WBD085 Audio Transcription 

Andrew Poelstra on Bitcoin Math & Research

Interview date: Saturday 9th March, 2019

Note: the following is a transcription of my interview with Andrew Poelstra, Director of Research at Blockstream. I have reviewed the transcription but if you find any mistakes, please feel free to email me. You can listen to the original recording here.

In this episode, I talk with Andrew Poelstrsa, Director of Research at Blockstream. We talk about math, signature technology, Bitcoin fungibility and his role researching Bitcoin.

“Mathematics is the art of finding patterns in logical structures and finding connections between seemingly apparently different structures.”

— Andrew Poelstra

Interview Transcription

Peter McCormack: Hi Andrew, how are you?

Andrew Poelstra: Hey Peter, I’m doing very well. How are you?

Peter McCormack: Very good, thank you. Thank you for coming on my podcast. I’m going to do something slightly different today. I usually do lots and lots of prep, but the things you cover go way over my head. So today, this is the first time I think that I’ve ever gone without any full prep apart from a weird interview I did recently with Pomp. I’m going to just try and let this roll today. So firstly I went to your session this morning. I didn’t understand any of it! I’m not technical, I’m a Bitcoin fan and I watched it and I was looking at the screen going, ‘okay, I don’t get this!’ So can you give me the background? You’re a mathematician, right?

Andrew Poelstra: I am a mathematician.

Peter McCormack: So give me the background and tell me about the work you do. Somebody said to me, ‘Andrew has a big brain of math’. So tell me all about this.

Andrew Poelstra: All right, so maybe I should start by saying that my talk this morning had a bit of an ulterior motive there. I was at MIT, which is full of undergraduates. We all know they like to go create startups doing strange, reckless cryptographic things. My goal there was to intimidate them out from trying to go build cryptographic protocols, as they weren’t ready to do the kind of research needed to do this in a high assurance way. So I was trying to be a little bit intimidating when I was doing this. I heard from a few people, they didn’t understand it.

Although in fairness to me, I wasn’t just being mean. I had 20 minutes to cover this topic. I really tried to cut it down and I still ran out of time to say the things that I wanted to say. It was at quarter after nine in the morning, the tea wasn’t working, so I showed up a bit late and I didn’t have time to get coffee. Nobody else did. It was not a good time for something so technical! It wasn’t just me being mean in there. It was also, that’s how these things go sometimes. But to answer your question about what I was talking about though or maybe to give a little bit of background on this.

So I work at Blockstream. I’m the Head of Research. One of our big prongs of Blockstream research is this whole collection of things that I call signature technology or scriptless scripts depending on how marketing friendly I feel like being. What these are, are a whole pile of ways that we have to encode interesting, multiparty, I don’t want to say smart contract, well I do, smart contract semantics in signature protocols. So what do I mean by that? I mean that it’s possible to create digital signatures or to create what are called multi signatures.

These are digital signature produced by a set of participants, all working cooperatively in such a way that no subset of them is able to produce a signature. It’s really something that’s jointly owned by all of these people at once. By extending these multisignature protocols, which are these off chain protocols where the different parties and various cryptographic objects to each other. By extending these to have other interesting semantics, these parties can ensure that the only way the final signature will be produced and the only way that a valid transaction, which has to have a signature will be produced, is if some sort of contract is satisfied.

So the simplest example of this that’s non-trivial is say like an atomic swap, a cross chain atomic swap, where somebody say wants to send some Bitcoins to a counterparty, but the only way that they… They don’t want that money to move unless they also receive an equivalent amount in Litecoin on the Litecoin chain, they want to receive that, right? So there’s a swap that’s happening, a Bitcoin for Litecoin swap. The problem is the Bitcoin Blockchain doesn’t know about Litecoin and the Litecoin Blockchain doesn’t know about Bitcoin. Neither one is willing to put verification code for the other into their consensus layer of course.

So how can you make these two Blockchains communicate? There is a standard way to do this. I believe developed by TierNolan in 2013 or 2012, where basically you encumber coins on both Blockchains with what’s called a hash pre-image challenge, where basically you say, in order to move these coins, you have to reveal some secret. The trick is that you use the same secret on both Blockchains. So initially one party knows a secret, the other does not. Then what happens is a party who knows the secret, publishes it to the Blockchain to take their coins. Maybe they publish it to the Litecoin chain in order to take their Litecoins.

The other party copies the secret off of the Litecoin chain onto the Bitcoin chain and uses that to take their coins. So that way the act of taking the money reveals a secret, which causes the money to be given away. It’s possible, to extend a multisignature protocol so that the act of completing a multisignature reveals the secret and equivalently you can extend a multisignature protocol, or conversely you can extend a multisignature protocol and that knowing a secret allows you to complete the multisignature. As long as you use the same secret in both sides, the effect is that you can have a multisignature moving coins on Litecoin, such that when one party completes a signature to take their coins, they reveal a secret which the other party learns by reading the final signature of the Blockchain and doing some computations.

Then they can use that secret to complete a signature on the Bitcoin side and take their coins. The cool thing is that what hits the Blockchain here are just these two signatures and what’s even cooler, it’s not even multiple signatures. It’s actually one signature on each chain that the two parties jointly created.

Peter McCormack: Okay. But are you enabling shitcoining then?

Andrew Poelstra: So it’s unfortunate that there is nothing that you can… There’s nothing on other chains that you can trade with. Let me take that back. So, there are lots of Blockchains out there. Not all Blockchains have their own asset types. Not all Blockchains have shitcoins on them.

As one example, that’s dear to us at Blockstream is we have a side chain called Liquid. What a side chain is, is basically a Blockchain that doesn’t have its own native asset. It supports what is called a cryptographic peg or in our case a federated peg, which is controlled by a consortium of our customers. I think 11 or 15 of them need to… Following the rules of the system, they need to sign off that the rules of the system were followed moving coins off of Liquid into Bitcoin. So Liquid is a separate Blockchain that supports Bitcoin.

It also supports other assets that people can issue and whatever the semantics of those assets are, that’s up to the issuer. That’s not so interesting for these purposes. What is interesting is that if you want to move Bitcoins into Liquid, you need to put them up in some output that is controlled by this consortium. That’s like an 11 or 15 multisignature output. Then for it to be recognized and to be moved on the Liquid side of things, we require 100 confirmations, which takes a long time. That takes the better part of a day.

Peter McCormack: Why 100?

Andrew Poelstra: 100 is the what’s called the maturity limit in Bitcoin. So I’m going to get a little bit technical here, but in Bitcoin, if there’s something, say there is a Blockchain reorganization, then assuming no foul play, basically all of the same transactions will eventually wind up back on the Blockchain and people who weren’t actually trying to exploit the reorganization to cause grief, will see no effect basically, as your transactions just wind up back on the chain.

Maybe in a different order, maybe in different blocks, that’s all fine. So typical users who are not under attack don’t really need to worry about reorganizations except as far as keeping the databases in sync and stuff like this. But there’s one big exception to this, which are coinbase transactions, which are transactions that are created in a new block. So every block, the person who creates the block, gets to create the free transaction that gives 12.5 coins to them and has no inputs whatsoever.

If there’s a reorganization, these transactions are completely destroyed. They can’t go back onto the Blockchain because the new blocks will have different coinbase transactions. They’ll have different TX IDs.

Peter McCormack: So if there’s a reorganization, we reduce the total supply?

Andrew Poelstra: No, so the reorganization will replace some blocks with other blocks. So the 12.5 coins in the blocks that were destroyed are gone. But there will be a different 12.5 coins.

Peter McCormack: So the miners who mined those will be slightly upset.

