Read_892 - Not ECDSA. Not Schnorr. Meet DahLIAS.

July 15, 2025 | 00:50:58

Bitcoin Audible

Hosted By

Guy Swann

Show Notes

Human innovation knows no limits, and our first assumptions about what is possible with the tools at our disposal are almost invariably found to be wrong. Today we dive into Kiara Bickers' piece on DahLIAS, a new signature scheme that could make massive gains in efficiency and privacy possible without changing Bitcoin's core cryptographic curve. Is this the missing piece that finally aligns privacy with economic incentive? And if it is, what will it take to get it into Bitcoin?

Check out the original article Not ECDSA. Not Schnorr. Meet DahLIAS. (Link: https://bitcoinmagazine.com/technical/not-ecdsa-not-schnorr-meet-dahlias)


Episode Transcript

[00:00:00] Speaker A: That means if you have five inputs from five different people, the transaction needs five different signatures. With an aggregate signature, all of those can be bundled into one. Even if each signer is spending a different input and signing a different part of the transaction, the result is one signature that proves the entire transaction was properly authorized. It's like zipping a whole list of approvals into one file. The signature is compact, but still verifiably proves that each signer authorized their specific UTXO. Instead of verifying 10 separate signatures, you verify one. The best in Bitcoin made audible. I am Guy Swann and this is Bitcoin. [00:00:52] Speaker B: Audible. What is up guys? Welcome back to Bitcoin. [00:01:11] Speaker A: Audible. I am Guy Swann, your professor for today. The guy who has read more about. [00:01:17] Speaker B: Bitcoin than anybody else you know. [00:01:19] Speaker A: This show is brought to you by Ledn. [00:01:22] Speaker B: So we actually had Mauricio, one of their co-founders, on the show and we had such an awesome conversation and we ended up talking for a while after and then we just kind of stayed in contact and ended up talking about doing a partnership. And in total honesty, I've only ever recommended two different Bitcoin-backed lending services. [00:01:39] Speaker A: And the one that I am using today is Ledn. [00:01:42] Speaker B: If you've listened to this show for any time, you probably have heard about my ridiculous basement and renovating, like finishing this house, tales and the horrors that I've had with the contractor. Well, after Ledn survived the last bear market, and they do their proof of reserves, and I love all of that about them, I finally was like, okay, I'll do a Ledn loan because I didn't want to outright sell that much Bitcoin to work on the house, because the house is not an investment, right? It just barely keeps up with dollars.
But I wanted to use my Bitcoin to fix up my house and finally. [00:02:13] Speaker A: Have a real studio. Well, today two thirds of the Bitcoin that I would have had to sell. [00:02:19] Speaker B: I get to keep because I used. [00:02:20] Speaker A: A Ledn loan instead of selling. This might not be the best decision. [00:02:24] Speaker B: At every time in the market or based on, you know, your situation, but you need to have this in your toolkit because Ledn makes it so easy. You don't have to do monthly payments. You can pay it off whenever you want. You can refinance very easily. And I'm literally talking like a couple of clicks for this sort of stuff. [00:02:41] Speaker A: And if you use it intelligently. [00:02:43] Speaker B: This could be an insanely valuable tool. [00:02:45] Speaker A: I have a link right down in the description. [00:02:47] Speaker B: I really like the guys that run this company and what they have built. Also, don't forget I've got a couple other great resources. We've got a 10% discount for GetChroma. So this is about red light therapy. I use their blue light blockers and I've gotten really serious about controlling my hormones and light exposure and it's made a huge difference. And these guys are really awesome too and they have some fantastic products. 10% discount code Bitcoin Audible. Obviously the HRF. We just talked with CK the other day. Those guys are legends and they have an awesome Financial Freedom Report. And if you've listened to Bitcoin Audible for any length of time, you know about a handful of projects that I am deeply focused on for fixing the major problems of the web. And Pubky and Pkarr, the stack that. [00:03:30] Speaker A: They have built over at Pubky is. [00:03:31] Speaker B: Seriously fascinating, especially if you are building apps. These are seriously awesome resources. Save the links.
