems? So there were these 10. Could someone go, "oh look, I found a new problem"?
Andrew Poelstra: Yep!
Peter McCormack: It's so fascinating. It's so out of my depth.
Andrew Poelstra: Yeah. Unfortunately, we can look them up if you want, but actually, most of them, even if you read them, it's hard to understand what they mean and it's hard to…
Peter McCormack: But they're all on a wall somewhere at one university, is that right? I'll send you the link to the film because the film's fascinating. This little kid, she's so smart, but it's a real story about this…
Andrew Poelstra: It'll probably be at Cambridge because I believe that's where David Hilbert worked in the late 1800s, early 1900s.
Peter McCormack: I thought it was in the US? Maybe it's been Hollywoodized!
Andrew Poelstra: It might've been Hollywoodized. I'm sure that Hilbert was a Brit. Maybe I'm wrong about that.
Peter McCormack: Well, listen, I'm conscious of time and I could literally talk to you for hours. I was scared of this interview thinking, "what am I gonna talk to him about?" This is so fascinating. So you're Head of Research. Have you always been Head of Research since you…
Andrew Poelstra: No. So when I started at Blockstream, Gregory Maxwell was there. He was the CTO and at the time we were a smaller company than we are now. Basically, everybody doing any sort of engineering was more or less a researcher. We were combining our sidechain research and our crypto research and our actual development of Liquid and its open source counterpart called Elements. Greg would more or less oversee all of this stuff.
We grew and Greg's position of CTO became increasingly like a management position and increasingly being a bridge between engineering and product. A lot of stuff that I don't think Greg enjoyed doing every day and I think he found that he was being pulled away from the cool problem solving that he always loved doing. So last year, I guess at the beginning of 2017, he left. He gave us six months notice, he gave us quite a bit of notice, fortunately.
So when he left as CTO, this left a gap as far as research management. At that time we restructured a bit so the day to day engineering was not so much in Greg's hands, but there were still a few gaps, in particular around our kind of long term, pie in the sky, or even not pie in the sky but things with a long time horizon, that kind of research. A lot of it was fairly deep in cryptography and at this point, we've moved past the "oh, look at these Schnorr signatures, they are not malleable" kind of phase and we were doing quite a lot of the research.
So in lieu of Greg, we created a new position, the Director of Research, which Greg asked me to take, where initially the way this was pitched to me was that I would more or less make sure that the three or four people we had doing just their own research project, just to make sure that they were still alive and that they were happy and that they would keep doing what they were doing. Maybe I'd have to show up at some meetings every week or something like that. But really I could keep on doing my own research projects and it wouldn't be a thing, but we needed somebody who was in charge of research who could talk to the media and stuff like this.
Of course, that's not how things went. I got into this and then five minutes later I was in charge of patent strategy and then I was showing up at management meetings all the time. Then I was having to set the direction of our various research initiatives and having an idea of how this would turn into productization and all of this stuff. I was talking to the press quite a bit more than I'd expected and I found myself having less time to be doing this research.
I mean, it's a lot of fun that I get to go talk about this stuff. But the truth is all the real heavy lifting is being done now by Pieter Wuille, Jonas Nick and Tim Ruffing. It's a lot of fun. It was surprising; if you'd asked me a few years ago about that, I would have been horrified by the idea. I would have said, "oh no, I want to keep writing, I want to keep doing mathematics all day and doing crypto research".
Peter McCormack: But it's kind of interesting because it's not that you're just… I guess for your role as Head of Research for Blockstream, you're really a researcher for Bitcoin?
Andrew Poelstra: Yeah! Then personally my motivations and everything that I do, and even everything that Blockstream research is doing, ultimately comes down to what would be good for the Bitcoin ecosystem and what will move the Bitcoin ecosystem towards the world I want to see, where all coins are fungible, where all outputs look the same, where things are efficient enough that people can actually use a system where it's private enough that people don't have to worry about their landlord knowing when they get a raise, or businesses that don't have to worry about exposing their financial stuff to other people.
Peter McCormack: Is that a lot of your work at the moment, on fungibility then?
Andrew Poelstra: Yes, indirectly. Most of the work that I focus on, on the research side is this scriptless script signature tech stuff that Iβve been talking about and these join the two things that I care about, which are privacy and scalability, in the sense that the result of all of this cool tech is that you can do these very intricate, interesting smart contract kind of things and the result what hits the Blockchain is just a signature. Thatβs not even a marked signature in anyΒ way.