Andrew Poelstra: Yes the miner will certainly be upset. But importantly, so will anybody who received coins from these miners. Imagine the miners could create these transactions and then immediately send them off to some other party. The other party would need to look at the Blockchain and say, ‘oh, these coins actually came from a coinbase transaction’. So, you know, it’s not only if it’s foul play if there is any other reorganization at all and these happen all the time for one or two blocks just because of network propagation effects, but with any reorganization at all, these coins are no good.

So I don’t want to accept these coins, they’re very risky. So the Bitcoin protocol has a rule, which is you are not allowed to move coinbase transaction for 100 blocks. This is really quite excessive. There has never been a reorganization of 100 blocks. There’s never been a reorganization of more than 20, 25 blocks.

Peter McCormack: When did that happen? It’s quite a long time ago right?

Andrew Poelstra: It was, yeah. I don’t remember the details, so I don’t want to say anything for sure. But I believe it was related to a database synchronization bug and in Bitcoin, before it was called Bitcoin Core in 2013 or so.

Peter McCormack: So Liquid is designed to protect itself against any situation where a reorganization might happen?

Andrew Poelstra: Essentially, yes. In Liquid, if they was a reorganization so deep that coins moved into Liquid and then later moved out, were actually invalidated by a double spend attack or something, then there’s really no recourse to that for users of the system. Basically, the solvency of the system would be in danger. So we needed a limit that was much higher than anything that had been seen before, that was so high that realistically it would cause an ecosystem wide crisis and who knows what would happen in the case of such a reorganization.

Conveniently Bitcoin Core had such a number that was already being used for such a purpose, which is reorganization of coinbase transactions, where the idea is that since coinbase transactions can only be spent after 100 blocks, you as a receiver of coins don’t even need to think or worry like, ‘oh, these coins are less risky than other coins’. You can say after 100 blocks, basically, all the coins are as fungible as they’re going to get. Basically as a rule of thumb.

So we just copied that rule of thumb from Bitcoin, which is essentially what we did. But to bring this back to signature technology, which is much more interesting than…I’m falling asleep here in front of the mic! To bring this back to signature technology, this means that if you’re moving coins into Liquid, it’s very slow. It’s very annoying. It takes the better part of a day.

Wouldn’t it be nice if you could just swap your Bitcoins on the Bitcoin chain with somebody else’s Bitcoin on the Liquid chain? Because these are freely exchangeable, other than the time value of the better part of a day, like the price of these should be essentially the same. So you could use these cross chain atomic swaps to do this, no shitcoining anywhere in sight!

Peter McCormack: Brilliant! So atomic swaps have a purpose now?

Andrew Poelstra: Exactly, atomic swaps have a purpose now! So we can do this using digital signatures, it’s kind of the cool thing. Maybe the other, well not the other cool thing, but the reason that I brought up atomic swaps is not because they’re inherently a particularly interesting thing, but because it’s a simple example of some much more exciting stuff. But before I go into that, let me double back to what I talked about this morning!

So I’ve been talking about these multisignature protocols saying, ‘oh, you can extend a multisignature protocol to do this, you can extend it to do that’ and whatever. Well, the truth is that to do this and a way that is straight forward enough that there is production ready code and that there is reasonably audited, verifiable and constant time high assurance code written out there, you actually can’t do this with ECDSA, which is the current signature scheme in Bitcoin.

There are a few research projects out there to allow you to do these kinds of things, using ECDSA. They all involve much more complicated cryptography, significantly more complicated code, the computational requirements for participants are over a thousand times as much, these take often multiple seconds on commodity hardware to do this kind of stuff.

The cryptographic assumptions underlying these are much stronger than the elliptic curve discrete logarithm assumption that we’re used to using in Bitcoin. ECDSA requires you make all of these tradeoffs, though you’re not making them on the Blockchain, the participants in these protocols, will have to make those kinds of trade-offs. That’s a hard pill to swallow and empirically we’ve known how to do this in some way or another for several years, I guess four or five years and nobody has deployed it in a production-ready setting. Even though in principle this is possible on Bitcoin.

So ideally Bitcoin would not be using ECDSA. ECDSA makes this unnecessarily difficult and it actually does this kind of on purpose. The history of ECDSA is interesting and it is a lesson for anybody who is thinking about patenting cryptography out there. The story here is that in 1989, Claus P, Schnorr developed a signature scheme called Schnorr signatures and these are, algebraically, a very straightforward type of signature. They’re the simplest possible, proof of knowledge that is the simplest possible… The best kind of example of something called the Fiat Shamir Transform in academic cryptography.

It’s kind of a building block for a lot of cryptography that’s been built ever since then. In addition to being a building block of more complicated, more exciting protocols, by itself, these are actually digital signatures, which is cool. That’s kind of the simplest thing you can do with cryptography, is make a digital signature. Schnorr put a patent on this.

Peter McCormack: Was it last year that it expired?

Andrew Poelstra: It was actually a little while ago that it expired. It expired in 2008. So Schnorr patented this and he attempted to enforce his patent. He demanded royalty payments for anybody who wanted to use it.

Peter McCormack: Nobody used it!

Andrew Poelstra: Yeah! In practice, nobody’s willing to use patented cryptography. This was unable to be standardized, as standardized bodies didn’t want to touch patented cryptography that would involve royalty payments to random private parties. In this case Dr Schnorr personally. So in response NIST, the National Institute for Science and Technology Developed ECDSA. I’m sorry, DSA I should say. It was actually not elliptic curve based initially. Although it was a simple transformation from the original scheme, to use elliptic curves.

DSA was basically a response to Schnorr where they took the simple algebraic structure of Schnorr and they made it as complicated as they could without making the signature any larger, I think is a fair way to describe this. It does some very weird things, like in the elliptic curve variant, you take an elliptic curve point, you compute this, it’s like an ephemeral public key that’s used as part of the signature, and you interpret one part of this elliptic curve point. You take the X coordinate, so you interpret it as a geometric object and then you take one of its coordinates and then you interpret that as a ‘Scaler’, which is an object like a secret key and you do some algebra in mixing your secret key and your Scalers and you do something called the modular inverse, which is like a division.

None of this stuff is prevalent in Schnorr signatures. Schnorr signatures is just multiplying and add, which are the simplest things that you can do. This was developed basically to evade these patents and Schnorr claimed at various times over the years, on I think the Coder Punks mailing list that ECDSA actually does violate the Schnorr patent despite these changes. But to the best of my knowledge, he never claimed this in court. Purely mailing lists.

So the result was that everybody used ECDSA, it was standardized and that’s what people used. So in 2008 finally the patent expired. I’m not sure how quickly anybody noticed this. I can tell you that in 2010, Dan Bernstein released the Ed25519 signature protocol, which is actually a type of Schnorr signature, which is tweaked in a couple of subtle ways to make the signature fast…

Peter McCormack: Wait hold on, so the patent ran out the year before Bitcoin?

Andrew Poelstra: Yes, exactly.

Peter McCormack: So it could have been that Satoshi was sitting on it for a while and thought ‘I’m just going to wait for the…’

Andrew Poelstra: I don’t believe that Satoshi was aware of the patent expiring. The reason I don’t believe this is that Bitcoin in its initial incarnation used open SSL for its signature. It also used open SSL in a lot of other places, for example in its big number library. So Bitcoin’s script support site initially it supported addition, multiplication and division of arbitrarily large numbers.

It did this using all these open SSL functions and that’s in the consensus code in a few places. There is these kinds of obscure data structure, the number encodings that come from open SSL’s big number library. The thing that I conclude from this is that Satoshi made a lot of design decisions based on what he could do using commercially available, off the shelf crypto libraries, which is certainly the right way to design these kinds of systems. You really don’t want to be rolling your own crypto.

