Codex32 and Paper Computers with Andrew Poelstra – Blockstream Talk #29

Welcome back to Blockstream Talk. Today we're speaking with Andrew Poelstra. In his role as head of research at Blockstream, Andrew oversees a number of projects that I think many of us in Bitcoin are probably only peripherally aware of, but that Andrew and his team have been working on and thinking about for years already. In this conversation we talked about Miniscript and a possible deployment on Jade; a review of Simplicity (if you're interested in that, don't forget to also go back and look at Blockstream Talk number 26, where we did a deep dive on Simplicity); drivechains and how they're different from layer twos like Lightning and Liquid; Bulletproofs++, FROST and MuSig2; and also how paper computers can be used to secure electronic computers. Andrew and I discussed this idea about a year ago, how paper computers can be used to generate, encode and even recover Bitcoin secret keys. At the time I thought it was pretty cool, but since then the recently launched Codex32 book, which has a number of punch-out paper computers inside, is also really well presented from an aesthetic perspective, and I think the paper computers look really cool, so be sure to check that out. I think the book should be out on the Blockstream store by the time you see this, so have a look. If it's out, we'll


put a link in the description below. Thank you.

Good to see you again. Hey, can we start maybe with a quick introduction to yourself and Blockstream Research?

Yeah, for sure. So I'm Andrew Poelstra. I am the director of Blockstream Research, which I have been doing since the beginning of 2018, when our CTO Greg Maxwell stepped down and we restructured our engineering department a little bit to have a distinct engineering and research, um, distinct engineering and research teams. Um, so my team now has I think eight or nine people, who sort of split, even within research, who kind of split into two teams: one half who does cryptography, zero-knowledge proofs, signatures and stuff like that, and the other half who does scripting-focused stuff, and that's Miniscript, Simplicity, uh, things like cryptographic derivatives and options and applications of, of these scripting schemes, of smart contracts on, on top of Liquid and in some ways outside of Liquid. We try to be a little bit more, uh, we try to be Bitcoin focused where we can, although certainly having a multi-asset platform like Liquid, and one with all sorts of crypto toys, makes it a good fit for a lot of what we do. On the

uh, crypto side we have, uh, Jonas Nick and Tim Ruffing, and Liam Eagen now, who joined us recently. He's the author of the Bulletproofs++, uh, paper, which is an extension of a zero-knowledge proof scheme called Bulletproofs that were developed in part at Blockstream Research a few years ago. So Tim and Jonas have been with us since I think before Blockstream Research was a thing. Uh, they've been instrumental in, in pushing forward MuSig and FROST, our two big kind of crypto things. MuSig is an interactive multi-signature scheme and FROST is an interactive threshold signature scheme. The difference is, with MuSig you can split a signing key into maybe like five parts or whatever, and then if all the participants come together they can interactively produce a signature. With FROST you can have a threshold, so you can say, like, any three of the five participants can come together. Uh, since Liam joined the team we've also branched out a bit and we've been working on zero-knowledge proofs, in particular Bulletproofs++ as I mentioned. So we've got an implementation of that in C that we're hoping to eventually bring into Liquid, we've got one in Rust which we're using in some ways as a reference implementation, and we're also working on cleaning up the, uh,

the Bulletproofs++ paper, trying to simplify it where we can, trying to get it into a state where it's, it's easy to understand even though it's, uh, in some ways a fairly complicated thing. Then on the scripting side we've got myself, I guess I would consider myself more on the scripting side than the crypto side. Then we have Russell O'Connor, who has been with the company almost since its founding. He's been working on a smart contracting language called Simplicity for the last many years and he's kind of like the, the force behind Simplicity. In the last couple of years more people on the team have joined and we've started to make this much more of a team effort and start working towards deployment and working on making this real, uh, but for the many years before that Russell was writing code, he was writing papers, he was, he was publishing stuff and working out all of the detailed mathematical structure of everything. Who is a co-inventor of Miniscript, which is another project that came out of Blockstream Research. So Miniscript is a way of reasoning about Bitcoin Script in a way where you can model the script as kind of a set of spending conditions: as a set of keys that you need to sign with, as a set of hashes whose preimages you need to reveal, and a set of time

locks, time conditions, so, so your, um, coins need to be a certain height before they can be spent, and arbitrary combinations of these, so you can have some set of keys, then after a certain time a different set of keys comes into play, kind of stuff like that. Uh, prior to Miniscript it was possible but quite difficult to do these kind of things in Bitcoin Script, because the, the model by which Bitcoin Script operates is kind of one where you have all of these opaque blobs, um, of data that are all on what's called a stack, one, one after the other. Um, and you have this script engine which is just running opcodes to rearrange things from the stack, to pull things off the stack, to put things on the stack, and then sometimes, under certain conditions, it will interpret some items as public keys and signatures and hashes and preimages and stuff like that. But in the course of the script interpreter running, you don't really, this data doesn't really have an identity until the last possible moment. It's really just this, this opaque blob manipulation machine. So Miniscript allows us to reason about stuff not as a sequence of blob manipulations but, so to speak, as a series, sorry, as a set of spending conditions, which allows us to do all

sorts of analysis in a much cleaner way, and also to make the user experience of using this much cleaner. So Miniscript and Simplicity are kind of the two major projects that we work on, Miniscript being a subset of Script which just works on... which works on Bitcoin today, Simplicity being a much more ambitious, complete overhaul. Uh, so that's myself, Russell, Sanket, and also Christian Lewe is, uh, our fourth member of the team working on the Simplicity front, and we're all kind of doing different things here, where, uh, Russell of course was working on the core, like, uh, consensus code, the C code, the logic there. Uh, Christian is working on some of the, the wallet structure and the tooling around being able to actually use Simplicity, uh, at least in, uh, in a kind of playground context. Uh, Sanket is working on example programs and making the language itself a little bit more accessible. Um, and then I kind of write blog posts, more or less, and try to keep everything together. So, um, beyond that, and then we have two, two more people on the team who are kind of just like free agents, I guess. We have Andrew Chow, who's a Bitcoin Core developer. Uh, we sponsor his work on Core, and in

particular he is the Bitcoin wallet maintainer, so he's been incredible for us on also the wallet protocols, including output descriptors, uh, PSBT, uh, the shift within Core from using the, um, uh, the moving towards the SQLite database rather than the old BDB database, which was, um, a little bit of a, I don't want to say unmaintained, but we were using an unmaintained version of it and it was certainly showing its age. SQLite is, it's a much nicer thing to work with, and the combination of SQLite and descriptors has meant that the entire architecture of the Bitcoin Core wallet has been radically transformed in the last five years, largely because of Andrew's efforts. And, uh, and it's in much better shape than it was before. Um, so I'll just say, as an example of the kind of problems that we used to have before, um, in the old and the original wallet, kind of as conceived by Satoshi, the wallet would keep track of signing keys, right? So you have a public key that anybody can see on the blockchain and use to validate signatures, you have a secret key which you use to produce signatures. And in the early days of Bitcoin an

address and a key were kind of the same thing, right? Like, you'd think of an address as just an encoding of a key. But this thing then evolved. There were kind of new address types that appeared. So initially we had these pay-to-pubkey-hash addresses, where the address, rather than having the key, would actually have a hash of the key. Then later we had pay-to-script-hash, which would add, um, which would allow you to do multi-signatures and multiple key kind of things, also hidden by a single hash. Uh, we had SegWit, which then introduced a couple new address formats, a new bech32 address format, um, and a new way of treating public keys, where the public key would be part of the transaction output but the signature, rather than being directly inside of the transaction input, would be in this new witness field of the transaction. It was moved out of the way in a way that allowed the hashing structure of transactions to change. And then Taproot, of course, the latest version of SegWit. So all of these different script output types use the same keys. I guess Taproot actually uses a new kind of key, but, uh, but we have the same kind of key that could now correspond to multiple address types, and Bitcoin Core five years ago didn't really distinguish very well between these. So for example, if somebody

generated a SegWit address and gave that to you, you could take their SegWit address, you could reinterpret it as a legacy pre-SegWit address and send coins to that, and their wallet would receive it, and it wouldn't, like, the user had no ability to control this, to say, like, really, I want a SegWit address. Like, because the address identifies payments to you, and so if you give an address to someone you want the coins to go to that address. You don't want them to change the address, send money to a completely unrelated address from, from a user perspective, and still have your wallet acknowledge the coins. This is going to mess up your accounting, right? It's not, um. So this, this, uh, descriptor project that Pieter Wuille, and then later, uh, Andrew Chow and myself and Sanket joined in on, uh, this descriptor project allowed us to separate all of these things, and then Miniscript allowed us to generalize it from more than just one key to, as I said, multiple keys, hash preimages, timelocks, arbitrary combinations of these kind of thing. And then the final person on our team is, uh, the last, certainly not the least of course, is, um, Kiara, Kiara Bickers, who is the research communications, she's in charge of, of

the communication inside and also outside of the research department. So internally that means she's working on wiki pages, I mean, she's talking to people from other departments and asking what it is that they think that we do, and does that correspond to what we're actually doing, and what, what are people interested in, what are people confused about, you know, what do people want to know, um, you know, what kind of things are we doing that nobody's aware of, kind of stuff.

Yeah.

Um, the research, as we might talk about and I've kind of hinted at, we're doing a whole ton of different things, and often, until we got Kiara on the team, we would find ourselves doing things and realize that no one else in the company was even aware that we were doing it, let alone the rest of the world.

Exactly, exactly.

So the other part of her job is, is to manage our external communications, so she's written a good number of our blog posts, and the ones that she doesn't write, she's on top of us, like, saying you need to write a blog post about this or write a blog post about that, or, you know, what are you doing and, like, how, how does it affect the world and how can you share that with the world, kind of thing. And I mean, before Kiara we kind of

wouldn't ask ourselves those questions often enough, and so often, in fact for a number of years, uh, you see almost no public output from Blockstream Research, uh, other than our appearances at conferences, that were almost accidental, right? Like, it was just us going to conferences to meet collaborators and friends, and then, oh, I guess I'll do a talk while the cameras are here, kind of thing. But we weren't, uh, we didn't have an organized way to do things until Kiara joined the team. Um, and as a final cut to Kiara, um, so this is what we'll probably be talking about a little bit, we have this new book called Codex32 out. Kiara coordinated all of the typesetting and artwork and stuff, so she found, she didn't draw this but she found artists for this, and she spent a lot of time with me going over PDF drafts and laying out pages and getting all these nice drop caps, which you probably can't tell on the camera, but they're very nicely illustrated drop caps.