Itβs just like an ordinary signature that secretly was generated in a way that involves some sort of cool multiparty conversation. But in the end, you see one public key and you see one signature. Whether or not you have coins owned by one person or owned by multiple people or owned by split custody with some other thing with a timelock back out kind of thing or like a lightning channel or whatever. These all just look theΒ same.
Peter McCormack: Does that mean youβre basically going to be screwing with chain analysis?
Andrew Poelstra: Oh,Β yes!
Peter McCormack: Because letβs be honest, theyβre evil! How far away are we from seeingΒ this?
Andrew Poelstra: So I hope that in the next couple of weeks we should finally write down a proposal and submit that to the Bitcoin mailing list. Weβve been going back and forth a whole lot on this thing called SigHash-NoInput which unfortunately is tangential to everything else. But if youβre going to have a new signature, you might as well have new rules for what exactly is science, is this thing called SigHash mode, which the lightning folks and a few other folks want an extension to this called SigHash-NoInput, where basically you donβt sign any details of the coin that youβre spending and this lets you rebind transactions to different transactional stuff and you do some layer two stuff more efficiently.
Doing that safely and doing that in a way that wonβt encourage reckless behaviour or loss of the privacy and fungibility has been actually harder than every other part of this Schnorr signature stuff combined. Unfortunately, this is the kind of stuff that we have to nail down before we can do a proposal because this is consensus rules.
Peter McCormack: So, whatβs the process? So you get your paper, you send it out to the Bitcoin mailing list, is that like a peer reviewΒ process?
Andrew Poelstra: Yeah, so we publish something to the Bitcoin mailing list. We basically write a draft of what will become a BIP. So we have to write code alongside this, but actually, weβve written almost all of the code for this. We actually have working code for all of these things. We just need to nail down a bunch of parameters. We publish this to the mailingΒ list.
People will reply in various ways saying like, βhey, I want to use this in this way, you need to support thisβ, βthis breaks such and such a use caseβ, βI worry that people are going to use this in the wrong way and we could possibly lose fundsβ, βI worry this is unsafeβ, I worry this is too complicatedβ, βI worry itβs not complicated enoughβ and soΒ on.
Peter McCormack: Thatβs quite interesting. So I talked about it with Bryan Bishop. He taught me about BIPs and how they work and itβs very interesting because I assume that just checking to make sure that youβre not screwing anything up, that youβve thought about everything. But actually, people can widen the scope by saying, βokay, this is cool. Thatβs really interesting. I didnβt knowΒ thatβ
Andrew Poelstra: Yeah, absolutely. Then theyβll also say, βthis is a new versionβ. So one thing that SegWit introduced, is this notion of script versioning, a version of Bitcoin outputs and this proposal will take a new version number. It will be the first use of the SegWit versioning scheme. People will say like, βis this everything that we want in version one outputsβ.
There is a whole bunch of stuff that we wanted to do that we actually had to remove from the scope, because the design constructed was too high and we just werenβt getting toward the proposal. Iβm sure people will talk about some stuff like that. So my guess is that this period of discussion will actually not last too long. I think weβll have like maybe a month of back and forth with these kinds of designΒ things.
Then hopefully design will quiet down and weβll be in a position where we have a BIP, weβll get a BIP number and then now we have a proposal. Well, a proposal is just a proposal. Next, we need to think about, βwell if you want to deploy this, how are we going to deploy this? How are we going to get consensus?β Thereβs a whole discussion around that and thereβs a whole discussion around the scheduling ofΒ that.
Iβm separate enough from Bitcoin protocol development that I canβt really say what thatβs going to look like and actually I think nobodyβs really quite sure. The last major change, of course, was SegWit and there was a lot of crazy politicking that most of us did not expect going into it and a lot of the things that were just really very much against the BitcoinΒ ethos.
Peter McCormack: But I think thatβs slightly different. So, okay, say it gets through the peer review process, everyoneβs happy. How long does it take for the code to becomes deployed? This is to be deported onΒ core?
Andrew Poelstra: Yep. So what it will look like isβ¦ Suppose everybody agrees this is what we want, this is how we want to deploy it, we have code already that you can merge into core. Like I said, there are a few parameters weβve got to nail down, but we pretty much have code already in core. That would go into the next Bitcoin core release, the code for the deployment. Although it might not yet have the parameters for activation set at thatΒ point.