But an unfortunate consequence of this is that he wound up using ECDSA because there was open SSL code for that and there wouldn’t be open SSL Schnorr code. I don’t even know if there is any now, now that I think about that. I suspect SSL, supports Ed25519 now, I suspect and then that’s Schnorr code. But basically, at the time there was no library that supported Schnorr signatures. The patent had just expired. Nobody was using them. Nobody was really thinking about them.

Also at this time, even after Bitcoin was launched, it would be quite a while before people started thinking about signatures in the kind of ways that we think about them in the Bitcoin space. Started thinking about these compact multi signatures and these threshold signatures and these adaptive signatures, which is what I call that scheme where you encrypt a secret, as part of the multisignature protocol. All these cool things that we talked about related to Schnorr signatures, nobody was thinking about back then.

You thought of a signature as, you have some public key and that’s may be associated to a key fob that you use to get into a building, the building management, how the registry of everybody’s public keys and their key fobs. When you beep into a building, that fob creates a signature on some random nonce that the door chooses, if it’s the valid signature, you get in. So the model that everybody was thinking of was one in which you had a fixed set of public keys, you were maybe verifying these signatures with some powerful door computer and you were producing them with some tiny, weak piece of hardware or something like that.

That was kind of the application of digital signatures and then the internet showed up and digital signatures were used in TLS or SSL to authenticate websites. But again, the kind of design constraints was essentially the same. You had some overtax server producing these signatures. It needs to be cheap to produce. Then you have people’s commodity hardware verifying like one for every web page, who cares about that? You have the certificate authority infrastructure which is a canonical list of public keys and they signed a new canonical list and so on and the keys are always fixed and you’re never making multisignatures, you’re never encoding weird things in the signature and they really just fixed public keys, signing is cheap. You don’t care if verification is cheap or not.

So with that context so you can finally double back to what my talk was about this morning, which was trying to develop some of these cool applications of Schnorr signatures. So the wider context here is that we hope in the coming weeks to publish a proposal for Bitcoin to extend the protocol to support Schnorr signatures as well as ECDSA and a couple other maybe less exciting things alongside that.

In advance of this kind of proposal, what we want is the ability to do all of these cool things that we’re talking about. So we’ve actually written code to do Schnorr multi signatures. We’ve written code to do threshold signatures, which are an extension of that, where maybe you’ve got 10 participants and you want any seven of them to be able to produce a signature. There’s kind of some cool tricks you can do there.

Peter McCormack: Is Schnorr in Zcash, right?

Andrew Poelstra: So Zcash, I believe uses ECDSA for its unshielded transactions because those are essentially just Bitcoin transactions. But for its shielded transactions, it uses some more elaborate cryptographic constructions.

Peter McCormack: I thought it used Schnorr, but maybe I’m wrong. You probably don’t care!

Andrew Poelstra: I don’t know either way.

Peter McCormack: But look, this is all just math right?

Andrew Poelstra: This is all this math.

Peter McCormack: Everything is math?

Andrew Poelstra: Well, okay, I’m going to say no to that! This was a lot of what my talk was about, which was if you think of everything as just math, then you necessarily make a lot of simplifying assumptions about how things work in practice. So one example that I talked about in my talk, was when you generate a signature, whether this be Schnorr or ECDSA or most signatures with a few exceptions, you need to produce some fresh randomness as part of the signature protocol.

Fresh secret randomness and then you basically treat this as an ephemeral secret key and there’s like an ephemeral public key associated to it, which we call a ‘nonce’ and eventually, it becomes part of the signature. If this random secret is anything short of uniform, if you have 256 random bits, but your seventh bit turns out to be 1, more often than not, then given enough signatures it’s possible for somebody to extract your secret key. There was actually a paper published about this a few weeks, maybe a month or two ago by a Nadia Heninger, at UCDS and a second other, I’m forgetting his name now.

Peter McCormack: I’ll look it up.

Andrew Poelstra: Which did this actually, it found some bias nonces in the Bitcoin Blockchain and was able to extract secrets, just using this kind of attack and they were very slightly biased by only like a bit too. But nonetheless, it was possible to extract the secret. So the way this looks in a mathematical paper is there is a symbol of this, which is an arrow sign with a dollar above it and that means like, choose randomly and the dollar is kind of funny.

Peter McCormack: It’s ironic really!

Andrew Poelstra: Yeah it is ironic! The truth of this has nothing to do with Bitcoin where these dollars and cents signs come in. The idea is that you’re flipping a coin and a dollar is a 100 coins. So if you need like hundreds of bits, then you take a dollar, you’re flipping hundreds of coins is the idea. There’s this visual pun there that has survived to this day and now I think modern readers probably think it might have something to do with Bitcoin, but it’s not, it’s just some ridiculous pun about coin flipping.

So you’ve got this symbol, a dollar sign with an arrow below it and that means uniformly randomness and you have that for the secret nonce, you have this for your secret key and you have us in a few other places. The reason I say this is not just math is that if you screw up choosing your private key so it’s not uniformly random, it really doesn’t matter. It just has to have sufficient entropy, that nobody can guess it.

If you screw up choosing your nonce uniformly randomly, by even one bit or even less than a bit in principle, then you lose all of your keys and all of your money. The truth is, that it’s hard to get uniform randomness in practice. Eventually, you need some sort of source of entropy, some sort of source of guessable data. You need to somehow ‘whiten’ that, you need to turn it from whatever distribution you’re getting, if you’re using like some sort of hardware RNG, it probably changes its distribution based on the heat around it.

You need to somehow what’s called ‘whiten’ that to make it uniform. You need to do this reliably. If you’re in a virtual machine or something, you worry about what happens if the virtual machine is cloned after you choose your randomness and now you’re actually using the same randomness in two virtual machines. You worry in multiple multiparty protocols, what happens if somebody restarts the protocol part way through after someone has chosen their randomness, will they choose the same randomness?

These problems actually for the case of single signatures, just ordinary ECDSA or Schnorr signatures is actually solved. What you do is you take your secret key and your message and you just hash that. It turns out that if you use a hash function like sha256, this is so close to randomness that no one has been able to detect a meaningful deviation from uniform. If you put the same input into this twice, so we’ve got the same thing of course, but if you’re hashing your secret key and your message, the only way to get the same input is if you’re signing the same message twice, so you’ll just produce the same signature.

That’s no more of a risk than somebody copying and pasting your digital signature, it doesn’t matter. But then as soon as you go into these multiparty protocols, suddenly this matters a lot. Suddenly you need to think, well actually the random challenge that goes into the signature is something that includes contributions from everybody. So if one party is generating the randomness deterministically this way, such as always generate the same randomness and the same message.

Somebody else starts multiple signing sessions and the same message, but tweaks their contribution, the result will actually be multiple signatures but the same nonce and you can steal the private key. This is scary! The reason that I answered your question, is it just math with no, is that this really isn’t just math. The way that this kind of thing happens, which is subtle and actually often when I talk to people developing multisignature protocols, they were shocked, horrified and hurry to check their code.

The way that this happens is that you have these papers, that have an arrow with a dollar sign, choose uniform randomness. Okay, that’s fine. I mean you assume and for the purpose of papers here in this idealized model where you assume the source of the randomness. In real life, you think, ‘well, I need some randomness and I don’t want to worry about biases from hardware RNGs or lack of entropy or virtual machines splitting or whatever.

So instead I’m going to use some sort of hash function and I’m just going to hash all the data that’s going into the signature. This will give me uniformly random data, that’s uniform, except for the fact that it repeats if you give it the same input, but that’s fine. It’s fine if it repeats because everything else will repeat, I’m duplicating it. This is such an obviously safe thing to do, that probably nobody even thinks about the assumptions going into that. They think, ‘well is this hash function really a good hash function when sha2566 was perfectly fine’. Then that’s the end of it.