Yeah, I know, I can see that, yeah.

Um, there's a few other illustrations here and stuff, that she said, you know, over and over, we need illustrations, we need illustrations. So, so this is a really, like, quite a... Here's, like, here, with the Cryptosteel picture there.

Yeah,

yeah, yeah, yeah, yeah, yeah.

So, so much of the, uh, the way that this came together in the, uh, all right, um, so much of the way that this book came together was, was Kiara driving forward the, uh, the human side of this, so it wasn't just a, you know, textbook of mathematics. Um, and surprisingly, maybe it shouldn't be surprising, but even for us on the inside, uh, for the people working on developing this and writing it out, it's actually been amazingly more interesting and engaging and fun to use this stuff, having all of the artwork in place and having the new names for stuff, where, you know, we don't talk about, like, multiplication, we talk about fusion, right? And we have various other names for mathematical operations, um, that we, we had to come up with so that we could tell, um, a nice narrative about what it is that people are doing with this book, and that, uh, bringing that narrative together, and it really improved the user experience.

Oh, that's great. Yeah, Kiara is on our list of people we've got to get on the show, um, so looking forward to having her on and talking to her about whatever you think you guys do. Um, that's a, that's a massive amount of

work. Um, and, and speaking of, you know, the book and some of the stuff that you've been working on, that reminds me of last year when we spoke. One of the cool things that we talked about was the idea of paper computers, um, which was super interesting, so can you give us an introduction to, to that?

So last year when we spoke we might have had some paper computers, it kind of looked like this, you can see here's, I don't remember if I had them on the show. Um, let me show you real quick what they look like today, thanks, uh, in large part to Kiara's efforts.

Oh wow, that's cool.

This one, um, this one's cool, this is double-sided. This was, this was an incredible innovation, the idea that we could, uh, fit two computations onto one and then use this double-sided. So in fact the way that you use this is you turn it while looking at this side, and if you want, like, you can use this for, like, you know, ciphers and stuff. If you're, like, trying, maybe you're, like, a student trying to hide stuff from your teachers in grade four or something, you could use this. If you think of, my secret key is going to be a symbol, let's turn it to, like, the cent symbol there up top.

Okay, okay.

There we go. If I turn it there and flip it over, and now you can see this is

mapping letters to letters, or letters and numbers to letters and numbers, so you can use that as a cipher. You just map every, follow the arrows outward to, uh, to encrypt, follow the arrows inward to decrypt, kind of thing, and you can do all sorts of fun stuff with that. Um, but I'm getting ahead of myself, so let's just talk a little bit about paper computers and, and, you know, what are these for, why would anybody want to use paper computers. So on a high level, what you can do with these, these paper computers, in conjunction with these, uh, here they are before they're cut out, by the way, so...

Where, what is that book? Is that the book you just showed, the one Kiara put together?

Yes, this is the book that, um, I just showed, with these paper computers. Here's a double-sided one, so you cut it out and fold it and stuff. Um, so this book kind of has three parts. So one is the exposition that I showed you, kind of explaining what's going on, and then the, uh, the last part is the paper computers that you cut out, and in the middle we've got a whole bunch of these worksheets. And so the idea is that using these worksheets in conjunction with paper computers, following the instructions that are written out in a fair bit of detail, you

can create secret data. So, like, for example, um, the seed words that you're familiar with for your, your Bitcoin wallet. With those seed words, normally you put that into a wallet and then the wallet is able to derive a sequence of addresses from that. So we have a different format for the seed words that you're able to generate just by rolling dice and then doing, there's a certain worksheet that will help you eliminate any dice bias caused by manufacturing issues. So what you can do is generate the seed data by rolling dice. You can attach a checksum to it, which is some extra redundant data that you stick on the end, which will allow you to detect and correct errors. So we have a checksum that will allow you to correct up to four errors. So if you make up to four errors anywhere in your, in your data, then you will actually be able to determine where those errors are, even if you didn't know, and figure out what the correct values were. And if you know where the errors are, which is maybe a more likely scenario if you have stuff in a Cryptosteel and then, like, some of the tiles get worn out or, you know, warped or something like that, you know where they are, then you can correct up to eight, which is a cool thing. And this is, these are guarantees. So what this means

is that if you have up to eight errors you can detect, you can determine that something's wrong, guaranteed. If you know where they are you can even correct them, and if you don't know where they are you can correct up to four, which is, is a nice property. But this is a, this is kind of a general property of error-correcting codes. Um, so bech32 addresses, Taproot addresses, SegWit addresses have the same kind of principle, and in fact you can use the worksheets in this book, so, if you tweak them a little bit, to verify the validity of, of, um, SegWit addresses if you want. It's exactly the same.

What's the title of that book and how do people get it?

The title of this book is Codex32. There are two places to get it. Uh, one is the Blockstream store, which is store.blockstream.com. Uh, you can buy this nice, wonderfully printed and bound one that has all the, all these worksheets are tear-outs, the paper computers are on heavy paper and you can tear those out as well. Um, and the other place is to go either to our website, secretcodex32.com, or to the GitHub repo, which is github.com/BlockstreamResearch/codex32, and on either the website or the GitHub repo you can just go ahead and download that. You can print out new, extra copies

of the worksheet, you can print new copies of the, uh, the paper computers. You probably want to take it to, like, a real print shop, because it's nice to have them a little bit big and on heavy paper and stuff like that. Um, you can, you can print the whole book. It's all open source, it's all freely available. Um, but, like, you know, this is, you definitely want to buy one of these, at least just to have it, for such a nice, nicely bound thing. And in fact I would even suggest that if you buy a copy you shouldn't actually tear it out and, like, cut out the pieces that come with the book. You should just print your own and keep the book.

Get two. Buy two copies.

Exactly.

Well presented too, I mean, it looks, it just looks really, aesthetically, very nice.

It's really, I'm really surprised at, like, what a piece of art it turned out to be, right? Because the, the progression here of course was that initially we just had these paper computers, and then they were kind of boring, they were flat and white, and we thought, well, why don't we put some artwork on them, and then why don't we put some color artwork, and then from there it just kind of grew to, like, the artwork is more than just, like, a decoration on this. You know, the artwork, like, really visually guides you

as to, like, which of these does what. And, uh, and it fits into a broader theme about kind of the, the somewhat magical thing that we're doing here by doing this, this error correction, and then, of a fan moment, uh, the ability to split and reconstruct secret data, which is something called Shamir secret sharing.

Yeah, yeah, let's talk about that. Can you talk a little bit more about Shamir secret sharing and, and, and why, you know, why people should learn about that?

Sure. So the idea behind Shamir secret sharing is that if you have some piece of data, some, some reasonably short secret piece of data, so like a Bitcoin seed, then you can split this up into multiple pieces that will allow you to reconstruct it. And so why would you do this? Well, if you have something like a Bitcoin seed, there's inherently a trade-off that you have to make, where if you want your data to be resistant, if you want it to be accessible, right, if you want to not lose it and to be able to recover it, you kind of want to make it pretty accessible. So here's, by the way, like, this is a Cryptosteel tube. Unscrew that some and show off, for people who aren't familiar with, all these tiles here with data.

I haven't seen that either. I mean, you've got lots of little...

Where, where do, where do we get that? Where's that from? Like, I've got the Blockstream Metal, but that's something new.

I think these are on the Blockstream store as well. Blockstream sent me one, so I assume. I'm gonna be honest, people just send me a lot of stuff.

You've got lots of really cool toys.

These, uh, these tubes are really great, actually. I got a demo one, I think, from the Blockstream store, and then I went and bought another, like, five or six of them, um, because I actually, this is the, uh, I think this is the way to go for Cryptosteel kind of stuff. But there's a trade-off, right? So I can have this here, it's all nice, it's just sitting on my desk and, like, I'm showing it off on podcasts and stuff, but, all right, so that's easy, I'm not going to lose it, you know, it's sitting outside on my computer. But the trade-off of course is that if it's easy for me to access, it's easy for anybody to access. So I have to worry, you know, are people going to come into my home, are they going to steal this, is it going to be a target somehow. Um, so, and maybe I would want to go further, maybe I'd want to have more than one copy, right? So I have my copy here that

anybody can take. Um, if I really want to protect it against, like, a natural disaster or something, then I would probably want to have another copy somewhere else, that I can't even keep an eye on, kind of thing. There's this trade-off here, where I can either make this really accessible and redundant and then increase the risk of theft, or I can make it not very accessible and not very redundant and increase the risk that I'm going to lose it. Okay, and that's a trade-off, that's just a trade-off that you have to make when you're storing secret data like this. And so Shamir secret sharing lets you make this trade-off in a bit of a more nuanced way, where it lets you split your data into multiple pieces, and you can set a threshold, typically two or three. And if you have fewer pieces than the threshold you don't learn anything about the secret, but if you have threshold-many pieces then you learn the whole secret. So it's not like I'm splitting it into, like, multiple pieces and spreading them everywhere, like, you know, where the more you collect, the more you know about the secret, kind of thing. There's this, like, sharp cliff here, where you go from knowing nothing at all, you get one,

two shares, and you get the third one and then you know the whole thing. It's the way that this works. And so this lets you kind of do this nice trade-off, where if you want to have something that's, that's very, um, I guess redundant and resistant to people losing shares and stuff, you can create a whole bunch of these different shares, but if you're worried about them being compromised you can increase the threshold. So what you might do, for example, is a two-of-three, or three-of-five maybe is kind of a threshold that I would recommend, if you have five different tubes, they're all floating around the world, um, you know, being held by trusted friends and family and lawyers and so forth, and any three of them will let you reconstruct the secret. So you can lose up to two of them and still be able to recover your secret, and hopefully you'll notice when one goes missing and, you know, you gotta, like, redo things, right? Um, you can lose up to two and you can have up to two get compromised, and in either case you're still fine, and again, hopefully you notice the compromise, though that might be harder to notice, right, if, like, somebody is just rifling through stuff. So you can