But it would be in Bitcoin core, it will be something you could review, it would probably be something that you could test. Then thereβll be a discussion about what the actual activation parameters are and then some date far in the future, I donβt want to make any guesses as to what this would look likeβ¦ Well, 6β12 months after weβve decided this is what we want to do and we have code thatβs gone through the code review process. So in addition to the protocol, we to go through codeΒ review.
Peter McCormack: But this could beΒ 2020?
Andrew Poelstra: I think soΒ yeah.
Peter McCormack: So if this comes in, are we going to have full fungibility at thatΒ point?
Andrew Poelstra: So, this has been such an optimistic interview up to this point! There are a couple of tradeoffs that you have to make when youβre using this kind of stuff versus using a more typical Bitcoin check-multisig like everybody publishes individual signatures and everyone sees the policy kind of thing. One big one is that everybody whoβs participating in these schemes needs to interact to do so. So thereβs an additional protocol complexity to doingΒ this.
So on the wallet side, it will actually be quite a while before wallets will upgrade, well, for multisignature wallets to upgrade to use this kind of stuff. Although they are certainly incentivized to, because the resulting signatures will be much smaller. But it is an interactive protocol; it’s quite a bit of complexity and R&D that needs to be done to actually deploy this. But there are a few people who have significant incentive to deploy this quickly.
Peter McCormack: Say I have a wallet that has activated and you haven’t, what does that mean? If I send something to you, am I anonymous, but you aren’t?
Andrew Poelstra: So what it will look like is when the coins are sitting in your pocket, they will look indistinguishable from anyone else using this version. Even if you have some weird multisig policy going on, even if you are actually in some split custody with some company like BitGo or like Blockstream’s GreenAddress or some other company doing that, no one will be able to tell what exactly you’re doing. Even after you spend the coins, no one will be able to tell what your policy was when you spent them. Then they’ll show up in my pocket.
Actually, if I give you a fresh address, even if it’s an old address, nobody’s going to be able to tell anything. But when I spend those, if I’ve got some sort of multisig policy, people say, “ah, that looks like something multisig. Ah, that looks like a BitGo transaction. That looks like a Liquid transaction”, whatever. So it’s only upon spending that these fungibility improvements start to become apparent, and the reason for that is that already in the version zero output, if you’re doing complicated scripts, the output is just a hash of the script and you don’t reveal the script until spending time.
So the real benefits come with coins that are moving a lot. Let me see the other trade-off. So the first one was the interactivity. The other one is that you need your keys online, and that sort of comes with interactivity. You can’t have some keys in a vault where you take them out and then you create a signature and you carry the signature out of your vault and then put it into a computer. I mean you can, but because of an interactive protocol, you’re going to have to turn right back around and go into the vault for the second phase of the protocol and it’s very annoying. It’s probably not practical in real life.
So this would be the kind of thing that you want for coins that are moving a lot, definitely, because you get the improved privacy and fungibility and that’s where the big fungibility gains are to be made. But if you’ve got coins that you consider to be in long term storage, you probably should just leave them on the old school outputs. We’ll continue to have, for quite a long time, we’ll have coins in these old school outputs, which is unfortunate because they won’t get to share the privacy and they’ll clearly be old school outputs.
Peter McCormack: But at some point, I guess you can bounce them around between wallets and then…
Andrew Poelstra: Yep. I mean eventually if you want to bring those coins back into the economy, you can do some of that and at that point, you should move to the new output type.
Peter McCormack: This is going to be a real problem for regulators, right?
Andrew Poelstra: So it’s really not. So historically regulators have gotten information on people’s financial activity by talking to financial institutions and they have various reporting requirements. In order to be various types of financial institution anywhere in the United States or Europe or Canada or the UK, you have to comply with these regulatory requirements that include a lot of reporting requirements and KYC requirements and so forth. Traditionally that’s been done by voluntary reporting.
When this Bitcoin stuff came out, a lot of these regulators got this kind of gleam in their eye and they’re like, “wait a minute, what if we don’t have to talk to anybody and what if we don’t have to make it visible what we’re doing to track all of this information? Why can’t we just copy it out of the Blockchain?” They hire people like chain analysts and so forth to extract this information directly from the Blockchain. But that was never something they could do before Bitcoin and in fact, I think a lot of people are not using Bitcoin because this is possible.