So you take this kind of unwritten, unspoken assumption that is valid, beneficial and best practice for single signatures. That appears to not be even really changing the model from your mathematical idealization very much. Then you apply it to a new scenario and suddenly the specific assumptions you made, that repeats can only come by producing the same signature, is wrong. But because you never vocalized that, you don’t notice that that was one place where you deviated from the paper, where the actual difference between your ideal paper model and the model in real life, is that you now require these reputations to be either, everything repeats or nothing repeats. The result is that you lose your keys.

This was basically what my talk was about this morning, it was just a series of examples of this. Fairly either simple assumptions that were so subtle that you might not realize you were making them or assumptions that were so obviously safe that you don’t even notice when you carry over to a more general scheme where they actually don’t hold, where suddenly they were just basically in the background.

Peter McCormack: I was going to say, you’ve made my job really easy because I’ve had one question and we’ve done half an hour now, so I’ve only got to do one more question and we’re done! I was really scared about this interview. I was like, “ what do I ask Andrew, he’s so clever and I don’t know any of this!”

Andrew Poelstra: I really appreciate this. I now would discourage people from watching my talk if they’ve heard this podcast because I was very constrained for time during the talk. I actually went over time and I was still rushing stuff and skipping things. The funny thing was that I had actually intended to skip a lot of stuff in that talk. I had already removed a whole ton of stuff. So I’m glad to have the opportunity to babble now!

Peter McCormack: All right, well listen, let me ask the things that I find interesting because people are certainly going to listen to that and be fascinated by it. I am, but at the same time I’m like, ‘I don’t understand a lot of it’. But I tell you what I am interested in understanding. A couple of things firstly, you’re a mathematician, right? What does that mean to you?

Andrew Poelstra: Oh, that’s a very personal question.

Peter McCormack: Let me ask you a funny question. I keep talking about it. I start every interview with “what is Bitcoin?” Because every answer is different and I heard first heard Adam Back do it on the Epicenter podcast, it was such a fascinating answer and I’ve never stopped asking it. What is math? Can you describe math?

Andrew Poelstra: So mathematics in general, is the art of finding patterns in logical structures and finding connections between seemingly apparently very different logical structures.

Peter McCormack: That’s amazing, that’s quotable!

Andrew Poelstra: Thank you.

Peter McCormack: I have a quote for each show, I’m going to use that! Just talk me through, what was the education progression? When you got interested in math, you’ve obviously gone through, I’m assuming you’ve done all the way up to a masters? So talk me through that progression and what your thesis was? I probably won’t understand it, but I’m fascinated by it anyway.

Andrew Poelstra: Certainly! So the progression into cryptography is actually kind of interesting. When I was 12 or 13 years old, I was watching Stephen Colbert who now does the Today Show.

Peter McCormack: But you probably already had your master’s at 13?

Andrew Poelstra: Pretty much! At the time I had not even started applying to colleges or anything like that, or university, as we say in Canada.

Peter McCormack: We say university in England.

Andrew Poelstra: Excellent! So I live in Texas now. I’m so used to speaking to Americans that I’ve adopted their turns of phrase. So I was watching Stephen Colbert and he was doing this bit on how some cryptographers had decoded some Enigma messages from World War II. Of course, Stephen was laughing like…

Peter McCormack: Bletchley Park? That’s about 25 minutes from my house.

Andrew Poelstra: Wow!

Peter McCormack: Yeah I live in Bedford and Bletchley… As a kid, we used to go to the local swimming pool there because they had water slides.

Andrew Poelstra: That’s very cool. That’s like a mythical place to me.

Peter McCormack: You’ve not been?

Andrew Poelstra: I’ve never been, no.

Peter McCormack: Do you ever come to London?

Andrew Poelstra: I have been to London twice, for one day because British Airways stranded me, this happened multiple times.

Peter McCormack: Right, next time you’re in England, I’m going to get you from the airport and I will take you to Bletchley Park and then you can get your connection.

Andrew Poelstra: Can you imagine? So I get those funny stamps in the passport, where they say that you are only admitted for 24 hours. I took one of those and then used it to go to Bletchley Park. That would be a good statement about immigration. So, of course, Stephen was making fun of these guys, like “don’t you know that the war ended 70 years ago. So these messages are not a strategic interest anymore?” But what I got from this was, “whoa, that’s very interesting that it would be possible to encrypt something so well, that like 70 years later, people are still working to decrypt it”. Especially something like World War II communications, which are extremely high volume, so not one of those like weird codex that people found in the ground from however many, years ago where you’ve got 20 words to decrypt and it could be anything.

So I got very interested in the history of cryptography. I bought this book, “The Code Breakers” by David Kahn, which is giant and it’s like four inches thick. I read through this and I thought like, wouldn’t it be cool to be a cryptographer? But then I got into university and I talked to various people in the mathematics department and none of them really did cryptography at the university I went to, which is Simon Fraser in Burnaby, British Columbia. I said, “okay, well we’ll see. I mean, I’ll start doing a math degree and then I’ll just sort of see what I feel like a few years then”.

Then what happened was, after a couple of years, I went from sort of going through the motions thinking, “well, if I can’t do crypto, I’m just going to bum through and get a degree and see what kind of happens”. I fell in with a group of mathematicians who really very serious. They were all doing honours degrees, which seemed like a big deal to me at the time. They were all studying stuff in their spare time and they’re all reading these papers. Well, actually I started dating one of them and then I felt the need to impress her of course!

Peter McCormack: Did you impress her?

Andrew Poelstra: You know I never did. I did improve my GPA, get into grad school, did a bunch of reading courses and did half of a master’s in my undergraduate. But it was in this kind of vain attempt to…

Peter McCormack: Where is she now?

Andrew Poelstra: She’s in the Bay Area. She’s working for Google.

Peter McCormack: You still friends?

Andrew Poelstra: No, I haven’t talked to her in a few years.

Peter McCormack: You should show her what you’re doing now. You should say look, “I’ve fucking levelled up here!”

Andrew Poelstra: Well, she wasn’t impressed back when I was doing it when I was dating her!

Peter McCormack: Come on man, you’re Head of Research at Blockstream.

Andrew Poelstra: That’s true. I should also tell her how much I can lift! That’ll show her!

Peter McCormack: Do you want to know something else funny. Let me see if you can guess it. So Bletchley Park has come up in one other interview and it was a very cryptography based interview. Can you guess who it was with? I’d be amazed if you know. You will know him.

Andrew Poelstra: I mean the obvious guess is Adam Back, but then if you say that I’m not going to get it…

Peter McCormack: You need to go older than that.

Andrew Poelstra: Oh, Ian Grigg?

Peter McCormack: No, probably older, like the grandfather of cryptography kind of stuff.

Andrew Poelstra: Who have you had? Phil Rockaway? David Chaum?

Peter McCormack: I’ve met David Chaum, but no… Whit Diffie

Andrew Poelstra: Whit Diffie, nice! It’s a bit older yeah. He’s amazing. I’ve never spoken to him, but I see he kind of lingers around Stanford. I showed up at conference…

Peter McCormack: I just sat there for the whole interview, just fascinated by the way he spoke. God, I keep on interrupting you. You were with this group of mathematicians…

Andrew Poelstra: So I started doing real analysis, probability and mathematical physics actually. When I started at school I thought I can’t do cryptography, maybe should I do a physics degree, should I do a computer science degree? I did math as a hedge. That was my initial thought about a math degree. It’s a hedge between CS and physics.

So when I started doing math seriously, I started doing real analysis and probability, which are all very mathematical physics focused forms of mathematics. I really disliked algebra and number theory. I felt like these fields where just a random hodgepodge of very ad hoc statements that I guess you could prove are true. It seemed like there was no rhyme or reason or structure to this and it was just a zoo of stuff that I would have to memorize and I would never understand how any of it fit together.