And if you don't, because your bookmarks are a nightmare like mine, you can always come back to Bitcoin Audible and you'll find them right down in the description. I'm always going to have a place to buy Bitcoin too, so if you're ever looking for that, that should be down there as well. Now I mentioned the read that we're getting into today and this one's from Bitcoin Audible and Kiara Bickers, which I believe I've read something by Kiara before on the show, if I'm not mistaken, but this one's a little bit more technical. But this is a really cool. [00:04:05] Speaker A: This is a pretty significant development, I. [00:04:08] Speaker B: Think, and I kind of talk about like why and get a little bit more into the nitty and gritty of comparing it to things like Taproot and Lightning and CTV and those sorts of things. Like in the realm of a path, like roadmaps for trying to implement the few things we probably have left to still implement in Bitcoin. Like soft forks are not easy and I think we have kind of a limited timeline for things that can actually get done. And with recent just stupid filter changes in node policy, I think showing just how controversial and difficult it is to get agreement now, exploring the few things we have left and the most important. [00:04:48] Speaker A: Things that would be desirable to implement. [00:04:51] Speaker B: Into Bitcoin, this could be one of them. So with that I won't get too far ahead of myself and we'll go ahead and get into today's read and. [00:05:01] Speaker A: It's titled Not ECDSA. Not Schnorr. Meet DahLIAS, by Kiara Bickers. Meet DahLIAS: a full aggregation signature scheme that works with secp256k1, Bitcoin's cryptographic curve. Aggregate signatures aren't new. They've been around since the early 2000s, but building one that actually works in Bitcoin's security model with Bitcoin's elliptic curve has never been proven. Developers speculated it might be possible.
They shared hand-wavy sketches and said maybe it worked like MuSig2. [00:05:41] Speaker B: But across transaction inputs, the idea lingered. [00:05:44] Speaker A: For years as developer folklore: close, never provably confirmed. That changed recently when Jonas Nick and Tim Ruffing of Blockstream Research, together with Yannick Seurin of Ledger, published a paper that turned this cryptographic ghost story into a concrete, provable result. DahLIAS is the first formally secure construction of a full, constant-size aggregate signature scheme, or CISA, that works on Bitcoin's native curve. [00:06:16] Speaker B: But that's a lot of words, so. [00:06:18] Speaker A: Let's break that down. Full: multiple signatures across different inputs are combined into one, and the result is a 64-byte signature whose size stays constant no matter how many signers or inputs. Cross-input: each signer can authorize different inputs and all combine into one signature. It adds no significant new assumptions beyond those already relied on by Bitcoin. DahLIAS builds a new cryptographic primitive using the same math Bitcoin already relies on, unlocking an entirely new kind of signature. Let's talk about curves and signatures. Digital signatures are how Bitcoin proves that a user has authorized a transaction. When you go to spend Bitcoin, your wallet uses a private key to sign a message, and the network verifies that signature using the matching public key. Bitcoin uses the secp256k1 curve. It is fast, efficient, and has been battle tested over time. It supports signature schemes like ECDSA, Bitcoin's original signature algorithm, and Schnorr, added through Taproot in 2021, which are currently the only signature schemes permitted by Bitcoin consensus. Traditionally, full signature aggregation relied on mathematical operations not supported by Bitcoin's curve, secp256k1, which made it seem out of reach.
These features have typically relied on other types of elliptic curves. For example, BLS, or Boneh-Lynn-Shacham, signatures use a special kind of curve called a pairing-friendly curve, which enables advanced operations like combining many signatures, even on different messages, into one. The problem is that BLS signatures do not work on secp256k1. While Schnorr was a natural upgrade from ECDSA, since both rely on the same kind of elliptic curve, adding BLS would be a much bigger leap and a departure from Bitcoin's existing security model. Though technically possible, it would introduce new cryptographic assumptions and add significant complexity to the protocol. Supporting a curve that is pairing friendly, like BLS12-381, would be a major change for Bitcoin. This is part of why full signature aggregation has never been done on secp256k1 until now. What Aggregate Signatures Actually Do. Most Bitcoin users are familiar with multisignatures. In a multisig wallet, multiple people jointly authorize the spending of a single UTXO, or some specific coin, and everyone signs the same input data. This setup is useful for things like shared custody wallets. Aggregate signatures work differently. Instead of multiple people signing the same input or coin, each signer authorizes a different UTXO in a transaction. These separate signatures are then compressed into one compact proof. With DahLIAS, that means a single 64-byte signature on Bitcoin's secp256k1 curve that verifies all inputs at once. That means that if you have five inputs from five different people, the transaction needs five different signatures. With an aggregate signature, all of those can be bundled into one. Even if each signer is spending a different input and signing a different part of the transaction, the result is one signature that proves the entire transaction was properly authorized. It's like zipping a whole list of approvals into one file.