This is not even like going back to the status quo of cash, what it’s going to look like, well it kind of is in a couple of ways, but for ordinary users who are storing their coins in banks or exchanges or some custodian who is subject to regulatory requirements, they will still have to be in compliance with the same sort of regulatory requirements that they would have had before, to be interacting with the economy. It’s a concern that regulators have, as this allows people to be their own bank and store their own money and to transact like that.
This is already a problem that regulators have with cash and this is maybe not something that you notice living in the UK or even in Canada where I came from, but in the southern United States, almost all of the economy is actually cash-based and people still do the reporting. They do audits. They pay their taxes and stuff, more or less because that’s what they need to do to be in a functioning society. The regulators don’t depend on these kinds of draconian abilities that they’ve acquired over the years and I’m sure they’ll be sad to see these go, but I don’t think it’s that big of a problem for them.
Peter McCormack: I think that they could be alarmed through myths.
Andrew Poelstra: Hmm. They certainly could be alarmed through myths. So the worry that I hear from some people is that I am making the world go completely dark and like anything can happen and nobody can tell what’s happening, basically.
Peter McCormack: You are the dark overlord then? You are enabling terrorists and criminals?
Andrew Poelstra: Yeah, I’ve heard this from people.
Peter McCormack: But does that play on your mind at all?
Andrew Poelstra: No. So there are two answers that I have depending on who I’m talking to, and I guess I don’t really know who your audience is, but that’s fine. So to regulators, I point out that all of this privacy technology still admits the ability to create audit trails and to know who your customer is and the ability to follow the law. In fact, in a lot of ways this makes these reporting requirements easier to comply with and more secure to comply with, because you can do things like committing audit logs to a Bitcoin signature using sign-to-contract constructions, so nothing hits a Blockchain, nothing’s visible on the chain, but now you’ve got a cryptographic commitment to whatever auditing requirements are associated with that transaction, that is anchored to that transaction in the Blockchain.
Actually, secretly your Bitcoin signature is also signing this data. So that’s the kind of stuff they should be happy about, that that kind of thing is possible. When I talk to actual financial regulators, people creating the rules, they’re actually excited, they think that’s cool. But the other thing that people mean when they say… Congresspeople, right? People who are, I mean, I guess they make laws but they don’t know what they’re doing and there’s kind of a hysteria that they’re worried about, that this is somehow enabling cybercriminals or money launderers or terrorists or whatever.
The truth is that money laundering is a very large industry in this world, it’s a very high margin industry. By making privacy technology cheaper, we’re doing two things. One is we’re taking the margins from those people, who are bad people, but we aren’t making this kind of criminal behaviour, like the actual drug trafficking or whatever is happening behind the scenes, we’re not making that any easier.
Those industries, already by virtue of being black market industries, are operating outside of the law and they have these incredible margins. First of all, they’re spending an incredible amount on being criminals, like evading people chasing after them and stuff like this. So their financial shenanigans are just like one part of that wider cost and maybe we make that one part a little bit cheaper, but oh well, they’re still in a very high margin business, I guess.
That’s not going to enable anything that wasn’t enabled before, but the people who benefit from cheap privacy, who can’t use or who can’t participate in the economy in a private way because it’s too expensive, are ordinary people who are trying to live their lives, trying to pay their rent and trying to buy their groceries without these credit card companies, their advertisers, the credit agencies, their landlords and their governments watching their every move and using this information to develop profiles on them, which are then used for all sorts of nefarious purposes, like a lot of the psychological warfare that advertising companies like to engage in.
That’s the kind of thing that you can’t avoid as an ordinary person without spending a lot of time and effort, paying ATM fees all the time and carrying giant wads of bills around and worrying that somebody’s going to mug you and being unable to spend money online. All of these crazy inconveniences, and you can’t pay your rent in cash in most of the United States anymore because of this kind of thing. Those are the people who suddenly will be able to transact, free of surveillance and free of censorship, because of this. Those aren’t bad people. Those aren’t people who shouldn’t be able to do this.
Peter McCormack: No, that makes total sense.
Andrew Poelstra: The people who shouldn’t be able to do this are already doing it and they can afford to do it no matter how expensive we try to make it.
Peter McCormack: All right man, I’m sold! So bring fungibility on. We have crushed an hour and seven minutes without even thinking. I’m just conscious of time. It’s late. You’re tired.