So I avoided algebra and number theory as much as I possibly could, throughout my degree in. I got a degree where I basically did no number theory or real analysis and from there I transitioned to the University of Texas at Austin, where I did my masters and what it was focusing on there initially, what I wrote in all of my application letters is that I wanted to do mathematical physics. So I got to Texas, so a new state and a new country, it was very far away. It’s funny, I grew up right beside the US border and I thought, “oh, America, that’s the same as Canada. Who cares?”

Peter McCormack: You are all the same, right? I mean, you guys are a little bit calmer.

Andrew Poelstra: Yeah, exactly right. It was funny, what a shock it was! It turns out Texas is very different from Canada!

Peter McCormack: I mean I’ve been to Vancouver and I’ve been to Dallas. I mean they very different.

Andrew Poelstra: Yeah. But Vancouver and Bellingham are actually not that different. I mean there are visible differences, but like it’s easy to make that transition. It was not easy to transition to Austin. So I found myself in Texas. It was very hot. It was very strange. Everybody talked funny. Everything was far away, so big and it smelled like granite. You couldn’t get herbal tea at Mcdonald’s.

Peter McCormack: You can get herbal tea at Mcdonald’s?

Andrew Poelstra: In Vancouver, you can, absolutely.

Peter McCormack: That’s so funny! What do you get? Can I have a Big Mac and a herbal tea?

Andrew Poelstra: Yeah, you can absolutely do that in Vancouver.

Peter McCormack: You can’t get a beer at Mcdonald’s in the UK.

Andrew Poelstra: That’s true, nor in Canada or most of the US.

Peter McCormack: You could probably get a gun in Mcdonald’s in Texas. Come out with a Big Mac and a Glock 9.

Andrew Poelstra: Yeah probably! So around this time, I started hanging out on IRC, on the Bitcoin Wizards channel, which happened to have just been created actually a few months before I showed up in Texas. I think I’m going to do mathematical physics and then I show up, everything's weird and I’m hiding in my apartment for a few months and hanging out on IRC.

There’s all these strange people on the IRC channel, like Greg Maxwell, Pieter Wuille, Adam Back, Andrew Miller and all of the people who now we all know and love, but at the time they were not well known and they were just weird basically. Now it’s like eccentric and endearing I guess!

Peter McCormack: I’m gradually ticking them off as well.

Andrew Poelstra: Excellent! These guys were downloading cryptography papers off the internet, reading them and doing their own research. I thought, “what? That’s a thing you can do? I don’t need to be part of this? It doesn’t matter that there aren’t these professors who are doing what I want?” Because there still weren’t, even at UT, anybody doing the kind of cryptography that I had wanted to do as a child. So they’re doing all of this cool stuff and ironically they were talking about Schnorr signatures at this time, they were like “hey, there’s this thing that’s not ECDSA and it’s so much faster blah, blah blah”. We hadn’t even thought about any of the cool applications that I’ve talked about today.

At that time it was purely like, it’s algebraically simpler and it’s faster. Wouldn’t it be cool if we had these Schnorr signatures instead of ECDSA? That was just my first experience there of Schnorr signatures, was also proving that there was no, what we call the malleability, that you couldn’t take a Schnorr signature and somehow change it to be a different signature on the same message, which you can do with ECDSA.

Before SegWit this would cause all manner of problems, the second layer and that you could change TX IDs by changing signatures, with Schnorr signatures you couldn’t do that. That was the kind of thing that we cared about back then. So to be honest, I didn’t go to class at all. In the US…

Peter McCormack: You dropped out?

Andrew Poelstra: I did drop out, but I haven’t gotten to that part of the story. So I started this PhD program. I hadn’t done a masters or anything. In the US and the natural sciences, you just go straight into a PhD, which is a bit silly because the result is the first couple of years are basically coursework and the kind of stuff that you might have done in a masters if you had separate degrees for this. So I never went to class.

Fortunately, because my undergraduate education had been so blessed, it was a fairly small school, a very small math department and I had a lot of professors who were willing to personally help me out. I mean you can look these guys up like Veselin Jungic or Paul Tupper or Nilima Nigam in particular, were basically personally teaching me mathematics for years at SFU. It was really quite incredible. So as a result of that, I was able to just check out of all the prelims. So I would show up for class literally at the end of every semester to write the final exams and otherwise, I didn’t go to school. I would just spend all my time doing Bitcoin research.

After a few years of this, it became clear that I was not really progressing at all in my PhD in any way. It also became clear that the kind of research that I was doing in the Bitcoin space, while it’s very exciting and there’s a lot to it, is not PhD level research. It’s not deep enough. There’s a lot of cool applications, but ultimately like the algebra is small enough to fit on a single side and is small enough for me to explain on more mathematically focused podcasts in the space of 20 minutes. It just wasn’t PhD level stuff, but it was the stuff that I love to do and it was also morally the kind of stuff that I wanted to do.

There was a feeling I was getting, from the kind of cryptography that people were doing in academia, that it wasn’t really focused on real-world things. It wasn’t really trying to solve problems. It was still very much mired in this idea of having some sort of public key infrastructure. Some blessed list of public keys that is set by some authority and increasingly the world is seeming to be a place where you don’t have these trusted authorities to decide who’s allowed to produce signatures and then who doesn’t.

Bitcoin-like really is like the perfect example of that kind of thing. These Bitcoin people were not only doing the kind of cool cryptography that I found very exciting, but they were doing it very much for humanitarian reasons. They cared about self-sovereignty, they cared about individual agency, preventing surveillance and preventing censorship of economic activity. They were doing this by developing new cryptography and this just excited me to no end. So after a couple of years of this, I came to love Austin and I wanted to stay there.

A few of my friends from IRC started this company called Blockstream, where now I am Head of Research. At the time it was very much just a collection of IRC people and a few people from the VC world, who came together and we started this company. I actually did not join initially. I said I want to keep doing my PhD because you need a PhD to be a cryptographer, that’s what everyone said and I don’t want to be rolling my own crypto and so forth. So I did some sort of part-time consulting work for Blockstream for a little while, but after a while of this, it became clear that I was not getting anything out of this PhD.

I wasn’t going to class. I didn’t know half the professors. I actually made a half-hearted attempt to switch from math into computer science. It’s not like when you’re doing a bachelors, you can’t just switch. I actually applied to a separate PhD program, got in and then I dropped out of that. Then I dropped out of the first one. So I dropped it of 2 PhD programs when it became clear that Blockstream would sponsor my VISA to stay in Austin and just walked away from academia completely.

The funny thing here is going way back all the mathematical physics, all the real analysis that I do, now has nothing to do with what I do. Now I need to know algebra and number theory; the things that I try so hard to avoid!

Peter McCormack: Is that because you just didn’t like them? When I did math right, obviously I did it to a very… I stopped at GCSE level in the UK, 16. There were things I just didn’t understand. Did you not understand it or just not enjoy it?

Andrew Poelstra: I did not enjoy it. So some parts of it I did not understand. So especially in higher algebra, there are schemes, shears, categories and I don’t know. Real mathematicians listening to this podcast are laughing at me because I’m forgetting the words!

Peter McCormack: You’re a mathematician come on man!

Andrew Poelstra: I have business cards that say, mathematician.

Peter McCormack: Yeah, I’ve seen them, you’re a mathematician!

Andrew Poelstra: But people doing really intense PhD level algebra, really the kind of stuff where you can focus on one problem extremely deeply for years on end, which is a beautiful thing. I sometimes miss the opportunity to do that. That’s like, I mean the one thing that I gave up walking away from academia.