The signature is compact, but still verifiably proves that each signer authorized their specific UTXO. Instead of verifying 10 separate signatures, you verify one. This helps realign incentives for privacy. By reducing the signature overhead to a single 64-byte proof, DahLIAS lowers the cost of combining inputs in coinjoins, making it financially smarter to choose privacy than to go without it. Why Half Aggregation Got Close. Shortly after Schnorr signatures were introduced on Bitcoin, developers explored half aggregation as a way to compress multiple signatures, but they were not fixed size. Each input contributes to the size of the signature, so the transaction still grows with every participant. DahLIAS fixes this by enabling full aggregation across inputs and signers. No matter how many people are involved or what they are signing, all of their signatures compress into one constant-size, 64-byte proof. What DahLIAS Actually Unlocks. The main benefit here is that DahLIAS reduces the size of complex transactions. DahLIAS uses a two-round interactive signing process. It's similar to MuSig2 in that regard, but it isn't a multisignature protocol because it doesn't require all participants to co-sign the same message. Instead, it aggregates different signatures on different messages across the transaction. DahLIAS is also faster to verify than checking each signature individually, up to twice. [00:11:49] Speaker B: As fast in some cases. [00:11:51] Speaker A: Lower verification costs make it easier for people to run full nodes, which helps preserve Bitcoin's decentralization over time. Importantly, DahLIAS comes with strong cryptographic guarantees. The scheme includes formal security proofs. Earlier folklore approaches to full signature aggregation lacked this, and some were even later shown to be insecure. Fortunately, they weren't adopted prematurely. It's worth repeating: DahLIAS is not a multisig protocol.
It isn't comparable to MuSig2 or FROST from a functional standpoint. Even if it shares similar cryptographic building blocks, it serves a different purpose. It offers a new way to encode many independent approvals into one clean, verifiable package. Future Directions. You might think, if DahLIAS. [00:12:45] Speaker B: Is so powerful, why isn't it a BIP? [00:12:47] Speaker A: Why not propose it for Bitcoin consensus? DahLIAS signatures don't look like Schnorr or ECDSA signatures. The verification algorithm is different. Instead of taking a single public key, message, and signature, a DahLIAS verifier takes lists of public keys and messages and a single 64-byte proof. This makes DahLIAS incompatible with Bitcoin's current consensus rules. Supporting it at the base layer would require a consensus change. This paper doesn't propose that change, but it does something equally important. This paper shows that a full signature aggregation scheme for Bitcoin's native curve is possible. That alone is a major step forward. To make DahLIAS part of Bitcoin, someone would need to write a Bitcoin Improvement Proposal, maybe even using secp256k1lab. That means specifying the scheme in detail, considering its implications for consensus and implementation, and building community support. This paper lays the cryptographic foundation for that conversation. The real value of the DahLIAS paper is what it proves: full signature aggregation on secp256k1 is not just a thought experiment. It's concrete. It's efficient. It's secure. For years the idea lived in developer folklore. Now it's written down, analyzed, and proven. All that's left is to bring it to Bitcoin, if we want it. [00:14:20] Speaker B: All right, so that wraps up the piece, and I just want to hit something that Kiara brought up in the article just to make sure it's clear, because this is kind of a more technical thing and it can be difficult to understand or to frame it properly: this is not multisignature.
This has nothing to do with multiple keys unlocking the coins or anything about changing who owns or how ownership is determined in the network. This is just aggregating the signatures. This is just being able to put the signatures together such that they are, they can all still be verified with way, way less information. So this is not only relevant to someone taking, like, let's say in the context of coinjoins, in the article talking about how it brings back the incentives, the cost incentives, to actually make privacy a cost benefit rather than an explicit cost. Because I can take my input and you can take yours and, you know, somebody else can take theirs and we can put them together and then sign it with one signature that's the combination of all of our signatures. Which doesn't mean that it takes all three of us to unlock it. We still each own our completely separate UTXOs and outputs, but they actually have nothing to do with each other. I don't need you to participate in order to unlock my coins or anything like that. It is nothing more than the fact that we have added our signatures together just to save space on the chain. But by doing so you also don't know which signature or which public key, so to speak, is attached to which UTXO. Like, they are aggregate; the chain only carries the single signature that proves that each and all individual pieces have been signed by their respective owners. But what's funny is that this is actually relevant to just an individual person, to just your own wallet. So one of the things that, you know, as soon as you're in Bitcoin or you use it long enough, or particularly if you ever find yourself in a really high fee environment, you know that it costs a whole heck of a lot more to send a transaction when somebody has paid you a hundred different, to a hundred different UTXOs.
So if I put my address out there for donations and somebody sends me a dollar and then you send me a dollar and then this person sends me a dollar and this person sends me $5 and they just start stacking, right? As I just get, like, tons and tons of these UTXOs in my wallet. Well, the way Bitcoin works, there's not an account system. There's not, like, one account that's like Guy's account and this is my balance. In fact, none of those have any connection to them at all. Unless, of course, they're all being paid to the exact same address. Then it's obvious that that one address has those balances. But the transactions themselves are all that exist on the chain. And when I want to spend from those transactions, I'm not spending from some aggregate balance, even though my wallet does that for me just as a favor, basically. I'm actually spending from each one of those individual transactions that were sent, that were signed and broadcast. So the analogy that I like to give is that it's like a check. If you write a check, it's got an explicit amount on it and it's just that amount. So think about a transaction as: I have sent from this address and from this balance to your address this amount, and then that whole thing, and I have signed it, and that whole thing is stuck on the chain and it's just sitting there. And so if I get written checks from 100 different people, 100 different transactions, you know, donate some small amount to me and then I'm trying to send out the transaction for the total amount. [00:18:18] Speaker A: Let's say 100 different people send me $1. [00:18:21] Speaker B: And each one of them write their check and they sign it and they write all the details out and the transfer of the funds. [00:18:26] Speaker A: Well, the only way I can. [00:18:28] Speaker B: Send a hundred dollars' worth, or a hundred thousand sats, you know, whatever it is that we're going with, I.