put tamper-proof stickers on these and get some sort of hint that they've been accessed. So three-of-five gives you this nice benefit where you have a bunch of tubes distributed, but you need three to be compromised in order for your coins to be stolen, or you need three to be lost before you actually lose them, so you have, like, quite a bit of, quite a bit of room to make mistakes here. So this is a way, basically, to, when you're storing backups, when you're storing backup data, Shamir secret sharing gives you a way to distribute that backup in a more nuanced way. And I should say a little bit about how this compares to multi-signatures, because people use multisig in Bitcoin to much the same effect, right? Because the coins in Bitcoin are not necessarily held by a single key, they can be held by as many keys as you want. So rather than having a single key that's split in three-of-five, maybe I want a multi-signature where I have five keys and any three of them can sign. And I would say that if you have a choice between those two mechanisms, you always want to use multisig, right? Like, multisigs are just, like, universally better, and the reason is that with a multi-signature you don't need to bring

the pieces together to produce a signature, right? With Shamir secret sharing you've got all these shards, and then when you want the original secret you have to bring the shards together, reassemble them, put them into a Bitcoin wallet and spend your coins. With multisig you don't. You can produce part of your signature with one wallet, part of your signature with another wallet, part of your signature with another wallet, and they don't ever need to, you never need to bring secret data all into one place.

Why is that better?

It's actually a little bit more complicated to use, which is the reason that you wouldn't use it. The reason that it's better from a security perspective is that you don't ever bring, you don't have all your secrets in one place. So the idea is that if you're using a multi-signature, rather than you, like, personally producing a, producing part of a signature in one place and the part in another, you might just call a friend of yours who's holding the other key and ask them to do the signature kind of part, and they'll recognize your voice, or maybe have some sort of password because you're worried about deep fakes now, because that's not 2020 anymore. The idea here is that you can add additional access control.

So basically, with Shamir secret sharing, in order to use it you need to reconstruct the whole secret, so at the time of use the benefit of sharding goes away. That, that's the trade-off that you're making, whereas with a multi-signature everything stays sharded always, at the same time. So maybe a good way to think about this, which I think we wrote in the book, is that you can use a multi-signature to define a signing policy, to say, well, I have these three different custodians or whoever, and they could be me at a different time, but three different, five different custodians, and I want any three of them to be able to move the coins. That's the multi-signature. Whereas Shamir secret sharing you would use just as a backup management, so I've got some seeds that I want to keep at rest for many years or many decades or something, and when I want to actually use a seed I'm going to have to unshard and, like, undo my security, but as long as they're going to be at rest for a long period of time and I don't really want to think about them, then Shamir secret sharing lets me do that.

Okay, very cool. Shifting gears here slightly to, um, the Jade wallet. What, what sort of steps does Jade take to mitigate the dangers presented by electronic

computers, um, when storing the seeds long term?

Yeah, so this is the Jade, by the way, one of my many props here. Yeah, so I'll, I'll talk a bit about some of the issues that people have with electronic computers and why they might want to use paper ones, which we haven't yet dived into. Um, but one of the specific ways that hardware wallets, um, or any electronic computer can cause problems for you is that the hardware wallet can leak your secret key, or leak part of your secret key, through the signatures that it generates. And there are a couple different ways that this can happen. Um, so one is something called a side-channel attack, where during the signing process you plug your Jade in, right, you produce a signature, or I think you can use it in an air-gapped way, I never have, um, you plug in your, your Jade, you're producing a signature, and maybe there's some malware on your computer that's watching your USB bus and it sees a power draw from a USB bus going up and down very quickly as it's doing various computations. If the Jade were naively programmed to produce these signatures, you might actually be able to distinguish zero bits from one bits in your secret key by

looking at the power draw changing, or looking at how the timing changes, or looking at various things like that. These are called side channels. So the Jade prevents against that by using the libsecp256k1 crypto library, the cryptography library which is what's used in Bitcoin Core and which is probably the most widely used cryptography library in the Bitcoin space at this point. Um, and libsecp has a tremendous amount of quality assurance work going into it. Uh, we look at the assembler output. So for one thing, all of the algorithms that are in libsecp are written to be constant time, so they never branch on secret data, they never put secret data into array indices. Uh, there are a number of things they do to, to be what's called constant time, meaning that no matter what the secret data is, it's actually doing the same operations. And then even beyond writing the code in that way, we look at the assembler output for popular compilers and for popular processors and make sure that the compilers haven't undermined us and said, like, oh, I see what you're doing, I'm going to stick a branch in there, kind of thing, which compilers love to do. Um, because in a compiler writer's mind, uh, compiler benchmarks are the most important value in the world, even more

important than security or correctness or anything. Very frustrating. Um, the CPU, CPU designers are in some ways just as bad, right? Your CPU will take different amounts of time to multiply different numbers and things like this. There's a lot of protections there. Um, another category though: even assuming that you have no side channels, like your wallet is not leaking data by its operation through side channels, it turns out that in the signature that it outputs it's possible for the hardware wallet to, to leak information about your secret key. So the way that it does this is it, or the way that you could leak secret data, the way that you produce a signature, first of all, is you basically, you produce another random ephemeral key and you mix your real key with the ephemeral key, and that's what your signature is. And you mix it in a way that's dependent on the exact transaction that you're signing. And what's important is that the ephemeral key be unique and uniformly random. So you can leak your secret key just by, like, copying the secret key and using it twice instead of generating a uniformly random one, and this will be very visible, because, like, part of your signature would look like your public

key kind of thing. So to avoid that, the Jade and pretty much any hardware wallet that exists in Bitcoin will use either what's called deterministic randomness, well, it will, for single signature, that uses deterministic randomness, where it will take your secret key, it'll take the message, it'll take some other, um, kind of noise that it has, feed this all into a hash function, and then produce a uniformly random nonce, we call it, a uniformly random ephemeral key, to prevent those kind of, um, those kind of attacks. Now what's scary here, similar with the side channel thing, is that this isn't observable if a hardware wallet were to do this kind of attack. So I'm telling you that Jade does this deterministically and it will always be uniformly random and independent, but there's no way for you to tell whether the output is actually uniformly random, right? Like, even if you were to load the secret key data onto another computer and then you can solve out the signature and see what went into it, if this data is supposed to be uniformly random, it just looks like random data, and there's no way you would be able to tell if it was actually honestly random or if it was biased in some, well, you could detect bias given enough signatures, but imagine it

was biased in a way that you needed another key to detect the bias. So there's ways where, like, a malicious manufacturer or, like, a rogue employee could produce nonces where you attach some bias and then you mix it with a public key that the attacker controls, in such a way that the attacker can then undo the mixing and get the bias and then use that bias to extract your secret key, but nobody else can. That's completely undetectable. So what the Jade does to prevent this, and a few other hardware wallets have started doing this as well, is it uses a technology called Anti-Exfil. Um, and what this does is it takes some randomness from the computer. It makes its own uniformly random nonce, it shows this to the computer, the computer provides an extra randomness, it then mixes the computer's randomness into the randomness that comes from the Jade, and then it provides kind of a certificate to the computer showing that it did this correctly. And then the new re-randomized nonce is what actually goes in the blockchain. And what this means is that if you have an attacker who compromised the Jade somehow and is producing bad nonces

from the Jade, well, the Jade produces its bad nonce, the computer will re-randomize it, and at least if the same attacker hasn't compromised your computer, then whatever bias the attacker stuck in there is erased. So in order for this kind of attack to work with Anti-Exfil, you need your hardware device and your host computer to be simultaneously compromised by the same actor. And in fact you need a little bit more than that: you need the same actor to also somehow have the ability to see the correspondence between your computer and the Jade, basically. So you can't, I guess if they cooperate it would be tough, but if they were to cooperate you could maybe sneak some data into the actual nonce that goes out, although the way that we structure this commitment makes that pretty expensive to do. So the idea is, without Anti-Exfil the Jade produces signatures, and the signatures that go on the blockchain might leak your key data. And there's actually been a couple of high-profile papers where bad wallets were doing this, uh, by, um, Breitner and Nadia Heninger, I believe are their names, a couple of researchers who, uh, have made a hobby of publishing

papers in which they extract Bitcoin keys from the blockchain by just applying what they call lattice methods to detect biased nonces, nonces that are not uniformly random and independent. And what they find invariably is that the compromised nonces are used in coins that have already been taken, so, like, there are real attacks out there that have been executed and people have lost coins because of it, is the idea. So Anti-Exfil just, like, pretty much completely blocks that. So you mentioned Miniscript earlier. Um, is there a plan to bring Miniscript to Jade? I think that there is, but I'm going to be honest, I don't know what the plan is. I'm not the guy to ask. Okay, what would that mean for Jade? Yeah, that's a great question. So actually there is a hardware wallet, the Ledger, which has Miniscript, um, on it. And then I think that Coldcard and, uh, Trezor, I've got my Trezor, it's not open, and Jade are all planning to kind of join in. And what Miniscript gets you on a hardware wallet is it allows you to have a policy, to have multiple keys and put these into some sort of policy. So for example you could say, I want my coins, rather than be in control just by, like, a single Jade, I want it to be controlled by a two-of-three of three different hardware

devices. I could have a Jade and Coldcard and a Ledger all together, and after a certain timelock, so if the coins haven't moved in six months or something, then I want it to go to a backup key which is on a Trezor, just because I'm trying to use everything in this example. And what Miniscript gets you is the ability to describe that policy in a universal way that all these different hardware wallets will understand, in a way that they're all able to show the user: these are the different keys and these are the conditions under which the coins can move given these keys, like these keys need to sign, or some time needs to pass and this other key needs to sign, basically. So prior to Miniscript you more or less couldn't do that. Um, so the various hardware vendors would support a basic form of multisignature, which they kind of came to, like, a gentleman's agreement, and this is the simplest way that we can interoperate, and, uh, I'm going to score multisignatures like this. But as soon as you want to do something more interesting, as soon as you wanted to stick timelocks onto this or, you know, do anything more complicated, then each hardware wallet vendor had to choose what exact policy