Peter McCormack: Let me ask you something. I saw a film recently, and I can’t remember the name. It was about this guy who’s raising his sister’s daughter because the sister killed herself and this kid’s a genius. It talked about a sister who had been working on one of these seven unsolved problems. Is that a real thing? Are there these big unsolved math problems out there?

Andrew Poelstra: Oh yes!

Peter McCormack: So that was a real thing?

Andrew Poelstra: That is, yeah, absolutely.

Peter McCormack: Wow. So how many are left?

Andrew Poelstra: So I believe there were 10 and there are 7. So you can look this up, they are called Hilbert’s problem.

Peter McCormack: They are unsolved?

Andrew Poelstra: Yes that’s correct.

Peter McCormack: Have you looked at any and thought I’m going to do that?

Andrew Poelstra: Yeah I have.

Peter McCormack: You get legendary status if you solved one, right?

Andrew Poelstra: Oh yeah, absolutely. So which ones have I looked at? The one that’s maybe most familiar to me now is actually P vs NP; are the set of program that you can efficiently compute the same of the set of programs whose computation can efficiently verify.

Peter McCormack: Yeah. I mean I’ve got no idea what you’re saying, but tell me anyway.

Andrew Poelstra: Well, the answer’s obviously no. But nobody knows how to prove this. Actually, if the answer were not no, then probably cryptography would not be a thing anymore. That would be really the ultimate destruction of everything that I’ve done and everyone who I’ve talked to who’s a cryptographer, it would just completely be obviated. It would be meaningless.

Peter McCormack: You’d be screwed man. What would you do? You’d have to do something new. You would have to go back to your PhD!

Andrew Poelstra: I might do that.

Peter McCormack: But your Bitcoin would be worthless. So you’d need to get a job! That would be so fucked! Could there be new problems? So there were these 10. Could someone go, “oh look, I found a new problem”.

Andrew Poelstra: Yep!

Peter McCormack: It’s so fascinating. It’s so out of my depth.

Andrew Poelstra: Yeah. Unfortunately, we can look them up if you want, but actually, most of them, even if you read them it’s hard to understand what they mean and it’s hard to…

Peter McCormack: But they’re all on a wall somewhere at one university, is that right? I’ll send you the link to the film because of the film’s fascinating. This little kid she’s so smart, but it’s a real story about this…

Andrew Poelstra: It’ll probably be at Cambridge because I believe that’s where David Hilbert worked in the late 1800s, early 1900s.

Peter McCormack: I thought it was in the US? Maybe it’s been Hollywoodized!

Andrew Poelstra: It might’ve been Hollywoodized. I’m sure that Hilbert was a Brit. Maybe I’m wrong about that.

Peter McCormack: Well, listen, I’m conscious of time and I could literally talk to you for hours. I was scared of this interview thinking, “what am I gonna talk to him about?” This is so fascinating. So you’re Head of Research. Have you always been Head of Research since you…

Andrew Poelstra: No. So when I started at Blockstream, Gregory Maxwell was there. He was the CTO and at the time we were a smaller company than we are now. Basically, everybody doing any sort of engineering was more or less a researcher. We were combining our sidechain research and our crypto research and like our actual development of Liquid and it’s open source counterpart called Elements. Greg would more or less oversee all of this stuff.

We grew and Greg’s position of CTO became increasingly like a management position and increasingly being a bridge between engineering and product. A lot of stuff that I don’t think Greg enjoyed doing every day and I think he found that he was being pulled away from the cool problem solving that he always loved doing. So last year, I guess at the beginning of 2017, he left. He gave us six months notice, he gave us quite a bit of notice, fortunately.

So when he left as CTO, this left a gap as far as research management. At that time we restructured a bit so the day to day engineering was not so much in Greg’s hands, but there were still a few gaps in particular around our kind of long term, pie in the sky or even just like not even pie in the sky, but things with a long time horizon, that kind of research. A lot of it was fairly deep in cryptographic and at this point, we’ve moved past the, “oh, look at these Schnorr signatures, they are not malleable” kind of phase and we were doing quite a lot of the research.

So in lieu of Greg, we created a new position, the Director of Research, which Greg asked me to take, where initially the way this was pitched to me was that I would more or less make sure that the three or four people we had doing just their own research project, just to make sure that they were still alive and that they were happy and that they would keep doing what they were doing. Maybe I’d have to show up at some meetings every week or something like that. But really I could keep on doing my own research projects and it wouldn’t be a thing, but we needed somebody who was in charge of research who could talk to the media and stuff like this.

Of course, that’s not how things went. I got into this and then five minutes later I was in charge of patent strategy and then I was showing up at management meetings all the time. Then I was having to set the direction of our various research initiatives and having an idea of how this would turn into productization and all of this stuff. I was talking to the press quite a bit more than I’d expected and I found myself having less time to be doing this research.

I mean, it’s a lot of fun that I get to go talk about this stuff. But the truth is all the real heavy lifting is being done now by Pieter Wuille, Jonas Nick and Tim Ruffing. It’s a lot of fun. It was surprising, if you’ve asked me a few years ago about that, I would have been horrified by the idea. I would have said, “oh no, I want to keep writing, I want to keep doing mathematics all day and doing crypto research”.

Peter McCormack: But it’s kind of interesting because it’s not that you’re just… I guess for your role as Head of Research for Blockstream, you’re really a researcher for Bitcoin?

Andrew Poelstra: Yeah! Then personally my motivations and everything that I do and even everything that Blockstream research is doing, ultimately comes down to, what would be good for the Bitcoin ecosystem and what will move the Bitcoin ecosystem towards the world I want to see, where all coins are fungible, where all outputs looks the same, where things are efficient enough that people can actually use a system where it’s private enough, that people don’t have to worry about their landlord knowing when they get a raise or businesses that don’t have to worry about exposing their financial stuff to other people.

Peter McCormack: Is that a lot of your work at the moment, on fungibility then?

Andrew Poelstra: Yes, indirectly. Most of the work that I focus on, on the research side is this scriptless script signature tech stuff that I’ve been talking about and these join the two things that I care about, which are privacy and scalability, in the sense that the result of all of this cool tech is that you can do these very intricate, interesting smart contract kind of things and the result what hits the Blockchain is just a signature. That’s not even a marked signature in any way.

It’s just like an ordinary signature that secretly was generated in a way that involves some sort of cool multiparty conversation. But in the end, you see one public key and you see one signature. Whether or not you have coins owned by one person or owned by multiple people or owned by split custody with some other thing with a timelock back out kind of thing or like a lightning channel or whatever. These all just look the same.

Peter McCormack: Does that mean you’re basically going to be screwing with chain analysis?

Andrew Poelstra: Oh, yes!

Peter McCormack: Because let’s be honest, they’re evil! How far away are we from seeing this?

Andrew Poelstra: So I hope that in the next couple of weeks we should finally write down a proposal and submit that to the Bitcoin mailing list. We’ve been going back and forth a whole lot on this thing called SigHash-NoInput which unfortunately is tangential to everything else. But if you’re going to have a new signature, you might as well have new rules for what exactly is science, is this thing called SigHash mode, which the lightning folks and a few other folks want an extension to this called SigHash-NoInput, where basically you don’t sign any details of the coin that you’re spending and this lets you rebind transactions to different transactional stuff and you do some layer two stuff more efficiently.

Doing that safely and doing that in a way that won’t encourage reckless behaviour or loss of the privacy and fungibility has been actually harder than every other part of this Schnorr signature stuff combined. Unfortunately, this is the kind of stuff that we have to nail down before we can do a proposal because this is consensus rules.

Peter McCormack: So, what’s the process? So you get your paper, you send it out to the Bitcoin mailing list, is that like a peer review process?