[00:18:34] Speaker A: Actually have to refer to all 100. [00:18:37] Speaker B: Of those checks in aggregate. So I can't just write one check. I have to reference and put in my check, or in my transaction that pays out, I have to put that, that 100, every single one of those checks. [00:18:54] Speaker A: I have to say, okay, this is. [00:18:56] Speaker B: A transaction sent to me, this is a transaction, and this is the signature to prove that I can unlock this. And then I can write my check for 100, which means that I have to put 100 times the amount of information on the chain in order to pay that. And that's a huge amount of data. Whereas if somebody had sent me 100, I mean, this is the whole purpose of Lightning, right? If I got 100 of those payments over Lightning, well then I still just only have the one check for my channel. So it's all off chain. But my cost could be completely different for my hundred dollars' worth of Bitcoin, depending on whether or not I got sent it with a hundred different transactions or one transaction. One transaction is going to just cost one transaction's fee. If I got sent over a hundred. [00:19:47] Speaker A: Individual ones that add up to 100. [00:19:49] Speaker B: I'm literally going to pay 100 times the fee. So if transaction fees are literally a dollar on chain, which is not totally unheard of for a normal transaction, it'll literally cost me $100 to move that $100. I will literally have an equivalent fee for every single one of these UTXOs that I'm having to add into my big aggregate transaction just to prove that this check comes from this other place. Whereas if you had something like DahLIAS. [00:20:19] Speaker A: You had a signature aggregation scheme. [00:20:21] Speaker B: Sure, you could combine transactions across multiple participants in something like a coinjoin, but you can also combine your transactions in your own aggregate transaction.
So if I was having to pay from a hundred different previous transactions, the signature amount is almost, I think it's more than a third. I think it's like almost half of the transaction data, generally, if we're just talking about like one UTXO and one signature. I think it's somewhere in the realm of like 70 bytes for like signature data versus like 140 or something bytes for like the smallest transaction that you can do, if I'm not mistaken. It's somewhere in that realm. Of course, this does actually depend on the signature type, so it's like, you know, P2PKH or whatever, whatever your type of transaction is and whether you're SegWit and all this stuff. Those change just a little bit, but it doesn't really matter. The signature data is one of the biggest pieces of the entire transaction. And so in the context of the hundred UTXOs or the hundred addresses or previous transactions that you're spending from, because you have to reference every single check that you got, because there's nothing else there, you just reference other checks in the Bitcoin network, is that you can actually lop off like half of the data. And so rather than spending $100 to send $100, which means it's completely worthless, you literally, like, if you had 100 UTXOs, it would cost more like 50. You would be able to aggregate all of the signature data, and you still have to reference every single transaction, like the UTXOs and the addresses, but you don't have to include the signature because you have an aggregate signature that proves that you can sign for every single one of them. And thus it can accept one signature.
Basically, 99 signatures get removed, and that significantly changes the dynamic of cost for a bunch of different transactions and is a huge boon to those sorts of setups and aggregating things and also working in tandem with other people, because you can save, you know, half of your transaction fee or the amount that you're doing if you aggregate with a whole bunch of people trying to close channels. Because you can do it across people at the same time that you can do it across inputs in just your own wallet. [00:22:48] Speaker A: And best of all is that it's. [00:22:51] Speaker B: On the same cryptographic curve, which means that you're not changing the security assumptions of the signature. You're not changing the trust in the cryptographic primitive that these are valid signatures. You're basically altering a process of verifying it rather than the cryptography, the reliability of the cryptography itself and whether it means it's been verified. So you do obviously have to, if the consensus system right now is check each UTXO and check its signature, well, if you only have one signature, then you obviously have to give it completely different instructions in order to check one signature against a ton of different UTXOs. So it is a soft fork, because those are critical, like mission critical, consensus rules. How do I know this person has proved that they own this? But this is much less of a change and much less risk from the standpoint of cryptographic primitives than something like Taproot, if kind of, and how I would understand it, and probably even more than SegWit, because you're, I don't know, might be comparable. Well, no, no, because you're kind of within the same realm. It's kind of a different set of instructions, like kind of order of operations for checking signatures. Like, you're not creating like a SegWit.