they wanted to support. They had to write a whole bunch of code to produce addresses from this, to describe it to the user, to produce signatures, to do fee estimation and so on and so forth, and then all that special code that they wrote would only work on their product. It wouldn't be able to be carried forward to other things. And so to interoperate you needed multiple vendors to agree on specifically the policy that you wanted to do, and so it's just really, like, pretty much nobody did anything at all, because the barriers to doing anything more interesting than single-sigs and multisigs were so high. So Miniscript gives us a universal language to describe arbitrary policies that can include multiple keys from multiple devices and arbitrary combinations. And it also structures this in a way that it's feasible for wallets to show this to users, although the Ledger does kind of a thing where it will show, like, a 500-character policy and it will, like, scroll by on that tiny screen. Yeah, the screen is too small on the Ledger. So there's an ongoing project amongst various hardware vendors to try to come up with some, like, shorthands or some templates and stuff for this, so that you can get away with having a smaller

screen. Um, because, I mean, the Jade's bigger but it's not a whole lot better. Um, so yeah. It feels more readable though, I like the screen size. Yeah, yeah, um, I agree, I agree. So, um, so yeah, Miniscript lets, with very little work from the person creating the policy, it lets you describe kind of arbitrary policies. And for a hardware vendor you've got to put a bunch of work in supporting Miniscript, but then once you've done that it supports everything, and it will support everything alongside all the other vendors, so you get this interoperability and a lot more freedom than what you could have before. We recently talked to Christian, um, about Simplicity and he made some comparisons to Miniscript. What is happening in Simplicity at the moment, and when can we expect to see it on Liquid? So seeing it on Liquid, that's kind of a fun question. There's a bit of a happy hiccup in our scheduling here, which is that, probably not now, but by the time this is published, I'm going to be a father, which means that I'm going to take a few months. Congratulations! Come back and gradually come back in. That's awesome. Thank you. So that's, uh, that's very exciting for me, um, but it's less exciting for the

Simplicity team, now has a schedule kind of thrown out because I'm gonna jump off. But, um, the plan of Simplicity is that we are looking to bring together kind of a developer release of Simplicity. So we're going to launch it on the Liquid test network, which is much easier than launching it on Liquid for real. Eventually we will move it to Liquid, but initially we're going to launch it on the Liquid test network. We're going to release some Simplicity libraries. You can actually see our development live on GitHub if you want, where we have an encoding of Simplicity in, like, a normal text ASCII format with comments and syntax highlighting and all that good stuff. We will have some example programs and documentation, stuff that people need to get started. And we'll have kind of an experimental or toy wallet that users can use with the Liquid test network, where they can write Simplicity programs, produce addresses from that, and then send and receive coins. So you'll have kind of a playground with all these different components together. We'll build kind of a playground where you can actually start using Simplicity and seeing what it's like to create programs that do interesting things and see what it's like to use them.

So the idea, and maybe we should reorder this, but the idea behind Simplicity and the way it relates to Miniscript is that Miniscript, as I mentioned, lets you do signature checks, hash checks and timelocks, those few things, and then various combinations of those. We have something called combinators, where you can have an "and" of those, so both need to be true, or an "or", one of them does, or a threshold, you can do three-of-five or five-of-ten or whatever. And the idea is that you can kind of build arbitrary spending policies by building these arbitrary trees, where at the leaves you've got these actual checks and then you've got ands and ors building all the internal nodes. And so Simplicity takes this concept of having a tree-based program, where everything is kind of built out of a tree of combinators, and it takes it to the extreme in two ways. One is that the leaves, rather than being, um, like, very high-level, kind of nebulous things like signature checks, which is actually shorthand for all sorts of elliptic curve math and, like, something pretty complicated, or hash checks, which are similarly a pretty complicated bundle of things, or timelocks, which involve reference to the blockchain, and

actually there's a fair bit of complexity in defining precisely what a timelock is, Simplicity says, well, let's make the leaves be the simplest possible thing that we can still produce programs from, like, in the abstract computer science sense. Um, and the two leaves, there are two leaf combinators in Simplicity, um, in core Simplicity I should say. And let me grab real quick, lots of props, so Simplicity itself is actually so small that it fits on this t-shirt. Yeah, yeah, I've got the shirt. Yeah, so this is all, like, pretty abstract and kind of difficult to read, but what I want to emphasize is that there are two combinators called unit and iden. There, unit does nothing, it just produces an empty value, and iden is the identity function, it takes a value and it outputs the same value. And it turns out that using those two functions and just composing them in various ways you can actually build any arbitrary computation, which is kind of a cool, surprising thing. And to do that, I mean, you need more than those two, and the other direction that Simplicity goes further than Miniscript is that the combinators, rather than the

ands and ors of these things, are slightly more mathematically nuanced. Um, so we need to find ways to take these units and these identity functions and build up arbitrary code from them. But the cool thing is that there's only seven of them, and all of these are, as mathematical functions, very small. They're all, like, one-liners, the kind of thing that you can write out, I mean, well, you can fit them on a t-shirt. So what that means is that Simplicity, a definition of Simplicity, you can fit into any sort of theorem-proving, uh, apparatus, so that you can use what's called formal methods with Simplicity. So we have a reference implementation of Simplicity in the theorem proving system, but if you want to use, you know, Agda or Idris or F-sharp or, you know, whatever other theorem-proving setup that maybe people are familiar with, you can implement Simplicity in there and then you can create formal proofs of properties of your Simplicity program. So unlike in Miniscript, where you can argue things, you can kind of convince yourself with semantic properties, you can take a Miniscript and say, well, I'm a countersigner, meaning that there's no way to spend coins from this Miniscript unless I am the one signing it.

And you can make statements like that, but the argument for it is rigorous but it's kind of ad hoc, and it's a little bit informal, because ultimately Miniscript is only as well defined as the Script interpreter that's underlying, right? So every fragment of Miniscript is something like a checksig, which means you take a key and then you call the CHECKSIG operator, and the CHECKSIG operator is defined by the C++ code in Bitcoin Core, and it has, like, all sorts of, you know, C++ is very difficult to really nail down exactly, under every edge case, what the code is going to do. In Simplicity, well, sorry, in Miniscript you just can't load that, you can't create a formal model of this, so you're kind of doomed to be doing this kind of ad hoc reasoning. And the danger there is that if you try to scale Miniscript up to do more complicated things, imagine Bitcoin was extended so it could do arbitrary arithmetic or verify zero-knowledge proofs or check oracle signatures or, you know, do various covenants, all the things that people want to extend Bitcoin with, if you were to try to use the Miniscript model to build complicated things with it, you would quickly run into trouble,

because the reasoning that you would need to do to convince yourself of the security and correctness of these things would become very large and it would be quite difficult to manage. So as an example, on Liquid we have a multi-asset blockchain and we have a way to construct collateralized options. And so what an option is, what a call option is, for example, on chain, is a mechanism where you can take a bitcoin and maybe you want to create a fifty thousand dollar Bitcoin call option using this. And so what that means is you're going to create the right but not the obligation for somebody to buy the bitcoin for fifty thousand at some point in the future. And even though Bitcoin is worth much less than 50,000 right now, that option actually has value, because maybe the price goes up to 100K and then, you know, in the future somebody will get the 50K at a steal. So the way this is modeled on chain is that you take your bitcoin, you lock it up in a script, and the script says the only way to move this bitcoin is either to destroy the original option and cancel it, or the date written on the option goes by and nobody takes it, so then it expires and then the money goes back to the, uh, the original, or it gets

exercised, so somebody can take it but they have to put up the fifty thousand dollars and send it to me, or send it to whoever the counterparty winds up being after these things drift around the market for a while. And so you've got these three different endpoints, each of which is actually a collection of different conditions that have to be true about your script, and you have to argue that these things continue to be true no matter how the option moves around the blockchain, no matter how the option tokens are issued and de-issued and destroyed and so on. And you could convince yourself of the correctness of all this, and we pretty much have internally, approximately, if we've tried to develop these kind of things. We've gotten pretty good at reasoning about all the things that we do with scripts, but then if you tweak something in the script, then it's hard to say which parts of your ad hoc reasoning continue to be true, right? Like, there's a temptation to kind of say, well, we convinced ourselves this old thing was correct and then we tweaked it just a little bit, so, like, probably that only changes our argument a bit, so it should still be good, kind of thing. And after many iterations over the life cycle of any sort of software project

you're going to find that you've changed your stuff quite a bit, and the original reasoning for its correctness kind of becomes stale, and eventually you're going to trip up and you'll find that there's a bug and this is not correct or it's not secure. So with Simplicity you can instead take everything that you want to be true, you can write formally what you need to be true somehow in your proof system and then prove that is correct. And now when you tweak your code you re-run the proof verifier and it will tell you what things used to be true that are no longer true, and then you can go repair those specific parts of your proof, assuming they're repairable, and if not then you've got a bug and your thing, great job, right? Your, uh, formal methods were able to save you. And so you can do this kind of mechanistic, um, proving that a program written in Simplicity matches some sort of specification, and that's something that you can only do if you have a formal model. And this is really, like, the million dollar or billion dollar value proposition of Simplicity, is that it's defined in such a way that Simplicity is itself a formal model. It's not only a collection of code that runs on the