Andrew Poelstra: Yeah, so we publish something to the Bitcoin mailing list. We basically write a draft of what will become a BIP. So we have to write code alongside this, but actually, we’ve written almost all of the code for this. We actually have working code for all of these things. We just need to nail down a bunch of parameters. We publish this to the mailing list.

People will reply in various ways saying like, “hey, I want to use this in this way, you need to support this”, “this breaks such and such a use case”, “I worry that people are going to use this in the wrong way and we could possibly lose funds”, “I worry this is unsafe”, I worry this is too complicated”, “I worry it’s not complicated enough” and so on.

Peter McCormack: That’s quite interesting. So I talked about it with Bryan Bishop. He taught me about BIPs and how they work and it’s very interesting because I assume that just checking to make sure that you’re not screwing anything up, that you’ve thought about everything. But actually, people can widen the scope by saying, “okay, this is cool. That’s really interesting. I didn’t know that”

Andrew Poelstra: Yeah, absolutely. Then they’ll also say, “this is a new version”. So one thing that SegWit introduced, is this notion of script versioning, a version of Bitcoin outputs and this proposal will take a new version number. It will be the first use of the SegWit versioning scheme. People will say like, “is this everything that we want in version one outputs”.

There is a whole bunch of stuff that we wanted to do that we actually had to remove from the scope, because the design constructed was too high and we just weren’t getting toward the proposal. I’m sure people will talk about some stuff like that. So my guess is that this period of discussion will actually not last too long. I think we’ll have like maybe a month of back and forth with these kinds of design things.

Then hopefully design will quiet down and we’ll be in a position where we have a BIP, we’ll get a BIP number and then now we have a proposal. Well, a proposal is just a proposal. Next, we need to think about, “well if you want to deploy this, how are we going to deploy this? How are we going to get consensus?” There’s a whole discussion around that and there’s a whole discussion around the scheduling of that.

I’m separate enough from Bitcoin protocol development that I can’t really say what that’s going to look like and actually I think nobody’s really quite sure. The last major change, of course, was SegWit and there was a lot of crazy politicking that most of us did not expect going into it and a lot of the things that were just really very much against the Bitcoin ethos.

Peter McCormack: But I think that’s slightly different. So, okay, say it gets through the peer review process, everyone’s happy. How long does it take for the code to becomes deployed? This is to be deported on core?

Andrew Poelstra: Yep. So what it will look like is… Suppose everybody agrees this is what we want, this is how we want to deploy it, we have code already that you can merge into core. Like I said, there are a few parameters we’ve got to nail down, but we pretty much have code already in core. That would go into the next Bitcoin core release, the code for the deployment. Although it might not yet have the parameters for activation set at that point.

But it would be in Bitcoin core, it will be something you could review, it would probably be something that you could test. Then there’ll be a discussion about what the actual activation parameters are and then some date far in the future, I don’t want to make any guesses as to what this would look like… Well, 6–12 months after we’ve decided this is what we want to do and we have code that’s gone through the code review process. So in addition to the protocol, we to go through code review.

Peter McCormack: But this could be 2020?

Andrew Poelstra: I think so yeah.

Peter McCormack: So if this comes in, are we going to have full fungibility at that point?

Andrew Poelstra: So, this has been such an optimistic interview up to this point! There are a couple of tradeoffs that you have to make when you’re using this kind of stuff versus using a more typical Bitcoin check-multisig like everybody publishes individual signatures and everyone sees the policy kind of thing. One big one is that everybody who’s participating in these schemes needs to interact to do so. So there’s an additional protocol complexity to doing this.

So on the wallet side, it will actually be quite a while before wallets will upgrade, well for multisignature wallets to upgrade to use this kind of stuff. Although they are certainly incentivized to because the resulting signatures will be much smaller. But it is an interactive protocol, it’s quite a bit of complexity and R&D that needs to be done to actually deploy this. But there are a few people who have significant incentive to deploy this quickly.

Peter McCormack: Say I have a wallet that has activated and you haven’t, what does that mean? If I send something to you. Am I anonymous, but you aren’t?

Andrew Poelstra: So what it will look like is when the coins are sitting in your pocket, they will look indistinguishable from anyone else using this version. Even if you have some weird multisig policy going on, even if you are actually some split custody with some company like BitGo or like Blockstream’s GreenAddress or some other company doing that, no one will be able to tell what exactly you’re doing. Even after you spend the coins, no one will be able to tell what your policy was when you spent them. Then they’ll show up in my pocket.

Actually, if I give you a fresh address, even if it’s an old address, nobody’s going to be able to tell anything. But when I spend those if I’ve got some sort of multisig policy, people say, “ah, that looks like something multisig. Ah, that looks like a BitGo transaction. That looks like a Liquid transaction”, whatever. So it’s only upon spending that these fungibility improvements start to become apparent and the reason for that is that already in the version zero output, if you’re doing complicated scripts, the output is just a hash of the script and you don’t reveal the script until spending time.

So the real benefits come with like coins that are moving a lot. Let me see the other trade-off. So the first one was the interactivity. The other one is that you need your keys online and that sort of comes with interactivity. You can’t have some keys in a vault where you take them out and then you create a signature and you carry the signature out of your vault and then put it into a computer. I mean you can, but because of an interactive protocol, you’re going to have to turn right back around and go into the vault for the second phase of the protocol and it’s very annoying. It’s probably not practical in real life.

So this would be the kind of thing that you want for coins that are moving a lot, definitely, because you get the improved privacy and fungibility and that’s where the big fungibility gains are to be made. But if you’ve got coins that you consider to be in long term storage, you probably should just leave them on the old school outputs. We’ll continue to have for quite a long time, we’ll have coins in these old school outputs, which is unfortunate because they won’t get to share the privacy and they’ll clearly be old school outputs.

Peter McCormack: But at some point, I guess you can bounce them around between wallets and then…

Andrew Poelstra: Yep. I mean eventually if you want to bring those coins back in into the economy, you can do some of that and at that point, you should move to the new output type.

Peter McCormack: This is going to be a real problem for regulators right?

Andrew Poelstra: So it’s really not. So historically regulators have gotten information on people’s financial activity by talking to financial institutions and they have various reporting requirements. In order to be various types of financial institution anywhere in the United States or Europe or Canada or the UK, you have to comply with these regulatory requirements that include a lot of reporting requirements and KYC requirements and so forth. Traditionally that’s been done by voluntary reporting.

When this Bitcoin stuff came out, a lot of these regulators got this kind of gleam in their eye and they’re like, “wait a minute, what if we don’t have to talk to anybody and what if we don’t have to make it visible what we’re doing to track all of this information? Why can’t we just copy it out of the Blockchain?” They hire people like chain analysts and so forth to extract this information directly from the Blockchain. But that was never something they could do before Bitcoin and in fact, I think a lot of people are not using Bitcoin because this is possible.

This is not even like going back to the status quo of cash, what it’s going to look like, well it kind of is in a couple of ways, but for ordinary users who are storing their coins in banks or exchanges or some custodian who subject to regulatory requirement, they will still have to be in compliant with the same sort of regulatory requirements that they would have had before, to be interacting with the economy. It’s a concern that regulators have, as this allows people to be their own bank and store their own money and to transact like that.

This is already a problem that regulators have with cash and this is maybe not something that you notice living in the UK or even in Canada where I came from, but in the southern United States, almost all of the economy is actually cash-based and people still do the reporting. They do audits. They pay their taxes and stuff, more or less because that’s what they need to do to be in a functioning society. The regulators don’t depend on this kind of draconian abilities that they’ve acquired over the years and I’m sure there’ll be sad to see these go, but I don’t think it’s that big of a problem for them.