SegWit was actually kind of like a really big change to Bitcoin because it put signatures in a totally different place. And you have to have the assumption of all old nodes that, like, it doesn't matter that there's no signature there. And so that was a pretty significant structural change. But, and obviously it's a soft fork, like there's no way around it. If you're changing how signatures are verified, you're changing something pretty significant to the Bitcoin network. So this may never even happen. But it's pretty cool to actually see this happen in a much more native way, I guess is the way to put it, is that it's more in line with exactly how Bitcoin works right now. And it's a smaller footprint of what needs to change and a smaller profile in new unknowns. If something like this gets added or soft forked into the network, then essentially the other, the variations of what we're going to have to happen to get cross-input signature aggregation in a different way or with Taproot and Schnorr and that sort of thing. And what's funny is that was one of the big selling points of Taproot. That was one of the things for me, is that I wanted to eventually have signature aggregation. I thought this was a really powerful tool to rebalance the privacy incentives and to make it so that one might click on yes, coinjoin my coins, not because they wanted privacy, but because they wanted to save funds or they wanted to save fees. In using Bitcoin, it will make the natural incentives of batching transactions and batching signatures, which even without some standard coinjoining and Tor network and all of this stuff, even without like going the whole Wasabi route or the Samourai route, it actually does fundamentally change the nature of chain analysis such that the historical record, it's a little bit like Lightning in that sense, is that the aggregation is happening off chain and there is no permanent record.
There's no, like, okay, whose signatures got added where in this list. It's like they're obfuscated entirely off chain. And so trying to trace it on the blockchain, that information is no longer just publicly available. [00:26:40] Speaker A: The individual signatures and who signed which. [00:26:42] Speaker B: Input are now just privately coordinated between the people, between the parties involved. So this would actually make something like PayJoin even better as a privacy mechanism, because you don't even know, like, now just any two-UTXO-to-any-amount transaction could look exactly like a PayJoin. Like, you don't even know. At least with a PayJoin now you know that two different signatures are made to two different UTXOs and then sent to a couple different UTXOs. But there's actually another layer of benefit if you can aggregate those signatures, because now you're not even, are these even separate? Are these two different parties? Like, what's the ability to put the pieces back together as to how many parties were involved or what's going on gets more and more obfuscated. It's a little bit, it does to signatures what Tapscript does to the script. So for those of you who don't know, one of the interesting things about Taproot is that unless you actually need the Taproot, that's current path. [00:27:46] Speaker A: Let's. [00:27:46] Speaker B: Let's give an example. So Lightning has three different paths. So when you make a Lightning channel and you have like a certain balance in it, and you're updating it and you're making Lightning payments back and forth, there are three different ways that you can close out that channel, that you can get those coins. One of them is referred to as the happy path. And that's when you and your channel partner agree and you just sign a. [00:28:09] Speaker A: 2-of-2 multisig and boom, we're done. [00:28:11] Speaker B: And it just publishes to the chain and you get your balance, I get my balance. Then there is the.
You're not online, but I am online and I want to get my coins back. And so I publish a separate script that is built into this exact same transaction that, if I don't have your signature, I can still publish, but I have to wait a week and I have to publish a piece of information that allows you to challenge me if I am cheating, if I don't have the latest state. Because if I have any old state, I had to give up a piece of information that would let you steal it from me. So essentially only the most recent transaction in our channel is the only one that I can broadcast to the network safely without losing every bit of my money. And that means that if I'm trying to cheat you by reversing a transaction or changing what balance is owed to you, you have a week, you have, like, this time lock to come in, because I broadcast without your explicit consent. I did it without your signature. You have this time span. This is the challenge, so to speak. You have this time span in order to come in and prove that you do in fact have a different state and I was trying to cheat you. And then you get all my coins. [00:29:27] Speaker A: So that's a separate branch in the. [00:29:30] Speaker B: Transaction altogether, or in the script, the opcodes, so to speak, for how I can actually spend this thing. So currently, when you spend, or I guess currently, if you're not using Taproot, all of this script is basically published and visible on the chain. So you can tell in a general sense that, or after you pay out of it. So first it's a hash, but then when I'm closing the channel, you'll see the other scripts. So you can see all these different paths. And you know, okay, this was a Lightning channel and I chose the happy path to close it out. However, in Taproot, the benefit of Taproot is that you can actually put all of these scripts behind the signature itself. And if you have the happy path, you just publish it with a normal.