blockchain and checks various conditions, it is a formal model that you can, um, represent inside of a proving system, and you can get very high assurance of whatever properties of your contracts you want to be true, and that assurance will continue to hold even as you iterate on things, as long as you make sure that the machine-checkable proofs continue to machine check. In terms of formal verification, is it the simplicity of Simplicity that makes it different from other smart contracts and how they work on other chains? That's one way to put it, right. So mathematically it is very simple, right? So you have, like, the identity function as I mentioned, you can write that f of x equals x is your identity function, or the unit function, where that function is f of x equals one, where one is not actually the number one, it's something like a special unit value. Um, so it is simple in that sense, but where I think the real simplicity comes from, or the real ability to formalize, is simply the fact that these were defined in a way that had formalization in mind, where we were thinking, what is the mathematical structure of this? Um, so EVM as an example, which is the opcode language that's used in Ethereum,

there are some things they did that are actually, you know, reasonably formalization-friendly, where for example they'd have arithmetic using 256-bit numbers, where you can add two numbers and, say, overflow, it will wrap around, which is something you have to be aware of. Um, but other than that the addition and subtraction worked exactly the way that you'd expect. But then there are other things in Ethereum that are very difficult to reason about. So for example they have constructs that will allow you to call remotely into other code and then recursively call, so you have functions that can call themselves and call others. You have loops. You can construct programs in Ethereum that will loop and where you can't tell a priori how many times they're going to loop. You set a limit, of course, your gas limit, so that will cap it, but if you loop more times than the gas limit then your transaction will simply fail. And it's possible to construct programs in EVM where you simply can't guarantee that that's not going to happen, and in fact it's difficult to construct programs in EVM where that can happen. So in Simplicity we defined every combinator with an eye towards being

formalizable. We avoided having functions, and this is maybe kind of a surprising thing about Simplicity, but we don't have functions that you can, like, move around and, like, manipulate. A Simplicity program is itself a function, but the values that you manipulate are always values. And what that means is that the number of possibilities of these values can't grow dramatically faster than your program itself grows. So the more complicated a program you write, the more complicated the values you can work with, but in something like Ethereum, or anything that has first-class functions, you can have a slightly more complicated program that all of a sudden goes from being tractable to reason about to completely intractable or, like, even literally impossible. You can create uncomputable or halting-complete kind of constructions. So the other thing that Simplicity does that makes it easier to reason about is it uses this combinator model rather than the opcode model. So in Bitcoin Script, I mentioned, you have the stack, right, and you've got, like, all these blobs of data on the stack, you can rearrange them and pop them, you know, push them, kind of thing.

Um, EVM doesn't use a stack, it uses, um, a hash map, or uses a map, where you have kind of an arbitrary number of variables, and you have, kind of, every contract has this data store, you can just write stuff and read stuff in arbitrary places. And in both cases the way that your scripts work is you do, like, one opcode after another. So you have this whole massive state of the blockchain and what's in your contract's, uh, local memory and so forth, and then every opcode manipulates that entire state in some way. So you have this series of state manipulations, and this very quickly becomes difficult to wrap your head around and to reason about mechanically. Whereas Simplicity, like Miniscript, tries to be very local in its reasoning. Your programs are structured as trees, where at the bottom you've got some combinator, in Miniscript it's like an "and" or an "or", and, uh, in Simplicity it's probably the composition combinator. And you can always look at subtrees of your program. So given a Simplicity program you can say, well, I've got the composition of this thing and of this thing, and I'm going to reason about this and try to, you know, prove, um, come up with some provable statements and

properties that hold about this, find some properties I need to hold about this, and then I'm going to prove that, given two programs that have the properties that I care about, if they are composed with this particular combinator then the composition will have some other property, which is that the coins can't get stolen or something like that. So it's designed to be composable, to break apart in ways where kind of the default mode of constructing Simplicity programs will lend itself towards this kind of analysis being charged. Can you talk about how Simplicity would be able to offer CTV and APO functionality? Sure. So Simplicity, in terms of expressivity, goes much further than Bitcoin Script and, uh, well, much further than Script in two ways. Um, one is that you can express any kind of computation that you want in Simplicity. Bitcoin Script is kind of dumb, you can only add numbers that are up to 32 bits in size, and there are additional limitations there. Um, you have branches and stuff, you can only do so many branches, you have no, um, well, really the arithmetic, oh, and you have no ability to, like, break down, um, these stack elements. We don't have OP_CAT or OP_SUBSTR that would let you

pull apart data or reconstruct it. So in Bitcoin Script there's just a lot of things you can't express for really just, like, accidental historical reasons, right? Like, it wouldn't fundamentally change the way that Bitcoin works if you could add 64-bit numbers, but you can't. Um, so Ethereum does a much better job being more expressive in this way. Then the other way that Simplicity goes further, so Simplicity goes all the way, where anything that is possible, any computation that is possible to express, you can express it in Simplicity. I believe the same is true for EVM, and in both cases there's a caveat that, you know, your transaction has to fit inside of a block kind of thing, so there are actually limits here, but in a hypothetical world where you had infinitely sized blocks and infinitely sized transactions, then you could express any computation. The other direction that Simplicity extends things is by having what we call covenants, the ability to introspect properties of the transaction. So in a Simplicity program or in an Ethereum contract you can say, well, I have, you know, like, 10 BTC in this output and at most one BTC is allowed to move in a given block or in a given day or something like that,

um, or you're allowed to move an unlimited amount to this address but not to any other address, or there's a limit on your fee rate or a limit on your output unless this extra key signs and then that limit is relaxed, kind of thing. So you can look at where the money's going. It's not just, like, you know, once the coins are unlocked, once your policy is satisfied, then the coins are a free-for-all, is the way that Bitcoin works. With covenants you can control not only under what conditions do the coins move but where do they move given those conditions. So those two things together, arbitrary computations and transaction introspection, allow you to do pretty much anything that you would want to do on a blockchain, and in particular they allow you to do things like ANYPREVOUT or OP_CTV or, you know, pretty much any proposal, or OP_VAULT by James O'Beirne, or any of the proposals that people have suggested to bring onto Bitcoin. You can implement those in Simplicity because Simplicity is expressive enough. And something that's cool about this is this dovetails quite nicely with what I was saying earlier about Simplicity being kind of a specification language, of Simplicity having a formal model.

And that means that even if Simplicity is not on Bitcoin, which it won't be, you know, certainly this decade, hopefully it will next decade, but you know, that's, uh, be optimistic, right? Is it that far out? Because Christian said he thought maybe 10 years, so it could be more than a decade? It could. Well, this decade is less than 10 years, right? But it could be. So getting things into Bitcoin is always very difficult. Simplicity is actually very big despite the name, right? It's an entire replacement for the Script interpreter, and there are a lot of design decisions in Simplicity that are open to debate, right? Like, um, one of the nice things about Taproot is, because it was so small, we were, like, forced into a bunch of design decisions, so that there was less room for people to bikeshed, you know, how exactly we should have done this. Um, Simplicity does everything. There are a lot of ways to do everything, so there, you know, will soon be a lot of strong opinions about different trade-offs you can make. And so, yeah, in addition to the usual consensus process and going through the QA and the blindness and all the difficult things. Um, but even without Simplicity on Bitcoin, Simplicity has a role to play on

Bitcoin, because these other smaller incremental improvements that people talk about, like OP_CAT or OP_VAULT or OP_CTV or sighash APO, um, these can all be specified in Simplicity. So rather than coming up with a proposal where you kind of write some pseudocode, you probably write, like, some C++ code that you converge in the Core, and you write some Python code that you can kind of use as pseudocode to illustrate what you're doing, you can write Simplicity code. And then now if somebody has a technical concern, like, oh, this new proposal might enable some sort of, like, a horrible transaction structure or some sort of crisis, you can produce a proof in Simplicity that will bound up, like, hopefully you can prove that whatever someone's saying literally can't happen, that would be nice, but even if it is possible for your new opcode to be abused to cause bad transactions, you can come up with a proof that that can only happen under certain circumstances, or you can say, well, I can prove that as long as a user stays within these guardrails then they're not going to lose their funds, kind of thing. And then maybe you actually want to build those guardrails

in or not or whatever. But what's cool here is that because we have a machine-checkable specification language in Simplicity, we're able to make these kind of claims and we're able to create, like, very rigid proofs, um, like, solid proofs that, uh, are not really subject to debate, or if they're subject to debate it's a much more fruitful debate than the kind of, like, speculation and, like, "well, what if people do this" kind of, um, and arguing about definitions that we see with a lot of other proposals. There's been a lot of talk recently also about drivechains. Can you explain what drivechains are and how they're different than other layer twos, like, um, or how they're different from layer twos like Liquid or Lightning? Sure. So in brief, the drivechains are a kind of a sidechain, uh, similar to Liquid, um, but not so similar to Lightning. Um, so maybe actually let me start with Lightning and then build, try to move. So Lightning is a layer two where at the lowest level it's kind of a layer two between two people. So you and I can open what's called a payment channel, and then we, by re-signing a single transaction between us, are able to shuttle money between you and I. And then where the network part comes in is this kind of cool construction called an HTLC,

which means that if you and I have a channel, and then me and Chris have a channel over here, we're able to link those, so you can pay Chris by giving me money in a way where you can be assured that when we update our channel to give me money, at the same time my channel with Chris is updated, so the money's just going through me, minus a fee perhaps. So you have these two-party channels and this ability to link the two-party channels. Liquid, so I guess in Lightning there really isn't a change in the custody model, right? If you have coins in Lightning they are still your coins. Um, they may be tied up temporarily and, like, you need a counterparty to, uh, sign off on movements unless you want to exit, which has a delay and so on, but the coins never really leave your custody. So Liquid, to contrast, is a sidechain, and in Liquid the idea is that you move your coins out of your own custody into custody of the chain, and on Liquid the custody of the chain means they're actually in the custody of a quorum of what we call Watchmen, these 15 different signers who all have Bitcoin keys, and any 11 of those 15 are able to sign to move the coins. And while your coins are in custody on the Bitcoin chain, while they're in

custody of the Watchmen, then you kind of receive a token on the Liquid blockchain representing that, and then when you want to move back to Bitcoin you destroy the token on Liquid, the Watchmen will sign a transaction to give it back to you, and so you're actually moving custody in and out, and this is all transparent. So in Liquid you basically move the coins into the custody of the blockchain, which means custody of its federation, and then when you want to move the coins out you basically request to have your coins back and the federation signs the transaction. So this is all transparent, and you can see on the Liquid chain what coins are moving in and what coins are moving out. So if the federation is going to misbehave in some way then that would be immediately noticed and presumably cause some sort of exodus and chaos, and these functionaries are known at least to each other, uh, so there would be legal action and so forth. But, uh, ultimately you are actually moving the coins out of your own custody on the Bitcoin blockchain, and so in some sense you can think of Liquid as being kind of like this giant multisig split-custody wallet for all of the coins that are on the sidechain. And while the coins are on the sidechain,

the sidechain is a completely independent blockchain, so there's this other set of functionaries, they're actually the same people but conceptually they're different, called block signers, and the block signers sign blocks. So rather than having a proof of work you have a blockchain that's extended by the block signers signing blocks, and on this chain you have coins which represent the bitcoins that are custodied in the system, as well as other assets. And then we have all these other different rules, we have the kind of free-for-all because it's totally a separate blockchain. So we have Confidential Transactions on that, we have multiple assets on there that you can issue and de-issue, you can create your own asset types and trade them and so forth. We have new script opcodes that allow you to do covenants, so Liquid has had covenants since it was launched in 2018 in some way, shape or form. We will have Simplicity at some point. So we have all of these different extensions that we're able to deploy on Liquid, because Liquid is kind of a smaller network of participants where there's a higher barrier to entry than there is on Bitcoin. Like, we're able to require higher hardware requirements to use