Peter McCormack: I that they could be alarmed through myths.

Andrew Poelstra: Hmm. They certainly could be alarmed through myths. So the worry that I hear from some people is that I am making the world go completely dark and like anything can happen and nobody can tell what’s happening basically.

Peter McCormack: You are the dark overlord then? You are enabling terrorists and criminals?

Andrew Poelstra: Yeah, I’ve heard this from people.

Peter McCormack: But does that play on your mind at all?

Andrew Poelstra: No. So there are two answers that I have depending on who I’m talking to you and I guess I don’t really know who your audience is, but that’s fine. So to regulators, I point out that all of this privacy technology still admits the ability to create audit trails and to know who your customer is and the ability to follow the law. In fact, in a lot of ways this makes these reporting requirements easier to comply with and more secure to comply with because you can do things like committing audit logs to a Bitcoin signature using a sign of contract constructions, so nothing hits a Blockchain, nothing’s visible on the chain, but now you’ve got a cryptographic commitment to whatever auditing requirements are required associate to that transaction, that is anchored to that transaction in the Blockchain.

Actually, secretly your Bitcoin signature is also signing this data. So that’s the kind of stuff they should be happy about, that that kind of thing is possible. When I talk to actual financial regulators, people creating the rules, they’re actually excited, they think that’s cool. But the other thing that people mean when they say… Congresspeople, right? People who are, I mean, I guess they make laws but they don’t know what they’re doing and there’s kind of an hysteria that they’re worried about that this is somehow enabling cybercriminals or money launderers or terrorists or whatever.

The truth is that money laundering is a very large industry in this world, it’s a very high margin industry. By making privacy technology cheaper, we’re doing two things. One is we’re taking the margins from those people, who are bad people, but we aren’t making this kind of criminal behaviour like the actual drug trafficking or whatever is happening behind the scenes, we’re not making that any easier.

Those industries already by virtue of being black market industries are operating outside of the law and they have these incredible margins. First of all, they’re spending an incredible amount on being criminals, like evading people chasing after them and stuff like this. So their financial shenanigans are just like one part of that wider cost and maybe we make that one part a little bit cheaper, but oh well they’re still in a very high margin business I guess.

That’s not going to enable anything that wasn’t enabled before, but the people who benefit from cheap privacy, who can’t use or who can’t participate in the economy in a private way because it’s too expensive, are ordinary people who are trying to live their lives, trying to pay their rent and trying to buy their groceries without these credit card companies, their advertisers, the credit agencies, their landlords and their governments watching their every move and using this information to develop profiles on them, which are then used for all sorts of nefarious purposes, like a lot of the psychological warfare that advertising companies like to engage in.

That’s the kind of thing that you can’t avoid as an ordinary person without spending a lot of time and effort, paying ATM fees all the time and carrying giant wads of bills around and worrying that somebody’s going to mug you and being unable to spend money online. All of these crazy inconveniences and you can’t pay your rent in cash in most of the United States anymore because of this kind of thing. Those are the people who suddenly will be able to transact, free of surveillance and free of censorship because of this. Those aren’t bad people. Those aren’t people who shouldn’t be able to do this.

Peter McCormack: No, that makes total sense.

Andrew Poelstra: The people who shouldn’t be able to do this are already doing it and they can afford to do it no matter how expensive we try to make it.

Peter McCormack: All right man, I’m sold! So bring fungibility on. We have crushed an hour and seven minutes without even thinking. I’m just conscious of time. It’s late. You’re tired.

Andrew Poelstra: I am tired. My mouth is dry. I need to sleep!

Peter McCormack: So one final question and you can keep it as short as you want. The first thing I saw of yours, was your presentation about Mimble Wimble and that was very interesting. Now we’ve seen it appear on GRIN and BEAM, how do you feel about that?

Andrew Poelstra: It’s very interesting. So Mimble Wimble appeared completely anonymously, like Bitcoin-style, somebody dead dropped this text document on Bitcoin Wizards. I became involved in the project fairly early on. The way it worked was a bunch of extensions of this confidential asset stuff that I mentioned very early on. So I had been thinking about this kind of crypto already and so when I saw that there were a couple of really cool innovations that this ‘Voldemort’ guy had come up with as part of Mimble Wimble and I was able to pick those up pretty quickly and I did a few talks about it.

I did a talk at “Scaling Bitcoin” in Milan explaining what this protocol was. Shortly after that, the GRIN project started, also operated by a whole bunch of anonymous people using Harry Potter names and I find this culture of anonymous cryptography fascinating and endearing in a way. It’s very strange that this novel research and development that’s happening, by people who are not trying to gain credit or credentials or even having a reputation to back the research with. It’s just throwing it out there and hoping that it sticks or hoping that it gets enough traction, without anybody clearly backing it.

I feel like this is a kind of thing that you might expect reading old science fiction novels, to see that kind of society develop where people are anonymously pushing forward the frontier of science and like somehow information can live on its own and live and die by its own merits. This is a very idealistic, kind of Utopian vision and I really enjoy seeing that kind of thing play out in real life. Of course, the real world is not so simple and clean as this, but in this one respect, it kind of is.

The fact that you have these anonymous papers and actually Voldemort cited at a whole bunch of these other ones in the Mimble Wimble paper and you can go look these up. So there’s actually a long history in the Bitcoin ecosystem and in the cryptocurrency space, this kind of anonymous stuff. I think it’s delightful. This is my answer to that.

Peter McCormack: Is it coming to Bitcoin?

Andrew Poelstra: Mimble Wimble? Not anytime soon. So that’s a much longer answer, but in short…

Peter McCormack: We’ll do that another day!

Andrew Poelstra: Yeah, we’ll do that another day. But I can give you a sound bite for it, which is basically right now Bitcoin’s soundness is unassailable. You can verify the soundness of the system by downloading the transactions by checking that the amount of every transaction are equal in the input and output, I guess less the transaction fee. There has been no inflation at any point in Bitcoin’s history.

If we replaced that unassailability, you look and add up the numbers, with a cryptographic assumption, no matter how strong it is, that would be a change in Bitcoin security model that I think would be a tough pill for a lot of people to swallow. So that’s the biggest… There are lots of more and more detailed reasons that Mimble Wimble needs a lot more development and improvement before it could be something we consider for Bitcoin, but I feel like that’s the big moral hump that we’d have to get over to move in that direction.

Peter McCormack: All right. I can’t tell you how much I’ve enjoyed this. Just to close out. How do people follow you? How do they follow your work?

Andrew Poelstra: All right, I am on IRC as AndyToshi.

Peter McCormack: Wow. Everybody says Twitter first. You’ve gone IRC.

Andrew Poelstra: I do not have a Twitter account.

Peter McCormack: You’re missing so much! We have so much fun.

Andrew Poelstra: So people text me Twitter links and that’s how I read Twitter; is by getting links by text.

Peter McCormack: You’re missing all the trolling and all the fun!

Andrew Poelstra: Yup! You can follow what I’m working on on GitHub; github.com/apoelstra and I think my email address is on GitHub. It’s apoelstra@wpsoftware.net. You can shoot me an email and chat with me about what I’m doing. If you’re in the Austin, Texas area and you want to buy me some coffee or a beer, I will show up at least once to talk to you!

Peter McCormack: I’m going to be there. What is it? I think it’s the 20th and I’m thinking I was going to be meet up with Justin. I owe you a beer after this. I’m going to take you for a beer when we hit Austin!

Andrew Poelstra: Cool, yeah, definitely a shoot me a message in some way and I will probably be in Austin on the 20th. So there we go. That is how to follow me. You travel to Austin, Texas and a buy me a beer!

Peter McCormack: Thank you so much.

Andrew Poelstra: Thank you. This is a lot of fun.