[00:30:25] Speaker A: Signature, and nobody even knows that there were other possible branches. [00:30:30] Speaker B: So it hides all this other scripting or opcodes or multisig or anything. [00:30:35] Speaker A: It's not visible unless it's actually spent with. [00:30:39] Speaker B: Because then you have to prove that that was in fact part of the hash so that you know it's valid to actually spend. In other words, there could be an infinite amount of stuff behind the fingerprint of the transaction, and what you actually. [00:30:53] Speaker A: Use just needs to prove that it's. [00:30:55] Speaker B: Part of that fingerprint, but there can be all sorts of other stuff underneath it that obviously the fingerprint doesn't reveal. Like, you can look at my fingerprint and I can prove that that's me. But you don't know anything about me. [00:31:08] Speaker A: Until you find me. [00:31:09] Speaker B: Until you can, like, look at me. My fingerprint doesn't tell you how tall I am. But if I say I'm 6 foot or 6 foot 1 tall and then I prove that this is my fingerprint, then you're like, oh, okay, well, yeah, you're right. That fingerprint is this tall, because I can see you and measure you now. Well, it's kind of that same way with script, except that you can selectively reveal only the data that you need to prove. So let's say I have, you know, a bunch of different things in the script that say how much I weigh, how tall I am, the color of my eyes, blah, blah, blah. Well, I could reveal how tall I am without revealing anything else and then prove that that height is connected to the fingerprint. I don't know if this analogy is getting too complicated or not, but it just means that I don't need to reveal everything. All I need to show is that I can prove that it's my fingerprint that is attached to this data or this path. So because of that, I can have a transaction that has a multisig.
I can have a transaction that has, like, a time lock fallback. I can have a transaction that has, like, this master multisig thing where, like, my one key is always valid. But if a transaction happens and nothing occurs, it sits in this, like, time lock waiting for, like, 100 days and nothing happens, and I don't show a different key, well then, like, seven of my close family members can all redeem this without me, without needing my key at all. They just have to wait this 100 days. I can have another path where, if none of my family members do anything, well, my lawyer can get access to it after two years, blah, blah, blah. I could have a hundred different possible ways that this transaction is spendable, but then also just have a basic 2-of-2 multisig where me and you sign it together. And as long as we do that, we have full control and we can spend it just like it's a normal wallet. Well, then you and I can sign that transaction and publish it, and nobody has a clue that those 99 other paths are even there. That grants an interesting degree and layer of privacy for how you construct your transactions and what the instructions are for unlocking them. Whereas something like aggregate signatures is a way to aggregate how many participants there are and who's signing for which UTXOs. And so kind of like Taproot makes all scripts look like just one thing, something like DahLIAS or signature aggregation makes all signatures look like one signature. And those are two really cool benefits to have. And this was, again, like I said, one of the selling points for Taproot, one of the things that had me interested in it, because I wanted that eventual.
I feel like if you get the economic incentives right, where doing something that gets you privacy is cheaper than doing the thing that loses privacy, if you have the economic incentives properly aligned so that privacy is the better alternative, whether you care about privacy or not, the market will take care of that problem and you will have more privacy than not by default, over a long enough span of time. [00:34:26] Speaker A: If the incentives are aligned, you will. [00:34:28] Speaker B: Get the thing that you're looking for. And that's why I thought that was an important. That this idea of signature aggregation is an important and very valuable primitive that if we could get in the chain, that would be good, but it's also not the end of the world. Lightning does a wonderful job of kind of realigning those incentives as well. And there's no permanent blockchain of all the transactions and stuff on Lightning. One of the interesting ways, and this is hilarious because I was just on the show with Super Testnet, which we ended up talking tons about Lightning and privacy and him trolling the Monero people and all of that stuff. So stay tuned for that. You got to subscribe. But that chat will be next week, probably, hard to say, but that will be out soon. And it was such a great conversation. Always love catching up with Super Testnet. And that guy just builds stuff like crazy. That guy's wild. But we ended up talking a lot about that. And one of the things that he said that was really, really funny, that people don't really think about, is that if somebody's trying to figure out like, did you make this Lightning transaction? Or blah, blah, blah, like you can just delete your transaction history and it's just gone. Like nobody has it. Like it's your transaction history. And you just can't do that with Bitcoin on-chain or Monero or anything that runs on a blockchain because it's just permanent records. 
So if somebody figures out some way to tie those things together, they have this permanent record to go back and dig through. And if they then find your public key or your private key or something, even if years later, after you thought you deleted them, but there was still, you forgot there was a backup of your wallet or you kept your public key information somewhere, well, now they can go back and connect all the dots and see all your transactions on Monero or on-chain, you know, whatever it is, you could accidentally leak that information. Whereas if you just deleted your transaction history on Lightning, there's nothing, there's no other source to go look for that transaction history. But I don't want to lead that conversation too much because we get into so much great stuff in that show. I think you guys are really going to enjoy that one. And you know, there's just so much about the kind of the concept of privacy because it's a forever moving target. So there's no one solution. And I think just having enough of those core primitives to aggregate and to split up ownership of a UTXO and to aggregate signatures and to basically prove the information rather than needing to show all the information and then sign which path that you took. You know, being able to hide script behind Taproot, being able to aggregate signatures so you don't have to show each individual signature for every UTXO. And then something like CTV where you can have inside the script, part of that script can be the fact that you've allocated a certain amount of bitcoin of this one address. You can split up a single UTXO into 100 different people, a thousand different people, a million different people, and whenever they quote, unquote, exit from that in a Taproot script, they only ever have to show that they're a part of it and they don't have to reveal the 999 other people in that UTXO. 