Liquid, for example, and we are able to make changes to Liquid without requiring, you know, buy-in from like a million different industries and a million of them participants kind of thing. So changes to Bitcoin are very hard, there are many different stakeholders with many different interests and so on, and in Liquid everything's just smaller, so we can do more stuff more quickly and we can use it as more of a, I don't want to say a playground, right, I mean there's real money, it's a production-grade system, but we can use it to deploy technology that would not be deployable, at least immediately, on Bitcoin, as well as technology like multiple assets that just on principle would never be on Bitcoin, right? Like, no matter how rock solid we made the tech, the Bitcoin community would never accept Bitcoin being a multi-asset blockchain, and we would never push that of course, but that's the kind of thing we can do on Liquid because it's a different beast.

Now drivechains are also a sidechain. Now unlike Liquid, when you move coins onto the drivechain, rather than having them be in custody and having all these block signers signing blocks, so basically you have a set of signers in Liquid

moving everything forward and everything kind of mechanically works because you have all these always-online participants. In drivechains you kind of reuse the Bitcoin blockchain, so the blockchain under drivechains would be merge-mined with Bitcoin, so Bitcoin miners are going to mine the drivechain chain simultaneously with Bitcoin. And the way that coins move on and off is that you lock your coins on Bitcoin, and you would need some extra opcodes for this to work, but you lock your coins on Bitcoin, then they become accessible on the drivechain blockchain, and then when you want to move your coins back you destroy your coins on the drivechain thing, so similar to Liquid so far, and then you provide a proof on Bitcoin. So rather than requesting, instead of blocks, to the Watchmen, saying hey, I burned my coins, give me my bitcoins back, you provide a proof to the Bitcoin blockchain. And this proof looks at the drivechain chain and says, okay, well indeed you burned these coins and they've been buried under 100 blocks kind of thing, so that proof is valid, so all right, the coins are destroyed, you can have them back on Bitcoin. And the economics of this are

pretty radical actually. Like, this sounds mechanically like a pretty reasonable design, right? But the incentive structure here is really very different from the way things work on Liquid or the way things work on Bitcoin, and the reason is that with drivechains, if you make a proof and try to move your coins back onto Bitcoin, and then the drivechain chain gets rewritten because some rogue miners decide to rewrite a bunch of blocks or something, then the Bitcoin chain has already accepted your proof, right, but then the drivechain chain gets rewritten so that your proof is no longer on the chain. So now after the chain has been rewritten you have your coins in both places. So basically what's happened is you've made the drivechain insolvent, you managed to steal coins. And maybe more worrisome, even if you don't care about drivechains, there's kind of an incentive to do this. Like, the more money goes onto the drivechain, the more value there is in miners trying to rewrite the chain and steal coins this way. So it creates something of a honeypot and, maybe worse, it creates an incentive for Bitcoin miners to misbehave and to try to rewrite Bitcoin blocks, and that's just a consequence of

this merged mining structure. So the incentives here are, they're very strange, right? And then, so the main guy driving this is this guy Paul Sztorc, he is an economist by trade or by study or something, and his reaction to these kind of weird incentive structures is to kind of lean into it and say, well, that's how the world works, right, like everything is like interlocking incentive structures and we can just build enough technology so that we can build a world around any kind of incentive structure. And he's really struggled to get anybody from the Bitcoin community to agree with this way of looking at things, right? So drivechains, as I see it, are really viewed with suspicion from the Bitcoin community as being not really incentive compatible.

So as is, as is everything.

Yeah, right, this is everything. I mean, Bitcoin itself is really on the edge of being incentive compatible, right? So you do anything to it and then you...

And really what's the upside? Because if the goal is to have multi-asset on Bitcoin, I mean we can do that with Liquid already, so isn't that a better, safer way to do it?

Well, the upside is

that you could argue in Liquid you've got these 15 participants who have the ability to abscond with all the funds, and in drivechains if you want to abscond with all the funds you have to rewrite the chain a whole bunch, which is expensive. So there is an argument, so there are different trust models, right, and I agree with the intuition you're maybe getting at, that the Liquid trust model is probably a better trust model here. But it is quite different from Bitcoin, and it is a trust model in which you're assuming that 15 participants, or 11 of 15 participants, don't collude to run off with the coins, right? And it's very different from the trust model of Lightning, where there's really like no ability to steal anything, or the trust model of Bitcoin itself, or even more so, there's no ability to steal anything, at least unless you rewrite thousands of blocks or, you know, as many blocks as you want to secure your coins by, you can wait that many blocks and then you have that much security.

Yeah, but isn't the answer to that to increase the number of people that need to collude?

Yeah, so that's a fun direction to go in, right, is to have these like massive mega-federations. So imagine a Liquid where we had

you know, like 110 out of 150, or like, you know, add a few more zeros to this, yeah, in different countries, in different languages, that just would be extremely unlikely to collude. I think trust-wise that's a great direction to go in and I would certainly feel comfortable with that kind of model. Then you run into trade-offs of course, where technically it's quite difficult to run a network that has this many participants who all need to be in sync all the time, right, for the same reasons, yeah, and maybe socially it becomes harder to coordinate all these people to be running the same blockchain and agree, like when do we want to do upgrades and stuff like that, but yeah, certainly that would improve the trust model, to just increase the numbers.

Okay. So at the beginning you touched on, just gave a brief mention of FROST and MuSig2. Can you talk a little bit more about those, maybe give a more detailed introduction and some color on what's going on there?

The idea behind MuSig, or MuSig2, is that you can have a single public key that represents a group of participants. And every member of this group of participants has their own key, but what you do in MuSig is you combine them all into one key.

So from the perspective of the blockchain, from the perspective of validators, there's just one key, and you can't tell whether this is a single key that represents one person or a single key that represents a group of signers. And the MuSig2 protocol allows all of these individual key holders together to interactively produce a single signature that is a valid signature on a transaction with the combined key. So this whole group of participants is able to act as a single signer, and the cool thing here is that each individual signer is able to retain their own key material, and they never, even when they're interacting with each other, they never reveal their own key material. So if any one signer doesn't like a transaction they have veto power basically, so the policy this represents is every single one of these signers agrees on the transaction. And the cool thing here is that it produces one signature or zero signatures, right, like it either works or it doesn't, and so when you successfully sign, you know, you get the scalability benefit and this privacy benefit together, and with Taproot there's even a little bit more of a benefit because in

Taproot, if you can produce a single signature that authorizes those transactions, that's very cheap, and as soon as you need to go past your single signature you need to introduce what's called a script spend, and there's just a bit of extra data that you've got to throw on chain, you wind up costing yourself like an extra 30 or 40 bytes or something. So the idea behind MuSig is that you can take a single key and have it represent a group of people, okay, and then there's an interactive protocol here that's actually surprisingly non-trivial. So I sort of casually said that the individual signers retain their key material and they can't trick each other into giving things up, but when you create an interactive protocol you've got to think what happens when signers lie to each other, or what happens when one signer sends some data to a participant and different data to the other participants, or what happens when a signer does half the protocol and then doesn't reply anymore, just drops off, or what if a signer just replied but extremely slowly kind of thing, or what if he replies so slowly that some participant

thinks he dropped off but other ones don't? You know, there's a million different failure modes here. With MuSig2, conveniently, if anything goes wrong the signature doesn't show up, that's kind of the nice thing about having this all-or-nothing kind of model. So this leads me into FROST, and FROST is a threshold signature scheme. And in FROST you have maybe like 10 participants, and now any five of them or any eight of them or, you know, whatever parameters you want, if you have a quorum of them they are able to kind of interactively fill in the gaps for the missing participants, and they're able to produce a single signature. So now just like with MuSig you have one key, one signature, assuming everything works, but now the signature represents a quorum of people, so you have this quorum kind of policy. And what's cool is you can nest these, or at least we've been working very hard to make these nestable, so the individual keys in a FROST can themselves be FROST, they can themselves be MuSigs, and for MuSig we can do this, I'm not so sure about FROST. And so you can have kind of these arbitrarily complicated signing policies that are all represented by a single key.

And to produce a signature with a single key everybody needs to do this interactive protocol in the background, but all of the complexity here is kind of offloaded to the signers themselves, and so the blockchain doesn't care about the complexity. So the blockchain just sees one key, one signature, and they can't tell if it's a normal single-key wallet, they can't tell whether it's a 2-of-2 Lightning channel, they can't tell if it's a 2-of-3 escrow, they can't tell if it's some more complicated thing. That's the idea behind FROST, but as you might imagine the complexities of this interactive protocol are even worse for FROST than for MuSig, right? In MuSig you kind of worry about all this kind of misbehavior. In FROST you could imagine that you need seven of ten signers, but then you have an eighth signer shows up and just starts gripping things, and you still want the protocol to work, right? You want to make sure that even if you can't necessarily tell who's misbehaving, somehow you eventually figure it out and you're able to get, like, as long as you have seven honest parties you can somehow weed out all the dishonest ones and then produce a valid signature. And that's a lot of the work that we've been doing over the last three, four years, has been defining a protocol that's resilient to all these different

failure modes.