Andrew Poelstra: I am tired. My mouth is dry. I need to sleep!
Peter McCormack: So one final question and you can keep it as short as you want. The first thing I saw of yours was your presentation about Mimble Wimble and that was very interesting. Now we’ve seen it appear on GRIN and BEAM, how do you feel about that?
Andrew Poelstra: It’s very interesting. So Mimble Wimble appeared completely anonymously, like Bitcoin-style, somebody dead dropped this text document on Bitcoin Wizards. I became involved in the project fairly early on. The way it worked was a bunch of extensions of this confidential asset stuff that I mentioned very early on. So I had been thinking about this kind of crypto already, and so when I saw that there were a couple of really cool innovations that this “Voldemort” guy had come up with as part of Mimble Wimble, I was able to pick those up pretty quickly and I did a few talks about it.
I did a talk at “Scaling Bitcoin” in Milan explaining what this protocol was. Shortly after that, the GRIN project started, also operated by a whole bunch of anonymous people using Harry Potter names, and I find this culture of anonymous cryptography fascinating and endearing in a way. It’s very strange that this novel research and development is happening, by people who are not trying to gain credit or credentials or even having a reputation to back the research with. It’s just throwing it out there and hoping that it sticks or hoping that it gets enough traction, without anybody clearly backing it.
I feel like this is the kind of thing that you might expect reading old science fiction novels, to see that kind of society develop where people are anonymously pushing forward the frontier of science and like somehow information can live on its own and live and die by its own merits. This is a very idealistic, kind of Utopian vision and I really enjoy seeing that kind of thing play out in real life. Of course, the real world is not so simple and clean as this, but in this one respect, it kind of is.
The fact that you have these anonymous papers, and actually Voldemort cited a whole bunch of these other ones in the Mimble Wimble paper and you can go look these up. So there’s actually a long history in the Bitcoin ecosystem and in the cryptocurrency space of this kind of anonymous stuff. I think it’s delightful. This is my answer to that.
Peter McCormack: Is it coming to Bitcoin?
Andrew Poelstra: Mimble Wimble? Not anytime soon. So that’s a much longer answer, but in short…
Peter McCormack: We’ll do that another day!
Andrew Poelstra: Yeah, we’ll do that another day. But I can give you a sound bite for it, which is basically right now Bitcoin’s soundness is unassailable. You can verify the soundness of the system by downloading the transactions and checking that the amounts of every transaction are equal in the input and output, I guess less the transaction fee. There has been no inflation at any point in Bitcoin’s history.
If we replaced that unassailability, where you look and add up the numbers, with a cryptographic assumption, no matter how strong it is, that would be a change in Bitcoin’s security model that I think would be a tough pill for a lot of people to swallow. So that’s the biggest… There are lots of more and more detailed reasons that Mimble Wimble needs a lot more development and improvement before it could be something we consider for Bitcoin, but I feel like that’s the big moral hump that we’d have to get over to move in that direction.
Peter McCormack: All right. I can’t tell you how much I’ve enjoyed this. Just to close out. How do people follow you? How do they follow your work?
Andrew Poelstra: All right, I am on IRC as AndyToshi.
Peter McCormack: Wow. Everybody says Twitter first. You’ve gone IRC.
Andrew Poelstra: I do not have a Twitter account.
Peter McCormack: You’re missing so much! We have so much fun.
Andrew Poelstra: So people text me Twitter links and that’s how I read Twitter; by getting links by text.
Peter McCormack: You’re missing all the trolling and all the fun!
Andrew Poelstra: Yup! You can follow what I’m working on on GitHub; github.com/apoelstra and I think my email address is on GitHub. It’s apoelstra@wpsoftware.net. You can shoot me an email and chat with me about what I’m doing. If you’re in the Austin, Texas area and you want to buy me some coffee or a beer, I will show up at least once to talk to you!
Peter McCormack: I’m going to be there. What is it? I think it’s the 20th and I’m thinking I was going to meet up with Justin. I owe you a beer after this. I’m going to take you for a beer when we hit Austin!
Andrew Poelstra: Cool, yeah, definitely shoot me a message in some way and I will probably be in Austin on the 20th. So there we go. That is how to follow me. You travel to Austin, Texas and buy me a beer!
Peter McCormack: Thank you so much.
Andrew Poelstra: Thank you. This was a lot of fun.