Like these kind of handful of things used together, and specifically they're not huge extensions or, like, super risky fundamental changes to the network. Not nearly as much as, you know, doing some ridiculous thing like MimbleWimble or, like, changing the architecture of how transactions work. They're just ways to obfuscate, to narrow down exactly what you need to prove without revealing as much information, or rather revealing as little information as possible, to just show that the correct thing happened and that you've cryptographically proved that the correct thing happened and that all the requisite owners were there without actually revealing the choices, the alternative paths, the individual people and the individual signatures and who exactly is allocated what inside this one address or UTXO. And I think pulling all of that together, there's just so much. I just don't think we need that much more to enable us to build all of. [00:38:53] Speaker A: The things that we need and, or. [00:38:54] Speaker B: Would want with Bitcoin. And yes, it does mean that, you know, layer two and layer three are always going to be more complex than the base layer. And we obviously want to limit the degree of complexity and the assumptions that have to be made because the more complex it is, the more likely it is to break or the more failure modes there are. And so kind of having those handful of primitives at the base layer is super valuable in trying to lower the complexity of the layer twos and the layer threes. And also shrinking the assumptions that have to be made in order to know that one thing is guaranteed to this person or the reliability of this privacy element has, you know, this set of trade offs or this set of explicit benefits so that you can kind of narrow your view of where you're trying to solve a problem. 
And you don't kind of have to worry about this edge case anymore of, you know, doing it with two or three pieces rather than doing it with a fundamental primitive that you can prove on chain. And yet you don't have to create this really massive complexity at the base layer either. You're making relatively simple and relatively low risk changes on the bitcoin network itself in order to simplify things that would take three different pieces interacting together, which means that it could break. And instead you're replacing them with one thing that simply does that function in a very clear and straightforward way. And I've said a few times on this show, probably numerous times on this show, is I just don't think there's that many primitives left to need at the base layer to basically build anything that we want to build. You know, TCP/IP doesn't have to be so complex to make all of the Internet possible. You know, you don't have to prove that you can build. You don't have to like put in some crazy complex thing in order to know that you can run bitcoin on top of TCP/IP. You don't have to know ahead of time that that might be something you want to build. [00:41:04] Speaker A: You just need TCP/IP to do its job. [00:41:07] Speaker B: And in the context of Bitcoin, you only need a handful of primitives about how you prove and verify ownership. And there are some benefits to data efficiency and privacy efficiency in accomplishing that task that if you just had a couple of small additions, I think it could have an order of magnitude effect on what you can build higher up. And one of those has been for a long time, basically since I was talking about Taproot, one of those has been aggregating signatures and the other has been splitting up ownership of the UTXO at the bitcoin layer so that there's one UTXO and one apparent signature and actually 100 different people own it. 
And there is no explicit revealing of who those hundred people are. There's not 100 different signatures. It's not 100% multisig. It's just a UTXO that is split up, that has explicitly broken up ownership, that each individual person can verify their one little piece of it on chain. And so in this context, that would be CTV. Well, CTV plus CSFS, which one of them is basically a way to verify what CTV enables. But I think both of those primitives, God, you could just build so much with those. You could build so much with those. And it completely changes the dynamics of fees. And thinking about it would ultimately alter how we think about what a bitcoin transaction is. But I kind of think Lightning has already done that. Right? You accept that when you're using Lightning, you have an invoice. And I already think that's slowly but surely becoming the standard way of having that communication. And even things like Ark and Fedimint and ecash and all of these tools that are layer twos and threes and such, how do you use any of them? You pay a Lightning invoice. Like Lightning is becoming the common language and it is becoming the connecting tissue between all of these separate things, and it is increasingly becoming the same thing for Tether and stablecoins: you're going to be paying Lightning invoices and fulfilling dollars. Which is what we were just talking about with Allen Farrington's fantastic piece. If you haven't listened to this one yet or read it, his half-baked thesis on stablecoins, highly recommend it. Always a huge fan of Farrington. He does such a good job of explaining and painting the picture and he brought up a couple different things that I hadn't totally considered. But I very much share a very similar opinion or similar image in my mind to what he laid out. So I encourage you to check that one out if you haven't. 