Shifting gears again a little bit, we recently talked to the guys from ZeroSync and we talked about zero-knowledge proofs in the Blockstream Satellite, which I thought was pretty cool. Can you talk about, you know, how something like that would work and what do you think of this proposition?

I think it's a really cool idea. How does it work? I mean, there's a lot of work to be done to make this pull together, but the idea for a user is that rather than having, you know, an entire blockchain to download, so the idea when you sync up a Bitcoin node, what you're trying to do is figure out the current UTXO set, which is, you know, what coins are where, what coins belong to what addresses basically, and the UTXO set is something like, I know there's like a few dozen gigabytes or something like that, it's certainly not small but it's not extremely large, but in order to compute the UTXO set you have to download every single transaction in every single block that ever happened in Bitcoin, and we have some like seven, eight hundred thousand blocks until the

entire Bitcoin blockchain now totals the better part of a terabyte in order to download. So the idea behind ZeroSync is that you could take the UTXO set, which is like 10 gigs or something, and then the entire blockchain leading up to that you replace with a zero-knowledge proof that there was a sequence of transactions that started from zero and ended with this UTXO set. And the zero-knowledge proof, rather than being, you know, like 800 gigs or something, is on the order of like half a megabyte or a quarter of a meg, it's just incredibly small, absolutely incredibly small. It would be, if they were using STARKs it would be I think 120 to 150 kilobytes, so really just unbelievably, like way smaller than even a single block, and verification would be way smaller, would be commensurate with, you know, 100 kilobytes kind of thing. So to verify this you're talking about taking, you know, like tens of milliseconds kind of thing, like well under a second, versus verifying, you know, the whole 800 gigabyte chain, which on a powerful processor is going to take you, you know, like the better part of a day, which is like continually churning your eight-core CPU

for six or eight hours to sync the entire blockchain, and that's with, you know, like years and years of optimization kind of thing. So you dramatically reduce the size and the verification burden needed to get you from zero to the current UTXO set, is the idea. And the difficulty there is kind of, well, I've touched on this when I was talking about Simplicity, is that the actual rules of the Bitcoin blockchain are not super well defined. It's kind of a scary thing actually, because everybody needs to agree on exactly the rules of the chain, like down to, you know, every bit, every byte, every decision needs to happen in sync, but the rules are defined by a pile of C++ code that's kind of evolved over the last eight years, mostly towards being maintainable and better defined and using modern idioms and stuff, but still the rules are defined by the code. So if you want to prove that all these rules are obeyed in zero knowledge you need to somehow lift all the C++ code into a zero-knowledge proof scheme and have the statements being proven in zero knowledge exactly match the rules of the blockchain.

So as I understand it the ZeroSync people are trying something much less ambitious, at least to start, where rather than validating all of the rules and validating all of the scripts and all the signatures and stuff, they're just trying to validate the UTXO updates, I think is what they're doing first. So you sort of assume that the transactions are valid, assume that any transaction that makes it into the chain is valid, and then prove in zero knowledge that there was a sequence of transactions that were in the chain, and even that is actually, that's much more well-defined, like it's not hard to specify this in zero knowledge, but doing so in a way where you could tractably produce a proof with so much data is a really ambitious thing. So I wish all the best to this project, I think it's super cool and I'm super excited to see it. But the technology that they're using arguably isn't here yet. Like, I mean they're really on the frontier of what's possible with these zero-knowledge proof schemes.

And what is the idea there, like how does that tie in with the satellite?

If you were syncing the Bitcoin blockchain from Blockstream

Satellite, say, then you need to get all of the blockchain data, as I've been saying, and if that's 800 gigabytes then you need to obtain 800 gigabytes of data from the Blockstream Satellite. And it's a bit less than that because we compress it and we do like a certain thing where we replay the last 24 hours' blocks and so forth, and we try to structure this so that it's as easy as it can be to get all this data, but it's nonetheless going to take you several days, I don't know the exact number, but at least several days, maybe more than a week, to obtain all this data from the satellite link. Whereas if we had ZeroSync then you would be able to download the entire block history in like 100 kilobytes, so that's, you know, you download that from the satellite in like a second or less than a second, and then the rest, for the UTXO set, if you wanted to download the full thing you could do that in a much faster way, but you might not even need to download the whole thing. If you only cared about the UTXOs that your wallet cared about, you might be able to download a proof that the specific UTXOs that you care about are included in the chain, for example. So there's a lot of room to dramatically reduce the amount of data you care about. For an individual wallet user, you can

convince yourself of a state of the chain with only a few hundred kilobytes of data instead of hundreds of gigabytes, like a factor of 1 million reduction in the amount of data that you need to obtain.

Huge, huge applications there for redundancy and then for giving access to people in really remote areas, and then I guess you could have like a hub-and-spoke structure as well, where you're using the satellite and then people with, you know, mobile devices are syncing up with the satellite. That seems super cool.

Yeah, yeah, it's a super cool future feature, so, you know, I'm really hopeful that this stuff will start to come together, but I think this is a project to watch over the coming years, not like the coming months.

Can you let us know what's been happening with development of Bulletproofs++ and where that's going?

Sure, yeah, so Bulletproofs++ is a new paper that is an improvement on our old Bulletproofs protocol, which in turn is an improvement on our old range proof protocol. So when Liquid launched, I'd say even much, much before Liquid, back in like 2015 or so when we first developed Confidential Transactions, we created a scheme called a range proof. So the idea behind Confidential Transactions is that rather than having amounts on your

inputs and outputs, and you can kind of see where all the money's flowing, you have what are called Pedersen commitments, and these commitments you prove in zero knowledge that they add to zero, so that each one commits to an actual value, so there's a real value on every input and output but they're hidden, and you provide a zero-knowledge proof that they all sum to zero. And this is pretty cool, but there's a trade-off here, which is that to produce the zero-knowledge proof you can't use integers, you have to use numbers modulo 2 to the 256, or modulo a prime number that's near that, and what that means is that your numbers wrap around. Okay, so if I give you two outputs that are very close to 2 to the 256 and then I add them together, or if I have a number that's very close to 256 and then another number that pushes you over the edge, I add them together, they'll wrap around to zero, so I effectively have negative numbers, or I can make things cancel. So naively, if we were doing Confidential Transactions using these commitments with just a zero-knowledge proof that things add to zero, I could do something like have a one bitcoin input and then I would have a 10 bitcoin output and a negative 9 bitcoin output, and together,

right, it all adds up, right, because 10 plus negative 9 equals one, so it's all on the level, but then the negative nine one that, you know, you might throw away. So we don't want that to happen, so what we do is we prove that all of our numbers are between 0 and 2 to the 64. And 2 to the 64 is a very large number, it is something like, I mean it's four billion squared, so 16 billion billion or so, but it's nonetheless much, much, much smaller than 2 to the 256. So no matter how many numbers between 0 and 2 to the 64 you add up, you're not going to get up to 2 to the 256 and wrap around. Why? Right, yes, you would have to add so many of them that they wouldn't fit into the universe kind of thing. So we use what's called a range proof, which says we're in the range 0 to 2 to the 64. And this is another kind of zero-knowledge proof, we prove in zero knowledge that we're in the range but nothing else. We developed a scheme in 2015, Greg Maxwell did, that at the time was the most efficient range proof in the literature that didn't have a trusted setup or any other weird crypto assumptions. Which is funny because it wasn't that long ago, but these are just like

horrifically inefficient. 64-bit range proofs are like four kilobytes, and for context a normal transaction output is like a public key and an amount, it's like 40 bytes of data, so we're adding 4,000 bytes to a 40 byte object. You know, we wind up, you know, like clearly 100x-ing the size of our outputs, but 10x-ing the whole transaction, right, like even when you amortize it across the whole transaction it's pretty rough. So we developed a scheme called Bulletproofs a few years later, with our friends at Stanford, Dan Boneh and Benedikt Bünz, and Jonathan Bootle at University College London, we developed this new scheme called Bulletproofs, and now instead of being four kilobytes, four thousand bytes, now the size is around 600 bytes. So like a tremendous improvement, like a 5x improvement in the total size of these things, and it was also roughly twice as fast to validate. And then a few years later some researcher developed a new scheme called Bulletproofs+ that was a little bit smaller and a little bit faster, and honestly we didn't read the paper, like we were going to, and we probably still would, but before we got around to it this guy Liam Eagen showed up and he developed this new paper called Bulletproofs++. Okay,

so he can find all of this, and the benefits of Bulletproofs++ are not only is it smaller and faster, so our 600 byte thing is now like 450 bytes or something, like it's really small as well as being faster, but it's also possible to combine proofs across a whole transaction. And this is possible, we call this aggregation, this is possible with the original Bulletproofs but only if you have the same asset for all your outputs. So as soon as we introduced assets it broke this aggregation feature of Bulletproofs++, so we had these nice 600 byte proofs but you needed a new one for every output. With Bulletproofs++ we can combine them across an entire transaction with all of the assets, no matter how many different assets. You could have a giant transaction that's 10 inputs and 10 outputs and like five assets, they're all being mixed and matched and so forth, and you attach a single proof to this transaction which is five or six hundred bytes in size and which takes just a couple milliseconds to verify, versus the old Bulletproofs which take four or five milliseconds per output kind of thing, and the, sorry, the original range proofs were four or five milliseconds, Bulletproofs were two and a half, and then Bulletproofs

are a little smaller, but the big thing is that Bulletproofs are now per transaction instead of per output, which is a cool thing. And so this is what Bulletproofs are, and when Liam joined our team Bulletproofs existed basically as a paper that Liam had written that was not a super well structured paper, like a whole pile of neat mathematical tricks that we were able to combine. And so what happened was we brought Liam onto the team, and then Liam and Sanket and Elliot Jin, who worked with us, and a few other people came together and we just kind of did like a series of sprints. So the first one we actually brought, some of my batteries just low. That's fine. And so unfortunately they're all gone now, but you can sort of see behind me there's a blackboard there, and so I actually brought Liam to my house and we had this giant wall blackboard there and we filled it up, but now we've erased this, there's other unrelated stuff there which is less exciting. So we spent a weekend just like with Liam, just like doing this crash course, and Liam kind of convinced us that all

these crazy mathematical tricks actually worked, and then we did some similar crash courses between Liam and Tim and Jonas and so forth, and we've spent a lot of time cleaning up the paper, tightening up the proofs in the paper and the arguments. In tightening up we actually found like a serious problem that would have been a soundness issue, so it's good that we went through this exercise of verifying the proof, and we were able to patch that up and now everything's good. Now we've been working on simplifying the paper, I've been working on implementing things, so we have, Sanket has written an implementation of Bulletproofs++ in Rust as well as one in C. So the Rust one we kind of use as a reference, and we're able to update that and iterate very quickly because Rust is a very expressive language that lets you kind of express mathematical abstractions reasonably well. C is not, C is very difficult, like as soon as you change your mathematical abstractions you have to rewrite half your C code all the time because it's just such a rigid and unfortunately structured language. So we've been working on, well, we've been continuing to work on getting the paper together, which we tried to submit earlier.