But I don't think we need much more in Bitcoin for Bitcoin to basically scale and provide its assurances indefinitely into the future, with the one kind of potential existential question of making quantum safe signatures at some 10- to 20-year timeline. Whatever the timeline is for that is just the expiration date on the cryptography itself, which I think is just natural; cryptography has an expiration date. Every cryptographic system we've used previously has been broken at some point and so we would have to update it. So I think it's safe to make that assumption and just know that those are the sorts of changes and the realm of the things that we should be concerned about. And otherwise I think almost everything else can be left to higher layers and we can actually extend the assurances and the integrity and the sovereignty of the base layer to as many, to as great of a scale as is desired. That if people want it, they can get it. But we will see what happens with DahLIAS because this does kind of change things. This means that implementing this and the potential assumptions or risks of doing so actually just got a lot closer to home. They got a lot closer to home in a good way. They got closer to what we see of and how we think about Bitcoin being secure right now without needing to make a ton more assumptions. It means that the surface area of problems is easier to identify and more clear. The edges are more clearly defined. And that may very well mean that we could actually get this. That it becomes closer to the realm of possibility. Especially with how difficult soft forks and changing Bitcoin has become these days. So a shout out to Kiara Bickers and to Bitcoin Magazine obviously for always having... I again, you know, I have my complaints for Bitcoin Magazine and other things. I have differences of opinion with some people who work there, but they are a fantastic resource. 
They publish great stuff, they hire people to write great stuff. I use them as a resource for so much and I can't possibly... like, they're a hundred times better than if you search something on Google. 99 of the top 100, Bitcoin Magazine is better than the search results of every other crypto news and garbage that you're going to find. And you can find great stuff like this. Like I didn't even know about DahLIAS until I found this article. So a shout out, a shout out to, you know, respect where respect is due. Now before we close this out, if you want to get access to the fiat value of your bitcoin without selling your bitcoin, there are literally barely two. There are two companies that I would trust and have used to get a bitcoin backed loan, and Ledn.io has just an incredible platform, and the loan that I took out to finish the basement and to get the studio in this house finished, I'm so happy that I did it that way because I did it at $40,000 per bitcoin. So if I had sold the bitcoin to do this rather than taking out the loan, I'm going to get more than 2/3 of that bitcoin back. I'm going to have kept it and I'm going to have a finished basement and a studio. It's not perfect for every situation or every decision, but especially if you're trying to make an investment or you're spending bitcoin to mine bitcoin, look at the platform, look at their terms. It might work perfect for you and save you a ton of sats. I got a link for you right down in the description, plus a 10% discount to Chroma if you are serious about your light health and your hormone and energy levels or you've gone down the red light therapy rabbit hole. getchroma.co has some fantastic products and they happen to be awesome bitcoiners. Discount code Bitcoin Audible gives you 10% off. Discounts are where it's at. Save your sats and don't forget to check out the Financial Freedom Report by the Human Rights Foundation. Actually one really crazy story in the last Freedom Report. 
Russia has targeted bitcoin mining now and. [00:48:06] Speaker A: They're doing a national mining equipment registry. [00:48:09] Speaker B: And the law as currently drafted would actually empower, let the courts legally confiscate all of. [00:48:16] Speaker A: The bitcoin that is tied to, quote, unauthorized mining. [00:48:20] Speaker B: If you want to find out more about it, you want to hear about what's going on in Iran, Hong Kong, Togo, other news from Russia, Turkey, basically the world of news around financial repression and then a lot of the fantastic new bitcoin, Nostr and encryption tools to protect your sovereignty, that is the Financial Freedom Report. And lastly, there are a handful of incredibly exciting projects around fixing what is wrong with the web. And you've got to check out Pubky if you haven't yet. Their current model and specifically Pkarr, which is part of their protocol, is in my top three things of what I am keeping a very close eye on for who can actually solve the major problems of the Internet. And if you haven't checked it out, especially if you're a builder looking to have an unstoppable way to build an app, don't sleep on this one. Check it out before you make a decision of how you're building. Link and details are in the show notes. And obviously subscribe to the show because there will be other episodes where we dig into some of the specifics and we kind of compare the various alternatives. [00:49:22] Speaker A: Like this, this is the place. [00:49:23] Speaker B: This is part of what I love about this show and the things that I dig into is how are we going to fix the problems of the web? How does bitcoin change the dynamics? How do we bring peer to peer back, how do we create, you know, federations, these sorts of things? That's what this show is about. Digital sovereignty, monetary freedom, censorship resistance, you name it. That is Bitcoin Audible. 
Don't forget to subscribe if you want to hear about the front lines and you want to dig into the history, the philosophy and the economics behind all of it. And also if you haven't left a review on Apple Podcasts or Google Podcasts, definitely do. That actually goes a really long way to helping us out. And I'm actually really proud of my rating over there and I seriously appreciate those who do take the time to, you know, help this show get more attention. So thank you to the audionauts and everybody else who has supported this show and me over the years. And that'll wrap us up. Thank you guys. I am Guy Swann. This is Bitcoin Audible. [00:50:22] Speaker A: And until next time, everybody. That is my two sats. "It isn't obvious that the world had to work this way, but somehow the universe smiles on encryption." Julian Assange.