We weren't really thrilled with the state of the paper, and it turned out the peer reviewers were not either, unfortunately, so it wasn't accepted, but I think we're going to resubmit later this year, I think in October, although I forget to which conference. Cleaning up the paper, getting the two implementations in order, and as part of our efforts to clean up the paper we've been able to kind of move away from having range proofs, a particular kind of zero-knowledge proof, to doing arbitrary zero-knowledge proofs. So Bulletproofs could always do arbitrary zero-knowledge proofs, Bulletproofs++ could always do arbitrary zero-knowledge proofs, but in the early days we would think of the general, like proving a random program is correct kind of thing, as this big general kind of scary thing, and range proofs were this like smaller thing we would just focus on, because range proofs are a much simpler thing to prove. With our new Bulletproofs++ architecture they're one and the same, the range proofs really are just a special case of the general thing. So while we're working on range proofs we're simultaneously working on general purpose zero-knowledge proofs.

So we have a project to make our zero-knowledge proofs, the way that we encode these programs as sequences of polynomials, we want that to be compatible with other zero-knowledge proofs that are in the literature and that are deployed on various blockchains and so forth. So we've got a lot of work cut out for us: finishing the paper, writing a specification for proving and verifying things, doing general zero-knowledge proofs including encoding these programs, getting the paper accepted, getting our code, like going through all the code review and QA and writing tests and everything, and getting our multiple implementations in sync, and then in the end we'll have something where we'll probably be in a state where we could deploy on Liquid. And unfortunately replacing our range proof code is a hard fork to Liquid, like it's going to be like a flag day, it's going to be quite a difficult deployment, so we're pretty apprehensive. We're not super close to that so it's an abstract kind of apprehension, but at some point we're going to have to really kind of bite the bullet and figure out how do we want to do that deployment.

And one further complicating factor is that the way that we do assets in Liquid today is not compatible with the way we do assets in Bulletproofs++. And initially we thought this was just like a no-go, we wouldn't be able to square this, and then Liam came up with a way where we can do a conversion. So they have another kind of zero-knowledge proof that we have to deploy on the blockchain, where you prove in zero knowledge that an asset represented in the old format is equivalent to an asset represented in the new format, and you're thereby able to port your old assets without revealing what they are. You stay in zero knowledge the whole time, you port your old assets from the old regime to the new regime, and then you can transfer to Bulletproofs that way. So that's one direction for Bulletproofs. The other direction we're going, which we feel much more confident about deploying, is to try and implement a Bulletproofs++ verifier in Simplicity, and saying well, if we can get Simplicity into Liquid, that's a soft fork and that's kind of self-contained, that's something that we can manage. Then if we can write a Bulletproofs++ verifier in Simplicity, which is hard but it might be harder than coordinating a hard fork and having

all this crazy conversion stuff, then we could start to go in a different direction, where rather than thinking about the range proofs and the commitments on chain and stuff, we'll try to think about just arbitrary zero-knowledge proofs, like the kind of options that I talked about and other financial derivatives, involving like Miniscript things. What if we could hide the exact policies that we're using on Liquid so we're no longer revealing all of our code all the time? What if all of the transcripts on Liquid were happening in zero knowledge, so that basically every transfer looks the same? So we get the usual privacy and scalability because we're not revealing our exact scripts, just providing a zero-knowledge proof that the scripts are satisfied. And we get a, well yeah, privacy and scalability basically, and then the result is a blockchain where, fungibility, that was the third word that I'm looking for, is that you look at all the coins on Liquid and they're all kind of the same, you can't really tell the history of them and you can't mark certain coins as being

Worth more or less than others which is Uh as soon as you start doing that your Your currency is dead you know and You've spent Um there's a long uh huge subfield of The history of money and the history of Monetary policies and just keeping money Fungible Um when various parties are always Trying to Market and taint it in various Ways so yeah I mean so much of what you Guys are working on is kind of really Long-term long-time Horizon projects What excites you most about Bitcoin Development over the next 12 or maybe 18 Months but right now I think the biggest Problem the most short-term problem the Most important immediate term problem in Bitcoin is custody is usability user Experience for storing your own points And there are two projects that I'm Working on that I think are improving That story one is manuscript which lets You create policies where you have Certain keys and then after a time lock Different Keys become active and so on And I'm really happy to see companies Like lyanna coming up so lyanna does Like estate planning they will provide Phone support and stuff and help you set Up this thing and help you store your Keys and like write documents so you can Hand off stuff so that when you die Maybe your keys go away but then the

Backup keys become active and those are Accessible to your estate lawyer or Whoever they need to be accessible to Then the other piece of that of course Has this book codex 32 where you can do Shimir Secret sharing and check Something where you can have your Secrets stored in these steel tubes and Rather than having your backups or Whatever Um in these two they sit somewhere and You never touch them and then you try to Pull them out in 50 years uh and you Know hope that they're intact and you Know nothing awful has happened to them With the worksheets in this book you can Pull these out every year you can come Up with kind of a a ritual where every Year or you know however often you want To do this you take your C data out you Fill out one of these check something Sheets And if the checksum worksheet passes you Know that your data is intact you know That like you didn't actually put the Tiles in the wrong order or none of them Degraded or like if there's some sort of Natural disaster you know they didn't Get flat node or anything crazy Um or you can imagine that you just like Misplace the tube and then you find the Tube eventually and then you're like Okay I want to check on this you know Who knows where it was

Um, or, you know, if you died and the tube wound up at your lawyer's office for 18 months and then eventually got to the right place. There's all these things you want to do to check the integrity, and you probably don't want to have to load all the tube data into a hardware wallet every time you do this. But if you're loading your data, if you're restoring your backup every single year, then eventually, you know, over the years and decades you're going to have a hardware wallet that's broken in some way. It's just like the law of large numbers, right? Because, like, this Jade is not going to last for 50 years, say; you know, I would be impressed if it lasts for 10 years kind of thing, right? Like, you do have to cycle through these things. But with the paper worksheets you don't have to worry that all of your hardware wallets are deleting the data they say they're deleting, that they're, um, you know, not leaking data when they say they're not leaking data. Your secret data stays on these worksheets, right?

So you have this nice single-page worksheet, let me find this guy here. You tear this out, these are all perforated pages, but I don't want to rip this one out even though I've got another password. Um, you fill out all your secret data, you tear out the page, if you tear up the page first you read on a hard surface, all the secret data, and you destroy it. Um, and you know that your secret data is only on this page and nowhere else other than the tube itself, and destroying paper is something that is very easy to do in a way where you can have very high assurance that it is actually destroyed. And I've had a lot of fun experimenting with this in various ways, and I found actually the most reliable thing is to put the piece of paper in your blender with, like, a cup of water, um, and it just turns it into this great goop that, uh, that you definitely can't read anything.

In our earlier experiments, if you're trying to burn it in various ways, and surprisingly, like, aside from the safety issues, it is actually very hard to burn paper, or very easy to burn in a way where you can still read it, right? If you just have a single sheet of paper and you set fire to it, you can turn the whole paper black but you'll be able to see pencil marks at the right angle. So if you want to burn it, like, you need to totally turn it to ash and, like, really smash it up, so you pretty much need, like, a wood fireplace that you put it in with a whole bunch of other material kind of thing. Um, and then, uh, and then of course there's the safety issue, that I'm hesitant to recommend to a bunch of Bitcoiners living in high-rise apartments that they'd be setting fire to pieces of paper.

What could go wrong?

Yeah, exactly, right.

That's very cool. I'm excited to go out and to get the book and take a look. Where can people go to find out more about Blockstream research?

Sure, so we have a Twitter account, um, which is at be okay research, uh, on X or Twitter, whatever you want to call it. Um, we have a website, um, which I think is .com slash research, but you might want to edit that to find the real URL. Um, we publish a blog post on the Blockstream blog, I'm just, the, you know, public Blockstream blog, we publish a lot from research. We have a GitHub account, uh, github.com/BlockstreamResearch, um, and in particular GitHub BlockstreamResearch/codex32 is where you can download the open-source copy of this book and see the source code and get new copies of the worksheets and print new copies of the paper computers and stuff. Um, because I, while I encourage you to buy one of these beautifully bound books, once you get it you're not going to want to rip it apart, you're going to want to just print your own and then keep the book.

Yeah, no, it's very cool.

Yeah, go buy two.

Yeah. Well, Andrew, I really appreciate your time today. This is, uh, we've spent a lot of time and, uh, learned a lot, so that's really appreciated, and I look forward to having you on again in a couple of months.

Yeah, thanks for telling Jesse, it was a lot of fun.
